Friday, May 20, 2011
Cyber security was on the minds of Washington politicians long before the massive theft of personal information from 100 million Sony PlayStation Network customers occurred in April 2011. Two years ago the Obama Administration released its Cyberspace Policy Review, which emphasized concerns about the security of government information and the cyber infrastructure. Additionally, over 50 cyber security related bills were introduced in Congress last year.
New efforts to police cyber space continue. A White House Fact Sheet released May 12, 2011, declared that the United States "cannot fully defend against these threats unless certain parts of cyber security law are updated."
The Cyber Security Legislative Proposal, outlined in the fact sheet, calls for putting the Department of Homeland Security in charge of cyber crime oversight and enforcement of security standards.
Two legislators were quick to respond to the proposal. Sen. John D. Rockefeller, D-W.Va., Chair of the Senate Committee on Commerce, Science, and Transportation, likes the plan, as it incorporates many elements of a bill he introduced in 2010. Sen. Olympia Snowe, R-Maine, scolded the White House for not providing input sooner, but agrees with the administration's stance and calls for swift passage of cyber security legislation.
Alan Paller, Director of Research at the System Administration, Networking and Security Institute, believes the administration's proposal aligns with current legislation. "This gets the administration speaking to Congress using the same terms," he said. The two branches of Congress are divided on the direction cyber security legislation should take, but a bipartisan effort is underway, he added.
Paller agrees that the DHS should govern security of the entire infrastructure using a framework that has proven successful in curtailing fraud. "Several federal agencies have pilot programs where they've gone ahead and implemented much more effective security," he said. "They have had a 90 to 95 percent reduction in vulnerability in less than a year. We now have a model. We have new benchmarks we haven't had before. This proposal will bring the rest of the agencies up to the benchmark."
However, Paul Martaus, President of payments consultancy Martaus & Associates, expects the White House proposal to never gain traction in Congress. "From a technological viewpoint, the DHS is the right place for cyber crime monitoring," he said. "The problem is we live in an incredibly bipolar world. A lot of people will say this proposal by the Obama administration overreaches. They will be against the proposal more for political reasons than for policy reasons."
Martaus said the proposal would work in much the same way the Financial Services Information Sharing and Analysis Center, the operational wing of the Financial Services Sector Coordinating Council, already operates.
The FS-ISAC is a member-funded, nonprofit organization working with government and law enforcement to fight cyber crime. The FS-ISAC has more than 4,100 member organizations, including banks, trade associations, insurance companies and payment processors. The FS-ISAC reporting model allows member companies to anonymously submit threat, vulnerability and incident information so law enforcement and the financial services industry are simultaneously made aware of new cyber threats and breaches.
"What this legislation proposes to do, correctly by the way, is take the FS-ISAC structure and do it all across the infrastructure," Martaus said. "These proposals tend to codify and allow on a national scale the exact thing FS-ISAC does for the service industry."
Tim Cranny, Chief Executive Officer of Panoptic Security, said the White House proposal is "significant as a sign of the times. Unless this industry is actually doing something about these problems, it will get pushed out of the driver's seat by the government."
Cranny likes the White House proposal because it would bring national uniformity to breach reporting requirements that currently vary from state to state. "The state laws have 20 to 30 minor variations on a theme," he said. "It's like herding cats."
A debate has arisen over whether the White House proposal should do more than lay out the consequences of a data theft. Some believe the legislation should prescribe remedies. The problem with stipulating security solutions is that technology often changes too quickly for legislation to keep pace. Any legislation that attempts to mandate security procedures could be obsolete by the time it is signed into law.
While the legislative proposals don't address how to protect data, they at least lay out the consequences for not properly protecting it, according to Cranny. On the other hand, the Payment Card Industry Data Security Standard is the industry benchmark on how to protect data.
"PCI is now prescriptive and constructive," Cranny said. "One of the big questions looming out there is will the industry continue to take this approach, or will the feds be prescriptive? I don't think the feds understand the industry well enough to be prescriptive."
The FS-ISAC position is that more government interference in the industry is not desirable. "We don't need more government regulation or another set of regulators in financial institutions," FS-ISAC's Chief Executive Officer William Nelson told The Green Sheet. "A lot of good private sector companies do that. We have a good model we are sharing."
Nelson called Congress' response to the Sony breach a typical knee-jerk reaction to try to fix the problem. "Clearly, cyber security is a problem, but pure economics can solve it," he said. "If the market doesn't address cyber security in an adequate way, then the government will regulate. We have enough market forces in play to make the changes needed. There is no need for more regulation."
Nelson noted that FS-ISAC's information sharing forums have been successful in thwarting fraud attempts. FS-ISAC members use forums to share different aspects of attacks, new malware alerts, and news of new viruses infecting their systems. Users log on to the forum to add information as many as "four, five or 10 times a day," Nelson said, which has resulted in the prevention of attacks.
The security threats the industry faces are formidable. Nicholas Percoco, Senior Vice President and head of Trustwave's Spiderlabs, said cyber crime is a growth industry.
"The organized crime groups are at the top of the list," he said. "They are well funded. In the cyber crime business you go after targets anywhere money exists. They are setting their sights now on the bigger payment processors. It's a very delicate situation. The so-called 'hacktivists' are next on the list. They attack to express various political opinions, like information openness. They can shut down a website."
But these groups aren't alone. There are also spies out there.
"We're seeing a lot of malware that is a memory dump," he explained. "These are increasingly more advanced and sophisticated attacks. These new programs monitor memory on a system. When the program finds confidential information or data that is interesting, the information is siphoned off. This is not a traditional malware system. It is hard to find. It just continues streaming information out of the environment."
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.