Arresting IT Administrators

This is one way of ensuring that IT keeps up with patches:

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers.

Prosecutors said the five IT officials of the public administration department had failed to check the security of the system and update it with the most recent antivirus software.

The next step would be to arrest managers at software companies for not releasing patches fast enough. And maybe programmers for writing buggy code. I don’t know where this line of thinking ends.

Posted on December 27, 2022 at 7:01 AM • 41 Comments

Comments

Derek Jones December 27, 2022 7:42 AM

Improving the reliability of software requires time and money.

The threat of prosecution will incentivize managers to invest resources to increase the reliability of their products.

I understand why the software security industry would be against these prosecutions. More reliable software would reduce the size of their market and their profitability.

jbmartin6 December 27, 2022 8:21 AM

Maybe this line of thinking ends where negligence laws end, with the reasonable person doctrine.

Derek Jones December 27, 2022 8:44 AM

When microcomputers first appeared, those of us working on ‘real’ computers laughed at how buggy some of the applications were.

As application usage became pervasive, users learned a norm for software reliability, i.e., what a reasonable person would expect.

Applications may slowly become more reliable, simply because the volume of new/modified code decreases and existing mistakes are fixed.

In the meantime, we continue to live through interesting times.

Jordan December 27, 2022 8:46 AM

The effects of negligence seem similar to previous industries like public utilities or bridges.

It would be nice if there were impetus for business people to act selflessly. We’ve made a huge amount of tech under the current impetus.

Tom Dilatush December 27, 2022 9:02 AM

I’ve been writing code for over 50 years now – just imagine how many bugs I created! I’m kinda hoping for a statute of limitations 🙂

Ted December 27, 2022 10:54 AM

So the initial access point for the attack was a Microsoft SharePoint vuln that had a patch in Feb 2019?

And the Albanian system was accessed through this vuln two years later, around May 2021? Which was still another 14 months before the July 2022 ransomware and wiper attacks?

Hmm. I hope we get more reporting as to why this occurred.

If I understand the charges correctly the five government IT admins are being held under Albania’s Criminal Code, Article 248 (a short paragraph).

Josephine Wolff has a well-researched and thoughtful analysis of this event. We are starting to see more criminal consequences for cybersecurity administrators emerge in the public sphere. There are many good reasons to have an ongoing dialogue about these types of decisions.

https://slate.com/technology/2022/12/albania-cyberattack-iran-it-workers-arrested.html
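Ted's timeline above (a fix available in February 2019, the system entered in May 2021, the destructive attack in July 2022) is a patch-lag question: how long did a host sit unpatched after a fix existed? Below is an added example, not code from the original post or from any Albanian agency, of the check a security operations team would run over its own inventory to answer that. The hosts, product names, versions, advisory dates and the SLA table are all constructed for illustration; only the February 2019 publication date and the July 2022 reference date mirror the timeline in Ted's comment.

```python
"""Patch-lag check: for each host and advisory, how long was (or is) the
host exposed after a fix became available, and does that exceed the SLA?

Added example with constructed data; product names, versions, hosts and
the SLA table are hypothetical and not from the incident discussed above."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: tuple      # first version that carries the fix
    published: date      # day the fix became available to install
    severity: str


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: tuple       # version currently installed
    installed_on: date   # day that version went in
    internet_facing: bool


# Hypothetical SLA: maximum days between fix availability and installation.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def exposure_window(host, adv, today):
    """Return (still_exposed, days).

    The window opens when the fix is published (there was nothing to
    install before that) and closes when a fixed version is installed,
    or at 'today' if the host still runs a version below fixed_in."""
    if host.product != adv.product:
        return False, 0
    if host.version >= adv.fixed_in:
        # Patched: lag is install day minus publish day, floored at zero
        # for hosts that were built fresh on an already-fixed version.
        return False, max((host.installed_on - adv.published).days, 0)
    return True, (today - adv.published).days


def sla_breaches(hosts, advisories, today):
    """Hosts whose exposure exceeded the SLA for the advisory's severity.
    Internet-facing hosts are held to half the SLA. Hosts that were
    patched late are reported too (still_exposed False) so the audit
    trail shows them alongside the ones still open."""
    breaches = []
    for h in hosts:
        for a in advisories:
            still_exposed, days = exposure_window(h, a, today)
            limit = SLA_DAYS[a.severity] // 2 if h.internet_facing else SLA_DAYS[a.severity]
            if days > limit:
                breaches.append((h.name, a.product, a.severity, still_exposed, days))
    return sorted(breaches, key=lambda b: -b[4])


# Constructed inventory. The 2019 fix date and the July 2022 reference
# date mirror the timeline quoted in the comment; nothing else is real.
ADVISORIES = [
    Advisory("webportal", (5, 2, 0), date(2019, 2, 12), "critical"),
    Advisory("mailgw", (3, 2), date(2022, 6, 1), "high"),
]
HOSTS = [
    Host("web-01", "webportal", (5, 1, 9), date(2018, 11, 3), True),
    Host("web-02", "webportal", (5, 2, 0), date(2019, 2, 18), True),
    Host("mail-01", "mailgw", (3, 1), date(2022, 1, 15), True),
    Host("mail-02", "mailgw", (3, 2), date(2022, 6, 20), False),
]
TODAY = date(2022, 7, 15)

if __name__ == "__main__":
    for name, product, sev, exposed, days in sla_breaches(HOSTS, ADVISORIES, TODAY):
        state = "STILL EXPOSED" if exposed else "patched late"
        print(f"{name:8} {product:10} {sev:9} {state:14} {days:5d} days")
```

Run as-is it reports web-01 as still exposed for 1249 days and mail-01 for 44, while web-02 (patched six days after the fix) and mail-02 (patched within the SLA) are silent. The design choice worth noting is that the clock starts at the vendor's publication date, not at the date the operator first heard of the advisory; that is the measure a prosecutor or auditor will use, so it is the one to track internally.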

Rob December 27, 2022 10:58 AM

There’s not enough info in the article for me to really decide on whether or not this is bad.

I agree with @jbmartin6, this could very well fall under negligence. If they hadn’t done anything for months, I can completely understand them being charged. If they’re a few days or a week or two behind, it’s not particularly reasonable to charge.

Roger Loeb December 27, 2022 10:59 AM

Responsibility starts at the top, not the people at the bottom. If security is inadequate, the top executives failed to fund the necessary functions. In almost any organization, particularly in a government bureaucracy, the people who do the work have little or no freedom of independent thought. When they point out a flaw, such as a security exposure, the usual response is, “we don’t have the budget to deal with that.” On the other hand, if you want someone to blame, the folks near the bottom of the totem pole have the least ability to object.

Wayne December 27, 2022 11:14 AM

I’m now retired from IT. My last major job at a decent-sized city, 200k residents in the MSA, I was the sole database administrator. The boss sprang a pen test on us one night. Mine were the only servers they weren’t able to get into.

I was pleased.

Never got to see the final report, though. I really wanted to see that, just to see what one looked like.

I much prefer working at a university library. Very pleasant pre-retirement gig.

poopyhead mcgee December 27, 2022 11:42 AM

I am only commenting to say Roger hit the bullseye: the problem in IT lies where it ALWAYS has: executives listening to and making decisions based on what hot shot marketers tell them instead of their own engineers.

Clive Robinson December 27, 2022 12:00 PM

@ Bruce, ALL,

“And maybe programmers for writing buggy code. I don’t know where this line of thinking ends.”

In this case, if you understand the mechanism, the answer is all too obvious.

1, Someone with power is embarrassed, and potentially will get loss of face.
2, So they point the finger, and let loose the hounds.
3, Those having fingers pointed at them in turn point fingers, and encourage the hounds on.
4, Eventually they reach a person who can not turn and point, so the hounds now rip them apart.

Thus the survival trait that is most important is to have a scapegoat or hot potato holder…

So…

For all the readers here, as you are probably not at the top, you need two things,

1, Documented evidence it was your boss.
2, Someone or something to blame.

Enter stage right with a bow “Machine Learning”…

(and no I’m not joking ML is going to be the next “Ernst Stavro Blofeld” or “Billion Dollar Brain”).

TimH December 27, 2022 12:30 PM

Make patching mandatory and suddenly patches will start including features that the vendors want but others down the line don’t.

waldo December 27, 2022 12:51 PM

The comment about arresting software developers for writing buggy code is a bit naive. Usually it is their managers and executive directors that dictate when releases are to be scheduled, duration of project timelines etc. and very few developers have any real say in when software goes out of the door. That must certainly change – but until developers are empowered to have a say in the QC of their code, they are not alone negligent for buggy code. It is the system that is at fault – one of profits and time to market pressures.

David in Toronto December 27, 2022 1:43 PM

The answer needs to be systematic. Since that isn’t going to magically appear overnight, there need to be strategic pressure points exercised. That won’t be just IT. It will need purchasing/procurement, senior leadership, business doing a few key things each. Legal pressures will bring things along. Cyberinsurance or lack thereof will shake some things up. And failures, very public failures.

Right now if I go into organizations you can hear absolutely contradictory garbage. Examples (that I have seen in singular organizations):

  • They want to treat servers like appliances that you can go out and replace when they break.
  • If you ask why they haven’t patched in 3 years they’ll tell you they can’t upgrade X because application Y was written for that platform and will need to be rewritten for X+1.
  • Their web applications were written under contract by far too many companies and trivial changes require months and cost insanely much to fix.

This is unacceptable and unsustainable. The whole supply chain is at fault.

barfa December 27, 2022 2:47 PM

Arrest politicians for not making policies that prioritize better national IT security. Arrest current voters that vote for the politicians that failed to [see above].
Arrest the dead parents of current voters that raised them to [see above].
Arrest god &/or Existence that created humans so flawed that we [see above].
Just as long as the buck never stops.

&ers December 27, 2022 3:07 PM

@Wayne

“I was pleased.”

You shouldn’t be.

My experience tells me that there are no impenetrable systems. Given that you have an experienced red team that can think out of the box and can develop exploits in real-time, and you have enough funding and enough time, ANY system can be penetrated.

I’d say that red team was just inexperienced.

Raika December 27, 2022 3:20 PM

I think the first step if it hasn’t been mentioned is to prosecute the executives and board members of companies that perpetuate privacy and security breaches. Make it financially infeasible for them to force developers and programmers to “go fast” and produce fallible work.

Erdem Memisyazici December 27, 2022 3:59 PM

Why not? It does lead to massive monetary damages, and it could (has) cost lives.

It’s not an unavoidable natural disaster to have bad code or configuration. It’s just an extremely difficult process to get right.

Generally only militaries and also a handful of private establishments have bug free software 99.99% of the time. I can see why they called for arrests.

Reminds me of space agency woes.

Anonymous December 27, 2022 6:01 PM

I see no reason computer engineers should not be held to the same standard as other engineers, and computer security staff to the same standard as physical security staff.

Clive Robinson December 27, 2022 6:41 PM

@ Erdem Memisyazici, ALL,

Re : Nothing is 100%

“It’s not an unavoidable natural disaster to have bad code or configuration.”

No, likewise hardware that can not be replaced or upgraded. But acknowledging that and dealing with it sensibly are where it all goes horribly wrong.

Almost the first question I ask when getting involved is,

“What is the business case for this computer to be connected to external communications / Internet?”

I’ve had various hand-wavy answers but next to none are actually a business case, let alone sensible or, to be blunt, responsible.

And it all kind of goes down hill from there security wise most places…

Few appear to understand the notion that you can not defend against every instance of an attack, but you can mitigate the class of attack it’s in.

The strongest mitigation from attack in the ICTsec toolbox is “Segregation” and it’s usually relatively simple to do, but often “It’s not convenient”.

To put it simply,

“If they can not reach it they can not attack it.”

Yes that still leaves “insider attacks” where reaching/using kit is SOP. And also as I know having developed one or two ways myself “air-gap crossing attacks” are not just possible they are practical to a certain extent.

However sensible segregation makes attacking from outside quite hard, thus lifts you several levels above the “low hanging fruit” that surrounds you in what is, due to lack of segregation, “a target rich environment”. Segregation thus removes all but “targeted attacks” that will get through unless different tactics are used[1].

I have to run software for maintenance and development of upgrades purposes that I know has more holes than a string vest (the reason is ICS hardware that can not be replaced). So I run them strongly segregated and so far I’ve not had any issues, nor have the customers.

[1] In physical security you work on the idea that you can not stop attackers reaching their targets by passive means alone. Thus you go down the,

“Detect, delay, respond.”

Route usually with the notion of,

“Capture and Eliminate threat”

As the end goal of effectively “banging the perps in jail” etc. For various reasons in information security “capture” is rarely viable, but threat elimination by changing defences proactively is.
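Clive’s point above (if they can not reach it they can not attack it; segregation removes all but targeted attacks) is something you can check rather than assert. Below is an added example, not code from the original comment or from any real network, that treats the firewall allow-list as a graph and searches for a chain of individually permitted flows from the internet to the ICS segment. The zone names and the allow-list are constructed; the pivot through a jump host is the kind of “convenient” exception that quietly undoes segregation, which is what the example is built to surface.

```python
"""Segregation check: can the outside reach a given segment at all, and if
so through which chain of individually permitted flows?

Added example with a constructed policy; the zone names and allow-list
below are hypothetical and not taken from any real network."""
from collections import deque

# Constructed allow-list as (source_zone, destination_zone, service).
# Only listed flows are permitted; anything else is dropped. Each rule
# looks harmless on its own.
ALLOWED_FLOWS = [
    ("internet", "dmz", "https"),    # public web front end
    ("dmz", "corp", "ldap"),         # web tier authenticates against AD
    ("corp", "backup", "smb"),       # nightly backups
    ("corp", "jump", "rdp"),         # engineers log on to the jump host
    ("jump", "ics", "modbus"),       # jump host talks to the PLC network
]


def reachable_path(flows, src, dst):
    """Breadth-first search over the flow graph.

    Returns the shortest chain of permitted hops from src to dst as a list
    of (from_zone, service, to_zone) tuples, or None when no chain exists,
    i.e. dst is genuinely segregated from src. The service is carried so
    the report names the rule to cut."""
    adjacency = {}
    for a, b, svc in flows:
        adjacency.setdefault(a, []).append((b, svc))
    queue = deque([(src, [])])
    seen = {src}
    while queue:
        zone, path = queue.popleft()
        if zone == dst:
            return path
        for nxt, svc in adjacency.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(zone, svc, nxt)]))
    return None


def external_exposure(flows, origin="internet"):
    """Map every zone named in the policy to the chain by which origin can
    reach it (None means segregated from origin)."""
    zones = {z for a, b, _ in flows for z in (a, b)} - {origin}
    return {z: reachable_path(flows, origin, z) for z in sorted(zones)}


def without(flows, rule):
    """The same policy with one rule removed, to test a proposed cut."""
    return [f for f in flows if f != rule]


if __name__ == "__main__":
    for zone, path in external_exposure(ALLOWED_FLOWS).items():
        if path is None:
            print(zone, "segregated from internet")
        else:
            print(zone, " -> ".join(f"{a}:{s}" for a, s, _ in path), "->", zone)
    fixed = without(ALLOWED_FLOWS, ("corp", "jump", "rdp"))
    print("ics after cutting corp->jump rdp:", reachable_path(fixed, "internet", "ics"))
```

No rule says internet to ics, yet the search finds internet, dmz, corp, jump, ics in four hops, and every zone in the policy turns out to be externally reachable. Cutting the corp-to-jump RDP rule (or, better, giving the jump host no route from anything the internet can touch) makes the ICS segment return None, which is the state Clive describes as segregated. The same walk works at host level over a real rule dump once you parse it into (src, dst, service) triples, and it is worth re-running after every “temporary” exception.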

Firefly December 28, 2022 7:02 AM

The arrests will continue until security improves.

“I don’t know where this line of thinking ends.”

I don’t know either. But at least for other jobs there are similar mechanisms that when you don’t care about certain (security) standards you will face consequences.
They usually won’t get arrested (except in cases of huge personal/financial damage) but maybe need to apply for a new job.

cyberion December 28, 2022 8:24 AM

Not as bad as arresting IT admins, but in Suffolk County, Long Island, an information technology director was put on leave for negligence for a similar reason recently.

There’s disagreement on how much effort the director had put on trying to get the systems updated. Also it was apparently related to funding in this case.

How Hackers Used One Software Flaw to Take Down a County Computer System
https://www.nytimes.com/2022/12/21/nyregion/suffolk-county-cyberattack.html

msb December 28, 2022 12:57 PM

Software developers need to be held accountable to the same level of liability as any other industry.

If the wheels fall off your new car, the manufacturer gets sued for damages. If that car is recalled and you don’t get it fixed, that’s now on you.

Metal shavings in your Ketchup? Law suit, and maybe criminal charges if someone is injured.

Building falls over? same-same.

The same should apply to software. If software is the vector for ransomware, the developer should pay damages. If that was exploited because you haven’t applied an available patch, then too bad for you.

Clive Robinson December 28, 2022 1:37 PM

@ ALL,

Re : Blame them all, not.

One of the problems with legislation is those that frame it get it wrong.

At its simplest either the legislation is too narrow in scope and does not cover all that people want it to, or it’s too broad in scope and things that should not be a crime are.

But there are other issues. Software is more complex than just about every other endeavour mankind has put his hand to. But… People see software as a “single entity” which is very very unwise and legislators for the past four decades have fallen into this trap.

Think of it this way,

“Should the legislation that covers cars and other road vehicles cover knives?”

They are both made of machined materials that are then assembled into a finished product that is made available for purchase…

So they are the same right?

Common sense says no, so you have different legislation for them.

We need to realise that adding effective and useful software legislation is going to at least double the size of existing product law, then have quite some more on top…

If you don’t immediately see why, then have a look around your home and ask “What does not have software in it?”

For software legislation very very little will be of the “one size covers all”. Otherwise there will be miscarriages of justice to put it mildly.

Dick Brooks (REA) December 28, 2022 6:50 PM

I hope the arrested IT staffers have evidence showing their request for funding to address cybersecurity protections was denied and they can point the authorities at the real culprits. The cybersecurity professionals I’ve worked with take their job very seriously, for good reason – they are the ones that get called at 2:00 AM when someone has taken over the SCADA system, then they have to fix the problem. Many of the people I’ve worked with over the years prefer a proactive approach to cybersecurity to avoid the 2:00 AM reactionary wake-up calls.

ResearcherZero December 29, 2022 6:46 PM

Arrest all the politicians for interfering with police operations.

https://www.mynwfl.com/post/rebekahjonescasedismissed

https://eu.tallahassee.com/story/news/2020/12/08/scientists-speak-out-raid-fired-florida-doh-employee-rebekah-jones-home/3862377001/

COVID data manager investigated, raided for using publicly available password

“It turns out, however, that not only do all state employees with access to that system share a single username and password, but also those credentials are publicly available on the Internet for anyone to read.”
https://arstechnica.com/tech-policy/2020/12/florida-posted-the-password-to-a-key-disaster-system-on-its-website/

Video of the raid
https://twitter.com/GeoRebekah/status/1336065787900145665

Finally arrest their mothers for not teaching them good manners and instilling in their sons and daughters at least some level of compassion…

Compassion Training Alters Altruism and Neural Responses to Suffering

These results suggest that compassion can be cultivated with training and that greater altruistic behavior may emerge from increased engagement of neural systems implicated in understanding the suffering of other people, executive and emotional control, and reward processing.
https://journals.sagepub.com/doi/abs/10.1177/0956797612469537

Compassion Through Reading Fiction

“To understand stories, we have to understand characters, their motivations, interactions, reactions, and goals. It’s possible that while understanding stories, we can improve our ability to understand real people in the real world at the same time.”
https://www.apa.org/monitor/2021/11/feature-cultivating-empathy

Thinking About the Future Can Shift Our Intentions to Behave Better

We also know from other research that excessive worry or rumination are oftentimes not very productive. So maybe it is indeed a positive orientation toward the future. At the same time, thinking about the future in general may make one’s current needs seem less important. Again, this is also a hypothesis and it would be worthwhile to test it.
https://nautil.us/how-mental-time-travel-can-make-us-better-people-254241/

Pope Francis sermon – On Cults of Personality

“There isn’t only the violence of weapons, there is verbal violence, psychological violence, the violence of abuse of power, the hidden violence of gossip. Don’t take advantage of your own position and role to mortify the other. True heresy consists not only in preaching another gospel, as Saint Paul told us, but also in ceasing to translate its message into today’s languages and ways of thinking.”

Francis told the story of a 17th century convent in Port Royal, France, where the superior, Mother Angelique, had charismatically reformed herself and her monastery after evil crept in, but the devil came back in the form of a rigid faith.

“They had cast out the demon, but he had returned seven times stronger, and under the guise of austerity and rigor, he had introduced rigidity and the presumption that they were better than others. Before, it appeared rough and violent, now it shows up as elegant and refined. We need to realize that and once again to unmask it. That is how these ‘elegant demons’ are: they enter smoothly, without our even being conscious of them.”
https://apnews.com/article/pope-francis-religion-vatican-city-a14a52f3d3300330acfd13b5bffb0144

Canis familiaris December 30, 2022 9:18 AM

Holding software ‘engineers’ to the same standards as civil or electrical engineers is fine, so long as you are happy to pay the same for each computer as a bridge.

Unfortunately, folk have become used to the ‘cheap and cheerful’ approach of things ‘sort of’ working most of the time. If you take away their toys, the children will complain.

Clive Robinson December 30, 2022 10:50 AM

@ Canis familiaris, ALL,

Re : Computer Systems Cost

“Holding software ‘engineers’ to the same standards as civil or electrical engineers is fine, so long as you are happy to pay the same for each computer as a bridge.”

Hmmm “software -v- civil/electrical” is not comparing apples with apples. Likewise the product costs,

Software ~= development/customers

Hardware ~= (development + production)/customers

From experience I know that until more recent times, Software Developers could earn 3-10 times as much as civil/electrical engineers as well as electronics design engineers. For my sins I’ve done all of those jobs including being both a civil engineer/designer and when a lot younger my real passion the design of sporting / leisure marine craft[1].

The real issue is not the cost but,

“The time.”

I used to write embedded systems software for mask programmable microcontrollers used in “Fast Moving Consumer Electronics”(FMCE). You had to get it right, ie “Zero Defect” and that involves one heck of a lot of test, about 60-75% of the actual development time. But in modern software that would be up in the 90% range if just “done by hand”.

It’s why other shall we say more curious languages like Rust are of interest along with various types of formal methods.

But you also should consider about the most complicated mechanical engineered devices people are ever going to see. Which are the likes of 747 aircraft and some cruise ships that have a million plus parts. Bridges may be large, but actually they are not that complex in terms of parts.

There are a lot of software projects that easily exceed those figures, in terms of effectively unique parts. Also those parts tend to be rather more “individually unique” rather than “scaled” (think of engine parts that are not scaled, unlike nuts and bolts). Think of software being made with hundreds of thousands of different sub-assemblies rather than the likes of bridges and buildings that can and have been made with less than a thousand sub assemblies (you can actually build houses with less than a hundred different types of –not scaled– parts).

Which brings us to your second paragraph,

“Unfortunately, folk have become used to the ‘cheap and cheerful’ approach of things ‘sort of’ working most of the time. If you take away their toys, the children will complain.”

That is all true but missing “quick” or “untested”… The thing about commercial and consumer software, is mostly it is,

“Quick, dirty, and very much untested, and fails frequently (BSOD etc).”

And we get away with it because,

“It really is mostly toy software.”

With toy cars, nobody really cares “if the wheels come off” as you play with them, because you just put them back on again. With real cars people do very much care “if the wheels come off” as you drive them down the highway… Because that tends to result in body parts all over the highway, a few of which will be human…

[1] The design and construction of marine vessels was my passion and what I wanted to do as a career, electronics and computers were just a hobby to exercise the brain with. Then as a teenager I started to get ill from working with the chemicals involved and all over “dermatitis that weeps” is not a good look on anyone. So I had to jump career paths and my hobby that I was rather good at became the beginning of my profession. For other reasons at some point or another my other hobbies have become my profession. Let’s just say I don’t recommend it as a career path, because you end up losing one by one your hobbies and nobody should do that…

Nick Levinson December 31, 2022 6:30 PM

This depends on Albanian law, on which we don’t have much information, because not only do we need the text of the law we’d also need to know, e.g., the rules of construction and the effect of adjectival law. In the U.S., we have many cases that go beyond the simple words of a statute; a law against fraud can’t list every form of fraud, so instead judges instruct juries on the relevant law of fraud and appellate courts determine the validity of those instructions. So the Albanian case should be viewed not as a possible stretch of the law but as an opening into whether the law should reach people with the responsibilities (or lack thereof) described here in similar contexts.

In the U.S., a case like it could happen where a contract or terms or other law provides the path from statute to liability, including civil and criminal. Probably customers like nuclear power plant owners arrange for that liability, with notice to the programmers et al. (they’re supposed to read what they sign and customers don’t want employees or contractors who are too sloppy to understand the degree of their liability). Palantir offers an operating system and other software and prices start at a million dollars a month and has customers like the CIA; I expect that the legal liability accepted by Palantir is enough to haul the firm and its people into court, and Palantir itself likely can do much the same to its own people.

modem phonemes December 31, 2022 9:23 PM

@ ResearcherZero

mandiant

There is a lot of discussion about general organizational matters, which has its place, but where is there discussion about how to address, in general, the actual substantive problem, which remains invariant regardless of the organization’s structure?

This seems like a lot of modern IT nostrums, such as “agile”, which provide recommendations for everything but the essential, namely principles for discovering and addressing the substance of programming design.

Who? January 1, 2023 9:38 AM

Firmware developers should be arrested for not providing BIOS updates after a few years, opening unfixable vulnerabilities on computers. Not to say Intel staff for forcing industry to provide its management engine and not providing a clean [official] way to disable it.

lu4ker January 1, 2023 12:12 PM

@Who?

It’s relatively easy to avoid IME, build your own chip with ARM. Of course you still have to trust and verify your chosen foundry …

Nick Levinson January 1, 2023 1:30 PM

@Who?:

No, I generally disagree about arrest.

Unless the suppliers offer an update, they probably don’t have to. If they offer updates, they can probably stop anytime. If they contractually agree to a schedule, a limit on MTBF, or a minimum duration to EOL and they breach the contract, you may have a civil remedy.

In any case, you can figure the cost of ownership of the device you’re thinking of acquiring based on when you’d have to stop using it because it would have become too vulnerable, thus obsolete compared to predicted alternatives.

Arrest is dramatic and can be satisfying, but a criminal case is harder to prove than a civil one. The burden of proof is higher.

Chris January 16, 2023 7:32 PM

Brilliant idea!!

Out of EVERY Audit of government systems in Australia (Federal, State, and Local), there has NEVER been a single one that has found compliance with our mandatory cyber controls.

There’s absolutely no consequences for any public servant who “doesn’t care”, so none do.

I wasted 12 years selling Authentication technology all over the world – not even one time did any of my potential customers (most CISOs for banks, government, and large corps) test or even question the efficacy of my product.

NOBODY in cyber security takes their job seriously. They all say they do, but when the rubber hits the road – they simply don’t engage their brains. A stint behind bars is almost certainly needed to help them understand the damage their recklessness is causing to everyone else.
