November 4, 2012 By Dan Lohrmann
We currently have several important security stories and not much public attention.
As America prepares to vote in a pivotal presidential election on Tuesday, there have been several significant security stories recently. However, they are receiving minimal national attention. Between the coverage of Tropical Storm Sandy, pre-election rallies and the latest unemployment rate coverage, almost all security news has taken a back seat – unless you are talking about the September 11, 2012, Benghazi attack.
South Carolina Data Breach Reactions
Nevertheless, state and local government leaders have been quietly been scurrying around after South Carolina recently revealed the vast scope of their security breach.
From my perspective on the S.C. breach, I have never seen such a wide number of questions and urgent security checks from the business side of the house in many states. Tax officials across state and local governments nationwide seem worried as never before. Everyone is asking some variation of the questions: “Could this happen to us? Has it happened to us?”
For those who have not heard about or followed this story, more data came out mid-week with the announcement that businesses were affected:
“As many as 657,000 S.C. businesses had their tax information stolen in the massive security breach at the state Department of Revenue that also claimed the records of up to 3.6 million people, Gov. Nikki Haley said Wednesday….
The discovery came after a two-hour Senate Finance Committee hearing, where Revenue Department director James Etter pointedly was asked whether business records also had been taken by the hackers. State officials still are learning more about the data theft, which is affecting four times as many people as all previous breaches combined in the state over the past seven years.”
State governments across the U.S. reacted in a variety of ways following the announcement of what one paper called: “The mother of all security breaches,” and “The largest breach against a state tax agency in the nation.”
But while there were plenty of articles, phone calls and online discussions about what exactly happened and who is (or isn’t) to blame, the exact breach details are still not clear to those outside the sensitive Secret Service investigation in South Carolina. I am confident that we will be hearing much more on this story in the weeks and months to come.
What is clear to me is that this is a big wake-up call for government officials – even more so than after the Utah data breach earlier this year. More and more, government executives are realizing that we face serious global cyberdefense challenges that affect governments at all levels. As I said in April, there are dark clouds over technology, and we are all vulnerable and being targeted. Action cannot wait. I’ll be back with more on this story in a few weeks.
Is An Executive Order on Cybersecurity Still Coming?
There continues to be a strong chance that an executive order is coming on cybersecurity is coming soon – perhaps in the upcoming lame duck session of Congress.
“[Homeland Security Secretary Janet Napolitano] said that "when" President Obama is reelected, "I think he will have to consider an executive order that covers many of the areas that legislation would cover."
But a Heritage Foundation blog thinks this is still a bad idea as they pronounced that the more regulation is coming.
“This draft executive order is similar to the failed Cybersecurity Act of 2012 in that it proposes additional regulations as a solution to the U.S.’s cybersecurity woes. A regulatory executive order for cybersecurity is flawed and insufficient, and it ignores the deliberative process of Congress, which has thus far rejected a regulatory approach.”
A similar view is shared by some of my friends over at CIO Magazine.
Still, the Chicago Tribune reported that the Senate likely to revisit cyber bill when Congress returns.
As I hinted back in March while discussing cybersecurity legislation, my guess is that some type of executive order or legislation on cybersecurity may still come in November or December after the election. I continue to hope that a bipartisan compromise can be reached.
A Treaty on Cyber?
Meanwhile, Thehill reports that the United Nations (UN) wants cybersecurity mandates to be in a new telecommunications treaty. Many countries are:
“Pushing to include cybersecurity proposals in the treaty that could lead to online censorship or put one regulatory body in charge of cybersecurity mandates….
The U.S. submitted a baseline set of proposals for the telecom treaty in August. The latest tranche of proposals it's sending to the U.N.'s International Telecommunications Union are more concrete positions that are in response to proposals discussed by other countries and trade groups.
The treaty will be reviewed for the first time since 1988 at the World Conference on International Telecommunications (WCIT) in Dubai this December....”
I find the timing of this and a variety of other cybersecurity topics to be interesting, in that new proposals are being sent the day after the election. This may just be a coincidence, but one thing is clear: whether for political reasons or more likely because other topics have a higher priority during the election season, quite a few cybersecurity issues are lining up for the November/ December 2012 timeframe.
Tropical Storm Sandy Scams
One more story to point out in this security news roundup. As can now be expected after almost every major global news event, and especially with natural disasters, there are many Tropical Storm Sandy scams being revealed.
“State attorneys general, business and consumer groups and the Justice Department are among those cautioning consumers to be wary as requests for donations start arriving via email, text message, telephone and Twitter.
‘’Fraud is an unfortunate reality in post-disaster environments,’ said Joe Wehrle, president of the National Insurance Crime Bureau, a nonprofit group which deals with vehicle sales and repairs fraud. ‘As the initial recovery from Hurricane Sandy begins, there are people right now who are planning to converge on the affected areas in order to scam disaster victims out of their money.’”
USA Today reported: Beware: Time is ripe for Hurricane Sandy scams
“A decade ago fraudsters had to rely on phone calls to deliver their high-pressure sales pitches. Then they were able to use e-mail. Now social media adds an entirely new weapon to their arsenal.”
What’s my advice as we head past election day and into the holiday season? No matter who wins the election on Tuesday, watch out for post-election scams to match or exceed the Tropical Storm Sandy scams - beginning this Weds morning. The bad guys will do anything to "tempt the click."
Also, stay informed on the security threats in your corner of cyberspace. We need to be ready – because these hot security stories won’t go away even after the election and the Tropical Storm Sandy cleanup move off of the front pages.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.