<h1>A case for professional licensing?</h1>
<p>securitycurve.com, 2018-05-17. Category: security. Tags: cloudflare, licensing, uber. Original URL: https://securitycurve.com/?p=753</p>
<p>So maybe you saw the news that <a href="https://www.cnbc.com/2018/05/16/fired-uber-cybersecurity-chief-joe-sullivan-joins-start-up-cloudflare.html">Joe Sullivan is going to Cloudflare</a>? If the name isn't familiar to you, this is the person who was fired from Uber as fallout from their <a href="http://thehill.com/policy/technology/372596-uber-no-justification-for-covering-up-data-breach">breach shenanigans</a>: systematically covering up the breach, paying off the attackers, botching the response, and so on. Cloudflare has decided that he's the kind of leader they need, and <a href="https://blog.cloudflare.com/why-im-joining-cloudflare/">Mr. Sullivan says he wants to be at Cloudflare</a> so he can "secure the whole Internet".</p>
<p>Look, I've got nothing against Sullivan personally: I'm sure he's an awesome guy. I bet he loves his kids and is nice to dogs... maybe he's even a scout master or rescues kittens out of trees. But I'm left wondering what, if any, standard of conduct security practitioners should hold themselves to... and what standard we as a society should enforce.</p>
<p>Here's what I mean. Whether or not Sullivan was responsible for specific decisions, let's not forget that Uber is <a href="https://www.reuters.com/article/us-uber-tech-crime-exclusive/exclusive-uber-faces-criminal-probe-over-software-used-to-evade-authorities-idUSKBN1802U1">being criminally investigated for implementing software to evade law enforcement</a>, allegedly implemented <a href="http://www.businessinsider.com/report-uber-system-disrupted-government-investigations-2018-1">software to operationalize obstruction of justice</a>, has <a href="https://www.ftc.gov/news-events/blogs/business-blog/2017/08/ftc-says-uber-took-wrong-turn-misleading-privacy-security">settled with the FTC over misleading privacy and security claims</a>, and of course the aforementioned breach cover-up. And that's not even mentioning that the app itself <a href="https://www.cultofmac.com/304401/ubers-android-app-literally-malware/">has been called "literally malware" by the research community</a>, by virtue of the amount of data it collects and how it operates.</p>
<p>Was Sullivan responsible for all of this? Probably not. Maybe he wasn't there when these decisions were made. Maybe they were made by other people. The more salient question, though, is whether he knew about it and continued to work there. And frankly, it's problematic either way. If he did know, I'd argue that he was to some degree "on board" (employees have one way to vote, and every day they show up for work is another day they vote "yes"). If he didn't know, is that any better? That speaks to work ethic (not caring enough to be in the loop), professional rigor, or competence.</p>
<p>Let's stop for a moment and consider what would happen if we were talking about, say, a surgeon. What if a patient dies because their surgeon failed to adhere to normative and accepted standards of care? Say a surgeon <a href="https://en.wikipedia.org/wiki/John_R._Brinkley">implanted a goat organ</a> in your abdomen while removing your appendix, because that's how they roll. Or what if a surgeon overlooked someone else's ethical issue, say an anesthesiologist who showed up drunk? Assuming that surgeon were fired from hospital A as a result of one of those things, is it acceptable for them to continue to practice at hospital B? I get that there's a difference here. But ask yourself whether it's a difference in kind or in degree.</p>
<p>I used to work for a large MSSP and cloud provider. There was one interview question we always asked. It described a hypothetical scenario in which a critical security control we provided for a customer failed, and asked how the candidate would handle it. For example, say the IDS was disabled for a period during which we were monitoring a customer, or we had knowledge of a breach near-miss that we contributed to. Given that scenario, we'd ask the candidate whether they'd tell the client, and if so, when? If not, how would they address it? This was a "dealbreaker" question, by the way: anybody who said anything other than "yes, we tell the customer, and we do it immediately" wasn't a fit. Because ethics.</p>
<p>There are situations where doing security poorly, or overlooking questionable ethics, can be dangerous to the world at large. Do we decide to enforce robust ethics and a professional standard of care? Or do we let the free market decide?</p>