|
||
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: |
THE COST OF PRIVACYSource: Forbes.comPosted on May 19, 2008 The cost of trying to clean up the mess in US federal cybersecurity now has a price tag: $40 billion in new funding over the next six years. That's what analysts say President George W. Bush proposed to spend to put in place his new "Cyber Initiative," a program that aims to protect government systems left naked and vulnerable in the wake of a now largely discredited federal cybersecurity management program. Federal agencies' track record in managing cybersecurity isn't good: Over the past seven years, agencies wasted more than a billion dollars trying to earn higher grades on pointless metrics such as the number of reports they wrote about security - reports that were never used and usually never even read. Meanwhile, nation states and criminal groups thoroughly exploited the holes those agencies left in their defenses, penetrating federal computers, stealing sensitive information that they later used for military and economic advantage and leaving remote-control software on federal systems. Equally victimized have been the government contractors that build the nation's weapons systems. Even organizations that have no relationship with the government are being infiltrated by nation states seeking economic advantage. The penetrators have already proven they can use stolen data about our own technological advances against us. By using remote-control tools to change the content of messages, malevolent hackers can change what federal executives think they know and can even disseminate false information to the public in the government's name. It is worth $40 billion to find those infections and get rid of them - and to try to inoculate federal systems against future infections. But how do you do that? You can, of course, search systems for malicious code - but that process almost never finds malicious software that has been hidden by skilled people. In extreme cases, you can reload an entire operating system. But although that might clean up systems riddled with problems, it still leaves the system vulnerable to future infections. I know of only one possible way to improve the chances of finding malicious code deeply hidden within computer systems. It involves a comprehensive program of monitoring the network, looking for evidence that malignant code is "phoning home" for instructions. That is, indeed, one of the most important aspects of President Bush's new cyber initiative: it will deploy massive computer monitoring of all electronic traffic, in and out of government agencies. It certainly has a chance of making a significant difference in improving security. I think many commercial organizations will also opt in. When they learn that mischief-bent nation states have penetrated their systems and stolen information, they will ask to be included in government's monitoring process to help improve their defenses as well. So what's the down side? Privacy.Privacy advocates rightly point out that such monitoring will involve looking at the content of messages as well as the "envelopes" that carry the messages. They will also argue that the government's right to look at all that data may severely damage citizens' rights to privacy. Some have suggested that the cyber initiative's threat to privacy is great enough that it should be scaled back, limiting what the network monitors can watch. That type of knee-jerk reaction to the cyber initiative completely misses the fundamental connection between privacy and security: You cannot ask for privacy if you are unwilling to pay for security - there is no privacy without security. This is true in the private sector as well as in the government. Consider, for instance, the databases of personal information maintained by a medical insurance processor. It's very sensitive information: who has taken HIV tests, drugs for depression, pregnancy tests and so on. When criminal groups control those computers, they have access to all that personal data. They can disclose it on the Internet (when the insurer refuses to pay extortion to keep the information loss secret). They can use it to put pressure on patients - and that could be you or your family. You deserve to demand that the insurers do whatever is necessary to protect those systems. The government has a lot of sensitive data about you as well. Most of those details are economic ones, but the federal government also warehouses surprising amounts of other information about you and your family and the businesses you have. You have a right to demand that that data is protected. Without far more effective electronic monitoring, most of that data is at risk. Organized crime groups are relentless in their methods - wrecking a few people's economic lives along the way is just collateral damage. Rather than trying to limit network monitoring, people who understand the nexus between privacy and security - including privacy advocates - should be pushing government forward with all deliberate speed. The faster we can develop techniques that find the criminal penetrations, the stronger will be our defenses against breaches of private data. by Alan Paller, director of research at the SANS Institute in Washington, D.C. He was selected by President Clinton as one of the initial members of the National Infrastructure Assurance Council and by the Federal CIO Council as the 2005 Azimuth Award winner.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
ALERT WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |