BreachExchange mailing list archives

Is It Time to Appoint a Data Security Czar?

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Sep 2015 19:51:57 -0600

http://www.newsweek.com/it-time-appoint-data-security-czar-368252

The increasingly alarming news about government-held data security breaches
should cause Americans to seriously question whether the U.S. government at
all levels is doing everything it could—and should—to protect the data it
collects.

In May, we learned that cybercriminals had stolen approximately 100,000
records of taxpayer information from the IRS; as of August, the number of
records stolen had risen to over 300,000.

In June, it was disclosed that malicious hackers (likely state-sponsored)
had carried off over 4 million pieces of data like Social Security numbers
from systems maintained by the Office of Personnel Management (OPM).

In July, it was revealed that more than 21 million records had actually
been stolen from OPM, and that the stolen data provided access to highly
sensitive and personal data on federal employees and individuals who have
applied for or maintained security clearances over the last decade.

Much of the discussion surrounding these crimes has centered on who the
perpetrators could be, why and how they did it, who has been victimized,
and whether and how the government will pay for identity-theft protection
coverage.

There has also been speculation about what the perpetrators could do with
such sensitive data. The release of Social Security numbers and other
personal information is highly distressing to victims because the stolen
information could lead to identity theft, medical and tax fraud and other
serious financial harm perpetrated by cybercriminals. Just as worrisome is
the possibility of blackmail, advanced social-engineering attacks, and more
sophisticated intelligence targeting and espionage by state-sponsored
actors.

Also important is the conversation about whether the government could and
should have done more to prevent such events in the first place, what level
of accountability the government should be held to and who should be held
responsible.

The federal government’s public response to the government breaches mirrors
the response typical of other hacks: notifying the public (when required,
since only 47 states and Washington, D.C., have data breach notification
laws, and there is no federal notification law); providing free credit
monitoring; promising to revamp its security posture and give a good, hard
look at the current state of things; and firing or publicly reprimanding a
top official (whether or not the person is responsible).

The type of information stolen from OPM goes beyond traditional personal
information such as name, date of birth and Social Security number. Data
taken from OPM includes information on the citizenship of relatives and
housemates, foreign contacts and financial interests, foreign travel,
psychological and emotional health, illegal drug use and previous addresses.

Some argue that this warrants remediation measures much more aggressive
than the two years of free identity-theft protection coverage being offered
to victims, and a stronger examination of how these breaches were allowed
to occur in the first place.

The information security risks on government systems are similar to those
in the corporate world: Absence of a mature vulnerability scanning program,
inadequate system monitoring and no multifactor authentication. For systems
that hold such sensitive data, the lack of these relatively basic security
solutions is concerning.

Americans should continue to raise their voices and ask why this sensitive
information was kept on a server connected to the Internet in an insecure
fashion, without encryption, and with poor authentication and access
control; who approved this approach and how such decisions are made; what
data protection options have been considered and how those will change in
light of recent breaches.

More generally, Americans should be asking whether government
data-protection protocols are up to the challenge. Many government agencies
collect and maintain information about U.S. citizens, and it is reasonable
to expect that this information should be treated with the utmost care.
When dealing with public sector entities, consumers often have little
choice but to comply with requirements and use their online systems.

The increased disclosure of data breaches suggests that such intrusions are
becoming the norm, and that defensive software cannot win this arms race.
Government officials will not be able to claim they are doing everything
they can to protect personal data if they continue to put it on
Internet-accessible computers. (The OPM admits it wasn’t doing everything
it could because of concerns about the costs of upgrading systems.)

The public trusts the government to take care of some of its most personal
and sensitive data. As such, should the government simply be held to the
same laws and regulations about the security of sensitive data that it
requires of private sector organizations that hold sensitive data? Or
should the public demand more?

Perhaps it’s time to appoint a data security czar who can establish
guidelines and oversee how government agencies manage sensitive data. Or
perhaps all citizens, companies and government officials should place
greater importance on security, no matter the cost or inconvenience—real or
perceived.

This may mean spending more resources on hiring talent, paying for more
tools, taking the time to immediately upgrade systems when patches are
released or promoting secure coding and product development.

Cybersecurity needs to become more of a priority for the government and
private corporations. Whatever the solution, public and private officials
need to do a better job of weighing the risk-benefit calculation of storing
data on Internet-accessible computers and justifying data-handling
protocols. Otherwise, continued breaches of databases containing sensitive
personal information could very well lead to more strident public demands
for a change in the status quo.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss