Cybersecurity – Law Street (https://legacy.lawstreetmedia.com), Wed, 13 Nov 2019 21:46:22 +0000
Law and Policy for Our Generation

Unraveling the Dark Web
https://legacy.lawstreetmedia.com/issues/technology/unraveling-dark-web/
Mon, 24 Jul 2017 12:54:58 +0000

It's not all drug deals and pornography.

The post Unraveling the Dark Web appeared first on Law Street.

"Hacking" Courtesy of Johan Viirok : License (CC BY 2.0)

In early July, users of AlphaBay, one of the largest darknet marketplaces, panicked when their go-to supplier of illegal drugs, weapons, and other illicit items unexpectedly vanished from the internet. As is often the case when darknet marketplaces go down, many were wary that the moderators may have purposefully closed the site and made off with shoppers’ money. Though AlphaBay’s moderators quickly took to Reddit to assure users that they were working to restore the site, the internet panic left many wondering more about the mysterious “dark web” and its contents. What is this hidden side of the internet really about? And can any good be found in the dark? Read on to find out.


Deep Web vs. Dark Web

When you go online to browse social media, read the news, or look up directions, you’re using what’s called the “surface web.” While most of us stick to the surface web for our daily use, the truth is that it’s just a sliver of what’s available on the internet.

The deep web, which experts estimate makes up about 90 percent of the internet’s content, is comprised of all the web pages that aren’t accessible through public search engines. Library search engines, government databases, and your personal email account are all examples of pages on the deep web.

Many internet users confuse the deep web with the dark web, but the dark web is actually a tiny subsection of the deep web. It is comprised of all the hidden content existing on darknets, or encrypted networks that require use of specific software or tools to access. Darknets are specially designed to provide anonymity to users, making user presence on the dark web undetectable.

The dark web is best known to the public as a safe haven for salacious and criminal enterprises–the drug and weapons trades, child pornography, and the sale of stolen personal information, like bank accounts. But there are individuals on the dark web with nobler intentions, like whistleblowing. Wikileaks, for example, is a notorious dark web site that allows whistleblowers to anonymously upload classified information to the site. Civilians may also use darknet software to access social media in countries where sites like Facebook and Twitter are banned, or to spread news in times of censorship and political unrest.


How to Use the Dark Web

The most common way to access the dark web is with free software called Tor, originally short for “The Onion Router,” which allows users to anonymize their web pages and their presence on the internet.

Tor was originally created by U.S. Naval Research Laboratory employees in the mid-1990s, and receives 60 percent of its funding from the U.S. government. It hides users’ IP addresses (the unique code that attaches your internet activity to your computer) by sending traffic from their computer and server to other, random points, “like anonymous bagmen trading briefcases in a parking garage,” according to Wired.

Users of Tor can access the surface web as normal, but can also browse websites that run Tor themselves–that’s where the hidden side of the internet exists. Tor websites don’t have a normal URL like Facebook.com, but instead consist of a jumble of seemingly random letters followed by “.onion,” like wlupld3ptjvsgwqw.onion for Wikileaks. This means that to access a Tor website, you most often need to know the exact web address.

Tor is working on developing its anonymity capabilities even further, Wired reported in January. Tor Project co-founder Nick Mathewson told the tech magazine that software released later this year will allow users to keep their sites completely secret, even from other Tor users.

“Someone can create a hidden service just for you that only you would know about, and the presence of that particular hidden service would be non-discoverable,” Mathewson told Wired. “As a building block, that would provide a much stronger basis for relatively secure and private systems than we’ve had before.”


Who Uses the Dark Web?

Criminals

The anonymous sale and exchange of illegal substances is responsible for most of the dark web’s notoriety. One of the most famous darknet marketplaces is the Silk Road, which was shut down in 2013, only to re-appear in various iterations. Most sites use bitcoin, rather than PayPal or credit cards, for transactions, since the e-currency allows customers to maintain their anonymity.

In June, Interpol launched a digital forensics course for wildlife crime investigators, to crack down on use of the dark web for the illegal trade of ivory and exotic animals.

Hackers have also been known to sell personal information, like login details for bank accounts or email accounts. In March 2015, thousands of active Uber account usernames and passwords were being sold for as little as $1-$5 on darknet marketplaces AlphaBay and ThinkingForward.

Dozens of hitmen are also available for hire on the dark web, but many sites, like BesaMafia, have been proven to be scams, or set up by law enforcement to catch people plotting murder.

“Normal” People

If you are unfamiliar with the dark web, you may be surprised to learn that many of its users are “Average Joes” (i.e., not internet-based arms dealers) who are interested in maintaining their internet privacy for less malicious reasons.

Politicians conducting secret deals, internet stalking victims wishing to keep their location private, and law enforcement officials investigating crimes are a large portion of the dark web’s user population. In a 2016 post on TurboFuture, blogger Dean Walsh noted the absurdity of these various populations interacting with terrorists, cybercriminals, and hackers.

“The fact that so many of the dark web’s users are enemies also leads to a strange dynamic,” Walsh writes. “I was tickled to see website security experts and criminal hackers sharing the same forums to discuss their common interests in computer security whilst hardly recognizing that they are nemeses.”

Activists and Journalists

The anonymity provided by dark web sites can also be a force for justice. Activists have been able to shed light on dire situations while avoiding detection in countries where oppressive regimes prevent civilians from using social media, or otherwise censor content posted on the internet.

Nima Fatemi, an Iranian activist and contributor to the Tor Project, taught friends and family how to use the service during a series of riots and protests in Tehran in 2009. Fatemi told Rolling Stone that Tor allowed him and others to post information about what was actually happening, while state television was “just showing photos of flowers and stuff.” “I found Tor and thought, ‘This is the tool.’ It was peace of mind,” Fatemi told Rolling Stone. “I felt it a duty because so many people outside of Iran had no idea that we were protesting.”

Organizations like the Electronic Frontier Foundation encourage protesters and journalists to use Tor networks to protect their identity. The non-profit news organization ProPublica recently launched a Tor version of its website, which means readers can safely read the publication’s articles undetected. A ProPublica spokesman told Wired that the development will make the website safe for users in locations like China, where heavy government censorship can affect internet content. Facebook also has a Tor version, which it says many of its users access on the regular.

“Wikileaks” Courtesy of Sean MacEntee : License (CC BY 2.0)

Terrorists?

While there is some evidence of ISIS militants and supporters using the dark web and other Tor-protected services to recruit and fund their efforts, researchers at King’s College London found relatively “little militant, extremist presence” on the dark web. Thomas Rid, one of the researchers who co-authored the paper Cryptopolitik and the Darknet, told Quartz that dark web sites are not very useful for quickly and effectively spreading propaganda.

“Hidden services are sometimes slow, and not as stable as you might hope,” Rid said. “So ease of use is not as great as it could be. There are better alternatives.”


Conclusion

When dark web activities make headlines, it’s usually for something nefarious. This criminal side will continue to be newsworthy as the NSA and FBI crack down on illegal darknet marketplaces like the Silk Road, and stolen consumer data on dark web sites. But beyond the child pornography, drug sales, and hitmen for hire, there are activists, journalists, and everyday internet users making use of the dark web. As sites like ProPublica and Facebook turn to Tor for security purposes, the lighter side of the dark web could have its moment in the sun.

Avery Anapol
Avery Anapol is a blogger and freelancer for Law Street Media. She holds a BA in journalism and mass communication from the George Washington University. When she’s not writing, Avery enjoys traveling, reading fiction, cooking, and waking up early. Contact Avery at Staff@LawStreetMedia.com.

Privacy Concerns: Can Your Medical Device Be Hacked?
https://legacy.lawstreetmedia.com/issues/health-science/medical-device-hacking/
Tue, 17 Jan 2017 15:13:41 +0000

Medical devices are highly vulnerable to cybersecurity threats.

The post Privacy Concerns: Can Your Medical Device Be Hacked? appeared first on Law Street.

"System Code" Courtesy of Yuri Samoilov : License: (CC BY 2.0)

Medical information is usually viewed as a private affair. But due to the proliferation of technologically advanced devices–heart monitors, X-ray devices, and even fitness trackers–the ability to gain access to a person’s sensitive health information may be easier than most realize. Unsecured devices could lead to disastrous consequences, as any alteration to a patient’s device could be a life or death situation. Medical device hacking may be the largest cybersecurity threat faced by Americans in the coming years. This gigantic security concern is quietly lurking in citizens’ insulin pumps and pacemakers.

Despite having federal and state guidelines to protect and secure individually identifiable health information, accessing a person’s most detailed medical information may be as simple as pressing a few buttons. New Food and Drug Administration (FDA) guidelines issued at the end of 2016 may be able to combat easy access to medical devices, but only with cooperation from device manufacturers. There are also no current plans for enforcement of these guidelines by the FDA, as they are non-binding recommendations. Read on to learn about the security concerns presented by medical devices.


What is a Medical Device?

A medical device, as defined by the FDA, is “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory” that is used “in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Such devices are regulated by the FDA and may be utilized for animals as well as humans. Tongue depressors, bedpans, x-ray machines, and complex programmable pacemakers with microchip technology all fall under the broad definition of a medical device. Moreover, surgical lasers, wheelchairs, and even sutures and orthopedic pins are classified as medical devices. If the primary intended use of a product is achieved via a chemical reaction or metabolized by the body, then it will usually fall under the definition of a “drug.” The U.S. is the global leader in the medical device market, with a total market size of roughly $148 billion in 2016. The Department of Commerce determined that U.S. exports of medical devices in specific categories exceeded $44 billion in 2015. Research and development in this sector are also more than twice the average for all U.S. manufacturers.


Medical Privacy Laws

A person’s medical history is a deeply personal collection of information. Highly sensitive material ranging from mental health treatment and sexual history to genetic disorders and diseases can be contained in an individual’s medical file. Numerous laws have been passed in the U.S. on federal and state levels to ensure that Americans’ health information remains confidential and secure. The most comprehensive law ever passed in the field of medical privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The act required the Secretary of the Department of Health and Human Services to develop regulations to protect the privacy and security of certain medical information. Under HIPAA, the government established national standards to protect individuals’ medical records and give patients control over who can access personal health information. Essentially, without direct patient authorization, specific entities are limited on the uses and disclosures of individuals’ medical records.

“Paper files of medical records” Courtesy of Newtown grafitti : License: (CC BY 2.0)

In 2000, the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) came into effect; the guidance comprehensively answers questions about the privacy requirements of HIPAA. Generally, the Privacy Rule permits incidental uses and disclosures only if they are a by-product of a reasonable or permissible disclosure. The rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information. It applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. Individually identifiable health information is information that relates to: an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for health care for the individual.

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) also established national security standards for certain health information held or transferred in electronic form. The Security Rule particularly addressed technical and non-technical safeguards that covered entities must utilize to protect individuals’ electronic protected health information (e-PHI). Entities covered by the Security Rule must ensure the confidentiality and integrity of all e-PHI being received or transmitted, as well as protect against any reasonably anticipated threats to the security or integrity of such information. Under the intricacies of HIPAA’s Privacy Rule and Security Rule, the U.S. government has clearly gone to great lengths to protect citizens’ medical records from improper use or disclosure by entities without direct patient authorization. Certain medical devices utilized today may contain information regarding a person’s medical condition that is as detailed as their medical records–what ailments a person is being treated for, or what dosage of medicine a person takes daily. Therefore, protecting these devices from unwanted intrusion and hacking should be of the utmost importance to ensure patient health and privacy.


Medical Device Security and Privacy Concerns

The FDA has been warning hospitals and health providers for years that medical devices and hospitals are vulnerable to hackers. In early 2016, the Hollywood Presbyterian Medical Center in California fell victim to a ransomware attack, in which malware infects a computer and then encrypts its files until someone pays to have them unlocked. The attackers in California held patients’ medical data hostage until the ransom was paid, roughly $17,000 in bitcoin. Ransomware also hit other hospitals around the country.

One of the largest consumer concerns regarding medical devices is that individuals can do little to protect their devices themselves. It’s up to the manufacturers of a device’s hardware and software to employ proper security measures. Another issue plaguing medical devices is that most of the laws protecting medical privacy fall under the Health and Human Services’ umbrella; however, regulating medical devices falls in part under FDA jurisdiction. The disconnect explains how the interactions between medical device regulations and privacy laws lead to administrative issues. In a cybersecurity briefing, the U.S. government warned that pacemakers were easy targets for hackers.

Furthermore, in October 2016, Johnson & Johnson notified 114,000 diabetic patients that a hacker could potentially exploit one of its insulin pumps. The pump could be attacked by either disabling the device or altering the dosage of insulin. Some medical infusion pumps in hospitals are even connected wirelessly because it makes monitoring dosages easier. Patients in the hospital could potentially have their pumps controlled remotely by a hacker, which is relatively simple to do.


While the threat to medical devices has been common knowledge for the past few years, few people have attempted to rectify the glaring holes in the current system. Security researchers have managed to remotely control medical devices including pacemakers, insulin pumps, and defibrillators. Thus, it is quite possible that hackers may start setting their sights on specific medical devices, not just entire hospital systems. U.S. officials began investigating flaws in pacemakers in August 2016, when a batch ran out of battery three months earlier than anticipated. While that particular batch simply had a rare defect that caused them to fail, the months of investigation culminated in the FDA releasing 30 pages of guidance regarding medical devices’ security flaws.


New FDA Guidelines

The FDA first issued a guidance in October 2014 that contained recommendations for manufacturers to build medical devices with cybersecurity protections. These guidelines were expanded in December 2016; however, the recommendations to manufacturers were non-binding, making the document not legally enforceable and not a particularly strong stance on securing future medical devices. As part of the new recommendations issued, the FDA encourages manufacturers to swap information with each other and consistently deploy software patches and updates to fix any security vulnerabilities. Moreover, the agency has asked manufacturers to adhere to a checklist created by the National Institute of Standards and Technology. Early product development that focuses on protecting medical devices from hackers is of the utmost importance. The FDA also suggested that manufacturers join the Information Sharing and Analysis Organization to share details about detected security risks and attacks when necessary.


Conclusion

Researchers saw a rise in the occurrences of cyberattacks on a global scale in 2016. Technological advances in medical devices certainly encourage more effective health treatment, but the increasing reliance on vulnerable software potentially puts the health of citizens at risk. Thus, implementing a structured and comprehensive plan to manage cybersecurity risks is critical. While the new FDA guidelines are a respectable start to ensuring medical devices are free from cybersecurity threats, making the recommendations mandatory as opposed to voluntary may be the only way to keep individuals’ medical information safe from prying eyes. Many contend that while the recommendations could be more stringent, this is just the first step in a long road to addressing cybersecurity in the medical field. For now, the onus remains on the manufacturers to patch detected vulnerabilities in their devices and software and develop devices safe for consumers.

Nicole Zub
Nicole is a third-year law student at the University of Kentucky College of Law. She graduated in 2011 from Northeastern University with a Bachelor’s in Environmental Science. When she isn’t imbibing copious amounts of caffeine, you can find her with her nose in a book or experimenting in the kitchen. Contact Nicole at Staff@LawStreetMedia.com.

DNC’s Trump File Leaks Online: Are Russian Spies to Blame?
https://legacy.lawstreetmedia.com/elections/dncs-trump-file-russian-spies/
Thu, 16 Jun 2016 20:12:40 +0000

The hackers are nicknamed "COZY BEAR" and "FANCY BEAR."

The post DNC’s Trump File Leaks Online: Are Russian Spies to Blame? appeared first on Law Street.

Image courtesy of [ Ruiwen Chua via Flickr]

“Trump Is a Liar,” “Climate Change Denier,” “Bad Businessman,” “Trump Is Loyal Only to Himself.” No, these are not sound bites snatched from the primaries or the titles of Hillary Clinton campaign ads. They are subheadings found in a 211-page playbook titled “Donald Trump Report.” Compiled by the Democratic National Committee, the beefy document–which includes briefings on Trump’s “Early Life” and “Business Ventures”–was hacked and obtained by what appear to be Russian-affiliated espionage actors in April and leaked online earlier this week.

Gawker was sent a cache of files that included the DNC’s playbook from “Guccifer 2.0,” whose alias is a nod to the Romanian hacker “Guccifer” who in 2013 hacked the personal accounts of George W. Bush and Colin Powell, the former secretary of state. “Guccifer 2.0” is claiming sole credit for the hack, but the cyber security firm CrowdStrike, which the DNC turned to in order to investigate the matter, claims two separate, Kremlin-linked actors (nicknamed “COZY BEAR” and “FANCY BEAR”) are responsible.

“It’s the job of every foreign intelligence service to collect intelligence against their adversaries,” Shawn Henry, president of CrowdStrike, told The Washington Post. “Their job when they wake up every day is to gather intelligence against the policies, practices and strategies of the U.S. government.” Henry is also the former head of the FBI’s cyber division.

The document does not contain any previously hidden, revelatory information regarding Trump, but it is a comprehensive look at the probable Republican presidential nominee’s life, business dealings and of course, vulnerabilities. There are 42 pages of “Top Narratives,” 19 pages of “Trump’s Career Overview,” and 118 pages under the heading “Trump on the Issues.”

According to the file’s embedded metadata, the document was created December 19, 2015 by a man named Warren Flood. Flood’s LinkedIn profile says he currently works for 63 Magazine, “the premier digital magazine for progressive political organizers.” Perhaps more relevant, he is also the president of Bright Blue Data LLC, “helping campaigns, organizations, and companies implement winning strategies using data, analytics, and technology.”

But more interesting than the document’s content is the motive of the Russian hackers and what it means–or doesn’t, in a time when state-on-state data breaches are the norm–for the geopolitical sphere. According to U.S. officials and the DNC, Russian spies dug into a trove of material, including DNC emails and the computers of some Republican PACs, or political action committees. “The purpose of such intelligence gathering is to understand the target’s proclivities,” Robert Deitz, a former general counsel at the NSA, told The Washington Post.

Whether this was abnormal foul play or business as usual in an age of international cyber espionage, one thing is for sure: Donald Trump is not a fan of at least one thing that bears his name–the DNC playbook.

Alec Siegel
Alec Siegel is a staff writer at Law Street Media. When he’s not working at Law Street he’s either cooking a mediocre tofu dish or enjoying a run in the woods. His passions include: gooey chocolate chips, black coffee, mountains, the Animal Kingdom in general, and John Lennon. Baklava is his Achilles’ heel. Contact Alec at ASiegel@LawStreetMedia.com.

Ransomware: Holding Our Digital Lives Hostage?
https://legacy.lawstreetmedia.com/issues/technology/ransomware-holding-digital-lives-hostage/
Wed, 02 Mar 2016 21:40:34 +0000

Why is ransomware so effective?

The post Ransomware: Holding Our Digital Lives Hostage? appeared first on Law Street.

"Virus" courtesy of [Yuri Samoilov via Flickr]

A hospital in Los Angeles, the Hollywood Presbyterian Medical Center, recently agreed to pay a ransom of $17,000. But the ransom wasn’t paid to free some worker held hostage or to prevent the release of a catastrophic pathogen. Instead it was handed over to hackers for the safe return of its patients’ medical files. Hackers managed to penetrate the hospital’s computers and encrypt its files, and demanded a large sum to be paid in the form of Bitcoins. While this scenario sounds far-fetched, this type of crime is actually on the rise. Read on to find out more about ransomware, bitcoins, why these types of attacks are increasing, and what can be done to stop them.


What is Ransomware?

Ransomware is a type of malware employed by hackers to stop users from accessing their own information or data. It does this in one of two ways. Either a screen is locked and instructions are provided for unlocking it, or important information is encrypted and a password or key known only to the hackers is required to reopen the essential information. While the exact date of ransomware’s origin is uncertain, it appears to have started in Russia sometime around 2006, spreading globally by 2012.

By 2013, ransomware hackers were using encryption through something known as CryptoLocker. Before encryption, ransomware typically blocked people from using their computers or tricked users into paying to regain access to their computers. An example of this is Reveton, which shows notifications claiming to be from a law enforcement agency, informing the user that a crime has been committed and a fine must be paid. But such malware could be uninstalled or removed with an antivirus program, though even that can be particularly difficult. When encryption came on the scene, hackers began encrypting files, making it impossible for users to access their own information without an encryption key. Even if the ransomware is removed, the files remain encrypted. This key element of ransomware is what makes it both very dangerous and lucrative, as it can be removed yet continue to do damage.

In 2014, ransomware hackers also began using the Tor network to remain anonymous. Tor is an anonymity network that does not connect users directly to their destination, routing traffic through a series of servers instead. Hackers began using this network to communicate with the command and control servers that store the encryption key, which can be sent to an infected computer after a ransom is paid. Doing so makes it nearly impossible to trace an attack to an individual because their identity is concealed throughout the process.

Payment

Paying the ransom is also an increasingly complex process. In the case of ransomware like Reveton, hackers often request payment through several services that are difficult to trace, such as UKash, PaySafeCard, and MoneyPak. But a growing trend among these hackers has been to request the money in Bitcoins, which is how the hospital in Los Angeles paid its ransom. Bitcoin is a type of cryptocurrency that exists entirely online with no physical presence. Bitcoins are not controlled by a central bank and are based on mathematics, making them completely decentralized and not tied to the value of a commodity like gold or silver. Bitcoin is particularly attractive to hackers because of the anonymity it provides.


Growing Popularity of Ransomware

The threat of ransomware is also on the rise. As of January 2013, there had been 100,000 such attacks, but by the end of that year alone that number rose to nearly 600,000, according to antivirus software company Symantec. Symantec also looked at data from command and control servers used by ransomware hackers to estimate how profitable these scams really are. According to its calculations, hackers can earn around $33,600 per day, amounting to as much as $394,000 in a month. Two primary questions remain: how do hackers select targets and why are attacks increasing?

To answer the first question, targets so far have generally been chosen at random, although future hackers could research a target beforehand to find the most lucrative one. While targets are generally chosen at random, many victims have been infiltrated by viruses or spyware before, suggesting that certain victims may be chosen simply because their systems are easy to penetrate. Traditionally, these random targets were individuals who paid small sums, but recently, the size of the target and the requested ransoms have increased. Conventional wisdom on the use of ransomware is also changing as the payment for these random attacks has shifted more and more to Bitcoins.

Bitcoins help answer the second question–why are ransomware attacks on the rise? While Bitcoin is completely transparent when it comes to transactions, it is often very difficult to trace a Bitcoin address back to an individual, making it easy for hackers to remain anonymous. The rise of Bitcoin has given hackers a reliable and anonymous method to receive ransom payments, which likely contributes to the rise in ransomware attacks.


Stopping Ransomware

So with ransomware attacks increasing, how can people avoid falling victim? There are several steps any user can take to eliminate or, at least, mitigate their exposure to dangerous ransomware. First is to use reputable anti-virus software to help prevent and remove malicious programs. But reputation is important, as there are many fake options that may actually give your computer a virus. Similarly, it is important to make sure your computer’s existing firewall is strong and activated.

Even with anti-virus software in place and a strong firewall, it is still paramount to be cautious. Using a pop-up blocker and being careful when opening email attachments is also an important way to avoid exposure. It is additionally important to back up files and information regularly. If you have a backup of your files in the cloud or on an external hard drive, you will still have access to your information even after it is encrypted by ransomware.

In the event of a ransomware attack, it is also important to get the authorities involved, including the FBI, as ransomware is generally beyond the scope of local police departments. In fact, the police themselves are not immune to attacks either, as police departments in both the Boston area and in Maine fell victim and paid subsequent ransoms.

So far, the FBI has actually had some success fighting ransomware. In 2013, for example, it stopped the software platform Citadel, which was behind the Reveton-style ransomware attacks. In 2014, the FBI also disrupted a major botnet–a network of computers used to infect computers with malware–and seized control of the servers behind CryptoLocker. While the FBI has had some success fighting these hackers, in certain cases the bureau says the best way to fight ransomware is to actually pay the ransom. While this goes against the conventional wisdom of not giving in to criminals’ demands, the encryption used is often nearly impossible to crack and the requested ransoms may be relatively small. Put simply, for some people it’s often easier to just pay up.


Conclusion

Not only is ransomware on the rise, it is becoming much harder to combat and hackers are moving to even more lucrative targets. While it is bad enough that individuals often have to deal with ransomware, hackers are now starting to go after essential institutions such as police departments and hospitals. While targets take on an ever-growing importance, the reality is that ransomware is not going away anytime soon. In many respects, ransomware is not that different from other types of malware, with the exception that it offers to restore the user’s capabilities for the right price. As is the case with other malware, ransomware shows no signs of fading. Its methods are becoming more effective and recovering payments is easier than it has ever been.

Unfortunately, potential targets and those already affected have little recourse in this battle. While the FBI has made some progress, even it suggests that paying up for relatively small amounts may be victims’ best option. An important question going forward is how to respond if hackers increasingly target important institutions. And as the profiles of these targets increase, will the ransoms increase as well?


Resources

Symantec: Ransomware: A Growing Menace

Tech Times: LA Hospital Hit By Ransomware Pays Hackers $17,000: Is It The Right Choice

Trend Micro: Ransomware

Tor Project: Tor Overview

Coin Desk: What is a Bitcoin?

Phys.org: Why Ransomware is on the rise

Norton: Beware the Rise of Ransomware

Federal Bureau of Investigation: Ransomware on the Rise

The Security Ledger: FBI’s Advice on Ransomware? Just Pay The Ransom

Michael Sliwinski
Michael Sliwinski (@MoneyMike4289) is a 2011 graduate of Ohio University in Athens with a Bachelor’s in History, as well as a 2014 graduate of the University of Georgia with a Master’s in International Policy. In his free time he enjoys writing, reading, and outdoor activities, particularly basketball. Contact Michael at staff@LawStreetMedia.com.

Can the Government Protect Itself from Cyber Attacks?
https://legacy.lawstreetmedia.com/blogs/crime/can-government-protect-cyber-attacks/
Thu, 25 Jun 2015 12:30:55 +0000

Recent hacks and the government's response suggest otherwise.

The post Can the Government Protect Itself from Cyber Attacks? appeared first on Law Street.

Image courtesy of [See-ming Lee via Flickr]

Many countries have been victims of cyber attacks but may not realize it until long after the security breach occurred. In the recently revealed hack on the Office of Personnel Management (OPM), it took authorities four months to even realize that the hack occurred. While it may still be too early to understand the exact scale of this attack, all evidence suggests that it is likely one of the largest security breaches in United States history. With news of recent security breaches finally reaching the public, many people are wondering if the government can adequately protect itself from future attacks.

“The United States of America is under attack,” warned Rep. Elijah Cummings at a House Oversight and Government Affairs Committee hearing earlier this month. Katherine Archuleta, the director of OPM, faced harsh criticism at the hearing for failing to upgrade databases despite known security issues. An OPM audit carried out last November–shortly before the breach–concluded that several databases still did not meet federal security standards, a problem that was initially identified back in 2007. Authorities had knowledge of a “significant deficiency” in OPM security governance prior to the hack, yet failed to fix security problems that have existed for nearly seven years.

According to the New York Times, federal databases have not been updated with the latest protocols and defense systems that create more barriers for hackers to break through. In the case of the OPM breach, hackers were not subject to multi-factor authentication–meaning they were not required to use an access code to verify their identification. The OPM Inspector General was also unsure if the hacked social security numbers were encrypted. When asked why hackers were not subject to multi-factor authentication, Donna Seymour of OPM told the Times the following:

Installing such gear in the government’s ‘antiquated environment’ was difficult and very time consuming, and that her agency had to perform ‘triage’ to determine how to close the worst vulnerabilities.

The U.S. has been a victim of hacking before, but the recent OPM hack was different because the hackers accessed the Federal Employee Database, which allowed them to retrieve federal employee information dating all the way back to 1985. Recently, officials believe that (SF) 86 questionnaires, which all individuals applying for national security positions must fill out, may have also been compromised in yet another hack. Access to such forms could provide hackers with extremely intimate information about individuals with security clearance, and in the wrong hands could lead to blackmail.

Cybersecurity experts believe China wanted this information to build a network of current and former government employee information to conduct future attacks. This shows the U.S. government’s inability to protect 14 million people’s personal information and keep Americans safe from cyber attacks. The hackers involved are believed to be a Chinese group, the same one responsible for hacking Anthem Insurance earlier this year.

Not only is the United States ill-equipped to prevent these attacks, it often does a poor job of responding to them after the fact. In response to the recent hack, OPM has notified four million current and former federal employees who may have had their personal information stolen and offered 18 months of free credit monitoring and $1 million in identity theft protection. But is that enough if identities are already compromised? Many federal employees do not believe so and took to commenting on OPM’s Facebook page to express their anger. Federal employees are demanding higher security standards and better responses from the agency because so many people’s personal information is at stake.

This is not the first time that the government failed to learn from past attacks. Back in April, officials revealed a cyber attack that penetrated the White House computers, reportedly tracing its origins to Russia. According to the White House, attackers managed to penetrate the unclassified system of White House computers giving them important details about the president’s schedule. Investigators believe the Russians used a tactic called “spear phishing,” where hackers pretend to be a friend or coworker and ask for account information. Authorities believe the OPM hackers used similar methods.

While officials believe the hack was not on behalf of the Chinese government, the government seems to be doing little to crack down on hackers within its borders. The United States indicted five senior Chinese officials last year for stealing trade secrets from computers of American companies and passing them on to Chinese competitors. In retaliation for the indictments, China said it suspended a working group on cyber-related matters, further preventing collaboration between the two countries.

With cybercrimes becoming more prevalent, strengthening government security by updating U.S. systems with the latest defense technology must be done to prevent future attacks. Government officials have knowledge of significant security weaknesses, yet little has been done to secure important systems. It is likely these attacks will continue in the future, and unless the United States is able to bring security measures in line with established standards, the government’s ability to protect itself will continue to falter.

Jennie Burger
Jennie Burger is a member of the University of Oklahoma Class of 2016 and a Law Street Media Fellow for the Summer of 2015. Contact Jennie at staff@LawStreetMedia.com.

Department of Homeland Security: The Rise of National Security After 9/11
https://legacy.lawstreetmedia.com/issues/politics/dhs-rise-national-security-911/
Sat, 28 Feb 2015 14:00:19 +0000

The DHS came to fruition after the horrifying terrorist attacks of 9/11.

The post Department of Homeland Security: The Rise of National Security After 9/11 appeared first on Law Street.


There’s been a lot of talk over the potential shutdown of a crucial government agency–the Department of Homeland Security (DHS). But for a lot of Americans, exactly what DHS does isn’t really known. What would the effects of shutting it down be, and how could it affect daily life in the United States? Read on to learn about DHS’s inception, history, functions, and the current debate in Congress over its future.


What is the Department of Homeland Security?

DHS is a department under the Executive Branch of the Government. As a result, the Department reports to the President of the United States.

The Department of Homeland Security was created just after the terrorist attacks on September 11, 2001, when Tom Ridge was appointed to serve as the first Secretary of Homeland Security. However, it was not considered to be an independent office until November 2002, when the Homeland Security Act passed Congress. The first day of business for the new office was March 1, 2003.

The DHS states its mission as follows:

The vision of homeland security is to ensure a homeland that is safe, secure, and resilient against terrorism and other hazards.

Since then the Department has evolved due to acts of Congress or through actions made by its leadership. Often these changes have been made with the intention of streamlining how DHS deals with various areas of national security.

Why did 9/11 spark the creation of DHS?

On September 11, 2001, 19 members of a terrorist group known as Al-Qaeda took control of four United States passenger airplane flights and pointed them at various locations inside America. The targets of the first two flights were the Twin Towers located in New York City. The target of the third flight was the Pentagon in Washington, DC. The target of the fourth flight has not been determined, but many believe that the aircraft was aimed at the White House; however, the plane did not reach its target because it was forced down in a field located in western Pennsylvania. Between the four aircraft and their targets, roughly three thousand people died that day.

Prior to 9/11, an attack on American soil had been virtually unthinkable. The U.S. responded in part by creating the DHS to address the new challenges of terrorism and security in a changing global environment.

What is the Homeland Security Act?

The Homeland Security Act was a bill sponsored by former Congressman Richard Armey (R-TX) to create a department that could fulfill a threefold primary mission:

(A) Prevent terrorist attacks within the United States;

(B) Reduce the vulnerability of the United States to terrorism; and

(C) Minimize the damage, and assist in the recovery, from terrorist attacks that do occur within the United States.

Who runs DHS?

The Department is overseen by the Secretary of Homeland Security. Currently that position is held by Jeh Johnson, who was appointed by President Obama in 2013. Prior to Johnson, the Homeland Security secretaries were Tom Ridge, Michael Chertoff, and Janet Napolitano, although James Loy and Rand Beers also served in acting capacities. The Secretary of Homeland Security is a member of the President’s cabinet, and is 18th in the order of Presidential succession.

What kind of a budget does the Department of Homeland Security run on?

DHS is funded by taxpayers, and granted its budget by the United States Congress. For fiscal year 2015, the Department of Homeland Security requested $38.2 billion from Congress. The funding request to Congress was increased to $41.2 billion for fiscal year 2016.


What does the Department of Homeland Security do?

DHS is involved in a number of initiatives, which cover a wide scope. The big four are known by the acronyms FRG, HSARPA, CSD, and RDP. There are also two other areas, known as SAFECOM and the Blue Campaign. Read on for more information about each of these initiatives.

First Responders Group

The First Responders Group (FRG) is a group of many programs that deal with First Response–or the government reaction to any sort of catastrophe such as the 9/11 terror attacks. The programs run by FRG range from implementing First Responder training, to improving public safety, to conducting research into technology to help prevent or protect the public and those who are involved in dealing with disasters. One example is the website FirstResponder.gov. The purpose of this website is to keep all information on First Response in one place.

Homeland Security Advanced Research Projects Agency

HSARPA is a group of different programs that aim to protect America’s borders, be they land or sea, from a range of threats. These threats can include chemical, cyber, biological, or conventional explosives. An example of the steps undertaken by HSARPA is the Air Cargo Program, which aims to develop better technology to check luggage for any signs of explosives.

Cyber Security Division

The Cyber Security Division is a branch of HSARPA that deals specifically with cyber threats to America. As it is a branch and not a standalone program, it includes a smaller group of programs. One of the biggest is the Rio Grande Valley System’s Analysis Project, which aims to help with the environmental and immigration challenges that are presented by the Rio Grande Valley.

