Data Breach Notifications: Too Little, Too Late

Equifax, the SEC, Deloitte. They aren’t the first, and they won’t be the last.  As the number of major data breaches continues to grow, so does the debate around whether the federal government needs to step up and regulate data breach notifications.

An article earlier this week in the Wall Street Journal summarizes the arguments for federal action.  There’s a patchwork of data breach notification laws from the states right now, but they clearly don’t get the job done. Equifax sat on the information for months before revealing it to the public.

The title of that article was, “After Equifax, Should the Government Force Companies to Report Hacks?”  The answer is easy.  Of course they should.  And I hope Congress finally drafts legislation that would implement a clear, comprehensive policy for the whole nation.

But while that debate continues as we wait (and wait, and wait) for Congress to do something, we can’t take our eye off the ball. Data breach notification requirements do not solve the problem. People have a right to know that their data was compromised, and they should receive that information in a timely manner.  But adding this law won’t increase cyber security in any way.  All it does is stop the bleeding after the fact. Wouldn’t it be better to not get cut in the first place?

Companies need to practice better cyber security across the board.  We should be focusing on how to prevent data breaches in the first place rather than what to do after they occur.  Some breaches may be inevitable.  But I don’t think we need 2 or 3 major ones being revealed every week.

Lawmakers need to evaluate the tools at their disposal and listen to those who know the field best.  The only way for everyone to benefit is by promoting better cyber hygiene to prevent attacks and breaches.  Letting us know after the fact doesn’t help anyone.

Cyber Round Up: Congress isn’t prepared for cyber attack; Chertoff likens cyber to immune system; Deloitte says very few affected

  • We’re under constant threat of cyberattack, and Congress isn’t prepared to do anything about it (Washington Post):  Brianna Wu, a software engineer by trade and now a Democratic candidate for Congress in Massachusetts, wrote a piece for the Washington Post about Congress’s lack of preparation for a cyber attack. The article points out that Congress has failed to act in the wake of several different attacks and that members of the pertinent Congressional committees are not qualified to address these issues. While clearly politically motivated, Wu criticizes both political parties and is correct that most Congressmen and women do not have the technical background that she does.  She makes a strong push for civil liability that will force companies to engage in good cyber security practices. The full article can be read here.
  • Ex-Homeland Security Chief: Good cyber security is like an immune system (Yahoo):  The former Secretary of Homeland Security Michael Chertoff recently spoke on cyber issues in an interview with Yahoo.  In his comments, Chertoff compared cyber security to the human body, saying that “The human body doesn’t keep all bacteria and viruses out, but it also has an immune system and that’s what companies should have.” He also urged layered defenses and managed expectations.  Chertoff also advised that companies should not pay ransoms for data, as it only encourages hackers to repeat their behavior.  The full video can be seen here.
  • Investor group seeks probe into SEC hack, urges data rules delay (Reuters): Deloitte was the latest company to disclose a data breach.  A report from Reuters earlier today, however, includes comments from the company that claim ‘very few’ clients were affected.  The attack was discovered in March and could have started as early as October 2016, the article said.  The full report can be read here.

Cross-Border Data Access Primer from Harvard’s Berkman Klein Center

One of the biggest challenges with the rapid development of technology has been figuring out how to share data across jurisdictions, particularly internationally.  Many feel that the existing U.S. system of Mutual Legal Assistance Treaties (MLATs) is outdated and needs to be revamped.  The Berkman Klein Center for Internet & Society at Harvard University recently published a primer on this topic.  The full report is included in this post and can be found here.

SSRN-id3035563

SEC Statement on Cybersecurity

A few days late, but in case you missed it, the full statement from SEC Chairman Jay Clayton on the agency’s approach to cybersecurity is included below.  The statement can also be read here.

SEC statement

Distrustful U.S. allies force spy agency to back down in encryption fight

A report today from Reuters tells the story of how the NSA’s efforts to lead the way for international encryption standards were shut down by several other members of the international community.  The story explains how several other nations were distrustful of the standards proposed to the International Organization of Standards by the U.S. because of information Edward Snowden provided indicating that the U.S. was hoping to establish standards with back doors for its own use.  The report highlights how the U.S. has behaved suspiciously in this realm before.  The full report can be read here.

