John Akerson's Thoughts

Business, technology and life

The Great Cost of Setting Terry Childs free.

Paul Venezia has continued his fantastic coverage of the Terry Childs case from San Francisco.  Terry was accused of a denial of service attack when he withheld access to network resources last year.

It is worth reading everything that Paul has written on the Terry Childs case. His work has been thorough and extremely well thought out.  You can read his latest article here.  http://www.infoworld.com/t/insider-threat/terry-childs-back-in-court-516

Given what Terry Childs has done, and the relevant California laws, I predict that Terry Childs will go free. 

Here’s why. California Code 502 states: “‘Computer services’ includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network.”
Paul points out that the code also says in “Subdivision (c)” that it “does not apply to punish any acts which are committed by a person within the scope of his or her lawful employment.” I think the combination of those two elements of the California law ensures that Terry Childs is going free. Either the charges will be dropped, or he will be found not guilty.


A quick recap of the case facts: Terry Childs is a certified technical expert. He was working in a limited-access computer area, and a person who he did not know should have access to the network asked him for a sort of blank check of administrative access. Terry felt that his responsibility was to protect that access, so he denied access to that person. He also called to let others know of what he considered an attempted security breach. Subsequently, Terry denied access to other people, who also had inadequate expertise. Eventually he gave those passwords and that access to the city’s mayor. Although the mayor also lacked technical expertise, Terry thought that the mayor was the only person with sufficient authority and responsibility. That was Terry’s duty, as he saw it.

Paul wrote “It’s been proven that Childs had no technical peers within the IT department; thus, essentially everyone he worked with could pose a threat to the network from his perspective.”

So – Terry Childs did what he thought was his job. He knew his job better than anyone else in his organization. Given the California code, and the amazing mistakes in all areas of the prosecution of this case, Terry is going to go free. (As an example, in publishing details of the case, prosecutors published and posted online a large number of valid/accurate usernames and passwords, compromising security, and perhaps underscoring the reasons why Childs was so careful.) Terry Childs will be exonerated or the charges will be dropped.

In most cases it would be great for charges to be dropped, for the accused to be released. In Terry’s case, he will go free at an enormous cost.  Terry will be branded for the rest of his life, fairly or unfairly, as a rogue administrator. It is a tag that he will not be able to escape. Given that label, that brand – it won’t matter that his income was 6 figures in the past. I suspect this case will likely cost him the rest of his career.  Nobody wants to hire a rogue – nobody wants a person who served a year in jail for being ACCUSED of computer crimes.  The job market is getting tighter for everyone, but for Terry Childs, this case is going to shrink it so much further.

What Terry did did not show the best judgment, but I understand it. Computer security is always a tricky risk-management balance composed of access granting and access limitation. The best risk management principles are always based on the concept of “deny all access, and grant only the most limited access that is absolutely required.” The second half of that principle is: “if greater than necessary access is requested, always have appropriate and informed executives execute an acceptance of that additional risk.” If he thought that all of the Information Management executives were incapable of being informed due to their inadequate depth of knowledge, it is understandable that he only gave access to the person who he KNEW had the authority and responsibility. So what he did was completely understandable. His actions and intent were neither good judgment nor a convictable crime.
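The two halves of that principle (default deny with minimal baseline grants, and a recorded risk acceptance by an authorized, informed approver whenever a request exceeds the baseline) can be written down as a small decision procedure. The following is an added example, not code from the post or from the City of San Francisco; every principal, resource, approver and access level in it is constructed for illustration, and the audit log is a plain in-memory list standing in for whatever ticketing or logging system a real shop would use.

```python
"""Default-deny access decisions with recorded risk acceptance (added example)."""
from dataclasses import dataclass, field

# Access levels in increasing order of privilege; "none" is the implicit default.
LEVELS = {"none": 0, "read": 1, "operator": 2, "admin": 3}


@dataclass(frozen=True)
class RiskAcceptance:
    """A record that a named approver accepted the risk of granting
    `principal` `level` access on `resource`, and why (constructed record)."""
    principal: str
    resource: str
    level: str
    approver: str
    rationale: str


@dataclass
class AccessPolicy:
    # Baseline grants: (principal, resource) -> highest level the job requires.
    # Anything not listed here is denied by default.
    baseline: dict
    # Only these people have the authority to accept additional risk.
    approvers: frozenset
    acceptances: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def baseline_level(self, principal, resource):
        return self.baseline.get((principal, resource), "none")

    def decide(self, principal, resource, level):
        """Return (allowed, reason) and append an audit entry for every decision."""
        if level not in LEVELS or level == "none":
            return self._log(principal, resource, level, False, "unknown access level")
        base = self.baseline_level(principal, resource)
        if LEVELS[level] <= LEVELS[base]:
            return self._log(principal, resource, level, True, "within baseline grant")
        # Request exceeds the baseline: look for a recorded risk acceptance that covers it.
        matching = [a for a in self.acceptances
                    if (a.principal, a.resource) == (principal, resource)
                    and LEVELS[a.level] >= LEVELS[level]]
        if not matching:
            return self._log(principal, resource, level, False,
                             "exceeds baseline; no recorded risk acceptance")
        valid = [a for a in matching if a.approver in self.approvers]
        if not valid:
            return self._log(principal, resource, level, False,
                             "exceeds baseline; acceptance not signed by an authorized approver")
        return self._log(principal, resource, level, True,
                         f"exceeds baseline; risk accepted by {valid[0].approver}")

    def _log(self, principal, resource, level, allowed, reason):
        self.audit_log.append({"principal": principal, "resource": resource,
                               "level": level, "allowed": allowed, "reason": reason})
        return allowed, reason


def build_example_policy():
    """Constructed policy: one network admin, one helpdesk account, one approver."""
    return AccessPolicy(
        baseline={
            ("net-admin-1", "core-routers"): "admin",   # the role that runs the network
            ("helpdesk-7", "core-routers"): "read",     # read-only is all helpdesk needs
        },
        approvers=frozenset({"mayor"}),  # constructed: the one office with authority here
    )


if __name__ == "__main__":
    policy = build_example_policy()
    print(policy.decide("helpdesk-7", "core-routers", "admin"))   # denied: exceeds baseline
    policy.acceptances.append(RiskAcceptance("helpdesk-7", "core-routers", "admin",
                                             "mayor", "temporary cover during outage"))
    print(policy.decide("helpdesk-7", "core-routers", "admin"))   # allowed, with approver named
    for entry in policy.audit_log:
        print(entry)
```

The point of recording the acceptance as a first-class object, rather than simply editing the baseline, is that the audit log then shows who took responsibility for each grant beyond the minimum, which is exactly the information that was missing in the dispute described above.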

The harder issues will come when this case is resolved. A large percentage of the dangerous, detrimental and malicious computer hacks come from insiders.  Another large percentage of dangerous, detrimental and malicious acts come via social engineering, which is essentially convincing someone that you really need a certain access.

Properly managing risk with regard to access control, even for employees, requires smart policies, intelligence, and good judgment, and even with all of those it is an extremely difficult challenge. If the case establishes a precedent that technology managers and experts must open access, that will have 3 simultaneous negative effects.

1) It will make security and risk management more challenging.
2) It will make dangerous acts much easier.
3) It will increase information technology costs.

That will be a great cost to everyone.

June 5, 2009 - Posted by | Business, Life, Security, Technology
