Wednesday, June 26, 2013

IRS Targeting Should be No Surprise to BSA/AML Specialists

I've been following this so-called scandal about the IRS BOLO lists. Now, don't get me wrong: if the White House had anything to do with directing the IRS to investigate anyone, that would be wrong. I'm just not so sure that they did.

I'm just shocked that more private sector people have not come out to say "this is not a surprise to me". To me, I had no clue that revealing this would be "whistle-blowing", since my own career suggested this was exactly what happens at the IRS.

Briefly, AML specialists operate under the Bank Secrecy Act (BSA), which was largely started in an effort to fight organized crime. If you remember, Al Capone went to jail largely for tax evasion, not for the violent crimes. The United States figured it was a swell idea to make it a regulation that banks needed to look out for signs of tax evasion. This BSA program exploded right after 9/11, when additional Know Your Customer and anti-terrorism financing regulations meant that banks everywhere suddenly beefed up their BSA/AML programs to a huge degree. This program looks for transactions that could be considered an evasion of tax reporting or terrorist financing and then writes SARs, or Suspicious Activity Reports, to the government. The government basically uses these as precedent for a warrant anytime they want, under the concept that a "lay person" considering the activity suspicious enough to report it to the government is a very, very powerful statement to make before a grand jury. No secrets here folks, read it all here and on other government websites.

Except that, I'm afraid, I don't personally consider these people to be very "lay", in that they are actually pretty highly trained, often by law enforcement, to target very specific individuals depending on the particular political agenda at the time. In the Bush era, whilst working for a bank in the AML program, we were given a day of training by FBI agents on how to look for evidence of the use of Hawala, which, although discouraged in the US, is still very much legal. Later, under the Obama era, we were advised by auditors from a different agency that there was a 'rash' of people who were converting their assets to gold and putting the gold in safe deposit boxes (also perfectly legal in itself). We were told we should report these people, and that they were often associated with the Tea Party.

We would only have to assume, therefore, that there is a sort of feedback loop occurring here. The AML divisions of banks attend seminars by government agencies that educate them on the latest money laundering trends to look out for; the banks increasingly file on those trends, and those agencies then use the filings to justify the trend itself. If we were being told that certain behavior or association with political or religious parties often correlated with tax evasion, we reported more of that behavior as possible evidence of tax evasion. So of course the IRS must have a BOLO. And yes, these do go to the IRS among other agencies.

Before anyone freaks out and thinks this is a larger conspiracy at play: you know what the two things have in common? They are means of taking currency out of the banking system in a fashion that makes it easy to cheat on your taxes. This is what this entire BOLO list is about. The key words and groups they picked were ones they anticipated, or had historically seen, submitting some questionable documentation. Medical Marijuana? There is a huge mess around the tax situation for those organizations anyway; many of them having to turn to the guise of non-profit agencies that take "donations" just to conform to a sensible code. Additionally, many normal business expenses cannot be written off, so I'm sure they get a lot of honest mistakes. Some people are just... gullible, or guilty of believing an urban legend. I think the Tea Party had a pretty good urban legend going about "legal" ways to avoid paying taxes, and it got them attention.
Fox News

Does this excuse the behavior? Is any of the above ethical or justified? That's not what this article is about. That is a much bigger question for other articles. I simply propose that there are many, many people in private sector banking who were not at all surprised by these announcements. I'm surprised I have not heard more from them.

Philosophy on Information Security

I wanted to write down a collection of guiding principles that I've collected over my career so far. Having been privileged to work with many senior IT and security folks, I can take credit for none of these revelations except for collecting them here to share with you.

These are some of the most valuable insights I've had, and they now make up the core of my guiding philosophy toward information security and compliance. Thank you to everyone who has contributed to forming these principles, and if you recognize one as your very own, please feel free to take credit or email me and I'll include the credit to you. It's a compliment that these are so blended into my background and my mind that I no longer recognize the places where they originated, and not meant as any slight.

  • Security decisions are, ultimately, business decisions. The unspoken second half of that is "... and you have to be OK with that." In other words, we can provide the best information possible to our bosses and the organizations we work for about the risks, methods of mitigation and recommended strategies, but ultimately the decision they make is a business decision and includes factors we're not privy to. In fact, we don't WANT to be privy to them, as they are oftentimes political in nature. Your work can be amazing, perfect and flawless and the company may still decide to go a different way. It is not a reflection on you or your work. This can be translated as, "learn to let go".
  • Bring method to madness. Generally speaking, a lot of what we do as security professionals is bring a framework or method of approaching very large and complex problems. We're experts at taking things like NIST or ISO and using them as a roadmap to approaching a wide variety of IT problems. When you're faced with what seems like an uncoordinated, uncharted, and disorganized approach, find the method. Down to the basic scientific method approach to troubleshooting.
  • Learn to be humble, ask for help and never pretend you know what you're doing. Having the pleasure of working with senior folks in the field, I can tell you they do not mind if you openly admit you do not know how to do something. They may be frustrated that they do not have the time to teach you under a deadline, but that is not ire directed at you. What will get you in trouble, get you fired, is if you fail to mention what you don't know and try to guess your way through it. You break something, and then they have to spend time not only fixing what you broke but training you anyway. Admit when you do not know.
  • I know this is IT, but soft skills are important too. I originally went into the field of forensics to become a medical examiner, and partway through the criminology and biology courses I discovered that whilst I had the stomach for gore, my nose was very sensitive. I wanted to be a medical examiner not just because forensics fascinates me, but because, like many IT folks, I am happier in a less-social comfort zone. I thought computer forensics and infosec were a good choice, but I've found myself more than once asked to be "less intimidating". For someone who found themselves on the losing end of a bully's fist, this was a shock to my system. I read books on negotiation, joined something like a women's 'toastmasters', and even found online webinars and seminars on project management, communication skills, negotiation and soft skills. Be approachable, be open, learn consensus building.
  • Never stop learning. No, REALLY. I loved school. I thought IT would be a good field because when I talked to folks currently with a successful career, the one warning that was repeated over and over was "you never stop learning". School just doesn't cut it for this. It is not just that technology is changing so quickly that you have to keep up, it is the sheer inter-connected nature of the beast. You may go into security, but you will have to beef up on networking, then eventually databases, and one day you'll find yourself needing some scripting skills. You go into networking, you better believe you need server skills, which means eventually you'll get into databases. If you're any good at either, you'll be into security as well... do you see what I mean? Be prepared for two full-time jobs: one where you do your job and another where you are constantly learning how to do the job you need to do tomorrow.
  • Take a moment to smell the roses, and remember to play. Sometimes we get so caught up in whatever small political or technological hurdle we are currently facing that we forget to stop, look around and remember "How freaking cool is my job?!" Take a moment to savor your accomplishments, your efforts in learning, your ability to explore a field of science many look to with feelings of magic and mystery. You help make people's lives better. Taking time away from what is frustrating you and just playing can be powerful in many ways. Play is key to problem solving, it can rejuvenate and revive you, and it can bring clarity in ways you never thought. Just take a moment.

Well, that is all for now. I have another post brewing on interview questions every Infosec / CISSP should be asking their prospective new employer!
Stay tuned.