Much to the chagrin of privacy advocates, U.S. legislators have been pushing to pass a bill to improve cyberthreat intelligence sharing before discussing National Security Agency (NSA) surveillance reforms. In other recent news: Privacy proponents are also up in arms about an NSA proposal that would force tech companies to allow government access to encrypted consumer devices; and security experts warn about the increasing number of medical data thefts in recent years.
U.S. Congress hastens to pass cybersecurity bill ahead of NSA reform debate
U.S. lawmakers are rushing to pass a major cybersecurity bill before beginning the debate over reforming the National Security Agency’s surveillance programs. The NSA programs must be reauthorized by June 1. Backers of the security bill, which strives to improve companies’ cyberthreat information sharing with the government, insist that it is a separate issue from NSA surveillance. Privacy advocates, however, worry that the cybersecurity bill will allow the NSA to further collect American citizens’ sensitive data.
The cybersecurity bill is a joint effort between both the House of Representatives’ and the Senate’s intelligence committees, and appears to have garnered approval from Republicans, Democrats and the White House, The Hill reports. The Obama administration stated recently that it considers cybercrime a national emergency, and that information sharing programs are a major part of its cyberdefense strategy, according to The Wall Street Journal.
The House Intelligence Committee’s bill prohibits cyberthreat intelligence from going directly to the NSA, but privacy groups want NSA surveillance programs to be reformed before cybersecurity legislation passes to give the government more access to data, according to The Hill.
NSA director seeks front door access to encrypted devices
The debate over whether the U.S. government should have guaranteed access to encrypted data on U.S. consumer devices has reached another impasse. Adm. Michael S. Rogers, director of the NSA, is offering a “technical solution” to the problem, reported The Washington Post: legally requiring technology companies to create a digital key that can open any locked device to access the data inside, but splitting the key into pieces among multiple agencies so that not one entity could use it.
“I don’t want a back door. I want a front door. And I want the front door to have multiple locks,” Rogers said in a recent speech at Princeton University, where he outlined the proposal.
Law enforcement and intelligence officials who support the proposal warn that the growing use of data and device encryption could seriously obstruct criminal and national security investigations.
Members of the technology industry and privacy advocates, however, argue that granting government and law enforcement access to people’s private communications threatens their Constitutional right to free speech. Security experts also believe that the split-key approach creates weaknesses that hackers and foreign intelligence agencies can try to exploit. Opponents of the NSA’s proposal also argue that the scope of encryption technology usage has exceeded the reach of government control, according to the Post.
Medical data theft on the rise
The growth in the number of digital medical records has led to an increase in the theft of those records, industry experts say. This type of theft has also evolved, according to Dwayne Melancon, CTO of software company TripWire: Hackers previously stole payment card and bank information inside medical records, but now they target personal information, he told Marketplace.
Unlike payment card theft, victims of medical data theft often don’t find out that their data is for sale to the highest bidder until after a year or more has passed, healthcare information security expert Bernard Peter Robichau told Marketplace.
There’s also the risk that this stolen medical data could end up on predictive consumer scores. These scores use data collected by devices and apps to predict individuals’ likelihood to spend on healthcare, to commit fraud, to adhere to medication prescriptions and other data points highly sought after by many companies, reported Marketplace.
Following the recent streak of high-profile cyberattacks on U.S. companies, the Obama administration last week unveiled a program that would impose sanctions on individuals or groups overseas that are potential sources of cyberthreats. Also in the news: Facebook’s privacy practices face growing scrutiny in Europe; banks shed high-risk customers to avoid penalties; and more.
U.S. sanctions program aims at foreign cyberattackers
President Barack Obama last week issued an executive order that deems destructive cyberattacks a “national emergency” and allows the U.S. Treasury Department to freeze the assets and bar the financial transactions of individuals and groups that engage in such activities. The sanctions target entities outside the United States who threaten its national security, foreign policy and economy through malicious cyberactivities, according to the executive order.
The program grants the administration use of the same penalties it applies on other threats, such as the crises in the Middle East and Ukraine, Reuters reported. According to a report from Reuters, security and legal experts consider the move a promising step in light of the persistent string of attacks on U.S. computer networks. However, expert Mark Rasch, former Justice Department trial attorney, said that the breadth of power the program gives the executive branch could result in a “compliance nightmare for companies.” Additionally, security experts cited the difficulty of identifying hackers responsible for these attacks.
