Contents contributed and discussions participated by Owen Kemp
Study: Manufacturers Should Upgrade Risk Management Practices
A new report from Deloitte and the Manufacturers Alliance for Productivity and Innovation recommends that manufacturers convert their risk management practices to "an ongoing conversation rather than a periodic presentation."
The study, titled "Understanding Risk Assessment Practices at Manufacturing Companies," said the evolution of technology within the manufacturing sector presents vulnerabilities as well as opportunities, and that new threats can strike with unprecedented speed.
The report argued companies should improve their use of technology in risk management, consider increasing the frequency of assessments and embed those practices within all levels of company operations.
"In short, risk assessment and management techniques should advance at a rate equal to or greater than the underlying business," the report said.
Companies surveyed by Deloitte and MAPI identified cyber security as the biggest IT risk three years from now, with product design and development innovation as the top business risk over that span. The report said companies should utilize cyber security controls, but that they should also increase their insight into potential threats and how to appropriately respond to them.
The study also noted that 93 percent of companies indicated oversight of their risk management rested with the full board or an audit committee, and suggested that "given the rising complexity facing most manufacturing organizations ... it may be time to give risk management a clear subcommittee."
The involvement of a committee, meanwhile, could result in such panels becoming increasingly involved in day-to-day operations. The report called for a "proper executive champion" for that role, potentially including the creation of a chief risk officer.
Improved risk management and audit practices, meanwhile, could also help create a more resilient supply chain, as well as improve employee recruitment and retention amid ongoing concerns about a manufacturing skills gap.
Although improving risk management practices wouldn't dramatically alter a company's bottom line, the report said the potential benefit to competitive advantages and shareholder confidence "will naturally make its way into earnings."
"Organizations should establish a risk assessment program that fits into its unique culture and risks," said MAPI deputy general counsel Les Miller. "Since change is constant and can occur suddenly, ongoing efforts to enhance the sophistication and variety of risk assessment techniques are needed."
The study conducted an online poll of 68 members of MAPI's Internal Audit and Risk Management Councils in June of 2014. The respondents ranged from less than $1 billion in annual revenue to more than $25 billion; the majority ranged between $1 billion and $10 billion.
Dyman Associates Project: The Unfolding Role of Risk Managers
Melissa Sexton, CFA is the head of Product and Investment Risk for Morgan Stanley Wealth Management. Prior to this, she spent nearly a decade serving as Chief Risk Officer at two different hedge funds in New York. Most of Melissa's 25 years of experience has been in a variety of risk management roles, though she has also traded derivatives and worked in operations, and has continuously worked on projects which integrate risk management with information technology. Ms. Sexton is a member of PRMIA New York's steering committee, received a BA in Mathematics and Economics from Boston University, and was awarded her CFA charter in 2001.
Christopher Skroupa: You started your career in risk management in the 1990s, a decade notable for rapid changes in information technology combined with extraordinary growth and development of financial products. How have these changes affected the risk management function over your career?
Melissa Sexton: The changes have been significant and continue to be. When I started in the field, the most sophisticated financial instrument was an exchange-traded option - a standardized product with fully transparent pricing and contract terms. Software for standardized products can be commoditized and developed fairly quickly, but products with multiple triggers and non-standard underlyings meant that technology and risk models needed to be flexible and much more complex. And risk managers needed to be knowledgeable not only about valuation models and the nuances of different financial markets, but needed to have more of an enterprise view of risk. The risk function in the early nineties was largely focused on managing market and credit risks, but the massive growth of over-the-counter (OTC) derivatives, also known as off-exchange trading, led to increased counterparty, operational and liquidity risks. It also led to a need for enhanced Know your Customer (KYC) controls, which support a business in verifying the identity of its clients, to manage reputational risk.
Dyman Associates Risk Management: The Basics of WHS Risk Management
Prior to the modernisation of industry, managers were understandably primarily concerned with performance and cost.
Workplace health and safety (WHS) unfortunately was often only considered when it affected goals associated with performance and cost. With the passage of time and gradually increasing awareness of worker rights, employee health, safety and well-being have of course also gained additional attention.
There are various reasons for managing WHS risk. Typically they are summarised into one of four main groups:
- Ethical and moral: accident prevention is undertaken to prevent injury to personnel purely as the result of humane considerations.
- Legal: legislation places a number of duties on various persons and failure to carry out these duties can result in fines and, in extreme cases, imprisonment.
- Financial: the costs of an injury are made up of two parts: the direct cost (costs associated with medical treatment and damage) and the indirect cost (time spent on investigations, lost production, retraining).
- General business considerations: these could be considered as financial, but given the difficulty in quantifying them, they are best kept separate. They generally relate to the organisation's corporate image and reputation. Poor health and safety systems and outcomes affect many stakeholders including employees, customers, insurance companies, as well as investors and financiers.
WHS risk management is concerned with providing a structured systematic approach to decision making with respect to WHS issues. The strength of applying a systematic risk management approach to WHS issues is that it combines technical, consultative and managerial approaches into processes that support informed, consistent and defensible decision-making.
The WHS Risk Management Process can be introduced at any time, but good practice dictates the process should be commenced at the earliest possible time. Whether designing a piece of plant or a whole facility, the risk management process of hazard identification, risk assessment, control, and review should be incorporated at the design / planning stage.
WHS Risk Management includes the process concerned with identifying, analysing and responding to WHS risk. The primary objective is to eliminate or minimise the consequences of adverse effects (injury, illness or property damage) on employees or the workplace. This consists of the following major steps also known as the Risk Management Process Model:
- Establish the context: establish the strategic, organisational and risk management context in which the rest of the process will follow.
- Identify risks: identify what, why and how things can arise that will be the basis for further analysis.
- Assess risks: determine the existing controls and analyse the risk in terms of consequences and likelihood in the context of those controls. Typically, the analysis should take into account a number of potential consequences and how likely those consequences are to occur.
- Evaluate risks: compare the levels of risk against pre-established criteria. This allows risks to be ranked so as to identify management priorities.
- Treat risk: allow for the development of specific management plans to control the risk by way of elimination or minimisation strategies.
- Monitoring and review.
- Communication and Consultation.
By implementing systematic WHS Risk Management activities, organisations are able to better understand operations and their associated hazards as well as afford greater flexibility with regard to the methods used to control risks and the costs of implementing those controls.
With the increased ability to respond effectively to organisational changes, both internal and external to the organisation, WHS risk management may lead to a myriad of direct benefits including:
- Reducing injury and illness to employees and the community
- Saving money and adding value by more effective allocation of resources
- Improving the quality of information available for making decisions
- Improving the understanding of WHS risks throughout the organization
- Complying with WHS legislation and being better able to demonstrate this
- Improving the organization's image and reputation
- Improving accountability and transparency of decision-making
Possible broader and longer term benefits of an effective OHS risk management program are:
- Effective strategic planning as a result of increased knowledge and understanding of key risk exposures
- Lower workers' compensation costs because undesirable OHS outcomes are foreseen and addressed
- Improved audit processes
- Better outcomes in terms of the effectiveness, efficiency, and appropriateness of OHS programs, i.e. programs targeting key risk areas
- Improved communication, both within the organization and between the organization and its external stakeholders
WHS Risk Management is a foundation of an organisation and it touches all facets of an organisation's activities. For this reason, careful planning is required in the development and implementation of a WHS Risk Management program.
Successful WHS risk management requires a sensible and straightforward approach. Implementation should not only be seen as a compliance requirement but also as a key business tool that adds value to the organisation's objectives.
WHS Risk Management should include regular reviews of all WHS aspects of an organisation's activities. The effectiveness of the WHS Risk Management Process should be monitored and documented in order to ensure that the risk management strategies continue to be relevant to the organisation's activities that affect WHS.
Dyman Associates Risk Management: So You Think You Have a Point of Sale Terminal Problem?
If your company has a Point of Sale (POS) terminal anywhere in its infrastructure, you are no doubt aware from the active media coverage that malware attacks have been plaguing POS systems across the country.
Just within the past week, the New York Times has reported that:
- Companies are often slow to disclose breaches, often because of the time involved in immediately-required investigations;
- Congress is beginning to make inquiries of data breach victim companies; and
- Even those companies who have conducted cybersecurity risk assessments still get attacked, often during the course of implementing new solutions to mitigate potential problems and protect their customers' payment cards or other personal information.
- Former employees can be a source of information to the media about your efforts to investigate and secure your POS systems.
No Quick Fix
Even the best intentions, most competent efforts and unlimited budgets cannot fix a problem such as this overnight. These fixes take time, and have become an unavoidable symptom of having POS terminals.
What should your company do?
(1) Launch a cybersecurity risk assessment, if you have not yet done so.
(2) Protect your risk calculations by engaging outside counsel and qualified cybersecurity experts to provide legal risk advice protected by the attorney-client privilege. Keep C-suite executives and Boards of Directors informed. The outside counsel, together with experts, should:
- educate and advise directors and executives on legal and business risks associated with your company's particular threats and vulnerabilities;
- engage a qualified, experienced external cybersecurity team to review technical infrastructure and identify vulnerabilities stratified and prioritized by risk, likelihood of being exploited, and costs and time involved in remedying each one;
- review operational procedures across a multi-disciplinary team in your company, which are often overlooked and can have the greatest impact on the overall health of your risk profile;
- help identify the most sensitive categories of information in your organization and develop data governance procedures tailored to your organization to add yet another layer of protection for your most sensitive assets;
- regularly remind your team members, including from your third-party vendors engaged by counsel, about privilege and confidentiality obligations.
(3) Treat cybersecurity risk assessments and remediation efforts as an iterative process. Constantly review your multi-disciplinary team's recommendations as they change week by week or day by day. Re-evaluate the spend allocated based on updated information about your risk landscape as the investigation and assessment progresses.
(4) Stay informed about updated regulatory requirements and case law on cybersecurity and privacy. Ensure stakeholders understand these updates and charge them with implementing appropriate changes in their domains.
(5) Recognize that there is no such thing as perfect security, but that there is a tipping point over which your company will move outside the category of high-risk operations and into a safe zone.
(6) Allocate the necessary resources to get the job done - and done well. If your company goes an extra mile in building security policies, procedures and technology that are better than industry standard, you can use your low risk profile as a market differentiator. In addition to reducing litigation and reputational risks, validated strong security will increase customer confidence and loyalty.
(7) Review your insurance policies for adequate coverage to address interim risks. While reputational risk cannot be insured against, insurance can be very valuable in the event of a breach.
In the retail industry in particular, the widespread compromises of Point of Sale Terminals resulting in staggering amounts of payment card theft are a hallmark of 2014. A decrease in brand reputation alone is too high a cost to ignore. If your company is - very understandably - not equipped to tackle the daunting task of finding and prioritizing vulnerabilities and choosing the best cybersecurity governance and technical plans, find someone who is.
Dyman Associates Risk Management: What is Risk Management
The Importance of Risk Management to Business Success
Risk management is an important part of planning for businesses. The process of risk management is designed to reduce or eliminate the risk of certain kinds of events happening or having an impact on the business.
Definition of Risk Management
Risk management is a process for identifying, assessing, and prioritizing risks of different kinds. Once the risks are identified, the risk manager will create a plan to minimize or eliminate the impact of negative events. A variety of strategies is available, depending on the type of risk and the type of business. There are a number of risk management standards, including those developed by the Project Management Institute, the International Organization for Standardization (ISO), the National Institute of Science and Technology, and actuarial societies.
Types of Risk
There are many different types of risk that risk management plans can mitigate. Common risks include things like accidents in the workplace or fires, tornadoes, earthquakes, and other natural disasters. It can also include legal risks like fraud, theft, and sexual harassment lawsuits. Risks can also relate to business practices, uncertainty in financial markets, failures in projects, credit risks, or the security and storage of data and records.
Goals of Risk Management
The idea behind using risk management practices is to protect businesses from being vulnerable. Many business risk management plans may focus on keeping the company viable and reducing financial risks. However, risk management is also designed to protect the employees, customers, and general public from negative events like fires or acts of terrorism that may affect them. Risk management practices are also about preserving the physical facilities, data, records, and physical assets a company owns or uses.
Process for Identifying and Managing Risk
While a variety of different strategies can mitigate or eliminate risk, the process for identifying and managing the risk is fairly standard and consists of five basic steps. First, threats or risks are identified. Second, the vulnerability of key assets like information to the identified threats is assessed. Next, the risk manager must determine the expected consequences of specific threats to assets. The last two steps in the process are to figure out ways to reduce risks and then prioritize the risk management procedures based on their importance.
Strategies for Managing Risk
There are as many different types of strategies for managing risk as there are types of risks. These break down into four main categories. Risk can be managed by accepting the consequences of a risk and budgeting for it. Another strategy is to transfer the risk to another party by insuring against a particular risk, like fire or a slip-and-fall accident. Closing down a particular high-risk area of a business can avoid risk. Finally, the manager can reduce the risk's negative effects, for instance, by installing sprinklers for fires or instituting a back-up plan for data.
Having a risk management plan is an important part of maintaining a successful and responsible company. Every company should have one. It will help to protect people as well as physical and financial assets.
Dyman Associates Risk Management Approach and Plan
Dyman Associates Risk Management - As a management process, risk management is used to identify and avoid the potential cost, schedule, and performance/technical risks to a system, take a proactive and structured approach to manage negative outcomes, respond to them if they occur, and identify potential opportunities that may be hidden in the situation [4]. The risk management approach and plan operationalize these management goals.
Because no two projects are exactly alike, the risk management approach and plan should be tailored to the scope and complexity of individual projects. Other considerations include the roles, responsibilities, and size of the project team, the risk management processes required or recommended by the government organization, and the risk management tools available to the project.
Risk occurs across the spectrum of government and its various enterprises, systems-of-systems, and individual systems. At the system level, the risk focus typically centers on development. Risk exists in operations, requirements, design, development, integration, testing, training, fielding, etc. (see the SE Life-Cycle Building Blocks section of this Guide). For systems-of-systems, the dependency risks rise to the top. Working consistently across the system-of-systems, synchronizing capability development and fielding, considering whether to interface, interoperate, or integrate, and the risks associated with these paths all come to the forefront in the system-of-systems environment. At the enterprise level, governance and complexity risks become more prominent. Governance risk, arising from different guidance across the enterprise issued for the benefit of the enterprise, will trickle down into the system-of-systems and individual systems, resulting in potentially unanticipated demands and perhaps suboptimal solutions at the low level that may be beneficial at the enterprise level. Dealing with the unknowns, and with the risks associated with them, increases; techniques in the Guide's section on Enterprise Engineering, such as loose couplings, federated architectures, and portfolio management, can help the MITRE SE alleviate these risks.
Risk Management in System-Level Programs
System-level risk management is predominantly the responsibility of the team working to provide capabilities for a particular development effort. Within a system-level risk area, the primary responsibility falls to the system program manager and SE for working risk management, and the developers and integrators for helping identify and create approaches to reduce risk. In addition, a key responsibility is with the user community's decision maker on when to accept residual risk after it and its consequences have been identified. The articles in the Risk Management topic area provide guidance for identifying risk (Risk Identification), mitigating risks at the system level with options like control, transfer, and watch (Risk Mitigation Planning, Implementation, and Progress Monitoring), and a program risk assessment scale and matrix (Risk Impact Assessment and Prioritization). These guidelines, together with MITRE SEs using tools such as those identified in the Risk Management Tools article, will help the program team deal with risk management and provide realism to the development and implementation of capabilities for the users.
Risk Management in System-of-Systems Programs
Today, the body of literature on engineering risk management is largely aimed at addressing traditional engineering system projects: those systems designed and engineered against a set of well-defined user requirements, specifications, and technical standards. In contrast, little exists on how risk management principles apply to a system whose functionality and performance is governed by the interaction of a set of highly interconnected, yet independent, cooperating systems. Such systems may be referred to as systems-of-systems.
A system-of-systems can be thought of as a set or arrangement of systems that are related or interconnected to provide a given capability that, otherwise, would not be possible. The loss of any part of the supporting systems degrades or, in some cases, eliminates the performance or capabilities of the whole.
What makes risk management in the engineering of systems-of-systems more challenging than managing risk in a traditional system engineering project? The basic risk management process steps are the same. The challenge comes from implementing and managing the process steps across a large-scale, complex system-of-systems, one whose subordinate systems, managers, and stakeholders may be geographically dispersed, organizationally distributed, and may not have fully intersecting user needs.
How does the delivery of capability over time affect how risks are managed in a system-of-systems? The difficulty is in aligning or mapping identified risks to capabilities planned to be delivered within a specified build by a specified time. Here, it is critically important that risk impact assessments are made as a function of which capabilities are affected, when these effects occur, and their impacts on users and stakeholders.
Lack of clearly defined system boundaries, management lines of responsibility, and accountability further challenge the management of risk in the engineering of systems-of-systems. User and stakeholder acceptance of risk management, and their participation in the process, is essential for success.
Given the above, a program needs to establish an environment where the reporting of risks and their potential consequences is encouraged and rewarded. Without this, there will be an incomplete picture of risk. Risks that threaten the successful engineering of a system-of-systems may become evident only when it is too late to effectively manage or mitigate them.
Frequently a system-of-systems is planned and engineered to deliver capabilities through a series of evolutionary builds. Risks can originate from different sources and threaten the system-of-systems at different times during their evolution. These risks and their sources should be mapped to the capabilities they potentially affect, according to their planned delivery date. Assessments should be made of each risk's potential impacts to planned capabilities, and whether they have collateral effects on dependent capabilities or technologies.
In most cases, the overall system-of-systems risk is not just a linear "roll-up" of its subordinate system-level risks. Rather, it is a combination of specific lower level individual system risks that, when put together, have the potential to adversely impact the system-of-systems in ways that do not equate to a simple roll-up of the system-level risks. The result is that some risks will be important to the individual systems and be managed at that level, while others will warrant the attention of system-of-systems engineering and management.
Dyman & Associates Risk Management Projects on Threat intelligence versus risk
Security officers who view threat intelligence and risk management as the cornerstone of their security programs may have advantages over peers who face constraints when it comes to taking advantage of the available data. CISOs are generally tasked with evaluating security controls and assessing their adequacy relative to potential threats to the organization and its business objectives. Their role in cybersecurity risk management -- the conscious decisions about what the organization is going to do and what it is not going to do to protect assets beyond compliance -- is still hotly debated. The transition towards risk management is more likely for the 42% of enterprises whose security officers report to executives (the board of directors or chief risk officers) outside of the IT organization, according to Gartner. The firm's analysts advise security officers to achieve compliance as a result of a risk-based strategy, but admit that "organizations have not kept pace." Equinix started to build a customized threat intelligence program about five years ago. The International Business Exchange data center provider uses threat intelligence along with risk assessment to do its "homework" before the company invests its resources in information security or agrees to IT requests from departments with different priorities.
Dyman & Associates Risk Management Projects on Top 20 mSecurity Companies 2014
Leaders in Software as a Service (SaaS), Mobile Device Management (MDM) & Bring Your Own Device (BYOD) Security
Mobile devices have become an intrinsic part of everyday life, for individual consumers and large organizations alike. Consequently, the popularity of smart devices makes them an increasingly attractive target for cybercriminals with regard to the potential value of personal data found on a device. The increasing demand for mobile security software is seeing the emergence of security specialists offering solutions aimed at mobile as well as PC. Established market players in internet security are adapting their services to mobile, while a number of new companies are specializing specifically in smartphone and tablet security. Solutions including software, device management and security as a service are looking to answer this nascent security demand. The complex nature of the mobile ecosystem and the close affinity to the broader cyber security market has made the mobile security sector a relatively fragmented market, with overlaps between the different submarkets. As a result, Visiongain has determined that the top 20 companies in the global mobile security market account for $2.06 billion, or 58.9% of annual market revenue, which illustrates a highly competitive and fragmented market.
Dyman and Associates Projects: A New Graduate's Survival Guide Against Identity Hackers
As fresh graduates descend from the ivory tower (bearing their unstained diplomas), many will eventually encounter "real world" interactions for the very first time, and they run the risk of being eaten alive out there. Identity-connected scams, dark schemes and credit status traps litter the way to financial success. And for many of those new graduates who confidently say, "It will never happen to me," get ready for your bubble to burst.
Information breaches and the identity-theft crimes that arise from them have become realities of life, next only to death and taxes. But there are a few things you can undertake to improve your protection against them, identify the problems and reduce the effects in case the inevitable happens. And if you believe a compromise of your identity or credit will never cost you a good amount of money, you will be surprised by the emotional turmoil and endless moments of annoyance spent regretting things which are non-refundable.
New grads must bear this in mind: Your personal identity and credit are significantly precious assets. And whereas it might be quite early in the game to seriously consider your investment portfolio, you now have two built-in investment-grade portfolios that you ought to manage well: your identity portfolio and your credit portfolio.
Take a look at a few general rules of the game that will help you protect your identity and, if you observe them, could make it easier for you to succeed.
1. Credit Cards
If you are a newbie to the world of credit cards, you tend to make some beginner's errors that may lead to identity risk.
First, be wary as to where you divulge your credit card data. Consider yourself your own worst enemy when it comes to credit card scams if you fail to observe proper security steps when sharing your credit card information on websites, with companies and even with friends. And while scammers have a way of stealing your account numbers, taking extra care if you live with roommates will protect you in a big way.
Make sure to check your account statements as often as you can, even daily, for unauthorized withdrawals or purchases. If anyone steals your debit or credit card number and goes out to spend like a king, and you fail to discover it early enough to prevent more damage, you could find yourself back to zero.
Keep track of your credit report and note how your credit standing moves. This will allow you to ascertain that all the accounts listed there belong to you. Usually, the first sign that you have fallen victim to new account fraud arises from these reports. Being aware lets you face and deal with the issue well before a collection firm asks for money you did not spend. Check your credit reports free of charge once a year from all three credit reporting agencies through this site: AnnualCreditReport.com. Likewise, you can check two of your credit scores for free with a Credit.com account - if you observe an unexpected reduction in your credit scores, check your reports for any issues, including fraudulent accounts.
2. Utilities
What about utilities? You phone a customer service agent who gets your name, address and phone number, and when your bill comes on the last day of the month, you pay accordingly. Sounds so simple, even a child could do it - which is exactly the problem. Identity thieves are so good at stealing electricity in your name, and since it is that easy for anyone to set up an account using your name, you may not be aware of it until you receive a notice from a collection agency for unpaid utilities bills and your credit status falls.
Here is what you need to do: Take extra time assessing your bills and immediately check on any doubtful items, always pay your bills on time (consider enrolling in a direct debit plan), safeguard your personally identifiable data (which means protecting your Social Security number from everyone except the select few who have to know it), and keep in mind that monitoring your scores and your reports often can warn you of any issue soon enough. One can never be too paranoid when it comes to monitoring nowadays.
3. Applying for Jobs
Many fresh graduates are not aware that a significant number of firms and institutions will check credit reports (not credit scores) prior to offering anyone a job. They are required to obtain permission from you (often in writing) before looking at your reports, and most of them will ask for your Social Security number, a primary asset in your identity portfolio, in order to do so.
Obviously, you have to be sure the employer is authorized, and if you feel uneasy about divulging your Social Security number to a potential employer, conduct a little research before you give it. Many job scammers will take your SSN upfront, before they even interview you.
4. Filing Your Taxes
For a few new graduates, taxes have never entered their vocabulary or their limited world. It may be that their parents filed taxes for them, or they have never worked at a job to make it necessary.
If you are new at dealing with taxes, be aware of this: not every person who offers to assist you will be trustworthy. Thieves abound everywhere, so take a careful look before engaging an accountant or a tax-preparation service provider. Tax-related identity theft is one more reason why you must check who has access to your personally identifiable data. If a scammer files a tax return in your name before you do, you will spend six months or more waiting for the IRS to rectify the error and give you a refund.
Last Word on Identity Protection
In the realm of personal finance, many kinds of fraudulent people will try to take advantage of you, snatch your personally identifiable data and possibly decimate your credit. They revel in feasting over fresh-graduate meat. Not surprising, as most new graduates still have a clean credit record and may not know the possible harm that identity thieves waiting at a dark corner can do. But if you carefully manage and attentively check your identity portfolio, it will be a real asset and not a liability.
Q and A on Dyman & Associates Risk Management Projects' Involvement in Project Management
One of the main involvements of Dyman & Associates is in the field of Project Management. Here is a brief Q&A that will provide essential information about this service:
Q: What particular aspects of Project Management does Dyman & Associates engage in?
A: Here is a list of Dyman's involvement in project management:
Remediation Project Management - Dyman assists companies in complying with audit-process requirements so that they stay viable.
Data Center Transfer - Dyman reduces downtime risks on clients' systems and unmet goals during data-center relocation within one site.
Business Continuity - Dyman assures clients of unhampered delivery of their methods and materials during disruptions in vital operations.
Business Impact Analysis - By measuring the viability of each application through extensive interviews within the organization and analyzing the internal and external Service Level Agreements, Dyman can determine the overall health of a company and provide ways for improvement.
Big-scale Technology Resets - Dyman helps clients avoid non-delivery of committed materials by improving cable plant, routers, switches, desktops, Wide Area Network, and others.
Dyman Associates Management The political science of cybersecurity V: Why running hacke...
(Washingtonpost) - One of the most difficult challenges of cybersecurity is that it enables private actors to play a significant role in international security. Both security officials and international relations scholars tend to assume that states are the most important security actors. With a couple of minor exceptions (mercenary forces and the like) private actors simply don’t have the firepower to play a substantial role. Even terrorist groups with international ambitions usually require some kind of state to provide them with safe haven or to back them. Many (although certainly not all) experts argue that cybersecurity is different. Computers and Internet access are all that you need to carry out many kinds of attack, allowing private actors to become a real force in international cyber politics.
This potentially presents two problems for traditional understandings of international security. First, many argue that the world will be less stable if private actors can affect international security. For example, Joseph Nye, a prominent scholar and former policymaker, argues (PDF) that states have not been displaced by private actors in cybersecurity, but now have to share the stage with them. This creates greater volatility in world politics. The more actors there are, the greater the chance of unpredictable accidents, events, attacks or misunderstandings. Furthermore, private actors may have widely varying motivations and be more difficult to discipline. They are less likely to be concerned with the stability of the international system than states are.
There is also a more subtle problem. The existence of empowered private actors in cybersecurity presents temptations to states. It is easier for states to attack other states while blaming hackers, rogue elements or others for the attacks, thus making retaliation less likely. In cyberspace, it is often hard to figure out who precisely is responsible for an attack. These problems are multiplied when states can e.g. use clandestine relationships with private actors to carry out attacks by proxy.
For example, there is still vigorous debate over whether or not the Russian state mounted cyber attacks on Georgia during a dispute a few years ago. Certainly, the major attacks appear to have been mounted from within Russia. However, Ron Deibert, Rafal Rohozinski and Masashi Crete-Nishihata argue (paywalled) that the likely perpetrators were patriotic Russian cyber criminals (who had already created "botnets" of compromised computers for purely criminal attacks) rather than the Russian state itself. While it is possible that the Russian state (some elements of which maintain clandestine contact with the Russian underworld) was using these criminal networks as a cutout to blur responsibility, it is nearly impossible to prove one way or another.
This has led some experts to call for new norms about responsibility. Jason Healey of the Atlantic Council proposes a sliding scale under which states would effectively be required to take responsibility for any major attacks organized from their territory or carried out by their citizens. This would change the incentives, so that states would both be less inclined to cheat by acting through hidden proxies, and more inclined to tidy up rogue elements on their territory that might mount international attacks and land them in hot water. He suggests that the best way for the U.S. to protect its national security interest is to push for such norms.
In this context, yesterday’s New York Times story about the relationship between the FBI and the loosely-knit hacker culture/collective Anonymous raises some problems. The FBI identified a key Anonymous member, Sabu, and turned him so as to identify other hackers. Sabu then appears to have shared a list of foreign Web sites (including sites run by the governments of Iran, Syria, Poland, Turkey, Brazil and Pakistan) with vulnerabilities, and encouraged his colleagues to try to hack into them, uploading data to a server monitored by the FBI.
The Times says it is unclear whether he was doing so on direct orders from his FBI handlers. It is also unclear what happened to the information after it was uploaded (the Times raises the possibility that it was shared with other intelligence agencies, but it may have been left there to sit as evidence). Either way, this report is sure to be interpreted by other countries (including U.S. allies like Poland and Turkey) as strong circumstantial evidence that the U.S. has used independent hackers to conduct attacks in the past, and very possibly is doing so at present.
This obviously makes it harder for the U.S. to push for the kinds of norms that Healey and others advocate. If the U.S. appears to have dirty hands, it will have a more difficult time getting other states to believe in the purity of its actions and intentions. U.S. allies will be disinclined to believe its protestations. Countries that are more or less hostile to the U.S., and which have dubious relations with their own hacking community (such as Russia), are sure to point to the FBI’s decision to run Sabu as evidence of U.S. hypocrisy if the U.S. tries to get them to take responsibility for attacks mounted from their soil.
This will also have consequences if and when U.S. hackers (who are smart, talented and sometimes politically motivated) mount a successful public attack on a target in a third country. The U.S. administration will likely come under sustained suspicion as the hidden culprit behind such an attack, even if it has had absolutely nothing to do with it. Apparent past history will guide other states’ judgment (especially if these other states themselves have clandestine but systematic relationships with hackers, and assume that countries do the same). It’s doubtful that these issues of international policy were foremost in the thoughts of FBI officials when they decided to run Sabu (the FBI is a domestically focused agency, primarily concerned with criminal enforcement). Even so, their decisions may turn out to have important, and likely unfortunate, international ramifications.
Dyman Associates Management 5 Things You Need to Know About Cybersecurity Insurance
Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. But it doesn't do a good job of covering the reputation damage and business downturn that can be triggered by a security breach.
CIO — Cybersecurity insurance does mitigate some financial damage should you suffer an attack, but it's not a complete solution. Here are five things CIOs need to know.
1. It’s a risk-management strategy. Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. First-party insurance typically covers damage to digital assets, business interruptions and, sometimes, reputational harm.
Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines. Cyberthreats are so broad that the cost of protecting against them all would be prohibitive. The best approach is to identify and secure the company's digital crown jewels, then quantify and insure the remaining risk, says Daljitt Barn, director of cybersecurity at PricewaterhouseCoopers.
2. American and European markets differ. The cybersecurity insurance market is more mature in the U.S. than in the E.U., primarily because of U.S. states' mandatory data-breach-notification laws. Third-party insurance is more common in the U.S., and first-party is more popular in Europe, but that may change if the E.U. starts requiring breach notifications, Barn says.
The U.S. market is growing about 30 percent per year, says Richard Betterley, president of Betterley Risk Consultants. Some surveys estimate that 30 percent of large U.S. companies have cybersecurity insurance, but among companies of all sizes, Betterley says, the number is probably under 10 percent.
3. Clear wording is essential. Before you buy, investigate what risks are covered by existing insurance packages, because there may be overlaps with a cyber-insurance policy. "Make sure the cyber policy wording covers your true cyber exposure," Barn says. "Challenge your corporate insurance broker to find a policy that provides a multifaceted response, including legal, PR, notification, forensics and cyber incident response."
4. Coverage is inadequate in some areas. Cybersecurity insurance doesn't do a good job of covering intellectual property theft or the reputational damage and business downturn that can be caused by a security breach, Betterley says. Meanwhile, the industry is debating whether state-sponsored cyberattacks, to the extent they can be identified as such, are covered by cybersecurity insurance policies.
5. There's room for improvement. Ideally cybersecurity insurance should encourage companies to improve security so they can negotiate lower premiums. However, insurers don't have enough actuarial data to adjust premiums based on what security controls and products are most effective, says Andrew Braunberg, research director at NSS Labs.
Dyman Associates Management Japan, EU planning cybersecurity summit
(japantimes) - With China a suspected source of cyberattacks, Prime Minister Shinzo Abe and European Union leaders will agree at a summit in Brussels on May 7 to launch a dialogue to boost cybersecurity, according to a draft of a statement to be issued after the meeting.
“Facing more severe, widespread and globalized risks surrounding cyberspace . . . protection of a safe, open and secure cyberspace is needed,” according to the draft, a copy of which was obtained Sunday.
Abe and the EU leaders, European Council President Herman Van Rompuy and European Commission President Jose Manuel Barroso, will also agree to hold an inaugural meeting of a Japan-EU dialogue on the stable use of outer space in the latter half of this year in Tokyo, the draft says.
Tokyo appears poised to proactively contribute to international rule-making over cyberspace. The launch of a Japan-EU dialogue to promote cooperation on cyberspace would follow similar consultations Japan has held with the United States, Britain and other countries.
In recognition of the threat posed to national security, Japan said in its National Security Strategy adopted in December that it will strengthen information sharing and promote cyberspace defense cooperation with relevant countries.
In the first meeting of the Japan-EU Space Policy Dialogue, the two sides are expected to discuss creation of international norms to reduce space debris caused by anti-satellite tests, satellite collisions and other reasons.
“We affirm the importance of safety, security and sustainability of outer space activities,” the draft statement says.
In 2007, China destroyed one of its aging satellites via a missile-driven anti-satellite test, creating a mess of fragments fluttering through space and sparking concern that such debris could seriously damage other satellites nearby.
In the summit, Abe and the EU leaders will reaffirm their shared view that international disputes and issues “should be resolved peacefully and in accordance with international law, not by force or coercion,” the draft says.
The wording apparently refers to the intrusions by Chinese patrol ships into Japanese waters around the Senkaku Islands in the East China Sea, aimed at undermining Japan's administration of the islets, which are claimed as Diaoyu by Beijing and Tiaoyutai by Taiwan.
Turning to Ukraine, the Japanese and EU leaders will “strongly condemn” and “will not recognize” Russia’s annexation of Crimea in March, while urging Moscow and other parties concerned to “refrain from any steps to further destabilize Ukraine,” the draft says.
The leaders will call for ensuring freedom of navigation in and flight over the open seas, according to the draft, in an apparent criticism of China’s unilateral declaration in November of an air defense identification zone overlapping Japanese airspace over the Senkaku Islands.
Beijing announced rules requiring aircraft entering the zone — which covers an extensive area above the high seas separating China, Japan, South Korea and Taiwan — to file flight plans in advance and follow instructions of Chinese controllers or face “defensive emergency measures.”
Policymakers and experts outside China, however, say Beijing is not in line with international norms.
Among other issues, the EU leaders will welcome an expanded role for Japan in promoting and sustaining global peace and security, as set out in Abe’s policy of proactively contributing to peace based on the principle of international cooperation, it says.
Japan will study the possibility of participating in EU peace missions in Africa and elsewhere, it says.
Brussels will be the last leg of Abe’s six-nation European tour starting Tuesday, following visits to Germany, Britain, Portugal, Spain and France.
Dyman Associates Management ISACA launches cyber-security skills programme
(computerweekly) - Global IT association ISACA has launched its Cybersecurity Nexus (CSX) programme to help address the global security skills shortage.
According to the Cisco 2014 Annual Security Report, more than one million positions for security professionals remain unfilled around the world.
CSX is aimed at helping IT professionals with security-related responsibilities to "skill up" and providing support through research, guidance and mentoring.
A recent ISACA survey found that 62% of organisations have not increased security training in 2014, despite 20% of enterprises reporting they have been hit by advanced persistent threats.
"Unless the industry moves now to address the cyber-security skills crisis, threats such as major retail data breaches and the Heartbleed bug will continue to outpace the ability of organisations to defend against them," said Robert Stroud, ISACA international president-elect.
CSX is designed as a comprehensive programme that provides expert-level cyber-security resources tailored to each stage in a cyber-security professional's career.
The programme includes career development resources, frameworks, community and research guidance, such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5.
There is also a Cybersecurity Fundamentals Certificate that is aimed at entry level information security professionals with zero to three years of practitioner experience.
The CSX program marks the first time in its 45-year history that ISACA will offer a security-related certificate.
The certificate is for people just coming out of college and for career-changers now getting into IT security. The foundational level is knowledge-based and covers four domains:
- Cybersecurity architecture principles
- Security of networks, systems, applications and data
- Incident response
- Security implications related to adoption of emerging technologies
The exam will be offered online and at select ISACA conferences and training events beginning this September.
The content aligns with the US NICE framework and was developed by a team of about 20 cyber-security professionals from around the world.
ISACA plans to add more to the CSX programme, including a cybersecurity practitioner-level certification with the first exam in 2015, cybersecurity training courses, SCADA guidance and digital forensics guidance.
A recent global poll of members of ISACA student chapters shows that 88% of the ISACA student members surveyed say they plan to work in a position that requires some level of cybersecurity knowledge.
However, fewer than half say they will have the adequate skills and knowledge they need to do the job when they graduate.
"Security is always one of the top three items on a CIO's mind, yet IT and computer science courses at university level are not allocating a proportional amount of training to cybersecurity," said Eddie Schwartz, chair of ISACA's Cybersecurity Task Force.
"Today, there is a sizeable gap between formal education and real world needs. This, in itself, is an area requiring immediate focus so that the industry can get better at detecting and mitigating cyber threats," he said.
According to Tony Hayes, ISACA international president, enterprises cannot rely on just a handful of universities to teach cybersecurity.
"With every employee and endpoint at risk of being exploited by cyber criminals, security is everyone's business. We need to make cybersecurity education as accessible as possible to the next generation of defenders," he said.
Dyman Associates Management U.S., UK advise avoiding Internet Explorer until bug fixed
[Photo: The Microsoft logo is seen at their offices in Bucharest, March 20, 2013. Credit: Reuters/Bogdan Cristel]
(Reuters) - The U.S. and UK governments on Monday advised computer users to consider using alternatives to Microsoft Corp's Internet Explorer browser until the company fixes a security flaw that hackers used to launch attacks.
The Internet Explorer bug, disclosed over the weekend, is the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system will remain unprotected, even after Microsoft releases updates to defend against it.
The Department of Homeland Security's U.S. Computer Emergency Readiness Team said in an advisory released on Monday that the vulnerability in versions 6 to 11 of Internet Explorer could lead to "the complete compromise" of an affected system.
The recently established UK National Computer Emergency Response Team issued similar advice to British computer users, saying that in addition to considering alternative browsers, they should make sure their antivirus software is current and regularly updated.
Versions 6 to 11 of Internet Explorer dominate desktop browsing, accounting for 55 percent of global market share, according to research firm NetMarketShare.
Boldizsár Bencsáth, assistant professor with Hungary's Laboratory of Cryptography and Systems Security, said the best solution was to use another browser such as Google Inc's Chrome or Mozilla's Firefox.
DELAYED UPGRADES
Security experts have long been warning Windows XP users to upgrade to Windows 7 or 8 before Microsoft stopped supporting it at the beginning of this month.
The threat that emerged over the weekend could be the wakeup call that prompts the estimated 15 to 25 percent of PC users who still use XP to dump those systems.
"Everybody should be moving off of it now. They should have done it months ago," said Jeff Williams, director of security strategy with Dell SecureWorks.
Roger Kay, president of Endpoint Technologies, expects several hundred million people running Windows XP to dump those machines for other devices by the end of the year.
They will be looking at Windows machines as well as Apple Inc's Macs and iPads along with Google's Chrome laptops and Android tablets, he said.
"Not everybody will necessarily go to Windows, but Microsoft has a good chance at getting their business," he said. "It's got to be a good stimulus for the year."
News of the vulnerability surfaced over the weekend. Cybersecurity software maker FireEye Inc warned that a sophisticated group of hackers have been exploiting the bug in a campaign dubbed "Operation Clandestine Fox."
Dyman & Associates Risk Management Projects on Staff editorial: The internet, is it a p...
There's no denying that in this day and age, technology has taken over a considerable portion of our lives. Aside from cellphones, the most prominent technology to have hit our generation is the Internet. Now information, news and even people are literally a Google search away.
Back in 2011, the United Nations (UN) released a statement that said the UN has recognized that Internet access is a human right.
We here at the Sundial believe that Internet access is as of now a privilege, since we have to pay to have access to the net. Given the precedence of the Internet, we believe that the internet should become a human right. Even so, there are some precautions to understand if we were to hand universal control of the Internet to a single power.
The Internet is a resource
To us Matadors, and even more so for those of us at the Sundial, the Internet has become an indispensable tool necessary to do almost all of our daily tasks. Whenever the Internet at school goes down, we freak out.
From just perusing the Internet to using Google Documents to put together an essay for class, the Internet has surgically embedded itself into our daily lives. Many who live in this era can no longer imagine what life would be like without the Internet.
Think about it. In developed nations, nearly everything is found or done online now. The Internet has become the new classifieds, as friends use social media to broadcast a job opening, or when job-seekers use Craigslist, Monster or the company site itself to search and apply for a job. These job searches more than likely lead us to an online application, a print-out of an application or the instructions to email a resume.
But the Internet is more than just a gigantic classified ad. For college students, it's become a necessity.
Media convergence of the classrooms is taking place, as evidenced by the various myCSUN tablet classes, Moodle and online classes. There's no denying that the Internet and technology are taking our learning environment beyond the traditional classroom.
Now, tests, quizzes and sometimes even finals are being facilitated through Moodle. Electronic submissions of essays are commonplace, and emailing professors for help or to schedule office hours is often taken for granted.
Not only that, but reminders and notifications are constantly sent to students through the Internet. Applying for FAFSA now takes place online, as does registering for our classes.
Navigational apps on our smartphones have become common, as people will now say that they will just "navi it." Now, reaching places we've never been to before is easier than ever with the Internet and our phones.
These things that have become second-nature will fall if the Internet goes down.
Internet is a wealth of information
The Internet is an informative and vital tool. It is the source and form of information for billions. Not only does it serve to keep the global community up to date with world events at a swift rate, but it also serves as a worldwide platform built for interactive communication.
From research papers to just reading the news, the Internet has the capacity to hand us information within seconds. Google Search takes literally less than one second to give you results that can number within the millions.
To localize the impact the Internet has on our access to information, look at our own Oviatt library. Books have become searchable online to check for their availability and location. Some texts have even become online-only, and online resources from other libraries can be pulled by the Oviatt for us to use.
On a global scale, the spread of information has led to various uprisings throughout the world. Just look at Julian Assange, founder of Wikileaks. Wikileaks was able to release over 700,000 documents of classified United States military proceedings. One of the documents included a video in which US soldiers shoot suspected Iraqi rebels from a helicopter. The leak caused the US military to review the video.
The Internet spreads word of injustices that happen all around the world. Take the situations happening in Syria, Venezuela and Ukraine. Without the Internet allowing for citizens within those nations to pass information, the world wouldn't have much knowledge as to what's really going on.
To a large degree, the Arab Spring revolutions throughout the Middle East and parts of North Africa wouldn't have gained momentum without the Internet. The revolutionaries during the Arab Spring used social media to organize their communities, and thus inform and mobilize the global community to help support these revolutions.
Control of the Internet
While we support the belief that the Internet should become a human right, there are dangers if governments worldwide were to take control of the Internet.
Making the Internet a human right should not make it a public resource. The physical infrastructure such as cell towers and wiring already laid out by independent companies as well as technical developments are vital in advancing our understanding of what we're capable of on the web. If the Internet becomes a government utility without competition, it risks stagnation.
Having a market of competitive providers keeps rates reasonable and technology fluid, which could prove beneficial as entrepreneurial companies expand into less-connected areas. Keeping Internet connectivity diversified, as opposed to the way our water is handled, also ensures that no one has definitive control over access and available content.
This is essential when issues like censorship and privacy come into play. For example, during Egypt's revolution, the internet was censored by the government in order to suppress information and quell the uprisings.
Instead of becoming the source of public Internet access, governments should strive to become a hub for them by brokering contracts and working with private providers to create a public network. There should be regulations on the providers to ensure a diverse market, but not much government interference beyond that. Providers seeking to win public favor would then have to continue to improve their product, theoretically improving the options available to consumers.
As of now, the Internet is a privilege. About two billion people have access to the net, according to Internet World Stats. However, there will come a time when the Internet will become a right. The Internet is changing our society, and has the potential to bring even greater change to this world.
Dyman & Associates Risk Management Projects on Data privacy shapes up as a next-generat...
Revelations about U.S. digital eavesdropping have fanned concerns about Internet privacy and may complicate U.S. attempts to write rules enshrining the free flow of data into trade pacts with European and Pacific trading partners.
As more and more consumers and businesses shop and sign up for services online, the IT industry is working to fend off rising digital protectionism it sees as threatening an e-commerce marketplace estimated at up to $8 trillion a year.
"Restrictions on information flows are trade barriers," Google's executive chairman, Eric Schmidt, said at a Cato Institute event last month, warning that the worst possible outcome would be for the Internet to turn into "Splinternet."
The unease of U.S. technology companies has mounted in lockstep with rising worries overseas about data privacy.
German Chancellor Angela Merkel - a target of U.S. spying - has called for a European Internet protected from Washington's snooping. Brazil and the European Union plan to lay their own undersea communications cable to reduce reliance on the United States. And other countries are showing a preference for storing data on local servers rather than in the United States.
President Barack Obama acknowledged this week that it would take time to win back the trust of even friendly governments.
Trade experts predict the United States will have to make concessions on data privacy in the Transatlantic Trade and Investment Partnership talks (TTIP) with the EU, and will probably not get all it wants in Pacific Rim trade talks either.
"It is unfortunate because there were some good nuanced conversations happening before the spying allegations," said Adam Schlosser, director of the Center for Global Regulatory Cooperation at the U.S. Chamber of Commerce.
"But there is now a tendency to inappropriately conflate national security and law enforcement with ... commercial privacy practices, which has put a damper on rational debate."
The TTIP and the Trans-Pacific Partnership (TPP) talks are billed as next-generation trade negotiations, covering not only tariffs and goods trade but also common standards and goals in areas ranging from labor standards and environmental protection to intellectual property and data flows.
The last two issues are key for digital trade, which encompasses everything from U.S. cherry farmers selling direct to Chinese families via Alibaba Group Holdings' Tmall electronic shopping platform to plane maker Boeing monitoring in-flight diagnostic data on-line.
$8 TRILLION QUESTION
A 2011 report by the McKinsey Global Institute found almost $8 trillion changed hands each year through e-commerce, something that explains the keen interest IT firms and industry associations are taking in the trade agreements.
According to data compiled by the Sunlight Foundation, the computing and IT industry has been the second-biggest lobbyist on the TPP, after the pharmaceutical industry.
Industry groups such as the Software & Information Industry Association say free exchange of data is the key focus.
"For SIIA and its members, the most crucial issue in the trade agreements under negotiation is to get provisions permitting cross-border data flows," said Carl Schonander, international public policy director at SIIA, whose members include Reuters News parent Thomson Reuters.
BSA The Software Alliance, an advocacy group for the software industry, has warned that TPP partners Australia, Canada, Chile, Mexico, Peru and Vietnam are among countries adopting or proposing rules banning or limiting companies from transferring personal information off-shore. This might mean U.S. companies have to set up local servers in every country.
"Data flows are the lifeblood of the digital economy," said BSA policy director David Ohrenstein. "Trade agreements (must) ensure borders are open to data flows."
CONCESSIONS EYED
In an ideal world for IT companies, countries signing the TPP would promise not to impede cross-border data flows or make companies set up local servers.
U.S.-based lobbyists expect those provisions to make it in, possibly with exceptions, but say work is still needed to convince trading partners to promise that any new regulations - including on privacy - will not restrict trade unnecessarily.
In Europe, where the backlash against U.S. spying has been the strongest, policymakers want changes by mid-2014 to the Safe Harbor Agreement, which allows U.S. companies with European-level privacy standards access to European data.
An opinion poll by the Atlantic Council and the Bertelsmann Foundation found rules governing cross-border data flows and the alignment of privacy protections were among the most contentious and important issues in the U.S.-Europe talks.
Atlantic Council Vice President Fran Burwell said it would be hard to get support from the European Parliament or countries like Germany without an agreement on data protection.
"I think the big concession that (the U.S.) will have to make will be in the data privacy area," she said.
Tension is also brewing over intellectual property. U.S. music, book and software companies see piracy of copyright material as the biggest threat to their exports, while companies like Google worry about being held responsible for the actions of clients on their networks.
Data privacy group Electronic Frontier Foundation said proposals in draft TPP chapters would restrict flexibility in allowing fair use of copyright materials and encourage low-quality software patents by setting the bar too low.
A group of 29 smaller tech companies wrote to U.S. Senate Finance Committee Chairman Ron Wyden last week and warned against including harsher criminal penalties for minor copyright infringements in the TPP. The committee has jurisdiction over trade issues in the U.S. Congress.
"Reddit is a platform the same way that the telephone is a platform," said Erik Martin, general manager of on-line news hub Reddit, one of the signatories to the letter.
"To put so much burden on the providers to deal with problems from individual users is just really going to put a chill on investment and put a chill on innovation."
Dyman & Associates Risk Management Projects on Hughes: Digital spying casts chill on glo... - 1 views
-
WASHINGTON - Revelations about U.S. digital eavesdropping have fanned concerns about Internet privacy and may complicate U.S. attempts to write rules enshrining the free flow of data into trade pacts with European and Pacific trading partners.
Additionally, these attacks are extremely hard to detect with existing security technology, according to Dyman & Associates Risk Management Projects.
For now, these attacks can be carried out only by hackers working for nation states, which have the resources needed to mount them, but that may not hold for long.
Computer scientists at the University of Utah and the University of California, Irvine have been awarded $3 million by the U.S. Department of Defense to produce software that will detect or fight future cyberattacks.
The University of Utah team will be composed of 10 faculty members, postdoctoral researchers and graduate students. Of the $3 million grant, which runs over four years, $2 million will go to the Utah team and $1 million to the Irvine team.
The project is funded by the Defense Advanced Research Projects Agency (DARPA) in a new program called STAC, or Space/Time Analysis for Cybersecurity.
The team is tasked with creating an analyzer that can fight so-called algorithmic attacks, which target the algorithm itself: the set of rules or calculations that a computer must follow to solve a problem.
The analyzer must run a mathematical simulation that predicts what would happen under attack, and it must examine computer programs to detect algorithmic vulnerabilities, or "hot spots", in the code. It works much like a spellchecker, but for cybersecurity.
Matt Might, an associate professor of computer science at the University of Utah and a co-leader of the team, said that the military is looking ahead at what is coming in cybersecurity, and it appears to be algorithmic attacks. He also said that the current state of computer security is much like a house whose ground-floor doors are unlocked: there is no point getting a ladder and climbing up to an unlocked window on the roof.
"But once all the doors get locked on the ground level, attackers are going to start buying ladders. That's what this next generation of vulnerabilities is all about."
Today's hackers make use of mistakes programmers made while writing the software. For instance, the software receives input crafted by a hacker and uses it without validating it first, a vulnerability that can give the hacker access to the computer or cause it to leak information.
Algorithmic attacks are very different because they do not need to find such conventional vulnerabilities. For instance, they can secretly track how much energy a computer is using and derive from that sensitive data the computer is processing, or they can secretly track how an algorithm is running inside a computer. These attacks can also drive the central processing unit (CPU) to overwork, or they can disable a computer by forcing it to use too much memory.
Suresh Venkatasubramanian, also a co-leader of the team, said that algorithmic attacks are especially devious because they could exploit weaknesses in how an algorithm uses resources such as space and time.
Algorithmic attacks are complex, costly and time-consuming, so most hackers today do not use them; they take the easier route of exploiting existing vulnerabilities.
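To make the "hot spot" search concrete, here is an added example (written for this page; it is not DARPA's, the universities' or Dyman's software) of the simplest form of space/time analysis: run a function on inputs of size n and 2n, measure its cost, and flag super-linear growth. It assumes executed Python lines as a deterministic stand-in for time, and the two `dedupe_*` functions and `make_input` are constructed illustrations, not code from the article.

```python
import math
import sys

def count_lines(fn, arg):
    """Cost proxy: Python 'line' events executed by fn(arg). Blind to C-level
    work (e.g. `x in a_list`); timing or tracemalloc would plug in here."""
    count = 0
    def tracer(frame, event, _arg):
        nonlocal count
        if event == "line":
            count += 1
        return tracer  # keep tracing this frame and any callees
    sys.settrace(tracer)
    try:
        fn(arg)
    finally:
        sys.settrace(None)
    return count

def growth_exponent(fn, make_input, base=200):
    """Estimate k in cost(n) ~ n**k from the cost ratio between n and 2n."""
    c1 = count_lines(fn, make_input(base))
    c2 = count_lines(fn, make_input(2 * base))
    return math.log2(c2 / c1)

def find_hot_spot(fn, make_input, threshold=1.5):
    """Flag fn when its cost grows faster than n**threshold (1.0 = linear)."""
    k = growth_exponent(fn, make_input)
    return {"exponent": round(k, 2), "super_linear": k > threshold}

# Constructed samples: same output, but only one has a quadratic hot spot.
def dedupe_quadratic(items):
    out = []
    for x in items:
        for y in out:          # re-scans everything kept so far: O(n**2) total
            if y == x:
                break
        else:
            out.append(x)
    return out

def dedupe_linear(items):
    seen, out = set(), []
    for x in items:
        if x not in seen:      # hash lookup instead of a scan: O(n) total
            seen.add(x)
            out.append(x)
    return out

def make_input(n):
    return list(range(n))      # distinct values: the worst case for the scan
```

`find_hot_spot(dedupe_quadratic, make_input)` reports an exponent near 2 and flags the function, while the set-based version comes out near 1; a real analyzer of the kind described above would add cost models for library calls and a memory axis on the same harness.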