Evaluation of DHS’ Information Security Program for Fiscal Year 2013 (PDF)
Source: U.S. Department of Homeland Security, Office of Inspector General
From Spotlight (PDF):
DHS continues to improve and strengthen its information security program. During the past year, DHS drafted an ongoing authorization methodology to help improve the security of the Department’s information systems through a new risk management approach. Additionally, DHS developed and implemented the Fiscal Year 2013 Information Security Performance Plan which defines the performance requirements, priorities, and overall goals for the Department throughout the year. DHS has also taken actions to address the Administration’s cybersecurity priorities, which include the implementation of trusted internet connections, continuous monitoring of the Department’s information systems, and strong authentication.
While these efforts have resulted in some improvements, components are still not executing all of the Department’s policies, procedures, and practices. Our review identified the following more significant exceptions to a strong and effective information security program: (1) systems are being operated without authority to operate; (2) plans of action and milestones (POA&M) are not being created for all known information security weaknesses or mitigated in a timely manner; and (3) baseline security configuration settings are not being implemented for all systems. Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning.
Department of Homeland Security Privacy Office — 2013 Report to Congress (PDF)
Source: U.S. Department of Homeland Security
This report, covering the period from July 1, 2012, through June 30, 2013, catalogues the Privacy Office’s continued success in safeguarding individual privacy while supporting the Department of Homeland Security (DHS or Department) mission.
EPA Does Not Adequately Follow National Security Information Classification Standards (PDF)
Source: U.S. Environmental Protection Agency, Office of Inspector General
Our review of both originally and derivatively classified documents generated by three offices found that the EPA does not sufficiently follow national security information classification standards.
Of the two originally classified documents we reviewed, portions of one needed different classification levels and the other contained numerical data that was incorrectly transferred from another document. The National Homeland Security Research Center in the Office of Research and Development agreed to correct the documents. We also noted that the approved classification guide and the three guides under review had narrow scopes, which limits their usefulness. The three proposed guides have been in the approval process for 12 months when it must take no more than 30 days. Additionally, the declassification process needs clarity since the one pending declassification request has also been in the approval process for almost a year when it should take no more than 60 days.
None of the 19 derivatively classified documents we reviewed completely met the requirements of Executive Order 13526 and the implementing regulations. The derivative classifiers did not include some required information and did not correctly transfer information from the source documents. As a result, those who later access the information may not know how to protect it or be able to properly identify or use it as a source for their own derivative decision. A lack of training for derivative classifiers and incorrect information in the annual refresher training given to all clearance holders contributed to the classification problems noted. The EPA had not promptly updated guidance. Not all cleared employees who needed an element relating to designation and management of classified information as part of their performance evaluation had such an element.
Hat tip: Secrecy News
Integration of Civil Unmanned Aircraft Systems (UAS) in the National Airspace System (NAS) Roadmap (PDF)
Source: Federal Aviation Administration
A key activity of the FAA is to develop regulations, policy, procedures, guidance material, and training requirements to support safe and efficient UAS operations in the NAS, while coordinating with relevant departments and agencies to address related key policy areas of concern such as privacy and national security. Today, UAS are typically given access to airspace through the issuance of Certificates of Waiver or Authorization (COA) to public operators and special airworthiness certificates in the experimental category for civil applicants. Accommodating UAS operations by the use of COAs and special airworthiness certificates will transition to more routine integration processes when new or revised operating rules and procedures are in place and UAS are capable of complying with them. The FAA has a proven certification process in place for aircraft that includes establishing special conditions when new and unique technologies are involved. This process will be used to evaluate items unique to UAS. In those parts of the NAS that have demanding communications, navigation, and surveillance performance requirements, successful demonstration of UAS to meet these requirements will be necessary.
The process of developing regulations, policy, procedures, guidance material, and training requirements is resource-intensive. This roadmap will illustrate the significant undertaking it is to build the basis for the NAS to transition from UAS accommodation to UAS integration.
