Cyber Security Industry Alliance Newsletter •  Volume 3, Number 12  • November 2007

U.S. Cyber Security News Briefs

Nearly Every Agency's E-Gov Progress Score Drops on PMA
Cybercops: U.S. Targets Terrorists as Online Thieves Run Amok
Targeting Internet Terror
Panel Must Narrow Cybersecurity Scope
Setting a Cybersecurity Agenda for the 110th Congress
Identity Stolen? Senators Want Thieves to Pay for Your Troubles
McClellan: Feds Should Resolve Health IT Privacy, Security Issues
FTC: More Spyware-Fighting Tools Needed
Senators Aim to Bolster Fight Against Cyber Crimes


Nearly Every Agency's E-Gov Progress Score Drops on PMA
Federal Computer Week (11/05/07) Miller, Jason

Officials neglected to create and adopt a newly-required IT policy and, as a result, 21 agencies witnessed a drop in their progress grades as determined by the 2007 President's Management Agenda scorecard. The Office of Management and Budget mandated agencies to craft and adopt an information technology breach notification policy by September 2007, but the requirement was forgotten by all involved, and no such action was taken. Because OMB concentrates on status scores, agencies' progress scores typically do not decline. OMB evaluates agencies each quarter on their advances in fulfilling e-government criteria. Agencies are also scored on human capital, competitive sourcing, financial performance, and budget and performance integration. In the most recent evaluation, many agencies improved their e-government status scores, unlike the Justice Department, whose e-government status score fell. The most progress has been made in the category of human capital, followed by budget and performance integration, according to the scorecard. Overall, the agencies have made much progress over the past six years, and the OMB is now striving to ingrain the reforms so "federal agencies continue to improve each year," says OMB's Clay Johnson.


Cybercops: U.S. Targets Terrorists as Online Thieves Run Amok
Mercury News (11/13/07) Blitstein, Ryan

Security experts assert that the White House is focusing too much attention on the dangers of information warfare and online espionage, and is ignoring the global cybercriminals, who are prospering through online theft. There are numerous challenges to fighting cybercrime, including limited resources, the need for innovative crime-fighting methods, and federal agencies' uncoordinated and fragmented response to date. In the summer of 2007, a wave of security breaches at federal agencies prompted the administration to ask Congress for $154 million toward a large-scale cybersecurity initiative. Various agencies will play a part in the endeavor, and the FBI has been tasked with cyber law enforcement. However, the FBI classifies cybercrime as its third priority, after counterterrorism and counterintelligence. During the current fiscal year, the FBI budget has allocated 5,987 full-time FBI staffers to counterterrorism and 4,479 workers to counterintelligence, but only 1,151 employees to cybercrime. Field agents say that more money is needed to adequately manage the cybercrime threat, while those in the industry note that agencies are under-using and failing to retain personnel with cybercrime expertise. Meanwhile, tracking down cybercriminals is a difficult process, as such crimes span countries, some of which are uncooperative. Gathering physical evidence and finding witnesses is hard to do online, particularly as some victims are unaware that they have been duped. Nonetheless, federal agencies spend tens of millions of dollars annually on facilities and technologies to further cyberinvestigations. Unfortunately, many of the high-tech crime labs established by the FBI have extensive backlogs.


Targeting Internet Terror
Baltimore Sun (11/07/07) P. 4A; Gorman, Siobhan

President Bush on Nov. 6 requested $154 million in preliminary funding for his plan to launch a program targeting terrorists and others who would attack the United States through the Internet. Former government officials say the initiative is expected to become a seven-year, multibillion-dollar project intended to track threats in cyberspace on government and private networks. The project would be run by the Department of Homeland Security, but use resources from the National Security Agency and other intelligence agencies. As many as 2,000 people would staff the initiative, and the first goal would be developing a comprehensive cyber security program. Lawmakers, who only recently received briefings on the initiative, continue to have concerns over whether the program has adequate privacy protection, as well as other questions. One former government official familiar with the project says total startup costs could reach $400 million. "The proposal may be long overdue, but there are too many questions on how it will be implemented and how it will avoid the fate of past failed plans that remain unanswered," says chairman of the House Homeland Security Committee Rep. Bennie Thompson (D-Miss.). "I hope the answers to those questions will come shortly so that cyber security no longer remains on the government's back burner." Thompson expressed specific concerns over the legality of the program and whether it provides sufficient privacy protections. Sen. Joseph I. Lieberman (I-Conn.), who chairs the Senate committee overseeing Homeland Security, says he is "encouraged that the Department of Homeland Security is finally taking a strong, leadership role in domestic cyber security." He says that without knowing the details, the initiative "appears to be a step toward better protection of government computers and information."


Panel Must Narrow Cybersecurity Scope
Federal Computer Week (11/05/07) Miller, Jason

The Commission on Cyber Security for the 44th Presidency delineated its goals at the end of October, but some question whether the panel of experts will be able to craft concrete proposals by December 2008, as planned. The panel's 31 members aim to provide the next president with "a blueprint for securing cyberspace," according to commission co-chairman Rep. Jim Langevin (D-R.I.). Unfortunately, cyberthreats spring from a variety of exposures, including technology flaws, inadequate training, and risky use of the Internet. As a result, improving fundamental cyberdefenses is an obvious, but very challenging, aim. Still, some experts say that widespread problems can be addressed by fixing known system vulnerabilities and changing substandard security practices. Other experts believe the panel will need to restrict its scope to be successful. Panel member Bruce McConnell of McConnell International says the group's specific suggestions will be guided by a core set of principles. Langevin adds that his goal is simply "to identify the most severe vulnerabilities and close them."


Setting a Cybersecurity Agenda for the 110th Congress
Government Computer News (10/31/07) Jackson, William

At the Congressional High Tech Caucus on Wednesday more than four dozen representatives and senators started work on an IT legislative agenda for the 110th Congress. Although numerous bills on computer crime, infrastructure protection, spyware, and data breaches have been introduced in both houses, and a number of bills are pending, few have made it to a vote, and even fewer have become law. At the caucus the Consumers Union's Jeannine Kenney pushed for a strong national breach notification law to help protect personal identification from theft or exposure. "Industry and government are not investing in cybersecurity measures," Kenney says. "We need to create incentives to make these investments. One way to do that is requiring that consumers are always notified when their personal information is breached." Many in the information technology industry want to see a national standard replace the 35 different state notification laws, while the Cyber Security Industry Alliance says any notification law should include safe harbors for businesses that deploy strong, pre-breach security measures. Both Consumer Data Industry Association President Stuart Pratt and Homeland Security Department chief privacy officer Hugo Teufel III say collecting personal data can improve security and the resulting risks to privacy are an acceptable trade-off, arguing that data collection has been used to prevent fraud and that security and privacy go hand in hand.


Identity Stolen? Senators Want Thieves to Pay for Your Troubles
CNet (11/01/07) Broache, Anne

The Identity Theft Enforcement and Restitution Act of 2007 (S. 2168), which was recently approved by a Senate panel, would allow identity theft victims to request monetary compensation for the time they spent fixing errors and damages caused by identity theft. The bill would allow victims to seek criminal restitution for time "reasonably" spent correcting "actual" or "intended" harm. The bill also rewrites federal computer crime laws that are designed to make it easier for police to punish hackers, keyloggers, and spyware purveyors whose acts may not cause significant damage, changing the requirements for felony charges from $5,000 in damages to damaging 10 or more computers. Additionally, the bill would force offenders to surrender any property used to commit the crimes or gained through illegal activities. Sen. Patrick Leahy (D-V.T.), who sponsored the bill with Sen. Arlen Specter (R-Penn.), says the proposal contains "important and long-overdue steps to protect Americans from the growing and evolving threat of identity theft and other cybercrimes." The bill is backed by the U.S. Department of Justice and the Secret Service, as well as a diverse set of groups including the AARP, the Consumers Union, the Cyber Security Industry Alliance, and the Business Software Alliance.


McClellan: Feds Should Resolve Health IT Privacy, Security Issues
Government Health IT (11/07) Vol. 2, No. 6, P. 10; Ferris, Nancy

Former administrator of the Centers for Medicare and Medicaid Services Dr. Mark McClellan, who now directs the Engelberg Center for Health Care Reform, recently told a Washington audience that the federal government needs to take charge in resolving the privacy and information security uncertainties surrounding health care information technology. "Now is the time to really move forward on these privacy and security issues," McClellan says. A report by the Health and Human Services Department's American Health Information Community accompanied the House's Health and Human Services appropriation bill for fiscal 2008 and asked for a "privacy and security framework that will establish trust among consumers and users of electronic personal health information and will govern all efforts to advance electronic health information exchange." The report outlines specific elements lawmakers want included in the framework, including allowing individuals to have a say in who can access their data and how that information can be used. IBM's Ned McCulloch notes that Rep. Anna Eshoo (D-Calif.) has introduced a bill, Promoting Health Information Technology Act (H.R. 3800), in the House that resembles the Senate's Wired for Health Care Quality Act (S. 1693). EHealth Initiative's Christine Bechtel says more state governments are taking action on health IT because Congress has failed to do so, with 15 health IT bills becoming law at the state level this year.


FTC: More Spyware-Fighting Tools Needed
IDG News Service (10/29/07) Gross, Grant

The U.S. Federal Trade Commission recently reported that while organizations and law enforcement agencies are making progress in the fight against spyware, new tools in an antispyware bill stalled in Congress could further improve efforts. The Spy Act (S. 1625) would give the FTC authority to impose civil fines on companies that distribute spyware to consumers' computers, but the bill, along with the Internet Spyware Prevention (I-SPY) Act (H.R. 1525), has stalled in the Senate since passing in the House. FTC commissioner Jon Leibowitz says the FTC has the authority to collect profits from spyware operations and collect money for consumer redress, but lacks the authority to impose other fines. Leibowitz says assigning a dollar figure to consumer harm is tricky in spyware cases. The Spy Act would allow the FTC to fine spyware vendors up to $3 million for hijacking computers and delivering unwanted adware, among other violations, and $1 million for collecting personal data without permission. Leibowitz says companies know that the FTC can only take away their profits and not impose any real penalty, and the additional authority to impose civil fines would give the FTC an enormous deterrent.


Senators Aim to Bolster Fight Against Cyber Crimes
National Journal's Technology Daily (10/26/07) Poulson, Theresa

The Cyber-Crime Act of 2007 (S. 2213) aims to close gaps in current federal laws regarding cyber crimes, including hacking, stealing confidential information, and deploying computer worms and viruses. The bill makes it illegal to create botnets and to threaten to reveal confidential information obtained illegally from computers. "Botnets have the ability to grow exponentially, and the potential damage from these networks grows accordingly," says Sen. Orrin Hatch (R-Utah), who sponsored the bill. The legislation would also alter felony requirements so hackers could be charged for damaging 10 or more computers. The bill would also allow investigators to seize equipment used in computer crimes and would authorize funds for local and federal authorities to investigate and prosecute such crimes. "Although these crimes are virtual, their impact is measured in real dollars and occasionally in physical injury or death," says bill co-sponsor Sen. Joseph Biden (D-Del.). Biden also introduced the Crime Control and Prevention Act of 2007 (S. 2237), which seeks to fight child exploitation, computer crimes, and violations of intellectual property rights by authorizing $350 million per year for police departments to acquire technology and equipment to track and fight crime. The bill also targets Internet pharmacies that illegally provide prescription drugs.



News Abstracts © Copyright 2007 INFORMATION, INC.