Home/ CIPP Information Privacy & Security News/ Group items tagged Draft

Karl Wabst

Cybersecurity law would give feds unprecedented net control * The Register - 0 views

  •  
    US senators have drafted legislation that would give the federal government unprecedented authority over the nation's critical infrastructure, including the power to shut down or limit traffic on private networks during emergencies. The bill would also establish a broad set of cybersecurity standards that would be imposed on the government and the private sector, including companies that provide software, IT work or other services to networks that are deemed to be critical infrastructure. It would also mandate licenses for all individuals administering to strategically important networks. The bill, which is being co-sponsored by Senate Commerce Committee chairman John Rockefeller IV and Senator Olympia Snowe, was expected to be referred to a senate committee on Wednesday. Shortly after a working draft of the legislation began circulating, some industry groups lined up to criticize it for giving the government too much control over the internet and the private companies that make it possible. "This gives the president too much power and there's too little oversight, if there's any at all," said Gregory Nojeim, senior counsel at the Center for Democracy and Technology. "It gives him the power to act in the interest of national security, a vague term that has been broadly defined." Nojeim was pointing to language in the bill that permits the president to "order the limitation or shutdown of internet traffic to and from any compromised federal government or United States critical infrastructure information system or network" after first declaring a national cybersecurity emergency. A separate provision allows the executive in chief to "order the disconnection of any federal government or United States critical infrastructure information systems or networks in the interest of national security." "It applies to any critical infrastructure," Nojeim added. "Surely, the internet is one." The bill would also require NIST, or the National Institute of Standards and Techn
Karl Wabst

E.U. Warns Internet Companies on User Privacy - NYTimes.com - 0 views

  •  
    The use of data in the online world is being governed by the rules of the "Wild West," the European Commission will argue this week, in the clearest warning yet to Internet companies to curb how they use the information they collect on users. With concern growing over the amount of data gathered by the biggest players on the Internet, the comments will challenge the industry to agree on new principles for its use - or face a clampdown. Meglena Kuneva, the European consumer affairs commissioner, will argue that basic consumer rights are being violated by companies that profile and target consumers, according to a draft of a speech seen by the International Herald Tribune. "From the point of view of commercial communications," the draft speech reads, "the World Wide Web is turning out to be the world 'Wild West."' Kuneva is to deliver the speech to a meeting of around 200 industry and consumer representatives on Wednesday. Her comments reflect the anxiety of regulators on both sides of the Atlantic about the commercial use of information garnered through online tracking made possible via "cookies" - small files dropped into users' computers by the Web sites they visit. These cookies help companies take note of users' habits and can be sold to advertisers to help them target their marketing efforts. But their use raises serious questions about who knows which sites we visit and what they do with that information. In the United States, the chairman of the Federal Trade Commission, Jon Leibowitz, warned recently that, if the industry does not show it can protect users' privacy, it will invite legislation from Congress and a more regulatory approach from the F.T.C.
Karl Wabst

Lawmakers probe deeper into privacy - The Hill's Hillicon Valley - 0 views

  •  
    "House lawmakers stepped up their questioning of companies that collect and store information about consumers both on the Internet and in real life. In a hearing today, lawmakers interested in drafting legislation that would place restrictions on how Internet and marketing firms collect consumer information, asked Wal-Mart, WPP and privacy advocates detailed questions about how personal information is gathered and used. Reps. Rick Boucher (D-Va.), Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) have been considering a bill, but a draft will most likely not be released until early next year. (See interview with Rush.) The House Energy and Commerce Subcommittees on Commerce, Trade, and Commerce Protection and Communications, Technology, and the Internet held a joint hearing on the topic--although it was poorly attended by members. "We've moved from an era of privacy keepers to one of privacy peepers and data-mining weepers who want to turn our information into products," said Rep. Ed Markey (D-Mass.). "The product is our records, our privacy, our family's history. We wouldn't let the government do this, so we have to protect against companies that want to do this." "It is understandable that most Americans simply do not trust that their personal information is properly protected," said Rep. Doris Matsui (D-Calif.). "
Karl Wabst

Centrist Group Calls for Laws Curbing Online Tracking | Epicenter | Wired.com - 0 views

