Why Do We Need a New Data Security Advisory Group?
by James B. Morris

The hackers are winning the cyber wars.

Watch this Cisco commercial for 30 seconds.

As the speaker in the video says, "There's an army of us, relentlessly unpicking your patchwork of security ... Think you'll spot us? ... You haven't so far."

Well, we haven’t ... and that’s the primary reason why there is a need for a new Data Security Advisory Group (DSAG).

Today’s hackers are well-funded, organized syndicates who are picking apart our shaky patchwork of security. They’re not going to stop until we stop them.

We've been leaderless for years, and it is only going to get worse. Consider this graphic:

Graph of Federal Reserve Data Breaches

The "Malicious Code" line in the graphic is almost solid for the first half of 2016. Even more sobering is the very recent "Unknown" category of breaches in 2016, another solid line. Could this be a new, more sophisticated form of breach that nobody knows how to defeat? Which begs the question, how many breaches have not yet even been detected?

There is a need for a new DSAG because we are mostly standing around today like a deer caught in the headlights when it comes to permanently defeating the hackers.

There is a need for a new DSAG because the U.S. needs new, effective leadership to defeat the hackers, and a new DSAG will provide that leadership.

How will DSAG provide this new, effective leadership?

Many CEOs are concerned and frustrated today by the lack of some kind of national focus that would make it clear what is expected of their companies with regard to fraud prevention and protecting sensitive data from hackers. There is no shortage of watchdogs and enforcement agencies looking over CEOs' shoulders and telling them they are not doing enough to prevent fraud and stop the hackers. There is also fear that Congress, left to its own devices, might pass future legislation forcing ineffective and expensive security requirements on U.S. companies. It is our mission at DSAG to act before Congress takes a misstep that we will all regret. Thus one of DSAG's most important goals is to provide leadership to the Congress (and to federal rule-making and standards-making organizations, e.g. the FTC and NIST) by providing a bulletproof set of technical requirements and standards that will ultimately stop the fraudsters and hackers.

DSAG's technical requirements and standards will provide next-generation, secure-systems vendors with functional requirements for new products that will be 100% effective in eliminating fraud and data loss/damage by hackers. The technical requirements and standards established by DSAG would (1) become legally binding on next-generation systems vendors and purchasers of those systems and (2) provide legal immunity for those purchasers who install and use the next-generation systems. For example, if you store sensitive data belonging to your customers, your employees, banks, or any other organization, you would be required by law to store that data only on secure computer systems that have been approved to meet the technical requirements and standards maintained by DSAG. If you do so, you would be immune from lawsuits, FTC enforcement actions, and fines. The achievement of this goal would result in the CEOs of America finally understanding what the legal requirements are for maintaining effective fraud prevention and data security measures. After they have complied with those requirements, CEOs will be free to devote all of their time to growing their businesses instead of worrying about when the next data breach or fraud charge-back will occur.

To achieve the goal of providing an effective and credible set of technical requirements and standards, DSAG will need the best and the brightest of the computer science community to be involved in its effort. This means recruiting the most experienced and skilled computer scientists with deep knowledge of computer-science research during the last forty or so years in the field of operating systems (including microkernels, virtual machines, formal verification techniques, etc.).

In fact, over the last forty or so years the computer science academic community has already proposed and prototyped in the lab essentially all of the technology required to institute the technical requirements and standards necessary to put a stop to the fraudsters and the hackers.

------ About the Author ------

James B. Morris has a Ph.D. in computer science from the University of Texas at Austin. He has been a researcher, developer, and expert in the fields of computer systems, software development, operating systems, and cryptography for almost forty years.

Fraud Prevention Standards Should Not be Entrusted to Profit-Making Organizations
by James B. Morris

Home Depot and Walmart recently filed lawsuits against Visa and MasterCard.

Article: Home Depot Is the Latest Retailer Suing Visa and MasterCard Over Security

The Home Depot lawsuit primarily alleges that security for the new EMV chip cards is not nearly as strong as it should be, leaving both retailers and customers vulnerable to fraud. This relatively weak security is alleged to be the result of Visa's and MasterCard's pursuit of higher profits from retail merchants in general and Home Depot in particular.

When you purchase goods today at Home Depot using a new chip card, the final step in the payment process for those goods is to sign the payment card receipt. This is no different than what you used to do when you used a magnetic stripe card to make a purchase in the past. This is called a chip-and-signature payment.

Chip cards were first used in Europe, and have been in use there for many years. Instead of requiring a signature as the final step in the payment process, European chip-card payments require the customer to enter a Personal Identification Number (PIN). This is called a chip-and-PIN payment.

So why the lawsuits?

