Archive for the ‘Law’ Category

SEC Guidance Regarding Disclosure of Information Security Risk

January 31st, 2012 - ח טבת תשעב

With the US economy in danger in 1933, almost 100 years ago, two laws were passed with two important aims: on the one hand, to calm and reassure a desperate public that its future investments would go only into fully risk-transparent companies; and on the other, to demand that companies which collect money from the public fully assess, investigate, mitigate and disclose such risks.

These laws, the “Securities Act of 1933” and the “Securities Exchange Act of 1934”, set minimum thresholds for many practices, including the disclosure of all forms of risk. Arguably, the most visible effect of these laws was the creation of the Securities and Exchange Commission, or, for short, the SEC.

While these laws always mandated the disclosure of risk, as the text of Regulation S-K 503(c) quoted below shows, there was never a direct call to disclose ‘cyber’ (or information security) risks:

Risk factors. Where appropriate, provide under the caption “Risk Factors” a discussion of the most significant factors that make the offering speculative or risky. This discussion must be concise and organized logically. Do not present risks that could apply to any issuer or any offering. Explain how the risk affects the issuer or the securities being offered. Set forth each risk factor under a subcaption that adequately describes the risk. The risk factor discussion must immediately follow the summary section. … The risk factors may include, among other things, the following:

  1. Your lack of an operating history;
  2. Your lack of profitable operations in recent periods;
  3. Your financial position;
  4. Your business or proposed business; or
  5. The lack of a market for your common equity securities or securities convertible into or exercisable for common equity securities.

In fact, since 2005, and in response to the SEC’s demands, those companies that disclosed information security risk *at all* often chose to put in their annual 10-K and quarterly 10-Q forms a ‘boilerplate’ statement along the lines of:

Failure of an information system or a compromise of security of an information system could adversely affect our results of operations and financial reporting

That should now change.

In October 2011, the SEC’s Division of Corporation Finance issued a Disclosure Guidance (available at the SEC site) ‘suggesting’ (in practice requiring, since not following it adds liability) a far more detailed and comprehensive discussion of information security risks.

In the next blog entry, I will discuss, analyze, and explain my views of this Guidance, as an Information Security Risk professional.

Note: I am not an attorney and this blog does not intend to represent legal advice. For legal advice, consult an attorney.

Cyberwar Iran 2009: Part XXI – 2010, A Legal Odyssey

August 21st, 2010 - כב אב תשע

Today, a CNN.com article stated that, predictably,

Earlier this week, New Jersey-based Iranian blogger Mehdi Saharkhiz filed a lawsuit in a U.S. federal court against Nokia Siemens Networks on behalf of his father, Isa, who has been in an Iranian prison since July 2009.

In what is sure to be the baseline of its defense, Nokia-Siemens stated that the lawsuit is brought "in the wrong place, against the wrong party and on the wrong premise". Oddly enough, NSN is not disputing that its equipment was used to spy on the Iranian people, a denial it did make in the past and which now proves to have been disingenuous. There is no doubt that Nokia-Siemens equipment, technically managed by a shell group of managers in Germany, was used to perform the surveillance after last year's elections in Iran, and that the result of that surveillance was the arrest, rape and execution of many people who dared to speak against the government there.

Nokia-Siemens also stated, to the European Union Parliament no less, that it left Iran in early 2009, and that it sold its last monitoring center there in March 2009:

…soon after our formation as a company, we made a decision to exit from the monitoring center business, and closed a transaction to divest our remaining assets in March 2009, well before the disputed election in June. …

Really?

Nokia Siemens Is Lying.  Again.

The company's own website has open jobs in Iran. Want one?

A simple search on LinkedIn shows that there are at least 76 people who list their current employer in Iran as Nokia-Siemens. At least one of them has the title "Country Manager", a title which indicates that (a) there is enough business in that country to need a designated manager and (b) the company is not based in Iran.

And here is an employee who started working at NSN-Iran in January 2010.

Isn't it time for Nokia-Siemens to tell the truth? Should they not divest and stop supporting that despotic, crazy regime?

As for what we can do?

Well, we need to stop buying Nokia, Siemens, or Nokia-Siemens products. We need to assess whether anyone we find who works for NSN holds a professional certification, especially around HR, Security or Networking, complain to the certification organizations' boards, and ask for those certifications to be revoked (for performing unethical work).

And I would love to hear more ideas on how we can punish the Iranian government… This Iranian Legal Odyssey should succeed further in punishing the Iranian regime for choosing its pariah way.