  •  
    "A key, centrist digital rights group is set to put out a report calling for strong federal privacy laws and guidelines to regulate the growing tracking and targeting of Americans online. It argues that the self-regulation approach that industry fights for just hasn't worked. The online ad industry has "historically failed to fully implement its self-regulatory principles," according to the 34-page draft report by the Center for Democracy and Technology. CDT is a centrist D.C. group that works with and is substantially funded by the tech industry, including companies like Facebook, Google and AOL that are deeply invested in targeted ads. "Recently revised self-regulatory principles still fall short (.pdf) even as written," charges the draft, obtained by Wired.com. These tough words spearhead a new tactic for a group more used to convening inside-the-Beltway tech policy forums than launching ACLU-style send-outraged-e-mail campaigns. The CDT, which splintered off from the rabble-rousing Electronic Frontier Foundation 15 years ago, is also planning to launch a "Take Back Your Privacy" campaign on Thursday, designed to garner support for its call for comprehensive federal privacy legislation. Dozens of tech firms, known and obscure, record users' behaviors as they interact with search engines, blogs, e-commerce sites and even government websites. The tracking goes on in the background with little knowledge by consumers and even less oversight from government authorities. The tech industry - like others subject to potentially blunt-forced government regulation - has argued that policing itself was enough to prevent egregious privacy intrusions that could proliferate without any real chance individuals would even be aware of them."
Karl Wabst

Information Security Training Requirements: A Role- and Performance-Based Model - 0 views

  •  
    NIST announces the release of the Initial Public Draft (IPD) of Special Publication 800-16, Revision 1, Information Security Training Requirements: A Role- and Performance-Based Model. This publication is now available for public comment. The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems. We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
Karl Wabst

NIST Proposes New Privacy Controls for Federal Information Systems and Organizations - 1 views

  •  
    With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens' personally identifiable information is a growing challenge. A new draft document from the National Institute of Standards and Technology (NIST) addresses that challenge by adding privacy controls to the catalog of security controls used to protect federal information and information systems.
Karl Wabst

FISMA Reform Bill Due Tuesday - 0 views

  •  
    Legislation to reform the Federal Information Security Management Act of 2002 will be introduced in the Senate on Tuesday, a Senate staffer who helped draft the bill told a panel at the RSA Conference in San Francisco on Thursday. Erik Hopkins' presentation provided further evidence that the White House could assume greater control in coordinating federal government security. In the panel - The New FISMA: Security Finally Transcends Compliance - Hopkins offered a diagram illustrating the bill that showed a cyber office reporting directly to the president. Hopkins, who works for the Senate Committee on Homeland Security and Governmental Affairs, was the third federal official addressing conference attendees to suggest the White House will be given more authority in safeguarding federal government information systems. On Wednesday, Obama administration cybersecurity advisor Melissa Hathaway - who last week submitted to the president an assessment of federal cybersecurity policy - said the White House must lead federal government cybersecurity efforts. A day before, National Security Agency Director Keith Alexander said NSA would not lead the nation's cybersecurity efforts, suggesting a greater role for the White House. Hopkins said the benefits of FISMA reform include improved coordination of security efforts, better economies of scale and greater situational awareness of security threats such as knowing where they originate and how the government will respond.
Karl Wabst

OCEG releases Red Book 2.0 - FierceSarbox - 0 views

  •  
    When the OCEG released Red Book version 1.0 back in 2005--it seems like a long time ago--the whole idea of GRC applications was still new. There was definitely a need for a COSO-like guide to internal GRC implementations. The focus back then was compliance and that is where the Red Book offered the most value. Four years later, the landscape has morphed a bit, and no one should be surprised that version 2.0 is concerned with the R and G as much as the C. The heart of the new version--a public exposure draft has been released--is something called the GRC Capability Model, which the OCEG markets as a "comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system (e.g., compliance, training, hotline, investigations)." Eventually, OCEG members will be able to access the resource online to "create custom reports drawing from the Model and additional OCEG resources."
Karl Wabst

Twenty Important Controls for Effective Cyber Defense and FISMA Compliance - 0 views

  •  
    Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network. A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that 'offense must inform defense'. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008.
Karl Wabst

Google Bats Away Suggestion Of Ad Conflict With Google Health - The Channel Wire - IT C... - 0 views

  •  
    It's often the security issue that dogs Google, Microsoft and other purveyors of personal health records (PHR): How will so much personal medical data be kept safe? A tangential question for Google, however -- one that has dogged the search giant since its Google Health offering was first made available in May 2008 -- is whether Google's search-based advertising platform creates a conflict with storing personal health data. Speaking at the Mastermind Session at Everything Channel's Healthcare Summit in San Diego in November, Google Vice President of Research and Special Initiatives Alfred Spector told health care CIOs, solution providers and other attendees that Google intended Google Health as an extension of the Google brand, and it was and would continue to be entirely separate from Google's main advertising platform. Watchdog organizations have taken Google to task over that claim, however, with one, Consumer Watchdog, even accusing Google of trying to lobby Congress to allow it to sell medical records by loosening regulatory language in the stimulus bill. "The medical technology portion of the economic stimulus bill does not sufficiently protect patient privacy, and recent amendments have made this situation worse," wrote Jerry Flanagan of Consumer Watchdog in a Jan. 27 open letter to Congress. "Medical privacy must be strengthened before the measure's final passage, rather than allowing corporate interests to take advantage of the larger bill's urgency." Flanagan in the letter states that, "Google is said to be lobbying hard ... to weaken the ban currently in the draft measure on the sale of our private medical records." While Consumer Watchdog did not cite specific evidence of Google pushing for softer restrictions, Google responded to the group's claims on its Public Policy Blog last week. "The claim -- based on no evidence whatsoever -- is 100 percent false and unfounded," wrote Pablo Chavez, Google's Senior Policy Counsel. "Google does not sell health
Karl Wabst