A major factor in the dispute that gives rise to the lawsuits is that chip-and-signature does almost nothing to prevent fraud. On the other hand, chip-and-PIN is generally very effective against fraud, although it should be pointed out that chip-and-PIN does nothing to prevent a data breach by hackers. Visa and MasterCard claim that chip-and-PIN transactions are inconvenient for customers because it is difficult for people to remember their PIN (which raises the question of how these memory-challenged individuals would ever be able to use an ATM or conduct business in a bank branch if they can't remember their PIN). Home Depot claims in its lawsuit that Visa and MasterCard mandate chip-and-signature only because chip-and-signature generates more profits for Visa and MasterCard than chip-and-PIN. If this is true, then profits apparently trump fraud prevention at Visa and MasterCard.

Unfortunately, everybody is overlooking the real problem.

The real problem is that profit-making organizations are in control of the decision process that mandates the use of either chip-and-PIN or chip-and-signature payment transactions. This needs to change, because it is folly to entrust fraud prevention decisions to profit-making organizations like Visa and MasterCard.

DSAG is an independent, non-profit, security-standards organization. Let's take another look at DSAG's mission statement: Establish technical requirements and standards for next-generation computer systems that will eliminate card-present fraud, card-not-present fraud, and data loss as a result of hacking. DSAG's technical requirements and standards will provide next-generation, secure-systems vendors with functional requirements for new products that will be 100% effective in eliminating fraud and data loss/damage by hackers. The technical requirements and standards established by DSAG would (1) become legally binding on next-generation systems vendors and purchasers of those systems and (2) provide legal immunity for those purchasers who install and use the next-generation systems. For example, if you accept payment cards (chip cards) for purchases, you would be required by law to use only secure computer systems that have been approved to meet the technical requirements and standards maintained by DSAG. If you do so, you would be immune from lawsuits, FTC enforcement actions, and fines.

One of DSAG's technical requirements and standards would almost certainly mandate the use of chip-and-PIN for all payment transactions, because chip-and-PIN is far better at preventing fraud than chip-and-signature. Fraud prevention should be a technical standards decision, not a profit-making decision and certainly not a decision based on what is most convenient for customers. DSAG (an independent, non-profit, security-standards organization) should determine the most effective fraud-prevention standards for everybody. The right fraud-prevention decision will always mean putting fraud prevention first in the decision process. DSAG's decision regarding the use of chip-and-PIN versus chip-and-signature will be driven by the best technical security practices for fraud prevention, not what is best for the bottom line of profit-making organizations and not what is the most convenient for customers.

This is precisely why fraud prevention standards should not be entrusted to profit-making organizations.


DSAG Will Eliminate Both Card-Present and Card-Not-Present Fraud in the Payments Industry
by James B. Morris

Article: Chip and Pin 'to be hacked within a year', expert predicts

Here is the first of a couple of very disturbing warnings from the article above: Theresa Payton, a former White House Chief Information Officer, has warned that the industry needs to think about developing alternative ways to protect [EMV] card transactions after experts managed to crack the technology in a test laboratory.

Computer scientists have known for several years that the payments industry needs to develop more secure ways of protecting EMV payment transactions, but it seems the payments industry is still asleep at the wheel on this issue.

The second disturbing warning is this: Payton said that people should be prepared for 'card not present fraud' to go "through the roof".

Ms. Payton is right again. Card-not-present purchases are almost always purchases at an online merchant such as Amazon. Both the payments industry and merchants have mostly ignored the explosion of card-not-present fraud. That's too bad, because there is most assuredly a way to eliminate both card-not-present and card-present fraud.

The history of "cybersecurity" is mostly a forty-year saga of failure after failure. It is simply not possible to secure the current generation of computers. Because we have focused on trying to secure computers and networks (cybersecurity) instead of securing the data itself (data security), we find ourselves today in a state of extreme vulnerability to fraudsters and hackers. The payments industry and many merchants have been navigating by the wrong stars, and it comes as no surprise to computer scientists that the payments industry and merchants have lost their way when it comes to payments security.

It is primarily because of this loss of direction that the Data Security Advisory Group (DSAG) was formed. The mission of DSAG is to establish technical requirements and standards for next-generation computer systems that will eliminate card-present fraud, card-not-present fraud, and data loss as a result of hacking.

This is an achievable mission, but nothing less than a revolutionary new technical vision will be required. This vision will require a new generation of secure computer systems technology that has security built in from the very start.

At the same time cybersecurity "leaders" are failing us today, payments industry "leaders" are saddling us with new ideas that will never be secure and are not needed: mobile payments and tokenization are two examples.

The idea of using a cellular telephone for mobile payments is the latest attempt to convince us that the smartphone is the only device we will need in the brave new world as seen by smartphone futurists. This movement surges ahead in the wake of increasing fraud and data breaches even though smartphones are notoriously insecure and always will be.

The smartphone-is-the-answer-for-everything enthusiasts ask, "Why do I need to carry a plastic payment card to make payments?" DSAG asks, "Why do I need to carry a plastic payment card to make payments and why do I need to rely on a smartphone to make payments?" DSAG asks, "Why not use what I am required to carry around anyway to make payments: my brain, my fingers, and my eyes?"

