Group items tagged

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, the Wall Street Journal reported on Wednesday. The spies came from China, Russia and other countries, and were believed to be on a mission to navigate the U.S. electrical system and its controls, the newspaper said, citing current and former U.S. national security officials. The intruders have not sought to damage the power grid or other key infrastructure but officials said they could try during a crisis or war, the paper said in a report on its website. "The Chinese have attempted to map our infrastructure, such as the electrical grid," a senior intelligence official told the Journal. "So have the Russians." The espionage appeared pervasive across the United States and does not target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official told the paper, referring to electrical systems. "There were a lot last year." The administration of U.S. President Barack Obama was not immediately available for comment on the newspaper report. Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on." Officials said water, sewage and other infrastructure systems also were at risk.

Veterans suffering anxiety and paranoia following the theft of a government hard drive containing the medical histories and Social Security numbers of 198,000 of their brethren cannot recover financial damages, a federal appeals court says. The 11th U.S. Circuit Court of Appeals, in largely dismissing a class-action, ruled Wednesday that the veterans could recoup at least $1,000 under the Privacy Act if they could show financial damages, not mental anguish. What's more, the Atlanta-based court noted that the veterans - some already suffering post-traumatic stress syndrome from their Vietnam War days - likely could recover damages for mental anguish associated with the data breach if the lawsuit was before a different court. That's because the courts of appeal across the nation have issued conflicting interpretations of the Privacy Act of 1974, which allows people to sue the government for privacy breaches and recover "actual damages." Precedent in the 11th Circuit, which includes Alabama, Florida and Georgia, interprets "actual damages" as money losses only. So 198,000 veterans - whose life history was on a hard drive that vanished from a Birmingham, Alabama Veterans Administration hospital - are out of luck, even if their war-time paranoia was exacerbated by the breach. The 11th Circuit noted (.pdf) that the 5th U.S. Circuit Court of Appeals and the 10th U.S. Circuit Court of Appeals "do not restrict 'actual damages' under the Privacy Act to pecuniary losses." And the Supreme Court has refused to resolve the circuit splits.

The global economic crisis has become the biggest near-term U.S. security concern, sowing instability in a quarter of the world's countries and threatening destructive trade wars, U.S. intelligence agencies reported on Thursday. The director of national intelligence's annual threat assessment also said al Qaeda's leadership had been weakened over the last year. But security in Afghanistan had deteriorated and Pakistan had to gain control over its border areas before the situation could improve. "The financial crisis and global recession are likely to produce a wave of economic crises in emerging market nations over the next year," said the report. A wave of "destructive protectionism" was possible as countries find they cannot export their way out of the slump. "Time is our greatest threat. The longer it takes for the recovery to begin, the greater the likelihood of serious damage to U.S. strategic interests," the report said. The report represents the findings of all 16 U.S. intelligence agencies and serves as a leading security reference for policymakers and Congress. Besides reviewing adversaries, it also considered this year the security impact of issues including climate change and the economy. It said a quarter of countries have already experienced at least "low-level" instability, such as government changes, linked to the economy.

A company that monitors P2P networks says it found details about the president's helicopter, Marine One, on a computer in Tehran. Pittsburgh station WPXI reports. Bob Boback, CEO of Tiversa, said, "We found a file containing entire blueprints and avionics package for Marine One. … What appears to be a defense contractor in Bethesda, MD had a file sharing program on one of their systems that also contained highly sensitive blueprints for Marine One," Boback said. Retired Gen. Wesley Clark, an adviser to Tiversa, added: We found where this information came from. We know exactly what computer it came from. I'm sure that person is embarrassed and may even lose their job, but we know where it came from and we know where it went. It's no accident the information wound up in Iran, the company said. Countries like Iran, Pakistan, Yemen, Qatar and China are "actively searching for information that is disclosed in this fashion because it is a great source of intelligence," Boback said. Rep. Jason Altmire said he will ask Congress to investigate the risk to national security of this sort of exposure. Cnet's Charles Cooper interviewed the Tiversa's Sam Hopkins (Cooper says he's the CEO but the original report said Boback is CEO; the company website doesn't list executives), who said someone at the company was running a Gnutella client - possible a buggy one. Hopkins said it's hardly an unusual occurence - although presumably the usual breaches aren't so closely connected to the President. Everybody uses (P2P). Everybody. We see classified information leaking all the time. When the Iraq war got started, we knew what U.S. troops were doing because G.I.'s who wanted to listen to music would install software on secure computers and it got compromised. … We see information flying out there to Iran, China, Syria, Qatar-you name it. There's so much out there that sometimes we can't keep up with it. Bottom line: P2P is the big