The F.T.C. Talks Tough on Internet Privacy - Bits Blog - NYTimes.com - 0 views

  •  
    The Federal Trade Commission had some sharp words for Internet advertising companies Thursday, saying that they simply are not disclosing how they collect information about users well enough. And the agency threatened that the industry had better get its act together - or else. Or else what? Well, that's a bit harder. The commission has limited ability to issue binding regulations on advertising practices, and the process is cumbersome. But if the agency were to say that its attempt over the last few years to have Internet companies voluntarily bolster their privacy standards has failed, it could encourage Congress to pass online privacy legislation. Indeed, two members of the commission - Pamela Jones Harbour, an independent, and Jon Leibowitz, a Democrat - issued statements saying that while they support the commission's action, they hope for further regulation and possibly legislation on the issue. What the commission issued Thursday was the final version of its principles for online behavioral advertising - that is, ads shown to you based on something you did in the past. The agency issued its first draft of these at the end of 2007 and spent more than a year digesting comments. These principles were meant to spur various Internet groups to create self-regulatory standards for their members. And one group, the Network Advertising Initiative, did publish new rules. The top recommendation was that users should be given clear notice about what information was collected and an easy way to tell sites to stop watching them. "What we observe is that, with rare exception, is not the rule for any Web sites," said Eileen Harrington, the acting director of the commission's bureau of consumer protection, in an interview Thursday. "It is far more commonplace to put the information in the midst of lengthy and hard-to-understand privacy policies."
Karl Wabst

Lawmakers Blast Internet Data Collection - WSJ.com - 0 views

  •  
    Internet companies came under fire on Capitol Hill on Thursday, with lawmakers questioning how well the companies protect information that they collect online about consumers for advertising purposes. "I think it's a big deal if someone tracks where you go and what you look at without your personal approval. We wouldn't like that in the non-Internet world and I personally don't like it in the Internet world," said Rep. Joe Barton (R., Texas). Lawmakers in the House are drafting Internet-privacy legislation designed to provide consumers more information about what is being collected online and to give them greater control about how that data can be used. It could also set rules for how consumers could prevent their personal data from being shared with advertisers. "Consumers are entitled to some baseline protections in the online space," said Rep. Rick Boucher (D., Va.) chairman of the House Internet subcommittee.
Karl Wabst

NIST releases draft guidelines for data protection - SC Magazine US - 0 views

  •  
    The National Institute of Standards and Technology (NIST) this month released preliminary recommendations that federal agencies -- and their contractors -- should follow to protect the confidentiality of personally identifiable information (PII). U.S. government agencies should take a number of precautions when dealing with personal information residing in their organizations, according to the NIST document. The recommendations are intended to be for U.S. federal government agencies, and companies with which they work, but NIST said that other verticals may also find value in it. The report states that organizations should store only PII necessary to conduct business, develop an incident response plan for the event of a breach and encourage coordination for data-loss incidents among CIOs, information security officers and legal counsel.
Karl Wabst

No Easy Answer for Protecting Kids Online - WSJ.com - 0 views

  •  
    There is no simple technology solution to protect children from bullying, pornography, sexual predation and other online threats, a new study says. The highly anticipated report -- results of a year-long study ordered by 49 state attorneys general -- found that "a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social-network sites and service providers, may assist in addressing specific problems that minors face online," according to a draft of the report reviewed by The Wall Street Journal. The report also found that the risks that minors face on the Web -- notably bullying and harassment by peers -- aren't very different from those they face in the real world. The report is scheduled to be issued Wednesday by the Internet Safety Technical Task Force, led by Harvard University's Berkman Center for Internet and Society. Task-force members included representatives of several top Internet and security companies, including News Corp.'s MySpace, Google Inc., Time Warner Inc.'s AOL and Facebook Inc. (News Corp. also publishes the Journal.) The 278-page report is a boon for the Web companies, which have long argued that technology isn't the sole solution to the dangers kids face online. It is a disappointment for those in favor of stricter technological controls, such as age-verification and filtering tools.