Government and industry stakeholders must work collaboratively and apply the necessary resources to bring this transition to fruition while supporting evolving UAS operations in the NAS. The purpose of this roadmap is to outline, within a broad timeline, the tasks and considerations needed to enable UAS integration into the NAS for the planning purposes of the broader UAS community. The roadmap also aligns proposed Agency actions with the Congressional mandate in the FAA Modernization and Reform Act of 2012, Pub. L. 112-95. As this is the first publication of this annual document, the FAA will incorporate lessons learned and related findings in subsequent publications, which will include further refined goals, metrics, and target dates.
CRS — Introducing a Public Advocate into the Foreign Intelligence Surveillance Act’s Courts: Select Legal Issues (PDF)
Source: Congressional Research Service (via Just Security)
Recent revelations about the size and scope of government foreign surveillance efforts have prompted some to criticize the level of scrutiny that the courts – established under the Foreign Intelligence Surveillance Act of 1978 (FISA) – currently provide with respect to the government’s applications to engage in such surveillance. In response to concerns that the ex parte nature of many of the proceedings before the FISA courts prevents an adequate review of the government’s legal positions, some have proposed establishing an office led by an attorney or “public advocate” who would represent the civil liberties interests of the general public and oppose the government’s applications for foreign surveillance. The concept of a public advocate is a novel one for the American legal system, and, consequently, the proposal raises several difficult questions of constitutional law.
High Interest GAO Report — Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace
Source: Government Accountability Office
No overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. For example, the Fair Credit Reporting Act limits the use and distribution of personal information collected or used to help determine eligibility for such things as credit or employment, but does not apply to information used for marketing. Other laws apply specifically to health care providers, financial institutions, videotape service providers, or to the online collection of information about children.
The current statutory framework for consumer privacy does not fully address new technologies – such as the tracking of online behavior or mobile devices – and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. With regard to data used for marketing, no federal statute provides consumers the right to learn what information is held about them and who holds it. In many circumstances, consumers also do not have the legal right to control the collection or sharing with third parties of sensitive personal information (such as their shopping habits and health interests) for marketing purposes. As a result, although some industry participants have stated that current privacy laws are adequate – particularly in light of self-regulatory measures under way – GAO found that gaps exist in the current statutory framework for privacy, and that the framework does not fully reflect the Fair Information Practice Principles, widely accepted principles for protecting the privacy and security of personal information that have served as a basis for many of the privacy recommendations federal agencies have made.
Views differ on the approach that any new privacy legislation or regulation should take. Some privacy advocates generally have argued that a comprehensive overarching privacy law would provide greater consistency and address gaps in law left by the current sector-specific approach. Other stakeholders have stated that a comprehensive, one-size-fits-all approach to privacy would be burdensome and inflexible. In addition, some privacy advocates have cited the need for legislation that would provide consumers with greater ability to access, control the use of, and correct information about them, particularly with respect to data used for purposes other than those for which they originally were provided. At the same time, industry representatives have asserted that restrictions on the collection and use of personal data would impose compliance costs, inhibit innovation and efficiency, and reduce consumer benefits, such as more relevant advertising and beneficial products and services. Nonetheless, the rapid increase in the amount and type of personal information that is collected and resold warrants reconsideration of how well the current privacy framework protects personal information. The challenge will be providing appropriate privacy protections without unduly inhibiting the benefits to consumers, commerce, and innovation that data sharing can accord.
The Department of Energy’s Unclassified Cyber Security Program – 2013
Source: U.S. Department of Energy, Office of Inspector General
Cyber security threats are a major concern for all Federal entities, including the Department of Energy. The Federal Information Security Management Act of 2002 (FISMA) established the requirement for Federal agencies to develop, implement and manage agency-wide information security programs, and provide acceptable levels of security for the information and systems that support the operations and assets of the agency. As part of our responsibilities under FISMA, the Office of Inspector General conducts an annual independent evaluation to determine whether the Department’s unclassified cyber security program adequately protected its unclassified data and information systems.
The Department had taken a number of positive steps over the past year to correct cyber security weaknesses related to its unclassified information systems, including corrective actions to resolve 28 of the 38 conditions we identified during our FY 2012 evaluation. In spite of these efforts, we found that significant weaknesses and associated vulnerabilities continued to expose the Department’s unclassified information systems to a higher than necessary risk of compromise. Our testing revealed various weaknesses related to security reporting, access controls, patch management, system integrity, configuration management, segregation of duties and security management. In total, we discovered 29 new weaknesses and confirmed that 10 weaknesses from the prior year’s review had not been resolved. These problems were spread across 11 of the 26 Department locations where we performed testing.
The weaknesses identified occurred, in part, because Department elements had not ensured that cyber security requirements were fully developed and implemented. Management concurred with our findings and recommendations and has taken and/or initiated corrective actions.
In a year in which government surveillance has dominated the headlines, today we’re updating our Transparency Report for the eighth time. Since we began sharing these figures with you in 2010, requests from governments for user information have increased by more than 100 percent. This comes as usage of our services continues to grow, but also as more governments have made requests than ever before. And these numbers only include the requests we’re allowed to publish.
Cloud Computing for Small Business: Criminal and Security Threats and Prevention Measures (PDF)
Source: Australian Institute of Criminology
Compared with large organisations, small businesses operate in a distinct and highly resource-constrained operating and technical environment. Their proprietors are often time poor, have minimal bargaining power and have limited financial, technical, legal and personnel resources. It is therefore unsurprising that cloud computing and its promise of smoothing cash flows and dramatically reducing ICT overheads is attractive to small business. Cloud computing shifts the delivery and maintenance of software, databases and storage to the internet, transforming them into Pay-As-You-Go services accessed through a web browser. While providing many benefits, cloud computing also brings many risks for small business, including potential computer security and criminal, regulatory and civil liability issues. This paper, undertaken as a collaborative partnership with the ARC Centre of Excellence in Policing and Security at Griffith University, identifies these risks and offers a perspective on how they might be contained so that the benefits of cloud computing do not outweigh the risks for small businesses in the 21st century.
ACLU EYE on the FBI: Documents Reveal Lack of Privacy Safeguards and Guidance in Government’s “Suspicious Activity Report” Systems
Source: American Civil Liberties Union
Government documents obtained by the ACLU show that nationwide programs that collect so-called “Suspicious Activity Reports” provide inadequate privacy safeguards and guidance on the definition of “suspicious activity,” leading to violations of Americans’ First Amendment and privacy rights, and to racial and religious profiling.
As more businesses find their way into the cloud, few engage in security measures beyond those provided by the associated cloud storage firm, a new report from Georgia Tech notes. Even fewer seek heightened data protection because of concerns that usability and access to remote data would be significantly reduced.
These concerns are among findings made by the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) in today’s release of the Georgia Tech Emerging Cyber Threats Report for 2014. The report was released at the annual Georgia Tech Cyber Security Summit, a gathering of industry and academic leaders who have distinguished themselves in the field of cyber security.
In related findings, the report reveals security issues involving the “Internet of Things,” referring to the notion that the increase of Internet-capable devices could create opportunities for remote hacking and data leakage. With everything from home automation to smartphones and other personal devices becoming connected to the Internet, these devices will capture more real-world information and could permit outside parties, companies, and governments to misuse that information.
In the mobile space, even though designers of mobile devices and tablets have developed a robust ecosystem to prevent large-scale device compromises, the report finds that the threat of malicious and potentially targeted use remains. Earlier this year, researchers at Georgia Tech reported that they found ways to bypass the vetting process of Apple’s App Store and subsequently showed how malicious USB chargers can be used to infect Apple iOS devices.
Report on Government Information Requests (PDF)
We believe that our customers have a right to understand how their personal information is handled, and we consider it our responsibility to provide them with the best privacy protections available. Apple has prepared this report on the requests we receive from governments seeking information about individual users or devices in the interest of transparency for our customers around the world.
This report provides statistics on requests related to customer accounts as well as those related to specific devices. We have reported all the information we are legally allowed to share, and Apple will continue to advocate for greater transparency about the requests we receive.
Open data: Unlocking innovation and performance with liquid information
Source: McKinsey & Company
Open data—machine-readable information, particularly government data, that’s made available to others—has generated a great deal of excitement around the world for its potential to empower citizens, change how government works, and improve the delivery of public services. It may also generate significant economic value, according to a new McKinsey report. Our research suggests that seven sectors alone could generate more than $3 trillion a year in additional value as a result of open data, which is already giving rise to hundreds of entrepreneurial businesses and helping established companies to segment markets, define new products and services, and improve the efficiency and effectiveness of operations.
Although the open-data phenomenon is in its early days, we see a clear potential to unlock significant economic value by applying advanced analytics to both open and proprietary knowledge. Open data can become an instrument for breaking down information gaps across industries, allowing companies to share benchmarks and spread best practices that raise productivity. Blended with proprietary data sets, it can propel innovation and help organizations replace traditional and intuitive decision-making approaches with data-driven ones. Open-data analytics can also help uncover consumer preferences, allowing companies to improve new products and to uncover anomalies and needless variations. That can lead to leaner, more reliable processes.
However, investments in technology and expertise are required to use the data effectively. And there is much work to be done by governments, companies, and consumers to craft policies that protect privacy and intellectual property, as well as establish standards to speed the flow of data that is not only open but also “liquid.” After all, consumers have serious privacy concerns, and companies are reluctant to share proprietary information—even when anonymity is assured—for fear of losing competitive advantage.
Preparing a Nation for Autonomous Vehicles: Opportunities, Barriers and Policy Recommendations
Source: Eno Center for Transportation
Preparing a Nation for Autonomous Vehicles: Opportunities, Barriers and Policy Recommendations is the second annual William P. Eno Research Paper, a competitive paper competition among Eno’s Leadership Development Conference Fellows. Authored by Daniel Fagnant, a Ph.D. candidate at the University of Texas at Austin, and Kara M. Kockelman, an engineering professor at the University of Texas at Austin, the paper focuses on the changes and benefits autonomous vehicles could bring to the nation’s transportation system. Barriers to implementation, liabilities, security and data privacy are also discussed, as well as the impacts and interactions with other components of the current transportation system. Daniel Fagnant and Kara M. Kockelman, 24 pp., 2013.
Aaron’s Rent-To-Own Chain Settles FTC Charges That it Enabled Computer Spying by Franchisees
Source: Federal Trade Commission
Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers, including by taking webcam pictures of them in their homes.
According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.
“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”
Information Security Weaknesses Pose Risk to Operations and the Mission of the Substance Abuse and Mental Health Services Administration (SAMHSA)
Source: U.S. Department of Health and Human Services, Office of Inspector General
We reviewed selected information technology (IT) security controls over the Substance Abuse and Mental Health Services Administration (SAMHSA) network management in effect as of June 2012. We assessed the IT security controls for inventory management, patch management, antivirus management, event management, logical access, encryption, web vulnerability management and Universal Serial Bus (USB) port control management.
We found that the IT security controls for SAMHSA, which are owned and managed by the Information Technology Infrastructure and Operations (HHS/ITIO), were inadequate because security protections to be provided to SAMHSA had not been implemented and adequately monitored.
