ApplyLogic has been awarded a prime contract with DHS to provide Security Engineering and Implementation Services. We are excited to continue our services and support to DHS.
GCN published an article on June 3, 2013 regarding the possible data breach of Customs and Border Protection (CBP) systems operated by third parties for clearances. The information used to obtain clearances is not only personally identifiable information (PII); it also retells ten or more years of an individual's history. So the potential compromise of this information is a serious issue.
The recent scandals regarding surveillance by the NSA and other government agencies add to the concern. This is more than a privacy issue; it is an issue of the capability to keep data secure. DHS is meant to provide the “cybersecurity” component of the government in conjunction with the DoD, but if DHS and the DoD have issues maintaining the security of their respective systems, what will the potential breach be with the new surveillance information? Granted, the phone call information from the various telecoms currently does not include the call content itself, but the associated metadata could expose even greater risk to individuals than is being expressed. Most phones record GPS and cell tower information with a call. Add the cell phone number and owner information, and it becomes possible to track the movement patterns of the individual in addition to the calls themselves.
While the potential privacy issues around surveillance have their place, the ability of the government to protect the data is equally important.
Dark Reading published an article on October 9 about the pending Executive Order on cyber security and what it will mean to an enterprise. As mentioned in a previous post, the executive order is the Obama administration’s response to the fact that Congress did not pass cybersecurity legislation, specifically the Cybersecurity Act of 2012.
Now while the Executive Order would be focused on national critical infrastructure, the article brings up some good points about what impacts and insights this could have on a business. The article noted that the Executive Order would not deal with one of the key points of the act, the sharing of information between government agencies. According to the article:
The issuance of an executive order would not address one of the key elements of the Cybersecurity Act of 2012 – information sharing between the private sector and government. According to former NSA Deputy Training Director Cedric Leighton, information-sharing has to span both sharing between the government and private sector as well as between entities in the private sector itself.
A key point about what businesses are looking for is stated in the article, more specifically three key items:
Rather than checklists, organizations are looking for three distinct things: the current state of a threat, what others are doing about security, and what are the guiding principles that should be considered when developing a security program and strategy, Granado argues. Protecting intellectual property means complicating the process of acquiring inappropriate access, detecting threats and neutralizing threats before they expand, he says.
As noted in the article, a purely defensive “knee-jerk” mentality is not enough; a proactive stance is needed to effectively secure the information assets of the business and in turn improve the overall risk posture. The idea that the minimum is sufficient does not hold; it will leave businesses perpetually behind the curve.
Do you ever get the feeling that at some point in the morning you should be hearing the Sonny and Cher tune “I Got You Babe” and that you are in Groundhog Day, reliving the same thing over and over again? Well, we are again…
We all probably remember the heated debate around the Cybersecurity Act of 2012. Whether a politician or a security practitioner, everyone had an opinion on one side or the other. Well, we will soon begin the debate again, but this time it will not be in response to a Congressional proposal, but rather an Executive Order (EO). On Friday a leaked draft of the EO was posted to the techdirt.com website.
According to the proposed draft, the EO is meant to revise the federal architecture for enhanced protection of the critical infrastructure and information sharing, or the “information exchange framework.” The EO also places the Department of Homeland Security (DHS) in an oversight role for making and implementing the changes. What is not completely understood is the full nature of what is considered “critical infrastructure” and how commercial businesses will react to another set of US regulatory impacts on their bottom line.
Many in the political scene and in the security industry have been vocal about the need for a defined framework that goes beyond, or improves on, the existing FISMA regulations adhered to by federal agencies. However, not as many would agree that DHS is the federal entity to oversee the implementation. There is even more of a divide when you start discussing how this framework should be applied to private industry.
A recent SC Magazine article quoted concerns from several Republicans about the current EO based on a letter written by John Brennan, the national security advisor to the president. According to the article:
A letter released on Friday written by John Brennan, national security adviser to the president, written to Sen. Jay Rockefeller, chairman of the Senate Commerce Committee, confirms that the White House is working on the order.
“Following congressional inaction, the president is determined to use existing executive branch authorities to protect our nation against cyber threats,” Brennan wrote.
In a recent sponsored Washington Post editorial, Senators John McCain (R-Ariz.), Kay Bailey Hutchinson (R-Texas), and Saxby Chambliss (R-Ga.) blasted the idea of an executive order.
“Unilateral action in the form of government mandates on the private sector creates an adversarial relationship instead of a cooperative one,” the senators wrote.
It will be interesting to see the impact this has with regard to the impending elections and how the security community at large views this potential mandate. This will definitely (re)develop in the coming weeks…and remember, “it's going to be a cold one out there…”