Facebook faces mounting heat from the EU over privacy
Facebook is facing mounting probes into its privacy practices from various European authorities, reported The Wall Street Journal. In recent weeks, data privacy regulators from France, Italy and Spain have joined a group of regulators from Belgium, Germany and the Netherlands that is investigating the social networking giant’s data handling practices. The group is looking into how Facebook is integrating data from its various services, including Instagram and WhatsApp, to target advertising, as well as how the company is tracking users’ browsing habits through its “like” button.
Typically, Facebook’s privacy compliance in Europe falls under the purview of the data protection authority in Ireland, where the company’s European headquarters is located. However, in advance of impending changes to the EU’s data protection regulations, European regulators from other countries have increasingly been taking on big U.S. technology companies in addition to Facebook, including Amazon, Apple and Google, according to WSJ.
Some of the regulators launching the probes say that the “right to be forgotten” ruling, made by the European Court of Justice (the top court in the EU) last year, is a precedent that justifies their right to investigate Facebook. Others, such as the Information Commissioner’s Office in the U.K., which hasn’t joined the effort, says it recognizes the role of the Irish data protection regulator over Facebook’s privacy compliance in Europe.
Regulators tell banks to rein in widespread closures of risky accounts
Banks are closing down the accounts of high-risk customers in response to a record number of penalties imposed by U.S. regulators in recent years regarding inadequate risk controls, according to The Wall Street Journal‘s Risk & Compliance blog. Moreover, some U.S. authorities have previously urged banks to stop transacting with certain customers. Now, regulators are growing concerned that the entire lines of business these banks are cutting off are turning to less regulated or underground institutions, particularly in the areas of money-transfer services and foreign-correspondent banking.
Officials ranging from Comptroller of the Currency Tom Curry to Adam Szubin, the U.S. Treasury Department’s acting undersecretary for terrorism and financial intelligence, are now advising banks to be more discerning in their decisions to leave or not take on a customer relationship because it is considered at high risk for money laundering.
It’s doubtful that regulators’ shift in tone will prompt these banks to immediately reverse their decision regarding whole categories of high-risk customers, some experts told WSJ. One reason is the vagueness of recent guidelines around risk controls; another reason, according to Rich Riese, senior vice president of the American Bankers Association’s Center for Regulatory Compliance, is that banks are unlikely to take back the high-risk customers they’ve recently shed.
U.S. Justice Department deems HSBC slow on compliance changes
British multinational bank HSBC, which in 2012 was charged with laundering money on behalf of Mexican cartels and transferring money for nations blacklisted by the U.S., such as Iran and Sudan, has been slow in meeting the requirements of its $1.9 billion deferred-prosecution agreement (DPA), according to a court filing made by federal prosecutors as part of a quarterly update on the bank’s progress.
In the filing, which summarizes the findings of Michael Cherkasky, the independent monitor who has been following HSBC’s progress for over a year, the U.S. Justice Department commends HSBC’s progress in areas such as risk assessment and compliance monitoring and testing; however, it also highlighted two areas in which the bank has been “too slow” with its progress and must do more: its corporate culture and its compliance technology.
According to the filing, the bank’s overhaul was initially met with resistance, pointing to pushback from the managers at HSBC’s U.S. unit for global banking and markets, which resulted in an internal audit report that the filing said was “more favorable to the business than it would otherwise have been,” The New York Times reported.
The filing also docks the bank’s technology systems as needing further improvement, saying it continues to “suffer from fragmentation and lack of connectivity.” These weaknesses, the filing said, could sacrifice the quality of customer data collected and analyzed by the bank. They also inhibit auditors’ view into customers’ banking history to look into potentially suspicious activity, the filing said.
The FBI’s quest to expand its hacking authority moved forward last week: A judicial advisory panel approved a rule change regarding how flexible judges can be in granting search warrants outside the bounds of their geographical jurisdiction. Also in the news recently: The Pentagon launched a research program to protect personal data while making it available to third parties to analyze; a report finds most companies fall short of PCI DSS compliance; and a House of Representatives security committee unveils a major cyber bill.
U.S. Justice Department approves rule change that could broaden FBI’s hacking authority
A judicial advisory committee voted to approve a rule change last week that would grant federal judges more leeway in how they approve search warrants for electronic records, according to the Justice Department. The panel voted to modify Rule 41, which currently allows judges to approve search warrants but limits the warrants to material that is physically located within their judicial district. Under the proposed modification, judges would be allowed to grant search warrants for data in computers located either outside their district or in unknown locations. The committee’s vote is only the first of several steps to passing the proposal; the Supreme Court has until May 1, 2016 to review and accept the change, and then Congress would have another seven months to reject, modify or defer the amendment.
The U.S. government defended the rule change, saying that the provision needed to be updated to keep up with today’s digital realities. According to National Journal, expanding its powers would allow the FBI to more easily penetrate computer networks to install tracking software and monitor suspected criminals.
Various privacy advocacy and technology groups, however, have spoken out against the ruling. The American Civil Liberties Union, Google and others warn that the change amounts to a significant rewriting of the provision that could threaten constitutional protections as well as the sovereignty of foreign countries.
Pentagon rolls out new research program to protect personal data online
The Defense Advanced Research Projects Agency (DARPA), the Pentagon’s high-tech research agency, is launching a new program that aims to protect the personal data Americans knowingly provide to companies, health care providers and the government while also making that data accessible to those third parties for analysis. The program, called Brandeis, aims to “restructure our relationship with data by shifting the mechanisms for data protection to the data owner rather than the data user,” according to a document published by DARPA. The agency will spend four and a half years on the program.
Brandeis will look at four major research areas. The first, privacy-preserving computation, involves reducing the limits to the range of privacy-preserving data mining programs so that personal data can be both protected and shared on a larger scale, outlined USA Today. The second area, human-data interaction, will focus on developing technologies to help data owners make choices about how their information is being used. The third research area, experimental systems, will provide platforms to test the success of privacy-preserving computation and human-data interaction work. Lastly, Brandeis will focus on metrics and analysis to enable systems to determine exactly how private the data is; one way to determine this is by quantifying the privacy tax, which refers to “the increase in computational time, memory and storage requirements against the degradation of accuracy of results for any given level of privacy,” according to the DARPA document.
Report finds majority of companies fail PCI compliance tests
Eighty percent of companies fail interim assessments for compliance with the Payment Card Data Security Standard (PCI DSS), according to a report released by Verizon Communications earlier this month. Verizon’s forensics team discovered that of all the data breaches it investigated over the last 10 years, not one company was compliant with all 12 requirements of PCI DSS at the time each breach occurred.
Still, compliance is up overall, rising in every PCI requirement area between 2013 and 2014, except for Requirement 11 (testing security systems), which had the lowest compliance. Additionally, almost twice as many companies were found compliant at interim assessment in 2014 versus 2013 (20% vs. 11.1%); however, the report warns that this is not necessarily good news because of the large percentage of companies that still fail. Plus, sustainability is low: The study found that less than a third of companies were still fully compliant within a year of validation.
The Verizon report also offers guidance on how companies can sustain PCI compliance and improve data security, including fully integrating compliance into their larger governance, risk and compliance strategies, as well as implementing network segmentation and data masking, according to the Wall Street Journal.
House security panel releases cybersharing bill
The Homeland Security Committee in the House of Representatives last week released a bill that would provide legal liability protections to companies that share cyberthreat information with the Department of Homeland Security (DHS). The measure, called the National Cybersecurity Protection Advancement Act, designates the DHS as the “primary interface” for any intelligence sharing between private companies and public agencies, opening the possibility of exchanges with the likes of the National Security Agency (NSA) or the Treasury Department, while not explicitly authorizing them, reported The Hill. The bill also permits sharing among government agencies.
According to the Hill, the committee’s former staff director, Alex Manning, said the language of the bill has been changed from previous iterations to reflect a stronger stance on privacy in order to appease privacy advocates. These changes include specific guidelines on how the DHS privacy office will monitor the sharing program, as well as bolstering the sections that require companies to redact personal information from the data before sharing it with the government.
While the American Civil Liberties Union backed a version of the bill last year, some privacy advocates may still have objections regarding certain gaps in the current version, such as the possibility of sharing within the government or with the NSA, The Hill speculated.
Data breaches have been intensifying in recent years, but security expert Benjamin Dean argues that many companies still lack motivation to invest in more robust information security. Also in headlines from the past few weeks: The U.S. and European governments set their sights on data processing and consumer privacy; and Forrester Research predicts that a stricter governance, risk and compliance (GRC) environment will result in more regulatory failures for companies.
Companies lack incentives for stronger cybersecurity
Despite numerous high-profile cyberattacks, there is little motivation for companies to invest in better information security, according to Benjamin Dean, a Fellow for Internet Governance and Cybersecurity at Columbia University’s School of International and Public Affairs.
Dean examined the net expenses that Sony Pictures, Target and Home Depot incurred in response to recent data breaches, taking insurance reimbursements and tax deductions into account. In the case of Sony, Dean also factored in investigation and remediation costs. Dean found that these breach-related expenses amounted to 0.9%, 0.1% and 0.01%, respectively, of the companies’ total 2014 revenue. Investments in cybersecurity are also slight even among financial institutions like JPMorgan Chase that rely heavily on robust information security, he said.
Dean attributes these companies’ failure to adequately invest in information security to “moral hazard,” or when one person or organization takes greater risks because others bear the brunt and costs of these risks. For instance, credit and debit card providers sustained most of the costs related to the Home Depot breach, spending some $60 million replacing customer cards in September 2014 alone.
Moral hazard, combined with insurance reimbursements and tax deductions, weaken companies’ incentives to make large cybersecurity investments, Dean argues. As a result, greater government intervention is needed, he said. While there are currently policy proposals that address data breach protection, most of them don’t focus on moral hazard or providing incentives to these companies. Instead, these proposals focus on information sharing with intelligence agencies, something Dean and other infosec experts contend will not significantly reduce breaches.
U.S., European governments target consumer data processing
The Obama administration released draft legislation in late February that would give consumers greater control of how their personal information is collected and used by companies. The proposed bill aims to fill the gaps among already existing federal laws that address how consumer information is used, including the Fair Credit Reporting Act and the Video Privacy Protection Act.
The legislation will allow industries to create their own codes of conduct on how to handle consumer data. The Federal Trade Commission will enforce the bill by making sure these codes fulfill the baseline data-processing requirements of the bill, such as furnishing consumers with notices about how their personal information will be collected, used and shared.
The draft has already encountered opposition from privacy rights advocates, who say it does not go far enough to protect consumers and gives companies too much latitude. One of these advocates, Sen. Edward J. Markey, argues that instead of these industries developing varying codes of conduct, U.S. policy makers need to draft legislation that is uniform and legally enforceable.
In the meantime, European legislators are proposing a new data protection law that would require U.S. companies like Google and Facebook to embed data privacy standards in their products and Internet services before being able to sell them in the European market.
The new rules, which are being negotiated in the European Parliament, could include stricter requirements around the processing of personal data, which could involve re-engineering data collection processes and applications, according to one U.K. data privacy expert.
Forrester forecasts more corporate regulatory failures in 2015
A new report by Forrester Research predicts that in 2015 there will be more corporate failures to address regulatory enforcement and customer-facing risks than in 2014. The report predicts that these failures will lead to losses that could amount to $20 billion.
Sizable regulatory settlements by top banks such as Bank of America ($16.7 billion), Citigroup ($7 billion) and JPMorgan Chase ($13 billion) were among the grievous “corporate mistakes” the report cited. It also pointed to failures by companies like Borders and RadioShack to keep up with digital and consumer technology trends, both of which Forrester said”violate customer trust or fail to meet changing customer expectations.” One of the reasons these corporate blunders keep getting worse, according to Forrester, is because of a gap between many of these companies’ customer-centric business strategies and the risks associated with them.
The firm advises companies to review their current risk registers and incorporate language on how relevant risks will impact customers. Companies not only need to understand these risks — which include privacy breaches, payment fraud and product failures — but also make mitigation plans a high priority and collaborate with marketing to mitigate customer-facing exposure to these risks, Forrester recommends. The report also urges companies to continuously monitor the software market for opportunities to improve how they implement GRC platforms.
AT&T’s has begun rollout of a fiber-optic Internet service that furnishes customers with high-speed access, but they must pay an extra monthly charge if they want to keep their browsing habits private. In other data privacy news, Google accepted the terms of an agreement drawn up by an Italian data privacy regulator, and U.K. security experts found that older Samsung smart TVs don’t encrypt voice-related data.
AT&T charges privacy fee for fiber-optic Internet service
AT&T’s fiber-optic Internet service, called GigaPower, touts access speeds of up to 1 gigabyte per second, but it comes with a catch: Customers must pay a monthly fee to opt out of being monitored by the company and keep their browsing habits private.
Online monitoring expert Jonathan Mayer told the Wall Street Journal that the service’s privacy option was “troubling” because it allows AT&T to perform relatively wide-ranging user tracking, while customers aren’t necessarily in a position to prevent it. Furthermore, Mayer questioned whether the fee was really a penalty meant to discourage customers from opting out of tracking, particularly because many online companies allow their users to do so free of charge.
An AT&T spokeswoman claimed that this was not the case, however. “We can offer a lower price to customers participating in AT&T Internet Preferences because advertisers will pay us for the opportunity to deliver relevant advertising and offers tailored to our customer’s interests,” she said.
Google agrees to privacy inspections by Italian regulators
Older Samsung smart TVs do not encrypt voice data
After U.K.-based cybersecurity experts disclosed that some of Samsung’s smart TVs upload users’ voices online without encrypting the data, Samsung told the BBC that it will equip its latest models with data encryption. A software update will also be available for download on previous models.
Samsung’s oversight, according to the experts, makes it easier for hackers to spy on users. The cybersecurity experts made the discovery during their testing of one of Samsung’s older smart TV models. They found that the TVs were uploading audio files of their voice commands in an unencrypted form, along with data about the TVs and their MAC addresses, which could function as an identifier. The transcription of the voice commands, which was sent back to the TVs so their screens could act on the commands, was also unencrypted. According to the experts, the flaw was serious because intercepting those communications could be done over Wi-Fi, or be carried out by Internet service providers, governments and law enforcement.
In a bold effort to ensure net neutrality, FCC Chairman Tom Wheeler has proposed a new set of rules that would treat the Internet as a public utility and prohibit pay-to-play fast lanes. Also in recent GRC news: Experts warn that Anthem’s breach could lead to more attacks on other healthcare organizations; and President Obama announced minor changes to private data collection rules that would still keep NSA bulk collection efforts intact.
FCC chairman proposes new net neutrality rules
Last week, Federal Communications Commission (FCC) Chairman Tom Wheeler proposed a new set of rules to ensure net neutrality. The proposal comes after President Obama’s recommendation last November that the FCC adopt “the strongest possible rules” to maintain net neutrality and to apply Title II of the Telecommunications Act to the Internet by reclassifying it as a telecommunications service.
Wheeler is urging the Title II approach in his proposal that, if passed, would give the FCC the legal authority to regulate the Internet as a public utility. This would ensure that no content is blocked and would prohibit Internet providers from providing “fast lanes” to customers who can afford it and slower speeds to everyone else.
Wheeler’s proposal will be voted on by the entire commission on Feb. 26 and, if approved, would likely be challenged in court by cable and telecommunications companies.
Anthem breach draws attention to healthcare data security
Anthem, the second-largest health insurance company in the U.S., last week suffered what security experts say is the industry’s largest cyberattack in history. Personal information of 80 million customers were exposed — including Social Security numbers, medical identification numbers and email addresses — that could be used for fraud.
Experts warn that more healthcare companies are likely to be targeted due to hackers’ success in breaching Anthems’ systems, as well as the high value of patient data on the black market. Medical records fetch higher prices than credit card records, especially due to the credit card black market being inundated after numerous data breaches at large retailers.
The Anthem breach and the fact that the data stolen from its database was not encrypted also raised questions about the lack of clear healthcare data security standards. The Health Insurance Portability and Accountability Act, for instance, encourages data encryption, but doesn’t require it. This could weaken public confidence, experts say, as greater numbers of medical records are digitized and the government increasingly promotes electronic data sharing. Encryption mandates remain controversial, however, because it can make daily operations more burdensome and potentially increase costs.