In DSAG's version of the future, you will be authenticated at the checkout stand (and at home) by a retina scan and fingerprints and possibly also a PIN. You won't need a plastic card and you won't need a smartphone. The idea is to authenticate you, not a payment card and not a smartphone. A payment card and a smartphone can both be "spoofed" by fraudsters to look like they are your card or your phone. It is far more difficult to spoof your fingerprints, your retinas, and your PIN (if you use common sense in managing your PIN). There is effectively no payment fraud in DSAG's vision of the future.

What about tokens and tokenization? Again, not needed. In DSAG's vision of the future, merchants purchasing next-generation products that meet the DSAG technical requirements and standards would be able to safely store credit card numbers, expiration dates, etc. in a secure data vault within their internal networks. This solution would be more secure than storing tokens and dealing with a token service provider. Thus the DSAG vision will remove the need for tokens and token service providers. These are red herrings that are insecure and not needed.

If you think the technology described above is difficult or impossible to implement, you are wrong. In fact, over the last forty or so years the computer science academic community has already proposed and prototyped in the lab essentially all of the technology required to institute the technical requirements and standards necessary to put a stop to the fraudsters and the hackers.


The Hacking Plague: Most of us Just Don't Get It
by James B. Morris

Very few of us really get it when it comes to the persistent problem of hacking.

It's not about discovering the source of the hacking.

It's not about finding and arresting the perpetrators of the hacking.

It's not about using cybersecurity technology to prevent the hacking in current-generation systems like Windows (sorry, folks, but that is just not going to happen).

The focus should be on eliminating data loss as a result of hacking and eventually putting a permanent stop to the hacking with next-generation data-storage technology.

Putin called the DNC hacks a public service. Article: Putin calls DNC hack public service, denies Russia's involvement.

That's also a red herring.

This is all you need to know: Data loss as a result of hacking can rather easily be eliminated in next-generation systems, and most of the technology to achieve this goal has already been prototyped in the lab or developed as open-source software by computer scientists.

DSAG is going to be the leader in achieving this goal.

Every time there is a data breach, the pundits and the politicians call on the FBI to investigate and find the bad guys. The cybersecurity experts are also summoned.

We are deluged by news stories today that claim Russia is behind the DNC and DCCC hacks. Why? Primarily because (the "experts" claim) the malware in these hacks appears to be similar to that used by Russia in the past.

This conclusion would be laughable if it were not so seriously flawed. First of all, hackers from all over the world share their latest malware with other hackers worldwide (the good guys have been doing this with legitimate software for many years), so it is virtually impossible to determine who used what malware and where it originated. Secondly, any moderately competent hacker is able to easily leave false clues that will throw the cybersecurity forensics people off the trail of the real hackers. Does anyone honestly believe that a competent hacker would be stupid enough to leave clues that could get him or her busted?

Another thing most people just don't get is that hacking is not like other crimes of theft, because cyberlaws are not practically enforceable.

The average amount of cash stolen in a bank robbery is under $20,000. For this crime, you are very likely to get caught and you could do as much as 10 years in jail. That's not worth it for $20,000.

For most cybercrime, the amount of cash ultimately obtained from data stolen in a breach can easily exceed several million dollars. You are not likely to get caught, and even if you are caught, you will probably not do more than about 5-7 years in jail. For most hackers, this is worth it! Cybercrime does pay, especially if you are a hacker in a country with an economy that is in the tank.

This is why I say that cyberlaws are not practically enforceable: the reward is usually very much worth the punishment in the world of cybercrime.

So, again, this is all you need to know: Data loss as a result of hacking can rather easily be eliminated in next-generation systems, and most of the technology to achieve this goal has already been prototyped in the lab or developed as open-source software by computer scientists.

How come that's so hard to believe?

To paraphrase Napoleon Hill: Too often there is a spirit of selfishness in a society that prompts each individual to think his or her ideas should prevail. DSAG represents a compendium of ideas, and this is why DSAG is needed to eliminate the hacking plague. It is an important part of DSAG's responsibility to induce people to subordinate their own ideas and interests for the good of the whole. Success, no matter what may be one's conception of that term, is nearly always a question of one's ability to get others to subordinate their own individualities and follow a leader.

In the case of eliminating data loss as a result of hacking, that leader is DSAG.

Cecil Lewis said it much better than I in the book Sagittarius Rising. Although Lewis was referring to the political condition in Europe prior to the beginning of World War I, this quote is very pertinent to the hacker wars of today.

"We needed effort, not greater in quantity, but other in quality; a different point of view, a new perspective, a more constant aim, coordinating and co-relating circumstances and conditions for the general good. Men with such faculties existed; but they were scarcely listened to, for the conditions under which they would undertake to pilot us to safety demanded heavy sacrifice and drastic change--both utterly abhorrent to those who could not see the danger they were in."
