Adoption and Privacy Issues Get Aired at NIST's Fifth Cybersecurity Framework Workshop

Last week in Raleigh, North Carolina, the National Institute of Standards and Technology (NIST) hosted a fifth and final workshop on the development of a comprehensive critical infrastructure cybersecurity framework as the February 2014 deadline for finalizing the ambitious effort draws near.  After an intensive amount of work on a complex and thorny subject, many of the participants, particularly those who participated in all five of the workshops, were in awe over how far NIST has come since it received its marching orders via President Obama's executive order last February.

But as could be expected, there are a lot of issues that have yet to be resolved.  As my latest piece for CSO Magazine spells out, one major question remains unanswered despite the prodigious work by NIST and industry collaborators:  what constitutes adoption of the framework?  Without really good answers to this question, the framework itself could become a hollow exercise that, while representing good thinking and practices, does very little in reality to raise the cybersecurity bar.  The definition of adoption as well as related issues (such as the incentives needed to adopt the framework) got a lot of airtime among the attendees in North Carolina.

A well-organized effort to get NIST to overhaul its latest attempt to incorporate privacy and civil liberty considerations into the framework was one of the more surprising aspects of the workshop.  The framework's privacy appendix is too broad and should be pared down to deal only with privacy matters as they relate to cybersecurity, a number of top infrastructure industry reps said.

NIST has some, but not much, time left to tinker further with the framework before it becomes final.  And the group is still fielding feedback during an open comment period that ends in December.

For more information on the latest workshop, check out my article in CSO.

U.S., Germany, Singapore, Australia, UK & China Top List of Apple Device Data Requests

Apple today released a report detailing, to the extent it can, the number of requests it receives from governments around the globe seeking information on individual users or devices.  Following in the footsteps of Google and other Internet companies, Apple's stated goal with the report is to be as transparent as possible. The timing of the report's release comes amidst growing concern as a result of the Snowden revelations over the degree to which U.S. companies share individual user data, communications and activities with the National Security Agency (NSA).

The Cupertino giant makes an effort to distinguish itself from Google and similar Internet services, noting that most of the government requests are device-related, and that only a small fraction of the requests seek information from online or mobile service accounts such as iTunes or iCloud.  In a statement widely viewed as a thinly veiled dig at the Internet search provider, the report states "our business does not depend on collecting personal data. We have no interest in amassing personal information about our customers."

Moreover, the data Apple does present on these "account" requests reveal little about NSA or national security requests because the U.S. government bars the company from presenting this information in anything other than consolidated ranges of 1000s.  The bulk of the account requests, however, do come from U.S. authorities, whether local or national law enforcement or intelligence agencies.  Very few come from other nations (perhaps because, as Apple notes, law enforcement agencies outside the U.S. must first go through U.S. legal channels before obtaining account information.)

Interestingly, Apple says it has not received any of the so-called 215 requests at the heart of so many of the NSA controversies.  Section 215 of the Patriot Act allows the U.S. government to petition the Foreign Intelligence Surveillance Court to issue demands for user data from service providers.  "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us," the report notes.  (Some commenters are suggesting that this statement is Apple's "warrant canary," namely that Apple is going on the record to say that it has never received a Section 215 warrant only to remove such a statement in future reports in the event it does receive a warrant.  Apple, like other service providers, is legally barred from disclosing the receipt of these demands.)

The more interesting data are what Apple calls device information requests, none of which reflect national security-related requests and many of which originate with device owners themselves working in conjunction with local law enforcement.

The table below lays out these requests by country, in order of frequency.  The U.S. tops the list in terms of frequency of requests (3,542) followed by Germany (2,156), Singapore (1,498), Australia (1,178), United Kingdom (1,028) and China (585).  Apple typically provides data in response to these requests -- but not always.

For example, in Japan there were 106 requests for device data during the first six months of 2013, but Apple only provided some data in 12 of those cases - a mere 11%.  In Taiwan, Apple received 81 government requests but only provided some data in 12% of those instances.

It's possible that in these situations the requests were related to mass device theft and thus data on the device owners was not relevant.  In Brazil, for example, Apple received 34 requests related to 5,057 devices but five of those 34 requests involved stolen cargo.  In Brazil, Apple provided data in only 6% of the cases.