Update on Feb. 18, 8:33 a.m.: Facebook is backing off changes to its terms of service, informing users on their official blog that they will remain intact. "Over the past couple of days, we received a lot of questions and comments about the changes and what they mean for people and their information," Facebook CEO Mark Zuckerberg writes in the blog. "Based on this feedback, we have decided to return to our previous terms of use while we resolve the issues that people have raised." To learn more, read our original post below. Facebook is having trouble dousing the flames in a firestorm over its trustworthiness. A recent change in its terms of use -- the legalese tacked onto the bottom of most websites -- has sparked concerns that the social networking giant plans to own all users' information forever. Founder and CEO Mark Zuckerberg claimed in a blog post Monday that "on Facebook people own and control their information." But privacy advocates still aren't satisfied. "I think in simple terms it's a tug of war over user data," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington. "People put information on a Facebook page to share with friends. But it's pretty much with the understanding that they're deciding what to post and who has access to it. Facebook, like any other company, is trying to obtain maximum commercial value from its users."

A group of federal agencies and private organizations, including the National Security Agency and the Department of Homeland Security, has released a set of guidelines defining the top 20 things organizations should do to prevent cyberattacks. The Consensus Audit Guidelines (CAG) describe the 20 key actions, referred to as security controls, that organizations should take to defend their computer systems. The controls are expected to become baseline best practices for computer security, following further public- and private-sector review. CAG is being led by John Gilligan, formerly the CIO for both the U.S. Air Force and the U.S. Department of Energy, and a member of the Obama transition team dealing with IT in the Department of Defense and various intelligence agencies. "We are in a war, a cyberwar," Gilligan said on a media conference call. "And the federal government is one of many large organizations that are being targeted. Our ability at present to detect and defend against these attacks is really quite weak in many cases." Borrowing an analogy he attributed to an unnamed federal CIO, Gilligan said, "We're bleeding badly and we really need triage and we need to focus on things that will keep this patient alive." The CAG initiative represents part of a larger effort, backed by the Center for Strategic and International Studies (CSIS) in Washington, D.C., to implement recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

Outgoing CPO of the Department of Homeland Security Hugo Teufel discusses his team's accomplishments and the challenges ahead for his successor. If you had a chance to pose any question to the person in charge of protecting Americans' privacy as the U.S. Department of Homeland Security executes its mission, what would you say? I had that chance this month when Hugo Teufel, departing chief privacy officer at the DHS, delivered an address, entitled "Reflections on My Time as DHS CPO of the War on Terror," to the Twin Cities Privacy Retreat. After the address, I cornered Teufel for some follow-up questions. Those and his answers follow.

The departments of Defense, State, and Health and Human Services have not met legal requirements meant to protect Americans' civil liberties, and a board that's supposed to enforce the mandates has been dormant since 2007, according to federal records. All three departments have failed to comply with a 2007 law directing them to appoint civil liberties protection officers and report regularly to Congress on the safeguards they use to make sure their programs don't undermine the public's rights and privacy, a USA TODAY review of congressional filings shows. An independent Privacy and Civil Liberties Oversight Board set up to monitor the departments hasn't met publicly since 2006; it no longer has members. Government missteps such as putting innocent people on terrorist watch lists and misusing administrative warrants, known as national security letters, "might have been dealt with much sooner if we had … cops on the beat to make sure there are standards that are being upheld," says Caroline Fredrickson, legislative director at the American Civil Liberties Union (ACLU). The lack of civil liberties officers at State and Health and Human Services is troubling because the departments hold passport and medical records, says James Dempsey, vice president of the Center for Democracy and Technology. "Security of that information is very important," he says, and these officers should monitor how it's used and shared. The Pentagon also has sparked concerns. Its Counterintelligence Field Activity office was criticized by the ACLU for wrongly tracking anti-war groups - a charge confirmed by the Pentagon in 2006. A 2007 law requires eight departments and agencies to have civil liberties officers and file reports. Justice, Homeland Security, Treasury, the CIA and the Office of the Director of National Intelligence have done so. Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, leaders of the Homeland Security committee, says departments not in compliance will b

Bring up the subject of digitizing medical records and you're likely to get a paradox of a discussion. Everyone thinks it will help save money and improve health care, and everyone has grave reservations. Get ready to hear more as a massive economic stimulus bill works its way through Congress, which includes IT health care spending measures. Although lawmakers are close to pulling the trigger. ensuring the privacy of patients' electronic health records (EHR) remains a top concern. "I very firmly believe that the Achilles heel of health IT is privacy," said Sen. Jim Whitehouse, a Rhode Island Democrat who chaired a hearing this morning examining the appropriate safeguards government should insist on before it doles out billions of dollars to help providers computerize patients' records. Champions of health IT argue that EHRs and interoperable systems to integrate data among providers would drive down healthcare costs while greatly reducing medical errors. Just 17 percent of physicians currently have even basic EHRs. The Center for Disease Control has estimated that as many as 98,000 preventable deaths occur in U.S. hospitals each year, many of which could presumably been avoided with more accessible patient data. "If 100,000 Americans were being killed by anything else, we'd be at war," Whitehouse said.

