Monday, May 11, 2015

Hey CPA: Should I get anti-virus for my home network?

Recently, I was having a conversation with my friend's 12 year old daughter. She's an avid e-book reader and her Kobo is a close companion. We were discussing the susceptibility of Kobo (in contrast to her computer) to viruses. I wasn't sure what OS was on the Kobo, but I did a quick check and realized that it was a Linux operating system. So I explained the economics of malware: most malware are designed for the Windows or MAC Operating System: criminals want to get the most bang for their buck. So the likelihood that hackers would target the Kobo tablets would be quite low.

Then it struck me: would a CPA be able to lead this sort of discussion?

The recent merger of the professional accounting bodies prompted the publication of a new competency map. The new competency map, however, greatly reduced the amount of technology competence required by a CPA.

Coincidentally, the WSJ published a review of the Bit Defender BOX around the same time I had this discussion. For what it is, see Amazon's Video Review.

As with the conversation with the 12 year-old, I wondered whether a CPA could keep pace with the issues brought up in the article, which include:
  • If there's an OS, there's a risk of virus infection: The proliferation of "smart" devices is actually a proliferation of operating systems. As they point, no large scale infections to report yet. But the point is that there is a risk of infection and consumers need to figure out how to handle the virus.
  • Network controls versus end-point controls: The solution for the virus can either be put on each device (e.g. mobile phone, tablet, smart thermostat, etc.) or at a network level. But which one is better? And that's the point: could a CPA discuss the advantages and disadvantages of each approach
  • Evaluating intrusion detection systems (IDS): box is, in a sense, the IDS for the masses. As noted WSJ, the Box sent a number of "unhelpful alarms". In other words, the system generated "false positives" which means that users will initially check it alert diligently, but then ignore subsequent alerts assuming it's a false alarm. 
  • Limitations of scanning devices: The article also notes how the device can't work on encrypted traffic.  More generally, it talks about the overall (lack of) reliability and 
  • Best security practices: The article also notes several best practices to make home networking safer including, patching/updating router software + enabling auto-update, use of strong passwords, hardening systems (i.e. changing the default user ID & password on things like routers), use WPA2 standards (i.e. not WEP which can be easily cracked), and use of guest network instead of sharing passwords. 
But that's not all. WSJ also published this article detailing five key corporate security practices, including:
  • Patching, i.e. installing software updates to plug security holes in the software,
  • Limiting connectivity of devices on a "need to do basis",
  • Encrypting data that is confidential or highly confidential (e.g. credit card data)
  • Use of physical security devices instead of just passwords
  • Independently assessing vendor compliance with security. 
The interesting thing about this article is that it omits the use of SOC audit reports (see Amazon's FAQ on the topic or the AICPA's site) with respect to verifying the level of security compliance with the latter point. 

But, again, does the current competency map train CPAs sufficiently to spot that? 

We should keep in mind a couple of things.

Firstly, the WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally. 

Although not explicitly mentioned in the first article, one of the key trends that has raised the level knowledge required for the average business professional is consumerization: individual have access to technology, such as tablets, smartphones, networks, etc. that were once the sole domain of corporate IT. Consequently, now the average business professional needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection. 

Secondly, my friend's kid is 12 years old and understands the concept of viruses, OS and risk at very rudimentary level. 

Okay so we all know the kids are tech savvy. 

But we need a competency map that would be relevant to the future generation that will be entering the profession.  Furthermore, if the CPA profession wants to achieve its vision of being the  "globally respected business and accounting designation" it must not just meet the level of the business press but must go beyond. 

Tuesday, May 5, 2015

Should Algorithm Audits be mandated for HFT firms?

Was heading into work on train and came across WSJ's op-ed piece on the need for regulation around algorithms involved in trading. The article mentions how the regulators have not done much since the Flash Crash of 2010.

What is the Flash Crash of 2010?

As noted in the piece, "flash crash hit on the afternoon of May 6, 2010, as riots in Athens and a European debt crisis weighed on markets. In about eight minutes the Dow Jones Industrial Average fell 700 points before rebounding." 

The op-ed goes on to dismiss the "official" explanation (i.e. a large hedge placed by a US firm and financial shenanigans of UK based day trader) and states: "More important, they say, is the role of high-frequency firms, which use hard-to-monitor algorithms to trade large amounts of stock in fractions of seconds. If they trade erratically, the market can come unglued, as happened in the flash crash."

The article notes that the SEC has been exploring the mandating disclosure requirements and controls on firms that use algorithms. However, the article also quotes a number of regulators who say they don't have enough funds to keep pace with the firms. 

Before I go back down memory lane, it is also worth noting that there are other experts who hold that algorithms - from a privacy perspective - need to be regulated. Bruce Schneier, a well known information security expert who helped review the Snowden documents, in his latest book, Data and Goliath (see clip below for a summary), also calls for "auditing algorithms for fairness".  He also notes that such audits don't need to make the algorithms public, which is it the same way financial statements of public companies are audited today. This keeps a balance between confidentiality and public confidence in the company's use of our data.

So is it time for auditing algorithms through an "AlgoTrust" offering?

As I noted on my reflections on "Big Data: A Revolution That Will Transform How We Live, Work, and Think": 

"[H]ow would you go about auditing an algo? Although auditors lack the technical skills of algoritmists, it doesn't prevent them from auditing algorithms. The WebTrust for Certification Authorities (WebTrust for CAs) could be a model where assurance practitioners develop a standard in conjunction with algorithmists and enable audits to be performed against the standard. Why is WebTrust for CAs a model? WebTrust for CAs is a technical standard where an audit firm would "assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)". That is, although the cryptographic key generation process is something that goes beyond the technical discipline of a regular CPA, it did not prevent the assurance firms from issuing an opinion."

I also noted:

"some of the ground work for such a service is already established. Fundamentally, an algorithm takes data inputs, processes it and then delivers a certain output or decision. Therefore, one aspect of such a service is to understand whether the algo has "processing integrity" (i.e. as the authors put it, to attest to the "accuracy or validity of big-data predictions"), which is something the profession established a while back through its SysTrust offering."

What I saw to be the challenge at the time I penned that blog post is market demand for this type of service. The answer appears to be that SEC could mandate such audits and leverage the CPA firms the same way they do for financial audits. However, instead of rendering opinion on the financials, such audit firms would render an AlgoTrust opinion on the algorithms to ensure that they are in-line with Generally Accepted Algorithmic Principles instead of Generally Accepted Accounting Principles (sorry I couldn't resist!).

Beyond WebTrust for Certification Authorities, companies are currently leveraging SysTrust which has been subsumed into the SOC 2 and SOC 3 audit reports. For example, gets an audit opinion that provides reasonable assurance that its systems are secure, available and that it maintains confidentiality of the information they are provided with.

The AlgoTrust standard should address issues such as the ones raised in WSJ (i.e. as it relates to trading algos) as well ensuring the preservation of privacy. But it should not stop there. In the original post, Chris Steiner explains how algos are invading all parts of life, including things like robot pharmacists.

We have at least three experts from three different fields: finance, data, and information security that all see the value in auditing algorithms. If the CPAs don't take the lead on this, who will? As Bruce Schneier notes it won't be easy, but it is something that will eventually be tackled by either the CPA profession or someone else.