Monday, October 26, 2009

Recognizing the risk that weak controls in partner nations present, the European Commission recently proposed a series of recommendations based on the risk of attack and the current structural limitations. This again points to issues of privately owned and controlled infrastructure that is critical to daily life. This article reports on the inquiry being conducted by the political oversight organization. Key questions that the politicians are asking include:
  1. How vulnerable is the Internet to widespread technical failures?
  2. Is the Internet industry doing enough to ensure the resilience and stability of the Internet, or is regulatory intervention unavoidable?
  3. Is the European Commission's concern about cyber attacks justified, and should the military be more involved in protecting the internet?
  4. Are government-operated computer emergency response teams an appropriate mechanism for dealing with internet incidents?
  5. Is it sensible to develop Europe-centric approaches to response infrastructure or should there be more emphasis on a worldwide approach?

All good questions. Questions that all governments should be asking.

Friday, October 23, 2009

Georgetown University: Cyber Security, Law, and Policy

Excellent panel discussion on policy issues surrounding cybersecurity in the US. It discusses the difficulty of getting Congress and the public to see cybersecurity as a risk and threat to national security.

Policy efforts have lagged in recent months as the White House and Congress are focused on healthcare and other issues.

Factual rather than inflammatory. The Pentagon leads the way as others stand and wait.

Healthcare info at risk

A recent survey of US Healthcare Industry ICT professionals conducted by the Ponemon Institute again points out that electronic information is a target for criminals. The operators know the risks but cite lack of management support as the major impediment to security.

The benefits of electronic records are many. The ability to quickly inform providers of a patient's medical history, medications, and family risk factors is essential to providing proper treatment (and at lower cost and risk!). This explains the recent emphasis on electronic medical records in economic stimulus efforts and in the health care insurance reform debate ongoing in the US.

Policy makers and industry leaders must keep patient confidence if the savings are to be realized.

Thursday, October 15, 2009

Lessons to be learned from the private sector

In an article on Risk Center, author Tami Casey reports on a survey of computer professionals at large companies about how difficult it can be to convince executive management of the need to invest in the security of web-based applications.

The keys to laying out the case apply in the government world as well. Let's look at the recommendations:

  • Effectively communicate the issue and build application security awareness. Executive management might not understand the impact or urgency of fixing security defects. Explain the importance of preventing a data breach, identity theft, unauthorized access and downed websites. Be sure to steer clear of jargon and use real-world examples highlighting damages to companies. It's important to provide training on Web security issues to all functions and not just developers. For governments this translates to teaching your leadership and explaining the political implications of failure.
  • Align your security strategy with business objectives. Discuss specific management goals and point out how a security breach could stand in the way of meeting these objectives, be they revenue or corporate reputation goals. Government version: focus on political risk and failure to meet citizens' needs.
  • Calculate the ROI. The cost of a breach can be $500K or more per incident. For example, the Heartland Payment Systems breach is estimated to have cost the company $12.6 million along with damage to its reputation and a dramatic drop in the company's stock price. For government it is not ROI but rather cost avoidance and funds that can be used for more productive work and services. When governments fail to protect citizen information, direct costs can also be incurred.
  • Cite laws and compliance issues. Be sure to point out penalties for non-compliance with regulatory standards, which can pile up quickly. It is bad form for government officials to fail to obey their own regulations!
  • Emphasize Web app security as part of the software development process. Include stakeholders from the development team through QA and production. This is the key. Government is a very large player in the IT services and procurement industry. It must demand quality products for its investments.

Pirated software source may carry unwanted surprise

A recent report from the Business Software Alliance (BSA) states that 41% of the software on PCs is pirated. Not only is this illegal, it is a serious security threat. Cyber criminals, taking advantage of individuals' desire to "get something for nothing", use pirated software packages to insert malware into gullible hosts.

Pirated software is most likely not patched (software vendors use technology to determine whether you have a valid copy of the software before providing updates). Thus known vulnerabilities are left open for exploitation.

The BSA report also indicates that geographies with high levels of software piracy also have high levels of malware infections. Mexico and Brazil are nations with high piracy and infection rates. See below