Cybersecurity whistleblowers: Get ready for more
- 19 February, 2016 22:21
It is not a public problem yet. But according to multiple experts, it will be.
“It” is the cybersecurity whistleblower – an employee who sees a flaw, or flaws, in his or her company’s network security, brings the problem to management but gets ignored or punished – marginalized, harassed, demoted or even fired.
And then the worker either goes public or files a complaint with a federal regulatory agency like the Securities and Exchange Commission (SEC).
Such a scenario is unlikely to end well – almost certainly for the company (if the complaint is credible) and perhaps even for the whistleblower, notwithstanding laws meant to protect them.
The company could face fines and other regulatory actions. The employee, who in some cases could be rewarded (the SEC offers 10 percent to 30 percent of a settlement of more than $1 million to “qualifying” whistleblowers), still might find it damaging to a career.
[ ALSO ON CSO: Whistleblowers at risk when using US government websites ]
“Think about it. If you were someone classified as a whistleblower, it would label you unemployable,” said one expert who declined to speak for attribution.
Another expert, who also declined to speak for attribution, said when he refused to certify that his previous employer was meeting a certain security standard, “I got warned, and eventually resigned. It became a hostile work environment.”
He has never spoken about it to regulators or other outside authorities either.
Eddie Schwartz, international vice president of ISACA and president of WhiteOps, said he knows of a case where a nation-state hack occurred and an employee reported it to his superiors.
“He was told to mind his business and that the organization was dealing with it. It wasn’t, and when he reported it to authorities, he was essentially fired for it,” Schwartz said.
So the predicted increase in cybersecurity whistleblower cases is somewhat speculative at the moment, in part due to secrecy. There are no public cases involving them on record so far, even though most businesses have had an online presence for two decades or even longer.
They do exist, according to Debra Katz, a founding partner at Katz, Marshall & Banks. She said her firm has represented about a dozen such whistleblowers, but those cases were, “settled in the pre-litigation stage and contain robust confidentiality provisions.” In other words, they are not public.
A second reason for a lack of clarity is that it remains a relatively new legal field. “All federal agencies – not just the SEC – are playing catch-up to align their policies with the seriousness of cybersecurity threats,” Katz said.
That means there is not much legal history, precedent or even laws that specifically addresses cybersecurity whistleblowers.
While there are nearly two dozen laws in various states that provide protection for whistleblowers in areas ranging from asbestos to drinking water, solid waste, railroads, motor vehicles, shipping containers, pipelines aviation, consumer products, hazardous waste, food, drugs and more, there is nothing on the books that provides specific protection for those involved with cybersecurity.
Still, attorneys like Katz, who specialize in whistleblower cases, say top management in organizations may need to play catch-up as well, since such cases could lead to damaging breaches or an investigation by a regulatory agency – or both.
And while legal protections may not be explicit for cybersecurity whistleblowers, they exist by implication, experts say. Lance Hayden, managing director at the Berkeley Research Group and a CSO contributor, is one of several who have cited a settlement last September between the SEC and R.T. Jones Capital Equities Management over charges that the firm’s violation of the “safeguards rule” led to a breach that compromised the information of about 100,000 people.
While the firm did not have to admit to the charges, it agreed to a censure by the SEC and to pay a $75,000 fine.
There was no documented evidence of whistleblower involvement in the case, but Hayden wrote that it became, “a sort of catalyst,” for the SEC to focus on cybersecurity.
He quoted SEC Commissioner Kara Stein saying after the R.T. Jones settlement that the agency intends “...to play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues …”
Dallas Hammer, an attorney with Zuckerman Law, writing for the National Law Review, said the R.T. Jones case indicates that, “cybersecurity issues have become a key enforcement priority for the SEC,” which means that, “in turn, whistleblower tips that touch on cybersecurity may receive additional scrutiny.”
And Katz wrote last fall that, “for public companies and other entities regulated by the Securities and Exchange Commission, mismanagement of their cybersecurity could violate securities laws.”