Research and Development Partnerships Group

The Research and Development Partnerships Group is a newer branch of DHS, created in 2010. This group focuses on working with 30 other laboratories around the country focused on keeping America safe. An example of what RDP does is the Disaster Assessment at Harbors and Ports: The Unmanned Port Security Vessel project. The aim of this project is to build a ship that functions like a drone to patrol U.S. ports for signs of danger.

SAFECOM

SAFECOM is a program designed to help develop safer communication lines, whether by improving existing methods of communication or by helping to create new ones. One example is FirstNet. This is an organization that DHS sponsors whose purpose is to set up and maintain a high quality network that is only available for first responders.

The Blue Campaign

The Blue Campaign is a program that was created by the Department of Homeland Security, which works in partnership with law enforcement agencies as well as other government agencies to spot, take down, and prevent human trafficking. It also seeks to provide relief and protection to those who have been victimized by human trafficking.


What happens if the Department doesn’t get its funding?

If the Department of Homeland Security does not receive the funding that it needs to keep the doors open, all non-vital programs will be shut down and many of its employees–roughly 15 percent, or 30,000–will be furloughed. The rest–approximately 200,000–will still work, but will not necessarily receive anything for their work. While 15 percent doesn’t seem like too many, any reduction in DHS staff is a concern for our national security and first response capabilities.

Crisis Averted?

The deadline has been postponed, and the DHS is now funded through March 19, 2015. That being said, the argument still isn’t over. There are still a lot of things that Congress will have to sort out before DHS is guaranteed to stay funded. Arguments over President Obama’s immigration plans are first and foremost. The Department of Homeland Security is a vital tool that the United States uses to make sure its borders are secure and that its citizens are safe. If the funding keeps getting held up, the viability of all of these programs is at risk.


Resources

Primary

Department of Homeland Security: Blue Campaign

Department of Homeland Security: Creation of the Department of Homeland Security

Department of Homeland Security: DHS Budget

Department of Homeland Security: First Responders

Department of Homeland Security: Homeland Security Act of 2002

Department of Homeland Security: RDP

Department of Homeland Security: SAFECOM

Department of Homeland Security: Secretary Jeh Johnson

Additional

HISTORY.com: 9/11 Attacks – Facts & Summary

USA Today: Homeland Security Shutdown: What’s It All About?

MSNBC: A DHS Shutdown by Any Other Name

CNBC: Congress Pursues Funding to Avert DHS Shutdown

Politico: GOP Leaders Set to Swerve DHS Off the Cliff

Chris Schultz
Chris Schultz is a Midwestern country boy who is a graduate of Dordt College in Sioux Center, Iowa and holds a bachelor’s degree in History. He is interested in learning about the various ocean liners that have sailed the world’s waters along with a variety of other topics. Contact Chris at staff@LawStreetMedia.com.

Cybersecurity: Will We Ever Be Safe?
https://legacy.lawstreetmedia.com/issues/technology/cybersecurity-will-ever-safe/
Tue, 20 Jan 2015 17:47:51 +0000

Will we ever be able to develop cybersecurity to protect ourselves from cyber attacks?

The post Cybersecurity: Will We Ever Be Safe? appeared first on Law Street.

Image courtesy of [Timothy Vollmer via Flickr]

Hacking attacks are estimated to cost the global economy a whopping $400 billion each year. With recent attacks on Sony and U.S. Central Command, it seems like nothing online is completely safe. The United States is scrambling to improve cybersecurity and prevent attacks that could otherwise have major impacts on national security, the economy, and personal safety. Here’s what you need to know about cybersecurity policy, government efforts, and what to expect in the future.


What is cybersecurity?

In the increasingly digital world with an ever-growing e-commerce sector, cybersecurity is of vital importance. Cybersecurity is a broad concept that resists a precise definition; it involves protecting computers, networks, programs, and data from cyber threats. Cybersecurity can help protect privacy and prevent unauthorized surveillance and use of electronic data. Examples of cyberattacks include worms, viruses, Trojan horses, phishing, stealing confidential information, and control system attacks. Because of its loose definition, it is hard for the government to regulate how businesses should protect their systems and information. A number of different measures are used to ensure at least a basic level of cybersecurity.


How does cybersecurity work?

Cybersecurity helps to protect against the risks associated with any cyber attack, which depend on three factors:

  1. Removing the threat source. Determining who is attacking can indicate what kind of information or advantage they are seeking to gain. Cyberattacks may be carried out by criminals, spies, hackers, or terrorists, all of whom may do it for different reasons.
  2. Addressing vulnerabilities through improving software and employee training. How people are attacking is important in trying to set up the best cybersecurity possible. This can be likened to an arms race between the attackers and defenders. Both try to outsmart the other as the attackers probe for weaknesses in their target. Examples of vulnerabilities include intentional malicious acts by company insiders or supply chain vulnerabilities that can insert malicious software. Previously unknown, “zero day” vulnerabilities are particularly worrisome because they are unknown to the victim. Since they have no known fix and are exploited before the vendor even becomes aware of the problem, they can be very difficult to defend against.
  3. Mitigating the damage of an attack. A successful attack may compromise confidentiality, integrity, and even the availability of a system. Cybertheft and cyberespionage might result in the loss of financial or personal information. Often the victims will not even be aware the attack has happened or that their information has been compromised. Denial-of-service attacks can prevent legitimate users from accessing a server or network resource by interrupting the services. Other attacks such as those on industrial control systems can result in destruction of the equipment they control, such as pumps or generators.

Examples of common cybersecurity features include:

  • Firewall: a network security system to control incoming and outgoing network traffic. It acts as a wall or barrier between trusted networks and other untrusted networks.
  • Anti-virus software: used to detect and prevent computer threats from malicious software.
  • Intrusion Prevention System: examines network traffic flows to prevent vulnerability exploits. It sits behind the firewall to provide a complementary layer of analysis.
  • Encryption: involves coding information in such a way that only authorized viewers can read it. This involves encrypting a message using a somewhat random algorithm to generate text that can only be read if decrypted. Encryption is still seen as the best defense to protect data. Specifically, multi-factor authentication involving a two-step verification, used by Gmail and other services, is most secure. These measures (at least for the time being) are near impossible to crack, even for the NSA.



What is the role of the federal government in cybersecurity?

Most agree the federal role should include protecting federal cyber systems and assisting in protecting non-federal systems. Most civilians want to know online shopping and banking is secure, and the government has tried to help create a secure cyber environment. According to the Congressional Research Service, federal agencies on average spend more than 10 percent of their annual IT budget on cybersecurity measures.

There are more than 50 statutes that address various issues of cybersecurity. While much legislation has been debated in recent years, no bills have been enacted. The most recent and significant cybersecurity legislation came in 2002 with the passage of the Federal Information Security Management Act (FISMA), which requires each federal agency to implement and report on cybersecurity policies.

Over the past several years, experts and policymakers have shown increasing concern over protecting systems from cyberattacks, which are expected to increase in both severity and frequency in the coming years. Most proposed legislation and executive branch action with regard to cybersecurity focus on immediate needs, such as preventing espionage and reducing the impact of successful attacks. Historically there has been an imbalance between the development of offensive versus defensive capabilities. Coupled with slow adoption of encryption technologies, many programs were vulnerable to attack. While the cybersecurity landscape has improved, needs still exist with regard to long-term challenges relating to design, incentives, and the environment. Overcoming these obstacles in cybersecurity remains a challenge.

Design

Developers of software or networks are typically more focused on features than the security of their product. Focusing primarily on the product’s features makes sense from an economic standpoint; however, shifting the focus away from security makes these products more vulnerable to cyberattacks.

Incentives

The distorted incentives of cybercrime make it hard to prevent. Cybercrime is typically cheap, profitable, and relatively safe for criminals. In contrast, cybersecurity is expensive, often imperfect, and companies can never be certain of the returns on the investments they make in cybersecurity.

Environment

Cybersecurity is a fast-growing technology. Constantly-emerging properties and new threats complicate the cybersecurity environment. It is very difficult for the government or private companies to keep up with the pace of changing technology used in cyberattacks. What laws and policies do exist are almost always out of date given the rapid pace of change in cybersecurity.



Has President Obama taken any action on cybersecurity?

With recent attacks and data breaches at Sony, Target, Home Depot, and the Pentagon’s Central Command, the need for toughened cybersecurity laws has been highlighted. Cybersecurity is an issue where both sides of the political aisle see the need to work together. It is clear that a comprehensive policy playbook is needed to guide the government’s response to such serious cyberattacks.

On January 13, 2015, President Obama announced a new cybersecurity legislative proposal, which consists of three parts:

  1. Enabling cybersecurity information sharing: The proposal enhances collaboration and cybersecurity information within the private sector and between the private sector and the government. The proposal calls for the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Sharing information about cyber threats with the NCCIC would shield companies from liability. The bill would require the Department of Homeland Security to share threat information as quickly as possible with other agencies like the FBI or NSA. The proposal would also require private entities to comply with privacy restrictions like removing unnecessary personal information and taking measures to protect any personal information that must be shared.
  2. Modernizing law enforcement authorities to fight cybercrime: This ensures that law enforcement has the proper tools to investigate and prosecute cybercrime. These provisions would criminalize the sale of stolen U.S. financial data, expand authority to deter selling of spyware, and shut down programs engaged in denial-of-service attacks. Other components criminalize various cybercrimes.
  3. National data breach reporting: Many state laws require businesses that have suffered from breaches of consumer information to notify consumers. The proposed legislation would simplify and standardize these existing state laws. The proposal would also put in place a timely notice requirement to ensure companies notify their customers about security breaches.


On January 16, 2015, President Obama and British Prime Minister David Cameron promised to cooperate with regard to cybersecurity. Cameron expressed concerns about encryption technologies that might make it easier for would-be terrorists to avoid detection. Cameron hopes to outlaw certain forms of encryption. President Obama did not as easily dismiss privacy concerns, but did state that he believes the government can do a better job of balancing both privacy and security.


Why is it hard to implement effective cybersecurity policy?

Congress has tried for years to pass legislation encouraging companies to share information from cyberattacks with the government and with each other; however, liability issues and privacy concerns stopped such laws from passing. Many privacy advocates are speaking out against President Obama’s proposed legislation for the same reasons. They fear that such information-sharing legislation could further the government’s surveillance powers. Some groups caution that substantial National Security Agency reform should come before considering any information-sharing bill. Privacy concerns such as these have made it difficult to pass cybersecurity packages in Congress in the past; however, the recent Sony attack may prove to be a game changer in passing new cybersecurity bills.

Even if President Obama and Congress can implement the above changes, it will still be difficult for the government to enact more effective policy changes. Technology can easily mask the identity or location of those organizing cyberattacks. This can make identifying and prosecuting those responsible near impossible. Justifying an appropriate response to attacks is even harder.

Legislatures and citizens also tend to be kept in the dark due to extreme security regarding a country’s cyber capabilities. Edward Snowden’s revelations about the NSA sparked public interest in cybersecurity and in the extent of the government’s capabilities. But still, information regarding U.S. cyber policies remains classified and not open to general discussion. Without transparency, it is hard to exercise oversight or explain to the public the government’s cybersecurity activities.

Critics also contend that President Obama’s proposal leaves large gaps in cybersecurity policy. The policy fails to establish ground rules for responding to cyber attacks once they have occurred and it remains unclear how the United States might respond to cyberattacks against government networks or even private sector entities like Sony. While attacks may be criminalized, prosecuting these cases with limited evidence is difficult.

A recently uncovered 2009 U.S. cybersecurity report warned that the government was being left vulnerable to online attacks because encryption technologies were not being implemented fast enough. While the country has come a long way since 2009, there is still much room for improvement. A 2015 review of the Department of Homeland Security stated that:

DHS spends more than $700 million annually to lead the federal government’s efforts on cybersecurity, but struggles to protect itself and cannot protect federal and civilian networks from the most serious cyber attacks.


Conclusion

More needs to be done in the realm of cybersecurity to protect against cyberattacks. While less legislation may have worked in the past, the scale of recent cyberattacks shows the vast potential for damage to the government, companies, and individuals. President Obama’s recent proposal may be a good start, but more long-term policies are needed to protect citizens from serious cyberattacks. No cybersecurity solution is permanent, so public policy must constantly evolve to suit the needs of its citizens in the cyber realm.


Resources

Primary

Department of Homeland Security: Federal Information Security Management Act

White House: Securing Our Cyberspace: President Obama’s New Steps

Homeland Security and Governmental Affairs Committee: A Review of Missions and Performance

Additional

Congressional Research Service: Cybersecurity Issues and Challenges

National Journal: Obama’s New Cybersecurity Proposal Facing Skepticism

UMUC: Cybersecurity Primer

Forbes: Why a Global Security Playbook is Critical Post-Sony

Guardian: Secret U.S. Cybersecurity Report

Reuters: Obama Seeks Enhanced Cybersecurity Laws to Fight Hackers

NPR: Obama, Cameron Promise to Cooperate on Cybersecurity

Yahoo: Obama Says Hacks Show Need for Cybersecurity Law

Huffington Post: What’s Wrong with America’s Cybersecurity Policy?

Alexandra Stembaugh
Alexandra Stembaugh graduated from the University of Notre Dame studying Economics and English. She plans to go on to law school in the future. Her interests include economic policy, criminal justice, and political dramas. Contact Alexandra at staff@LawStreetMedia.com.

Criminals Availing in Cyberspace https://legacy.lawstreetmedia.com/blogs/crime/criminals-availing-cyberspace/ https://legacy.lawstreetmedia.com/blogs/crime/criminals-availing-cyberspace/#comments Tue, 03 Jun 2014 19:59:04 +0000 http://lawstreetmedia.wpengine.com/?p=16380

Security breaches among major companies such as Target, eBay, and Neiman Marcus dominated news headlines this past year and led many to wonder about the safety of the information stored with organizations throughout the United States. The statistics from the May 2014 US State of Cybercrime Survey are far from reassuring.

The survey, a combined effort of PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the US Secret Service, states that the number of cybercrime incidents and the fiscal losses they incur are rapidly rising. The findings reveal that this is mainly because the companies could not adequately defend themselves from cyber-attacks. According to the 2014 survey, the top five methods for cyber-attacks involve malware, phishing (the attempt to acquire sensitive information such as usernames or passwords), network interruption, spyware, and denial-of-service attacks.

The report covered information from 500 different corporations and government agencies, including law enforcement, and stated that “three out of four had had some kind of security breach just in the last year, and the average number of incidents per organization was 135.”

Fourteen percent of those surveyed reported that monetary losses attributed to cybercrime have increased in the past year. The actual costs are generally not known, as the majority of those who reported a cyber attack were unable to estimate the associated financial costs. Of the few survey respondents that could, the average yearly loss was around $415,000. Businesses are beginning to feel that cyber security is an issue that is out of their control and that cyber attacks are costing them an increasing amount of money.

Why the Rising Rate?

One of the major problems associated with the rising rate of cybercrime is that few companies, only 38% according to the survey, are adequately prepared to combat cybercrime. These rising rates are not simply due to inadequate defenses, but also increasingly sophisticated techniques used by cyber criminals. According to an article on Time.com, the most pertinent threats to cyber security in the United States come from Syria, Iran, China and Russia.

There are two kinds of big companies in the United States: those who’ve been hacked by the Chinese and those who don’t yet know that they’ve been hacked by the Chinese.

-FBI Director James Comey

The 2014 report lists major reasons why these attacks are on the rise. Among them, most organizations do not spend enough on cybersecurity and do not properly understand cybersecurity risks. According to the survey, there is also a lack of collaboration among companies that have experienced a breach or other form of cyber attack; it notes that “82% of companies with strong protection against cybercrime collaborate with others to strengthen their defenses.” Other pertinent issues leading to increased cybercrime are insufficient security of mobile devices and lack of proper evaluation of attacks within organizations.

What Can Be Done to Lower the Rate of Cyber Attacks?

According to the 2014 survey, one major way for corporations and agencies to prevent cybercrime is through company-wide employee training, which has been shown to be effective but is not currently used frequently enough. According to an article on CSO’s website, many organizations aren’t running information security training programs that are up to date. The 2014 survey recommends that the main focus of companies should be protecting the private financial information of their consumers. Perhaps as companies continue to strengthen their cybersecurity efforts, the rate of attacks from online adversaries will begin to lower, causing the 2015 report to reflect a decrease in cybercrime.

Marisa Mostek (@MarisaJ44) loves globetrotting and writing, so she is living the dream by writing while living abroad in Japan and working as an English teacher. Marisa received her undergraduate degree from the University of Colorado in Boulder and a certificate in journalism from UCLA. Contact Marisa at staff@LawStreetMedia.com.

Featured image courtesy of [geralt via Pixabay]

Security Breach: The Senate Wants to Protect Your Information https://legacy.lawstreetmedia.com/blogs/technology-blog/security-breach-the-senate-wants-to-protect-your-information/ https://legacy.lawstreetmedia.com/blogs/technology-blog/security-breach-the-senate-wants-to-protect-your-information/#respond Thu, 27 Feb 2014 19:07:20 +0000 http://lawstreetmedia.wpengine.com/?p=12604

In response to Target’s massive data breach affecting nearly 110 million consumers, the Data Security and Breach Notification Act has been introduced in the U.S. Senate. Both Target and its customers were victims of the 2013 cyberattack, which increased susceptibility to identity theft for customers, and tanked profits for the company. The new legislation attempts to increase the security of consumer information, and to set requirements for companies to notify consumers and government agencies of security breaches.

The Act will establish six requirements for companies to increase data security protection: 

  1. Create a security policy with respect to the collection, use, sale, dissemination, and maintenance of personal information.
  2. Identify a point of contact who is responsible for the management of information security.
  3. Create a process to identify and assess possible vulnerabilities within the security systems maintained by the company, including regular monitoring for breaches.
  4. Create a process to make necessary changes to security practices used to maintain personal information including architecture, installation, and operating software.
  5. Create a process to dispose of data in electronic form by destroying, erasing, or encrypting the information.
  6. Implement a standard method(s) to destroy paper and other non-electronic data that contains personal information.

While some companies maintain their own security of personal information, others contract this responsibility to third party groups. In the event of a security breach, this legislation requires any group responsible for maintaining personal information to contact the Federal Trade Commission, and to contact all consumers whose information may have been compromised. Consumers must be contacted either by mail, email, or telephone, and it is the company’s responsibility to create a hotline or website to provide additional information to those affected by the breach. If a security breach affects more than 5,000 people, companies are required to notify all major credit reporting agencies. Also, some companies will be responsible for providing at least one free credit report per quarter for each consumer with compromised personal information, for up to two years.

Some covered companies, like small businesses and non-profit organizations, that are unable to provide free credit reports due to cost may be exempt from this practice. Additionally, companies that find other correspondence methods too costly may employ alternative notification methods like contacting print and broadcast media to inform the public. If a company does not follow the reporting requirements and is not exempted from certain practices, it can be fined.

If this legislation is passed, a company’s data security will not improve as a result of it, but rather in spite of it. Companies are improving security to combat the threat of class-action lawsuits and enormous financial losses as a result of a security breach without federal action. The Data Security and Breach Notification Act fails to understand that companies are also victims when dealing with cyberattacks, and no matter what security measures are in place, all electronic information is vulnerable to being hacked. The bill also fails to acknowledge the role bankcards play in the insecurity of personal information. As noted by David French, Vice President of The National Retail Federation, the bankcard industry prefers magnetic stripe cards over PIN-and-Chip technology, which is more secure. Retail companies cannot be the only group held accountable for the actions of cyber criminals.

Requiring companies to notify government organizations, credit reporting agencies, and consumers is a more effective policy. Although companies are improving cybersecurity, a breach in that security could lead companies to hide the breach or delay informing consumers. This delay may impede a person from contacting their financial institution in time to prevent the misuse of their personal information. Another benefit of requiring companies to inform the public of a breach is that it reduces the consumer burden of proving identity fraud. Consumers need to be protected, and when companies fall short of providing that protection, they have a responsibility to assist consumers in correcting the company’s mistake; however, lawmakers should consider that consumers and companies are victims of data security breaches, and that different industries influence the ability to effectively secure data.

Teerah Goodrum (@AisleNotes) is a graduate student at Howard University with a concentration in Public Administration and Public Policy. Her time on Capitol Hill as a Science and Technology Legislative Assistant has given her insight into the tech community. In her spare time she enjoys visiting her favorite city, Seattle, and playing fantasy football.

Featured image courtesy of [Chris Potter/StockMonkeys.com via Flickr]

Teerah Goodrum
Teerah Goodrum is a Graduate of Howard University with a Masters degree in Public Administration and Public Policy. Her time on Capitol Hill as a Science and Technology Legislative Assistant has given her insight into the tech community. In her spare time she enjoys visiting her favorite city, Seattle, and playing fantasy football. Contact Teerah at staff@LawStreetMedia.com.
