Uncle Sam Prefers to Receive Than to Give Security Information
Dec 27, 2012 5:00 AM PT
The White House last week released its National Strategy for Information Sharing and Safeguarding without much fanfare. The document attempts to address a common complaint lodged against government when it comes to information sharing with the private sector: Uncle Sam likes to receive, but isn't so keen on giving.
"This National Strategy for Information Sharing and Safeguarding (Strategy) aims to strike the proper balance between sharing information with those who need it to keep our country safe and safeguarding it from those who would do us harm," President Barack Obama wrote in an introduction to the policy.
"While these two priorities -- sharing and safeguarding -- are often seen as mutually exclusive, in reality they are mutually reinforcing," he continued. "This strategy, therefore, emphasizes how strengthening the protection of classified and sensitive information can help to build confidence and trust so that such information can be shared with authorized users."
Start Making Sense
The policy makes sense, according to John C. A. Bambenek, a handler with the SANS Internet Storm Center.
"Everyone realizes that when it comes to cyberthreats, we all need more information and the ability to act on that information," Bambenek told TechNewsWorld. "We all agree that it has to be done. It's just not happening."
The reason it's not happening is because the private sector believes sharing information with Uncle Sam is a one-way street.
"The government is happy to take whatever you give them, but it's hard for them to return anything of value," Bambenek said.
Security experts have seen these kinds of initiatives from government before, so some of them are taking this latest one with a grain of salt.
"This is a befuddling document wrapped in soft language with strong consequences," Richard Stiennon, chief research analyst for IT-Harvest, told TechNewsWorld.
One of the more interesting aspects of the policy is its treatment of information as a "national asset," he noted. "If that is the case, then individual property rights come into play quickly."
"While the document pays its respects to privacy and civil liberties, it only assures us of the government's good intentions, not any counterbalancing controls that could protect those rights," he added.
Writers of malicious software have been known to customize their wares for their clients, but in recent times, the practice has been taken to the extreme, according to AlienVault Labs manager Jaime Blasco.
Pernicious programs are being tailored for individual companies. "If a program is used against one company, it makes it very difficult to detect," he told TechNewsWorld.
Although a sinister software program may be aimed at an individual company, he continued, the payloads delivered by such programs have common characteristics.
"They deliver remote access tools," he said. "They give the attackers command of your system. It can include stealing documents, getting your passwords, capturing your keystrokes and turning on your webcam to spy on you."
Verizon Releases Threat Forecast
What will be the major threat trends in the coming year? Many security experts are seeing compromises of the cloud and runaway mobile malware in their crystal balls, but not Verizon.
At the top of Big V's list are attacks and failures related to authentication. Nine out of 10 intrusions involve compromised identities or authentication systems, Verizon says. If a company wants to avoid data breaches, it would be wise to make sure it has a sound process for creating, managing and monitoring the accounts and credentials of its users.
Next on its threat list are Web application exploits, although those are more likely to affect larger organizations, especially governments. The chances of a Web app attack being launched on an enterprise are 75 percent. Outfits that gamble with their security by ignoring secure application development and assessment practices will be asking for trouble in 2013, Verizon predicted.
Corporations will also be a prime target of another cyberbandit forte: social engineering. Social tactics, like phishing, increase threefold for larger organizations, Verizon noted. While it's impossible to eliminate all human error, it acknowledged, vigilance and education can help blunt the effectiveness of such schemes.
- Dec. 18: NASA Inspector General estimates data breach in October that compromised personal information of some 10,000 employees could cost U.S. taxpayers almost US$960,000.
- Dec. 18: Information Week reports that the European Union's executive committee has begun circulating to members a draft proposal of rules that would require European businesses that provide critical infrastructure services, including banks, stock exchanges, telecommunications firms and utilities, to disclose to authorities any data breaches they suffer.
- Dec. 18: U.S. House and Senate conference committee report on the National Defense Authorization Act for 2013 includes provisions requiring defense contractors to report data breaches to the Pentagon.
- Dec. 20: Verizon RISK (Research Intelligence Solutions Knowledge) team releases threat predictions for 2013.
Upcoming Security Events
- Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
- Feb. 24-25: BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
- Feb. 25-Mar. 1: RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: Jan. 25 and before, $1,895. After Jan. 25, $2,295.