U.S. Cyber Security News Briefs
New Senate Bill Focuses on Identify Theft
Bill Sought to Shield Medical Data
Threats to Power Facilities on the Rise
Cyber Wars
GTISC Releases Emerging Cyber Threats Forecast
Panelists Cite Threats to U.S. Computer Networks
PCI and Other Breach Laws Under Assault
Survey Finds Gap Between Perceived and Actual IT Security
U.S. Cyber Security Briefs
New Senate Bill Focuses on Identify Theft
Network World (10/17/07) Garretson, Cara
Sens. Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) introduced the Identity Theft Enforcement and Restitution Act of 2007 (S. 2168) on Oct. 16. The measure proposes expanding the existing data privacy and security bill approved by the Senate Judiciary Committee in May with additional protections for consumers who fall prey to identity thieves. The bill would grant identity theft victims the right to pursue restitution for the time and money spent on attempting to restore their credit; expand the coverage of current federal computer fraud ordinances to include small businesses and corporations; eliminate the rule that data must have been stolen from another state or country, so that prosecutions can proceed when the victim and the thief are localized in the same state; expand the definition of cybercrime to include threatening to acquire or disclose information from a protected computer and demanding money to facilitate extortion; criminalize the use of spyware or keyloggers that damage 10 or more computers, irrespective of the level of resulting damage; and eliminate the $5,000 minimum loss requirement threshold. Leahy and Specter based the new proposal on their Leahy-Specter Personal Data Privacy and Security Act. The senators cited estimates that 8.4 million people fell victim to identity theft last year, and said their bill was updated in collaboration with the Justice Department.
Bill Sought to Shield Medical Data
Washington Times (10/18/07) P. A4; Pfeiffer, Bill
A bipartisan coalition of lawmakers and industry members believes that Congress should pass legislation to protect medical records from identity theft and abuse. "Medical information is probably the most sensitive and personal information that we have about ourselves," says Rep. Edward J. Markey (D-Mass.), who says that without strong privacy safeguards a medical records database would become an open invitation for identity thieves, fraudsters, and extortionists. Critics say that the electronic medical record legislation currently in Congress would allow data-mining companies and "4 million other individuals and entities" to secretly access millions of private medical records. "If you think we've got a problem with identity theft now, just wait," says Deborah Peel, chair of the Patent Privacy Rights coalition. Supporters of the push to make medical records available electronically say that such data would have "secondary uses" and would allow health care professionals to cross-check patient records. The Patent Privacy Rights coalition is concerned that potential employers or insurance providers could use private medical information to discriminate against people who have received mental-health treatment or suffer from chronic illnesses. Peel says she supports making medical information available electronically, but that Congress must simultaneously establish the same types of privacy protections that are given to members of the military.
Threats to Power Facilities on the Rise
Associated Press (10/17/07) Hebert, H. Josef
Cybersecurity threats to the nation's power plants, electricity grid, and refineries are increasing and a successful attack could cause economic chaos, say congressional investigators. Control systems are more vulnerable to hackers and terrorists today than they have been in the past, says the Government Accountability Office, who along with other security groups is working to close loopholes that might allow hackers to disrupt the U.S.'s energy infrastructure. Greg Wilshusen, the agency's director of information security issues, told the House Homeland Security subcommittee that power lines, nuclear plants, refineries, and power stations are more secure but admitted that there is "no overall strategy to coordinate the various activities across federal agencies and the private sector." Greg Garcia, assistant secretary for cybersecurity, recently spoke to legislators about efforts involving the Department of Homeland Security and other groups to raise standards and tighten security on crucial control systems. "The cyber-risk to these systems is increasing," says Rep. James Langevin (D-R.I.), chairman of the subcommittee on emerging threats, cybersecurity and science and technology. "If this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty."
Cyber Wars
Government Executive (10/01/07) Vol. 39, No. 17, P. 16; Brewin, Bob
Alleged attacks against Pentagon computer systems by Chinese hackers, and subsequent accusations by the Chinese of Western state-organized cyber intrusions, are symptoms of what SANS Institute director Alan Paller terms "cyber espionage," or probes to rate the security of networks. He says government policies "keep attacks so secret that top government executives do not know how bad the problem really is." Director of the Federation of American Scientists' Project on Government Secrecy Steven Aftergood reports that the cyberattacks, regardless of who orchestrated them, should function as a warning that there is a heavy price to be paid for shoddy computer security. Over the past year the Department of Defense has mounted an effort to develop offensive information warfare capabilities, and Strategic Command commander Marine Gen. James Cartwright informed the House Armed Services Committee in March that if "we apply the principle of warfare to the cyber domain, as we do to sea, air, and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests." The Air Force and Army began moving toward the acquisition of cyber warfare technology this year, but Center for Defense Information adviser Philip Coyle argues that countries should instead devise a code of "best behavior" for the Internet. "It wouldn't be any easier to negotiate such arms control than it has been where nuclear weapons are concerned," he notes. "But it may become necessary just the same."
GTISC Releases Emerging Cyber Threats Forecast
Georgia Institute of Technology (10/02/07)
The Georgia Tech Information Security Center has published the GTISC Emerging Cyber Threats Report for 2008, its annual forecasting report that describes the five key areas of security risk for enterprise and consumer Internet users. In 2008, cyber security threats are anticipated to grow and evolve in the areas of Web 2.0 and client-side attacks, such as social networking attacks and targeted messaging attacks, including malware proliferation through video-sharing online and instant messaging attacks. Botnets, particularly the expansion of botnet attacks into peer-to-peer and wireless networks, are another significant area of concern. Threats aimed at mobile convergence, including vishing, smishing, and voice spam, are anticipated to be substantial, as are threats targeting RFID systems. The primary driver behind all five major threat categories in 2008 continues to be financial gain. GTISC recommends improved synchronization among the security industry, the user community, application developers, Internet service providers, and carriers. GTISC director Mustaque Ahamad anticipates that enterprise and consumer technologies will continue to converge in 2008, making it even more essential to protect new Web 2.0-enabled applications and the IP-based platforms they increasingly depend upon.
Panelists Cite Threats to U.S. Computer Networks
CongressDaily (10/10/07) Kreisher, Otto
The United States' ability to protect its electronic networks from cyberattacks is hampered by "policy restraints" and a dearth of coordination, a panel of experts said Tuesday. "Cyberspace has become a really big deal," says Lt. Gen. Robert Elder, commander of the Air Force's Cyberspace, Global Strike and Network Operations command. "We do our banking, our commercial activities over the Internet." However, the country's interconnected electronic networks are under constant attack, analysts say. The military Web and computer networks are attacked thousands of times each year, reports military analyst Rebecca Grant. In June 2007, one such attack brought some of the Pentagon's unclassified computer systems to a halt and interrupted the Defense Secretary's office email system. The major denial-of-service attack that paralyzed Estonia's government and commercial communications for weeks further revealed the capacity of a cyberassault. Because the U.S. Air Force uses cyberspace to transmit satellite and aircraft data and convey global communications, the Air Force has designated cyberspace as one of its "warfighting domains." Elder plans to use Air National Guard staff to develop a force of "cyberwarriors" who can safeguard America's networks and, if needed, bring down an enemy's systems. Elder plans to establish a cyber security unit in every U.S. state within one year. In addition, Elder and other Air Force officials believe the country needs to adopt a comprehensive policy on cyberwarfare operations.
PCI and Other Breach Laws Under Assault
InfoWorld (10/05/07) Hines, Matt
The Payment Card Industry Data Security Standard was criticized by the National Retail Federation, which released a statement from CIO David Hogan noting that credit card companies typically require retailers to retain card numbers for prolonged periods to satisfy "card company retrieval requests." He said if merchants had the option to stop saving such information, they would reduce their own vulnerability to data breaches and guarantee better customer security. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them." Some experts say numerous card processors and retailers have a long way to go before they can technologically comply with PCI regulations. Meanwhile, California legislation that requires retailers who experience data breaches to refund any costs incurred by banks and card companies for re-issuing cards to affected customers is awaiting the governor's signature [California Gov. Arnold Schwarzenegger vetoed the legislation], and merchants are understandably upset. Capitol Hill lobbyists report that the interest in the various data measures currently in committee comes and goes, with one anonymous lobbyist remarking, "It's one of those things where a lot of these bills might get done this session, or maybe they won't get done at all."
Survey Finds Gap Between Perceived and Actual IT Security
National Journal's Technology Daily (10/01/07) Greenfield, Heather
Consumers frequently believe they have protected themselves against online security risks better than they actually have, reveals a new McAfee survey. Though 93 percent of those polled thought they had antivirus programs on their PCs, almost half had expired virus protection. Computer checks also showed that only 21 percent of survey respondents had protection against unsolicited commercial emails, though 61 percent believed they possessed such protection. Software to battle "phishing" scams was installed on only 12 percent of respondents' computers, though 27 percent thought they had such software. McAfee's Bari Abdul notes that consumer awareness of security risks has improved significantly, though consumers still have a long way to go in terms of understanding current risks and their own computers' levels of security. Experts say the issue is significant because poor security anywhere in cyberspace can endanger everyone. The private sector, which manages 80 percent of the country's key infrastructure, is not fully protected against cyber threats either, according to a survey of corporate leaders by Business Roundtable. Michael Witt of the U.S. Computer Emergency Readiness Team cautions executives that their companies are "highly likely" to be involved in some type of cybersecurity incident. Old equipment and limited security budgets are two problems that businesses need to overcome, says Witt. Cyber crime is on the rise and improved cybersecurity is "vital to national security, public safety, and economic prosperity," says Greg Garcia, chief of cybersecurity for the Homeland Security Department.
News Abstracts © Copyright 2007 INFORMATION, INC.