She noted that the Dodd-Frank Act established an SEC Whistleblower Program that, while it does not specifically address cybersecurity, could still lead to an enforcement action if a company is out of compliance with compliance requirements.
But those implications come with qualifications – both Hammer and Katz tempered their conclusions with words like “may” and “could” rather than “will.”
Ariel Silverstone, a consulting chief security and privacy officer, doesn’t think the qualifications are necessary. Since the SEC’s whistleblower program language doesn’t exclude cybersecurity, it is therefore included, he said.
[ MORE ON CSO: Changing the whistleblower-retaliation culture ]
Still, all those involved say it is impossible to make blanket statements about the topic since it is not a simple, black-and-white issue.
Derek Brink, vice president and research fellow at Aberdeen Group, noted what every security expert says – that there is no such thing as 100 percent security – so therefore the role of security professionals is, “to help the company manage its security-related risks to an acceptable level.”
If a company is ignoring a clear regulatory or legal directive – such as R.T. Jones’s failure to enforce the “safeguards rule” that sets standards for the protection of customer information – that would make it a relatively easy call.
But, Brink said, if it comes down to a disagreement over what level of risk management is acceptable, it is much less clear.
“The key point is that the security professionals don’t own the risk,” he said. “The business leaders own it. So it’s the job of the security professionals to advise and recommend, but it’s the job of the business leaders to decide.”
And if it comes down to a difference of opinion about the proper level of risk management, he said there is no legitimate whistle to blow.
Anton Chuvakin, research vice president, security and risk management at Gartner for Technical Professionals, agreed. A crime or clear regulatory violation is one thing, but, “in most cases, abysmal security is not a crime, so it would be hard to qualify him or her as a whistleblower,” he said.
Schwartz said any prudent organization will take cybersecurity seriously, and therefore investigate any concerns raised by employees. But he said it is important for workers to express those concerns through the chain of command first.
If there is no response, or a hostile response, “they can seek assistance through other authorities if that’s warranted, but there is no one size fits all for these types of situations.”
Katz didn’t want to make blanket statements either. For a whistleblower to be protected, the complaint would likely have to be about a failure to comply with legal or regulatory requirements, she said.
“In addition to the SEC, the FCC (Federal Communications Commission) and the FTC (Federal Trade Commission) are also enforcing lax cybersecurity standards,” she said, adding that, “there may be parts of the recent Cybersecurity Information Sharing Act (CISA) on which whistleblowers can rely.”
But broadly speaking, she said, what qualifies as a legitimate complaint by a cybersecurity whistleblower, “is still being sorted out.”
It would seem obvious that the way for organizations to avoid all this potential trouble is to take cybersecurity seriously.
But security initiatives can be complicated and expensive, and in a hypercompetitive world where it is crucial to limit expenses, that is not always the case.
It should be, however, according to Rich Mogull, who is both analyst and CEO at Securosis. He is blunt about it. “If a problem is reported you fix it. Full stop,” he said. “That’s how security needs to be handled. If someone had to go around supervisors to get something taken care of, then it’s time for a deeper investigation into what went wrong and why someone had to blow a whistle to get an issue resolved, vs. handling it through normal channels.”
Silverstone said he encourages employees to report any perceived flaws in security, in the same way they should report safety or harassment. He said he even makes it part of an employee policy handbook. “I encourage them to be adamant about it,” he said, adding that in his experience, virtually all those who brought concerns to him were well intentioned.
“There are very few who abuse the system,” he said. “I only remember one person who wasn’t telling the truth.”
Still, for those who don't work for the government or who have union protections, going outside management to blow the whistle on a security problem is risky, even if a complaint is upheld.
Stronger laws might help, said the anonymous expert who resigned rather than falsely certify compliance, and didn’t blow the whistle. “Our economy is built in such a way that the employer has the upper hand. Nothing good will come of it,” he said.