DoD Evaluation of Over-Classification of National Security Information (Redacted)
Source: U.S. Department of Defense, Office of Inspector General
What We Did
This is the first of two reports that Public Law 111-258, Section 6(b) requires, mandating Inspectors General of Federal departments, or agencies with an officer or employee who is authorized to make original classifications, to: (A) assess whether applicable classification policies, procedures, rules, or regulations have been adopted, followed, and effectively administered; and (B) identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material. In this report, we address eight areas associated with classification management and control marking programs. For the second report due under Public Law 111-258 on September 30, 2016, we will focus on follow-up efforts to recommendations outlined in this report.
What We Found
We found that applicable classification policies, procedures, rules, and regulations have been adopted; however, in some circumstances, they had not been followed or effectively administered.
We also concluded that some policies, procedures, rules, regulations or management practices may be contributing to persistent misclassification of material. While we did find some instances of over-classification, we do not believe that those instances concealed violations of law, inefficiency, or administrative error; prevented embarrassment to a person, organization, or agency; restrained competition; or prevented or delayed the release of information not requiring protection in the interest of national security. However, we did find several instances where the inaccurate use of dissemination control and handling markings could unnecessarily restrict information sharing.
Many of the issues we found were similarly reflected in organizational self-assessments and fundamental classification guidance review results, demonstrating that DoD is aware of weaknesses and is striving to improve. The most common discrepancy was incorrect marking of documents. Many of our interviewees commented on the availability and robustness of training.
While room for improvement still exists, DoD continues to make advances in program management, reporting costs, reporting of security classification activities, and in advancing policies that will help constrain over-classification.
What We Recommend
We recommend that the Under Secretary of Defense for Intelligence and for Acquisition, Technology, and Logistics carry out the recommendations outlined in this report and continue to leverage the new Defense Security Enterprise, especially with regard to ensuring that Original Classification Authorities are fully engaged and accountable.
Management Comments and Our Response
Both the Under Secretary of Defense for Intelligence and the Under Secretary for Acquisition, Technology, and Logistics concurred with the recommendations; however, management did not provide information to identify what actions will be taken and the date on which recommendations will be completed. Therefore, we request additional comments. Please see the recommendations table on the back of this page.
Joining the Surveillance Society? New Internet Users in an Age of Tracking
Source: New America Foundation
Recent digital inclusion policies that aim to increase digital literacy of new Internet and computer users, promote civic engagement, and improve economic development do not currently address the privacy needs of new users. This paper presents an in-depth look at surveillance and privacy problems faced by individuals who turn to digital literacy organizations for training and Internet access, including low income individuals, people of color, immigrants, the elderly, and non-English speakers. These individuals are coming online without adequate skills, know-how, and social support to confront digitally enabled government surveillance and corporate intrusions of personal privacy. The paper also details the challenges, such as limited resources, time, and expertise, that providers face when teaching users how to stay safe online. New Internet users should not have to choose between going online and feeling safe, secure, and free from surveillance. Now, more than ever, digital inclusion policies need to pay greater attention to developing providers’ expertise and capacity to handle privacy and surveillance concerns of new Internet users. Privacy advocates and developers also have a role to play. Expanding “digital literacy” to include privacy education requires that privacy protecting tools become easier to use. Until then, the benefits of digital inclusion are at odds with the potential harms wrought by a surveillance society.
What the Government Does with Americans’ Data
Source: Brennan Center for Justice
After the attacks of September 11, 2001, the government’s authority to collect, keep, and share information about Americans with little or no basis to suspect wrongdoing dramatically expanded. While the risks and benefits of this approach are the subject of intense debate, one thing is certain: it results in the accumulation of large amounts of innocuous information about law-abiding citizens. But what happens to this data? In the search to find the needle, what happens to the rest of the haystack?
For the first time in one report, the Brennan Center takes a comprehensive look at the multiple ways U.S. intelligence agencies collect, share, and store data on average Americans. The report, which surveys across five intelligence agencies, finds that non-terrorism related data can be kept for up to 75 years or more, clogging national security databases and creating opportunities for abuse, and recommends multiple reforms that seek to tighten control over the government’s handling of Americans’ information.