White House makes changes to data collection practices
Last Tuesday, the Obama administration announced changes to how private data is collected for intelligence purposes. The changes tighten rules that govern how intelligence agencies use foreigners’ Internet and phone communications collected by the National Security Agency (NSA) — although the agency’s bulk collection of data would be allowed to continue.
Under the new set of rules, data must fall under one of six threat categories to allow for its collection, and irrelevant data must be purged after five years. The new rules also place more scrutiny on how intelligence agencies use the data they acquire from American citizens without a warrant, and state that this type of data can only be used to prosecute someone for such serious crimes as kidnapping, murder or threats to national security.
Critics contend that the new policy still does not go far enough to protect Americans’ privacy against the NSA’s surveillance techniques. “The reforms are far from sufficient and they really do tinker around the edges. It’s clear the administration is going to continue to stand by a lot of the mass surveillance policies,” Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, told CBS News.
Hackers may have found a way to commercialize their services as individuals begin to seek “hackers for hire” to carry out low-profile cyberintrusions. In other recent governance, risk and compliance (GRC) news, President Barack Obama has introduced proposals to strengthen companies’ customer data governance processes, and new research finds that regulatory compliance costs and intricacies prove difficult for small and medium-sized asset management firms to tackle.
Website offers hackers for hire, toes the legal line
A new website called Hacker’s List opened for business in November, offering hackers’ services to people looking to accomplish various acts of low-profile hacking, The New York Times reported. The hacking jobs range from gaining access to email or social media accounts, to removing embarrassing photos or stories from a website, to changing a school grade, to obtaining client lists from a competitor’s database.
The website matches hackers with clients by having both parties bid on any of more than 500 hacking jobs posted on the site. The deed is then done anonymously. Offers from clients all over the globe have ranged from $100 to $5,000.
Whether Hacker’s List violates any laws is difficult to discern. The site’s founders argue that they are exempt from legal liability because they don’t explicitly encourage any illegal acts, and because the website requires users to agree to terms and conditions that forbid the use of the site for illegal purposes. However, some of the jobs posted on Hacker’s List, such as hacking into someone’s email account, are illegal.
President Obama calls for new data privacy laws
President Obama has unveiled a new set of proposals that will govern how companies collect, protect and use customers’ data. The suggested Consumer Privacy Bill of Rights legislation would require companies to inform customers within 30 days if their information has been stolen, make it illegal to sell customers’ identities overseas, and mandate protection of students’ personal data.
President Obama urged Congress to pass the legislation, calling identity theft and other types of cyberattacks “a direct threat to the economic security” of U.S. citizens. Currently, different states have different disclosure regulations, some of which date back 10 years. According to the National Conference of State Legislators, most of these laws only cover certain types of personal information, such as Social Security numbers and driver’s license numbers.
While this is a promising step toward pushing security and privacy to the forefront, Adam Levin, chairman of Credit.com and Identity Theft 911, asserts in an opinion piece that the legislation doesn’t provide a clear roadmap for addressing the widespread vulnerabilities that exist in many federal agencies. A recent study of the Defense Department’s security programs and practices found that many of these agencies lack effective guidelines. These lacking processes have resulted in incidents such as the hacking of the U.S. Army Corps of Engineers’ network and the breach of the Federal Communications Commission’s emergency broadcast system.
Shortly after President Obama’s announcement, New York Attorney General Eric Schneiderman proposed a data security bill to curb increasing incidents of identity theft. The new law broadens the definition of personal information to include any data that grants access to online accounts.
Regulatory compliance costs hinder startup asset management firms
Small and medium-sized investment firms are held back by the costs and complexities of compliance, according to research by think tank New City Initiative. Regulatory costs not only make it more difficult to enter the asset management field and compete with the largest firms, but are also potentially detrimental to clients by limiting their investment options, the research found.
Regulatory compliance can serve as a competitive advantage for large institutions because they are able to staff in-house lawyers, while startups have to resort to hiring third-party consultants. Additionally, the several months it takes for the Financial Conduct Authority to process an application is an extra obstacle for smaller firms as they struggle to earn revenue in the interim, the research found. These heightened costs associated with increased regulations could ultimately stifle innovation in the asset management industry, said Stephen Black, co-founder of Tier One Capital.
