Transparency About Data Collection is a Needed First Step of Privacy Regulation, Panelists Say at FTC Event

WASHINGTON, June 27, 2019 — Forcing websites and online platforms to be more transparent about the ways in which they collect and utilize consumer data is a step in the right direction, but it’s not enough, said speakers at a Federal Trade Commission conference on Thursday.

Panelists at the fourth annual PrivacyCon discussed emerging issues from new technologies such as the Internet of Things and how companies can quantify the costs and benefits to consumers of maintaining data privacy.

Consumers do not fully understand the myriad of ways in which they are being tracked, and even when they do, they lack the controls to manage it, said Consumer Reports’ Policy Counsel Katie McInnis. Rigorously protecting privacy requires time, effort, and sometimes even money—and even after all of that, some amount of data will still be tracked and used to create a profile of the consumer for marketing purposes.

While increasing transparency is important, we need to find a solution that shifts the burden away from the consumer and onto the providers of the technology, said McInnis, emphasizing the need for stronger federal regulation of online privacy and rules giving consumers access, deletion, and correction rights to their data.

Privacy should be the default, and users should not have to understand complicated technical questions in order to ensure it, said Noah Apthorpe, a Ph.D. candidate at Princeton University.

If the government does not take action now, it will lead to long-term problems and negative implications for consumers that will ultimately be far harder to solve, said Kristen Walker, a professor at California State University Northridge.

As policymakers work to create new, stronger regulations, it is essential that they include technologists, researchers, and consumer advocates in the process, Apthorpe said. Otherwise, policies are at risk of ending up with loopholes that could have been caught by someone more familiar with the technical details of the issue.

But simply increasing regulations will not solve the problem either, said McInnis, pointing out that many industries still fail to meet the bare minimum standard of regulations currently in place, such as the Children’s Online Privacy Protection Act.

Another issue discussed by the panelists was the monetary value of personal data. Mahmood Sharif, a Ph.D. student at Carnegie Mellon University, shared his research on privacy valuations, which indicated that many people would be willing to sell their personal attributes, especially to federal agencies or research pools.

McInnis vehemently objected to the concept of putting a price on personal data. Such practices would eventually make privacy a luxury rather than a basic human right, she said, and would exacerbate problems of systemic inequality.

The conference, which is held by the FTC as part of its ongoing effort to address evolving data security challenges, brings together academics, industry representatives, consumer advocates, and government regulators to discuss trends and research related to consumer privacy.

“It helps us keep our finger on the pulse of important developments in technology, economics, and consumer privacy so that we can ground our policymaking in real data,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

(Photo of PrivacyCon panel by Emily McPhie.)

Development Associate Emily McPhie studied communication design and writing at Washington University in St. Louis, where she was a managing editor for campus publication Student Life. She is a founding board member of Code Open Sesame, an organization that teaches computer skills to underprivileged children in six cities across Southern California.

Congressional Witnesses Say Lack of Agency Resources is Holding Back Government Cybersecurity Efforts

House Freedom Caucus Rep. Scott Perry calls GOP supporters of the bipartisan infrastructure measure “socialist-voting members.”

Photo of House committee Chairman Peter DeFazio from May 2014 by Theresa Hogue used with permission

WASHINGTON, December 3, 2021 – Representatives of federal agencies tasked with overseeing the nation’s infrastructure systems told the House Transportation and Infrastructure Committee that their efforts to safeguard national cybersecurity are hampered by a lack of funding for their agencies.

The committee heard testimony from the Transportation Department, the Federal Aviation Administration, the Transportation Security Administration, the U.S. Coast Guard and the Government Accountability Office in the second part of a two-hearing series on infrastructure cybersecurity, following a year that saw the number of high-profile cyberattacks increase.

The TSA has recently proposed cybersecurity mandates for the transportation industry, only to face significant blowback from key leaders in transportation.

Throughout the hearing Thursday, as lawmakers presented agency representatives with proposals to improve federal cybersecurity efforts, the agency representatives frequently cited a lack of resources as preventing them from executing such changes in cyber policy.

Lawmakers find uncertainty for success of proposals

Lawmakers’ questions touched on a wide variety of infrastructure issues.

Rep. Rick Larsen, D-Wash., raised concerns over the use of C-band spectrum interfering with aircraft. The topic has been in the spotlight as C-band use increases with the 5G rollout, and the aviation industry has continually requested delays in 5G deployment despite telecom companies already having pushed back their release dates.

The FAA’s representative at the hearing, chief information security officer Larry Grossman, stated that the FAA believes C-band can safely coexist with aviation, and that further information on the matter was being gathered by both the FCC and the FAA.

Rep. Grace Napolitano, D-Calif., cited examples of breaches in the nation’s water supply systems and recommended virtual cybersecurity training for the employees who oversee those systems.

Rep. Hank Johnson, D-Ga., emphasized that cybersecurity challenges had held up disbursement of emergency government COVID-19 stimulus, creating delays that he said many Americans could not afford. He pointed to the slow pace of cybersecurity solution implementation as a major contributor to these delays.

In one of the day’s more politicized lines of questioning, chairman of the House Freedom Caucus Rep. Scott Perry, R-Pa., asked what was being done to counter what he considered cybersecurity threats specific to electric buses such as lighting fires. In his questioning, he condemned the Republicans who voted for the Infrastructure Investment and Jobs Act, which contains an electric vehicles provision, as “some socialist-voting members.”

The GAO’s representative, director of information technology and cybersecurity Nick Marinos, responded that whether they are gas or electric powered, vehicles are seeing increased potential for hacks.