My kneejerk reaction was that this was just another story highlighting how the Snowden leaks are still hurting the U.S. several years later. But after considering the narrative a little more, I realized that Snowden doesn’t matter for this scenario. Nation-states are always going to be skeptical of each other when this type of technology is on the line.  The U.S. certainly isn’t the only nation that would want to give itself an advantage when it comes to access to protected information.  If, for example, China proposed encryption techniques, the U.S. would be just as skeptical, even without a Snowden-type leak to use as support for its thinking.

A tiger can’t change its stripes. International actors will never change their behavior and decide to put blind faith in other nations.  Even if there were a new, strong standard that was developed and agreed upon, any one actor that found a vulnerability would keep that information to itself.  As the article points out, the result of this is lower encryption standards.  These lower standards don’t really help anyone, but don’t expect that to change anytime soon.

Cyber Round Up: A Manhattan Project for Cybersecurity, EU Scales Up Cyber-Attack Responses, Senate Defense Bill Calls for Blockchain Cybersecurity Study

  • Time for the US to Develop a Manhattan Project in Cybersecurity (The Hill): Opinion contributor Greg Clark poses the question, “If cybersecurity is one of the greatest challenges facing our nation today (and few would question that it is), why are we helping our adversary defeat billions of dollars in cyber defenses?” Clark discusses how the Freedom of Information Act allows anyone to ask the government what it’s purchasing, and proposes tactics for making cyber-defenses unknown to adversaries. Some suggestions Clark voices include next-generation security tools, and to cease purchasing “commercial-off-the-shelf” security tools. Read the full article here.
  • Cybersecurity: Commission Scales Up EU’s Response to Cyber-Attacks (European Commission): European Union President Jean-Claude Juncker’s State of the Union Address on Sept. 13, 2017, called for better equipping Europe for cyber-attacks. This included proposing an EU Cybersecurity Agency to assist EU Member States in combating cyber-attacks. This press release from the European Commission explains how the EU is building resilience, stepping up its cybersecurity capacity, and creating a criminal law response focused on detecting, tracing, and prosecuting cyber criminals.
  • $700 Billion Senate Defense Bill Calls for Blockchain Cybersecurity Study (CoinDesk): The Senate recently passed a bill that massively increases military spending. Included in the bill is a mandate for the Department of Defense to conduct a blockchain study. While the House of Representatives still needs to approve the bill, Ohio Senator Rob Portman included the amendment requiring the blockchain study. If the bill is passed into law, the study would follow six months later. Read the full article here.

Cyber Round Up: A Better Way to Teach Cybersecurity; Take Cybersecurity Away from Spies; EU-US Privacy Shield Review

  • A Better Way to Teach Cybersecurity to Workers (WSJ): Companies have found out that punishing employees for poor cyber hygiene is not effective, according to a recent report in the Wall Street Journal.  The general consensus is that most people dread cyber security training.  Instead, companies are making progress when switching out the stick for the carrot, the article says.  Research has shown that companies using games, competitions, and the like have had better results when it comes to employees’ cyber habits.  The full article can be read here.
  • Take cybersecurity away from spies…for everyone’s sake (Wired): Commentary in an article last week addressed the inherent flaws and conflicts of interest when intelligence agencies are the ones who find cyber vulnerabilities.  The post highlights statistics about the British signals intelligence agency, but also mentions the NSA.  For example, according to the post, the core exploit in the WannaCry attack was engineered by the NSA. Instead of informing Microsoft of the vulnerability, the intelligence agency chose to hold on to the information for its own use.  The article discusses how these competing interests hinder cyber security.  The full post can be read here.
  • EU-U.S. data pact faces first major test of credibility (Reuters): The EU-U.S. Privacy Shield data pact is set to be reviewed this week after its first year in place, a report over the weekend said.  The deal was meant to provide greater privacy protections for Europeans whose data ends up on U.S. servers.  The big question, according to the article, is whether the U.S. is holding up its end of the deal.  While the deal was viewed as an improvement for privacy in some respects, it has also been challenged as not going far enough, the author reports.  The full post can be read here.

Lessons Learned from Equifax

In the wake of the Equifax data breach and the litany of issues regarding potential insider stock sales, insecure database applications, and finger-pointing between Apache and Equifax, there are some valuable lessons we should all take heed of.