Business cybersecurity — or the lack thereof — continued to make headlines in the past few weeks as more U.S. private-sector firms consider counteroffensive tactics against attackers. Also in cybersecurity news, North Korea slammed new U.S. sanctions in response to the Sony hack, and a new report found that last year’s massive JPMorgan Chase data breach was the result of a basic security flaw.
After Sony breach, more firms consider hacking back
A growing number of private-sector companies — including some large U.S. banks — have been targeted by hackers in recent months and are frustrated with a perceived lack of follow-up from the federal government. These companies have started looking to outside options to strike back at their attackers, some security specialists and former law enforcement officials told Bloomberg.
These anxieties have only intensified after the breach of Sony Pictures’ network, according to the article. Some of these businesses have employed cybersecurity firms to advise them on various counteroffensive tactics, including disrupting hacker operations and peering into foreign-based networks to find out what data was stolen.
“Hacking back” efforts gained a higher profile after President Obama’s promise to mount a response against North Korea for the Sony data breach, but many companies don’t actually follow through with such measures, said some of the cybersecurity professionals. These experts and the FBI also discourage companies from retaliating because it might entice hackers still lurking in their networks to ramp up their attacks.
North Korea blasts U.S. sanctions; FBI stands behind its Sony breach assessment
North Korea has publicly criticized new sanctions authorized by President Obama last week, calling them “hostile” and “repressive.” The U.S. sanctions were imposed against three North Korean organizations and 10 government officials, and enacted in response to the Sony Pictures breach.
North Korea’s foreign ministry continues to deny responsibility for the cyberattack. The U.S. government has not offered any public evidence linking North Korea to the Sony breach, which has left many in the cybersecurity community unconvinced that the nation-state was responsible. Many cyberintelligence firms investigating the attack said they have not observed concrete evidence that confirms that North Korea backed the breach.
Security experts’ skepticism has only intensified after the FBI attended a three-hour briefing by a security firm whose research indicates the perpetrator was laid-off Sony staff. After the meeting, the FBI was steadfast in its assertion that North Korea was behind the attack, and officials stated there was “no credible information” to suggest otherwise. One U.S. official told Politico that the discrepancy could be due to the FBI having access to intelligence sources that others don’t.
JPMorgan hack could have been quelled with simple security fix
Last year’s breach at JPMorgan Chase, the largest cyberintrusion on a U.S. bank reported thus far, could have been prevented by updating one of the bank’s servers to include two-factor authentication, according to a report by The New York Times. JPMorgan spends $250 million on computer security annually to prevent sophisticated cyberattacks, but the security hole overlooked by the bank’s security team was a very basic one, people who have been briefed on the investigation into the attack explained to the Times.
Most large financial firms use two-factor authentication, and sources said the oversight is seen as an embarrassment inside JPMorgan as the company conducts an internal review to see if there are other weak spots in its large network.
Security experts say that one reason the vulnerability in JPMorgan’s network has gone so long without being addressed is because the bank’s size made it difficult to secure its information, especially as it acquires more companies and incorporates new networks.
President Barack Obama declared that the U.S. government will respond to North Korea’s actions after the FBI announced that the nation-state was behind last month’s calamitous cyberattack against Sony Pictures. In other recent IT security and privacy news, U.S. Senator Ron Wyden introduced a bill to forbid the government from wiretapping users’ mobile devices, while dozens of technology companies — including Amazon and Apple — announced support for Microsoft in its ongoing legal battle against the U.S. government over search warrants.
Obama promises response against North Korea for Sony hack
President Obama announced at a news conference last Friday that the U.S. will “respond proportionally” against North Korea for the cyberattack that crippled Sony Pictures’ computer systems and leaked staffers’ personal information online.
The president was not specific regarding how the U.S. government will respond, only saying that his administration is working on possible options. Obama also reprimanded Sony Pictures, saying it made a mistake by pulling the release of The Interview, its satirical film about a fictional plot to assassinate North Korean leader Kim Jong Un. He said the studio should have consulted him before responding to the hackers’ threats against theatergoers, and warned against getting “into a pattern in which you’re intimidated by these kinds of criminal attacks.”