Like Rep. Napolitano, committee chairman Rep. Peter DeFazio, who recently announced this would be his last term in Congress, said cybersecurity training should be mandated for companies overseeing infrastructure. He emphasized that just before it was hacked, Colonial Pipeline turned down an audit that was offered to it, and that had the audit taken place the hack may have been prevented.

Additional legislation concerning these hacks has been pushed recently in the House, such as a mandate for quick reporting to the government when companies are hacked.

House Oversight Reveals Details of Investigation into Colonial Pipeline, Other Company Hacks

The committee released a memo stating that “small lapses” led to many prominent cyberattacks this year.

Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York

WASHINGTON, November 17, 2021 – A House Oversight and Reform Committee investigation concluded in a staff memo that “small lapses” in cyber security led to hacks of Colonial Pipeline, meat producer JBS USA, and insurance group CNA Financial Corporation that occurred earlier this year.

Additionally, in Tuesday’s memo, the committee stated that the companies’ lack of “clear points of contact with the federal government” hampered response efforts to the attacks and that the companies faced a “huge” amount of pressure to pay hackers. Cyber security officials on Tuesday asked Congress to push legislation that would force companies to notify the government about cyber breaches.

The CNA hack occurred after an employee accepted a fake browser update and hackers gained access to JBS through an old account with a weak password that had not been deactivated. Colonial Pipeline was hacked as a result of just one stolen password linked to a profile, leading to gas shortages in several states.

Employees at JBS and Colonial Pipeline may have been operating on Internet of Things devices, which often rely only on mass-produced factory default passwords because of their limited processing power. This makes such devices extremely vulnerable to cyberattacks.

“Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack,” reads Oversight’s memo.

Security issues for schools and libraries

Experts say that similar issues with IoT and password security are increasingly threatening cybersecurity in schools and libraries as well. During a School, Health and Libraries Broadband Coalition event Wednesday, leaders in education cited data showing that attacks on the education sector continue to increase in frequency, from a rate that already ranks second among all professional sectors.

Amy McLaughlin, executive director of technical and solutions architecture for Oregon State University, suggested during the event that schools and libraries expand their security beyond the basic firewall paid for by E-rate funding: change default passwords where possible, avoid using an administrator login, patch systems, and use anti-malware software on all devices.

Similarly, Bob Turner, field chief information security officer for higher education at Fortinet, stated that his organization recommends schools use multi-factor authentication.

The recently signed Infrastructure Investment and Jobs Act specifically allocates funding to be used for the implementation of improved cybersecurity practices in institutions including libraries, cyber security officials said Tuesday.

National security concerns

In June, Oversight and Reform Committee Chairwoman Carolyn Maloney, D-New York, told CNA, JBS USA and Colonial Pipeline via letters that she was “extremely concerned that the decision to pay international criminal actors sets a dangerous precedent that will put an even bigger target on the back of critical infrastructure going forward.”

During an Oversight and Reform panel Tuesday, committee members questioned witnesses on the efforts by President Joe Biden’s administration to push back on recent ransomware attacks by Russian-based cybercriminals.

Cyber Officials Reiterate Need for Private-Public Sector Cyber Threat Information Sharing

Calls are growing louder for mandatory breach reporting for cybersecurity incidents.

Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency

WASHINGTON, November 16, 2021 – Cybersecurity officials from the federal government told the House Committee on Oversight and Reform Tuesday that Congress needs to press forward on legislation that would force companies to share information on cyber attacks with the federal government.

In July, Sens. Mark Warner, D-Virginia, Marco Rubio, R-Florida, and Susan Collins, R-Maine, introduced the Cyber Incident Notification Act of 2021, which requires federal and private sector cybersecurity intrusions to be reported to the government within 24 hours.

On Tuesday, the Oversight and Reform Committee, which is studying how the government can crack down on ransomware, heard from three cybersecurity witnesses that a priority of Congress should be to pass such legislation to force that information sharing, so the government is better prepared to respond to, and prevent, attacks.

“Passing cyber threat notification legislation is a top priority,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency. “We need the information because that enables CISA and the FBI to both engage with that victim, offer our assistance, understand what’s happening on their networks, and protect other victims as well as all the threat response and going after the actor and following the money.”

The comments and the calls for legislation come against the backdrop of high-profile cyberattacks, including against oil transport company Colonial Pipeline and software company SolarWinds, which prompted a Senate hearing on the matter. Recently, investment app Robinhood suffered its own data breach.

The attacks also raise even more alarm as the pandemic has made remote work more commonplace.

Wales noted that there have been improvements in public-private partnerships to better deal with cyberattacks, including the launch of the Joint Cyber Defense Collaborative, which will lead development of cyber defense plans and executive plans in coordination with federal, state, local and tribal governments, as well as the private sector.

The companies Wales named were those with the most “visibility” into these attacks, including major cloud companies, internet service providers and cybersecurity firms.

“As we work together to spot threat activity, we are able to provide more protection than anyone can do individually,” Wales said.

Last month, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.

Other legislation before Congress

The signing into law Monday of the Infrastructure Investment and Jobs Act includes cybersecurity grants to state and local governments, which Wales said he is hopeful will help

The House recently passed the Small Business Administration Cyber Awareness Act, which would require only small businesses of their cybersecurity capabilities and notify Congress about cyber breaches.

Before that, Senator Angus King, I-Maine, called for the crafting of legislation that would require all companies to report cyber breaches to the federal government, which was backed by a Department of Justice official in further testimony before the Senate Judiciary Committee earlier this year.
