It’s the Culture … and Dead Canaries

It appears that Volkswagen’s internal auditors “… found no evidence to suggest that members of the executive board or supervisory board were involved in the diesel fraud …” according to an article “VW Says ‘Culture’ Flaw Led To Crisis” by William Boston, Hendrik Varnholt and Sarah Sloat in the December 11, 2015 issue of The Wall Street Journal. In the same article, Hans Dieter Pötsch, VW’s chairman, is quoted as saying that “There was not one single mistake, but rather a chain of errors that was never broken.”

These two factors—senior management’s role and multiple “errors”—apply just as much to information security in general as to fraudulent emissions defeat-device software in particular. This is not new by any means. As described in Jennifer Bayuk’s 2009 book “Enterprise Security for the Executive: Setting the Tone from the Top,” executives determine the security culture. If the culture is one of deceit, then that is the tone executives have set—there is no need for them to be explicitly involved for the “corporate culture” to take effect.

Furthermore, in cybersecurity, there is seldom one particular reason for an attack being successful. Yes, hackers may be very sophisticated. But defenses are often weak and known vulnerabilities have frequently not been addressed. There are many contributing factors, but only one root cause. And, in many major successful breaches—Target, OPM, IRS—the most senior person is often the real cause. They frequently don’t understand cybersecurity, nor are they willing to invest to an appropriate level in security expertise and tools—until after the event. For example, the CEO of Heartland Payments, Robert O. Carr, educated himself on the intricacies of cybersecurity following a major data breach of his company in 2008. So what are the usual consequences? Often there is a relatively brief drop in share price for public companies, and increased costs to advise victims, offer credit checking, and put in place the security that they should have had in the first place.

Sometimes senior executives are replaced, but not always. They might go into retirement or take their golden parachutes and find themselves other lucrative roles on boards of directors or as advisors. There surely isn’t much deterrence in that. They had the responsibility, but little personal liability. It’s just another example of “moral hazard” where blame is deflected to some nebulous space.

Not until those at the top really grasp information security and privacy principles and take on the direct responsibility for ensuring that strict policies are developed and enforced through adherence to very specific standards will we see any real improvement in the battle against cyber attacks. Furthermore, senior executives need to understand the complexity of cyber-physical systems and how errant software can affect physical systems.

Towards the end of the WSJ article quoted above, we read what might well be the most important lesson of all, namely, that VW’s IT infrastructure needs to be upgraded, since it was “insufficient to identify the fraud.” Herr Pötsch “… also cited insufficient testing procedures in the engine development department that allowed individual engineers to push engines out the door without a second set of eyes to corroborate their findings.”

While testing procedures could have been at fault, rigorous verification and validation requirements only prove that the engine systems comply with predetermined requirements and have been implemented in accord with those requirements. If the requirements stipulated various emission levels during testing, then the engines with the defeat-device software would have surely met those requirements even if testing procedures were to be upgraded.

Yes, a greater focus on software security and safety assurance should be an improvement, but is no guarantee. The key is to build in security (protecting against attacks by hackers) and safety (preventing harm to humans and the environment) from the start so that they will become part of the requirements and specifications of the engine control software. In this way, testing will be against desirable characteristics, not fraudulent ones.

The tone of improved security and safety should certainly come from the top of the organization. But senior executives need to understand and determine appropriate security and safety standards and set their policies and procedures accordingly. Unfortunately, Herr Pötsch’s statements do not seem to show an understanding of the overall lifecycle assurance process.