It's hardly a bed of roses these days for IT companies and their managers. There are plenty of things nagging at high-tech vendors, too, according to the annual RiskFactor Report for Technology Businesses published by the financial consultancy, BDO Seidman. The information was gleaned from fiscal year 2008 10-K SEC filings of the 100 largest publicly traded U.S. tech companies. Strong competition and consolidation risk factors top the list of IT managers' concerns. Failure to develop new products or services is also a big headache. Other items making the worry list: * International operations. * Management of current and future M&As. * And, for the first time: Natural disasters, war, conflicts and terrorist attacks. So how should a top manager deal with all this uncertainty? Play some tennis, go for a run, gobble a few Tums and then forge ahead with the best ideas you have.

Following complaints from Republicans, the White House has shut down a two-week-old e-mail tip line launched to take reports from citizens of "disinformation about health insurance reform." "An ironic development is that the launch of an online program meant to provide facts about health insurance reform has itself become the target of fear-mongering and online rumors that are the tactics of choice for the defenders of the status quo," wrote White House new media director Macon Phillips in announcing the change. "The White House takes online privacy very seriously," he added. The e-mail tip line, flag@whitehouse.gov, was launched Aug. 4 as part of the White House's Health Insurance Reform Reality Check effort, a campaign-style rapid-response effort reminiscent of the war room Obama for America launched in the summer of 2008 to fight online rumors about the then-senator's patriotism and religion. But coming from the head of state, rather than a political candidate, the new effort quickly sparked concern among Republicans about the propriety of government collecting information on private citizens' political speech.

The Federal Bureau of Investigation is expanding beyond its traditional fingerprint-focused collection practices to develop a new biometrics system that will include DNA records, 3-D facial imaging, palm prints and voice scans, blended to create what's known as "multi-modal biometrics." Slideshow: The changing face of biometrics How the Defense Department might institutionalize war-time biometrics "The FBI today is announcing a rapid DNA initiative," said Louis Grever, executive assistant director of the FBI's science and technology branch, during his keynote presentation at the Biometric Consortium Conference in Tampa. The FBI plans to begin migrating from its IAFIS database, established in the mid-1990s to hold its vast fingerprint data, to a next-generation system that's expected to be in prototype early next year. This multi-modal NGI biometrics database system will hold DNA records and more.

This post is one in a series on Privacy & Security, and covers some of the intersections of these domains for those who are not practitioners with in-depth understanding of the associated disciplines.
History Points to Privacy's Future
Today's post explores the history of privacy a bit mor

A year after Microsoft (NSDQ: MSFT) chief research and strategy officer Craig Mundie urged the technology industry to come together to create a more trustworthy Internet, the company's vision of End to End Trust is starting to take shape. At the RSA Conference this year, Scott Charney, Microsoft's corporate VP of Trustworthy Computing, plans to deliver a progress report on his company's campaign to move beyond the password as a means of authentication.

The Senate and House appear headed for a clash over competing visions of how to protect the privacy of patients' electronic medical records, with the House favoring strict protections advocated by consumer groups while the Senate is poised to endorse more limited safeguards urged by business interests. President Obama has called creation of a nationwide system of electronic medical records fundamental to health-care reform, and both chambers of Congress have included about $20 billion to jump-start the initiative as part of their stimulus bills. But as with much in the stimulus package, it is not just the money but the accompanying provisions that groups are trying to influence. The effort to speed adoption of health information technology has become the focus of an intense lobbying battle fueled by health-care and drug-industry interests that have spent hundreds of millions of dollars on lobbying and tens of millions more on campaign contributions over the past two years, much of it shifting to the Democrats since they took control of Congress. At the heart of the debate is how to strike a balance between protecting patient privacy and expanding the health industry's access to vast and growing databases of information on the health status and medical care of every American. Insurers and providers say the House's proposed protections would hobble efforts to improve the quality and efficiency of health care, but privacy advocates fear that the industry would use the personal data to discriminate against patients in employment and health care as well as to market the information, often through third parties, to generate profits.