  1. Trust no one, and no entity: I hate to sound overly dire, but even the old “trust, but verify” adage is insufficient in the world of cyber.  One should assume that their information is insecure, that it has been breached, and mitigation then becomes the name of the game;
  2. Data, both in-flight and at-rest, should be encrypted.  Seriously, who puts data on an accessible server and then leaves the data unencrypted?  While, given enough time and resources, encryption can (generally) be broken, companies should at least try to appear as though they are interested in making hackers earn their keep;
  3. Humans continue to be one of the weakest links in any cybersecurity chain. Take a look at the Argentinian Equifax web portal connected to an RDBMS accessed using admin/admin credentials.  Seriously?
  4. With respect to point #3, above: companies really need to embrace the fact that IT and IS are equal, yet separate disciplines.  While one is focused on availability and uptime, the other is (should be) focused on protecting data and ensuring that proper access controls are implemented and continuously monitored;
  5. In the infantry the common mantra is “embrace the suck”.  In cyber, the mantra should be “embrace the SOC.”  Build one in-house, or use an outsourced Security Operations Center, but please, please allocate the necessary resources to identify, assess, secure, and monitor your data and information flows.

For our continuing Equifax breach coverage, please check here.

Cyber Round Up: Cybersecurity Market Projected to Reach New Highs; Law Firms Lacking Cybersecurity; The Equifax Hack’s Wide Reach

  • Growing Cybersecurity Threat Projected to Push Cybersecurity Market to New Highs (Business Insider): The cybersecurity market size is expected to reach $231.94 billion by 2022, an approximate 160% increase from its current size of $137.85 billion, according to a recent Business Insider article. The article summarizes a Markets and Markets research report, indicating security types most in focus. It also delves into recent cybersecurity advancements for companies such as FireEye Inc. and Symantec Corporation. The full article can be read here.
  • What You Need to Know About Law Firm Cybersecurity (Above the Law): Law firms often advise clients on cybersecurity, but many don’t practice what they preach, leaving gaps in the firms’ own cybersecurity. A recent article looked at an ALM Legal Intelligence study which found, “22% of law firms did not have an organized plan in place to prepare for or respond to a data breach,” and “only 50% of law firms included in the study [had] cyber security teams in place” in the event of a data breach. The full piece can be found here.
  • Equifax Hack Likely Impacted All US Adults, Cybersecurity Expert Warns (Fox Business): The Equifax hack has left 143 million customers at risk of having their information stolen. However, Hiep Dang, director of Product Management at Cylance, told Fox Business, “conservatively, maybe 75% [of us were affected], aggressively, probably all of us.” The article explains what makes this breach “particularly damaging.”
    You can also follow Crossroad’s Equifax hack coverage here.

Cyber Round Up: Extortion is Hackers’ Latest Weapon; Kaspersky Making Changes in U.S.?; North Korea and Bitcoin

  • Hackers’ Latest Weapon: Cyber Extortion (WSJ):  Nefarious actors in cyber space have another tool in their toolbox. Hackers are not just stealing information or holding it ransom, an article in the Wall Street Journal says, but are now digging for sensitive information that could be used to extort companies and their executives.  The article explains that exposing intellectual property or embarrassing emails can be much more damaging than other forms of attacks.  Victims of extortion from hackers include HBO, Netflix, medical clinics, casinos, and energy companies. The full article can be read here.
  • Under scrutiny, Kaspersky Lab considers changes to U.S. subsidiary (Reuters):  The Russian company is considering making changes to its subsidiary in the United States after repeated allegations that it is subject to the influence of the Russian government.  A bill that the Senate is scheduled to vote on this week includes language that would ban U.S. government agencies from using Kaspersky software, the article said.  Conflicting reports have emerged as to whether the company will be expanding in North America or completely shutting down, the article points out.  The full report can be read here.
  • North Korea is trying to amass a bitcoin war chest (CNN):  North Korea is attempting to circumvent recently imposed sanctions by building up its stock of cryptocurrencies, recent reports suggest.   A CNN report quotes one FireEye officer who explains that “Attacks on cryptocurrency exchanges can be a great vehicle to obtain what is ultimately hard currency.”  FireEye, according to the article, has linked several attacks on cryptocurrency exchanges to North Korean hackers in the months since the U.S. announced it would be taking a stronger stance against the nation. The full article can be read here.

Authors

Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Shelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. Full biography

Christopher W. Folk

Christopher W. Folk is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. in Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillo is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. Camillo

Jennifer A. Camillo is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara J. Pistorese holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin Zaiser is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography