Archive for the ‘privacy and security’ Category

Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation

October 29, 2014

Source: Heritage Foundation

Recent high-profile private-sector hacks have once again put a spotlight on the issue of cybersecurity. This is a serious problem that requires legislation to improve the United States’ cybersecurity posture, but the U.S. should not reflexively adopt government regulation of cyberspace as a solution. There are concerns that such a response would not be cost-effective and would have an adverse effect on innovation. It could also potentially create a mindset of compliance rather than of security. Additionally, the government’s own cybersecurity track record raises questions about the effectiveness of government cyber regulations.

The following is a list of federal government cybersecurity breaches and failures, most of which occurred during 2013 and 2014. This list is part of a continuing series published by Heritage that serves as a long-term compilation of open-source data about federal cybersecurity breaches dating back to 2004.

This list is in no way complete: Some hacks might not be reported or are classified, and others have yet to be realized. In September 2014, Robert Anderson, executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI, told the Senate Homeland Security Committee that if a federal department believes it hasn’t been hacked, it is likely simply unaware of the hack. When Senator Coburn asked for a list of all the government hacks the panelists were aware of, he acknowledged that they may have to be discussed in a closed Senate hearing. Furthermore, the list below does not include the large number of private-sector failures. Nevertheless, the seriousness and number of known U.S. government cybersecurity failures undercut the argument for a government-led regulatory approach to cybersecurity.

Cyber Attacks on U.S. Companies in 2014

October 29, 2014

Source: Heritage Foundation

The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security. According to FBI Director James Comey, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”

A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.

This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.

This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.

The data breaches below are listed chronologically by month of public notice.

HHS OIG — Penetration Test of the Food and Drug Administration’s Computer Network

October 29, 2014

Source: U.S. Department of Health and Human Services, Office of Inspector General

We conducted an external penetration test of the Food and Drug Administration’s (FDA) network and information systems. Although we did not obtain unauthorized access to the FDA network, we identified the following issues: Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not performed on all external servers, error messages revealed sensitive system information, and demonstration programs revealed sensitive information. These could have led to (1) the unauthorized disclosure or modification of FDA data or (2) FDA mission-critical systems being made unavailable. We recommended that FDA implement the necessary corrective actions to address the specific cybersecurity vulnerabilities that we identified during this audit.

Big Data and the Future for Privacy

October 29, 2014

Source: Social Science Research Network

In our inevitable big data future, critics and skeptics argue that privacy will have no place. We disagree. When properly understood, privacy rules will be an essential and valuable part of our digital future, especially if we wish to retain the human values on which our political, social, and economic institutions have been built. In this paper, we make three simple points. First, we need to think differently about “privacy.” Privacy is not merely about keeping secrets, but about the rules we use to regulate information, which is and always has been in intermediate states between totally secret and known to all. Privacy rules are information rules, and in an information society, information rules are inevitable. Second, human values rather than privacy for privacy’s sake should animate our information rules. These must include protections for identity, equality, security, and trust. Third, we argue that privacy in our big data future can and must be secured in a variety of ways. Formal legal regulation will be necessary, but so too will “soft” regulation by entities like the Federal Trade Commission, and by the development of richer notions of big data ethics.

Protecting Mail Covers in Law Enforcement Investigations

October 28, 2014

Source: U.S. Postal Service, Office of Inspector General

The outside of an envelope can be an effective tool in law enforcement investigations. In fiscal year 2013 alone, the Postal Inspection Service processed about 49,000 mail covers that were used to protect national security, locate fugitives, obtain evidence, or help locate stolen property.

But significant privacy issues govern the handling of mailpieces and the information on them. For that reason, the Postal Service and Postal Inspection Service must follow detailed procedures before allowing a mail cover.

The U.S. Postal Service Office of Inspector General recently reviewed 196 external mail covers and found some controls lacking. For example, 21 percent of the covers we examined were approved without the required written authorization and 13 percent were not adequately justified. Inadequate controls could impede investigations, raise public concerns about the privacy of the mail, and harm the Postal Service’s brand. The OIG made a number of recommendations to improve the management and integrity of the mail cover program.

Identity Theft: Who’s At Risk?

October 27, 2014

Source: AARP Research

This AARP Fraud Watch Network study aimed to assess Americans’ habits around protecting their personal and financial information. Overall, the study finds that many are not taking precautions necessary to reduce their risk of identity theft.

TIGTA — Additional Measures Needed to Provide Greater Assurance That Tax Information Provided to Health Exchanges Is Protected

October 27, 2014

Source: Treasury Inspector General for Tax Administration

The Internal Revenue Service (IRS) is authorized to disclose limited tax information to Affordable Care Act Exchanges when an applicant seeks financial assistance in obtaining health insurance. To protect the confidentiality of Federal Tax Information (FTI), the IRS has established safeguards the Exchanges must employ.

While the IRS has provided staff to facilitate the readiness of ACA Exchanges to receive FTI, additional procedures are needed to provide greater assurance that FTI will be protected prior to the IRS approving its release. That is the conclusion of a report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