The White House announcement came hours after the FBI released an update on the Sony hack investigation that concluded North Korea was behind the attack. The FBI added that the attack stands out from other cyberintrusions because of its “destructive” and “coercive” nature, and that it shows cyberthreats are one of the “gravest national security dangers to the United States.”
Senator introduces Secure Data Act to ban ‘back doors’ in products
Senator Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, has introduced the Secure Data Act legislation to prohibit government mandates that manufacturers create “back doors” into people’s mobile applications and devices for targeted surveillance purposes.
In an opinion column for the LA Times, Wyden argues that creating these “security holes” is bad for customer security and businesses’ bottom line because they deliberately create vulnerabilities that hackers and foreign governments can infiltrate. He also contended that Americans should demand more data encryption technology.
Apple and other tech giants back Microsoft in legal battle
Twenty-eight technology and media companies, including Amazon, Apple, Verizon Wireless and AT&T, joined computer scientists, trade associations and civil rights advocacy groups to sign friend-of-the-court briefs filed on Microsoft’s behalf last week.
The briefs are a show of the support for Microsoft as it battles a federal judge’s ruling that the company surrender individual user emails stored in Ireland to the U.S. government after being issued a search warrant for the files. Microsoft later appealed the ruling.
On Microsoft’s blog, General Counsel Brad Smith wrote that these briefs show the scope of the case no longer just focuses on legality, but is now a “broad policy issue that is fundamental to the future of global technology.” Microsoft also argues that the U.S. government’s subpoena disrespects international laws. Requiring Microsoft to turn over emails through a U.S. court order, without input from the Irish government, flouts the treatises the U.S. has established with other countries that deal with these types of situations, Microsoft contends.
Sony is the latest big-name company to have its computer network hacked. Corporate information and entire films were leaked online in what some suspect is retaliation by the North Korean government. In other governance, risk and compliance (GRC) news, a growing number of U.S. law schools are offering compliance courses or programs, and specialized security startups are drawing the eye of Silicon Valley investors.
North Korea calls Sony hack a ‘righteous deed’
The North Korean government this week denied any involvement in last week’s hack of Sony Pictures’ computer systems, but said its “supporters and sympathizers” may have carried out the “righteous deed.”
An article published by the North Korean government-run KCNA news agency accused Sony of “abetting a terrorist act” by producing The Interview, a movie starring James Franco and Seth Rogen as journalists enlisted by the CIA to assassinate North Korean leader Kim Jong-un. The attackers posted films online that have not yet been released, and disclosed the salary information, email addresses and Social Security numbers of thousands of Sony employees, including celebrities. Sony Pictures said it is currently working with law enforcement to investigate the breach, and the FBI is also probing the attack.
More U.S. law schools offer compliance-centric programs
A dearth of U.S. law schools offer courses or degrees tailored to the compliance officer job, but Reuters reports the landscape is slowly changing. A major driver is the thriving compliance industry: The base salary of compliance offers has been rising 3.5% every year since 2011, and companies such as JPMorgan Chase are bolstering compliance functions even as they make cuts in other areas.
One such program featured by Reuters is New York University Law School’s Corporate Compliance and Enforcement (PCCE), wherein students build compliance expertise through relevant coursework and insight from leading practitioners and guest teachers. Another institution, George Washington University Law School in Washington, D.C., offers a compliance and ethics course focusing on the legal issues that surround anticorruption regulations.
Security startups attract more investor funds
As data breaches become the norm, security startups are increasingly drawing attention from Silicon Valley investors, The New York Times‘ Bits blog reports. According to research firm CB Insights, last year there were 240 investments in these startups with a combined worth of $1.7 billion, up from 83 investments worth $340 million in 2009.
All types of security startups are garnering money from investors, including those dedicated to access control and identity management, the creation of secure spaces on computers for different processes, and network monitoring and alerts if anything suspicious occurs.
Established security companies such as Symantec and Juniper are striving not just to compete with the more specialized products and services these startups offer, but also to attract and retain talent as their lucrative and well-paying smaller rivals hire much sought-after security engineers.