nextgov

How the IRS Is Leaving Your Financial Data Unprotected

The tax agency needs to better audit its own accounts, according to the Government Accountability Office.

GAO officials discovered that Internal Revenue Service was not sufficiently monitoring databases for abnormal activity that could indicate a breach. They also found poor encryption on key agency systems. In addition, this is the seventh consecutive year the IRS has failed to patch security vulnerabilities that could compromise financial data, a review of GAO reports dating back to 2007 reveals.

"Serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data," Nancy Kingsbury, GAO managing director for applied research and methods, and Gregory Wilshusen, GAO director for information security issues, wrote in a new report.

The IRS did not apply critical patches in a timely fashion to multiple systems, including programs for procurement and email, the auditors said. In addition, the agency was running unsupported software on workstations and databases that developers are not even issuing security fixes for anymore. GAO officials also noticed that systems handling transfers of financial data were not configured to encrypt login information.

DHS Prepares Overhaul of Internal Security Operations

The Homeland Security Department announced future plans to overhaul an organization that defends DHS’ own internal networks.

A counter-hack mechanism called the intrusion defense chain, or "kill chain” -- developed by researchers at Lockheed Martin -- is expected to drive the revamp, according to DHS officials. A kill chain predicts an intruder’s attack plan and breaks it down into steps that must be taken to achieve the ultimate hack -- for instance, obtaining a map of the most critical US water plants from a DHS network. Operators then devise a countermeasure for each action that, if applied along any point in the chain, will thwart the criminal's plan.

The office of DHS Chief Information Security Officer Jeff Eisensmith is requesting security operation ideas, "including most notably the employment of an Intrusion Defense Chain methodology to 'align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise," stated a market research survey. The notice quotes a 2011 Lockheed paper. The potential plans also ask vendors how they would measure the effectiveness of the center, if given the management job. And officials want contractors to list staffing and facilities requirements DHS should consider.

Sometimes the Best Big Data Questions Raise The Biggest Privacy Concerns

One useful definition for the unstructured data that underlies most existing and theoretical big data projects is that it was often collected for some purpose other than what the researchers are using it for.

This definition points to the potential of big data analysis as more and more information is gathered online and elsewhere, but it also points to some challenges as outlined by Duncan Watts, a principal researcher at Microsoft’s research division.

First off, a large portion of the data that might be valuable to social scientists, policymakers, urban planners and others is held by private companies that release only portions of it to researchers. Facebook, Amazon, Google, email providers and ratings companies all know certain things about you and about society, in other words, but there’s no way to aggregate that data to draw global insights.

“Many of the questions that are of interest to social science really require us being able to join these different modes of data and to see who are your friends what are they thinking and what does that mean about what you end up doing,” Watts said. “You cannot answer these questions in any but the most limited way with the data that’s currently assembled.”

Second, even if social scientists were able to draw on that aggregated data, it would raise significant privacy concerns among the public.

Finally, because much of the data that’s useful to social scientists was gathered for other purposes, there’s often some bias in the data itself, Watts said.

“When you go to Facebook, you’re not seeing some kind of unfiltered representation of what your friends are interested in,” he said. “What you’re seeing is what Facebook’s news ranking algorithm thinks that you'll find interesting. So when you click on something and the social scientist sees you do that and makes some inference about what you’re sharing and why, it’s hopelessly confounded.”

Is It Time To Make Cyber Jobs A National Imperative?

With research showing a vast shortage of skilled talent to fill cybersecurity jobs, it may be time for the United States to make cybersecurity a national imperative in much the same way it did with aerospace technology, nuclear science and biotechnology.

That’s according to Sam Visner, vice president and general manager of CSC Global Security, who said that while attention is being brought to the issue through programs like the National Initiative on Cybersecurity Education, or NICE, as well as the National Institute of Standard’s and Technology’s recent cybersecurity framework, not enough is being done or coordinated to truly make those efforts effective.

“We have uncoordinated initiatives, but not a national strategy coupled with a national program,” Visner said. “We have in the case of NICE a broad statement of policy but not what I would consider to be the level of programmatic strategy and resources to be a national imperative.”

DHS Quietly Delivers Hacker Footprints To Industry

A little-known website sitting behind a firewall has been exchanging sensitive hack intelligence between companies and agencies at a rate of one new threat hallmark per hour, a top Homeland Security Department official said.

The Cybersecurity Information Sharing and Collaboration Program, launched in 2011, virtually convenes about 70 critical industry and analytics organizations – think energy companies -- as well as federal departments. The result is bulletins provided in formats that computers can "read" so they can apply the appropriate protections. And containment recommendations are pumped out in plain text that people can read.

"It enables us to identify those threats or organizations" that are a danger, said Roberta Stempfley, DHS acting assistant secretary of cybersecurity and communications. "We have shared through this program more than 26 unique indicators a day. You wouldn't think that that sounds like a large number. But it's unique indicators in a day. That's more than one an hour."

Now's Your Chance To Weigh In On The White House's Web Privacy Policy

The White House does not share information about visitors to its Web and mobile tools outside of the federal government, either for commercial or political purposes, according to the draft of an updated privacy policy.

The White House may share some visitor information with other federal agencies in response to law enforcement requests or to protect its online security, the policy said. The White House may also share information requests that are under an agency’s jurisdiction “for the limited purpose of addressing your request for assistance.” The draft policy will go into effect on April 18.

The Internet Of Things Means More Things To Hack

[Commentary] People often ask me if I “stay off the grid” by refusing to participate in online shopping and banking and express surprise when I tell them I don't bother. "Doesn’t it scare you?" they ask. "Aren’t you worried your information will be compromised?” Yes and yes, but staying away from the Internet isn't much of an option. Plus, as the recent retail store credit card debacles have demonstrated, bad things can happen to shoppers no matter if they are online or physically in a store.

What scares me more than someone stealing my information as I shop on Zulily or Amazon is how quiet the drumbeat has been on securing the broader Internet of things. As more of the items we use every day get online capabilities, our lives and the Internet of things are increasingly interconnected.

From my desk, I can control the temperature of my house, look at my wrist and determine that I need to get up and walk, check my fitness app to see that my cousin in Texas is now ahead of me in total steps for the week, and open and close the windows of my networked car. From my phone, I can control my TV, my front door, my security system and the baby monitor.

Yet despite the connectivity we are not seeing a massive amount of discussion about the Internet of things and cybersecurity. The concerns with Internet-of-things security are two-fold. The first is the ability to hack in and control aspects of our lives -- open my front door, turn the heat up at my house or disable my security system. The second is the vulnerability and theft of the data collected as part of the Internet of things movement to make our lives easier and more interesting.

[Herrera-Flanigan is a partner at the Monument Policy Group]

Key NSA Defender Wants To End Bulk Data Collection

One of the top supporters of the National Security Agency is now calling for an end to the agency's controversial practice of collecting data on millions of US phone calls.

Under the proposal from Rep Dutch Ruppersberger (D-MD), the top Democrat on the House Intelligence Committee, the phone companies, not the NSA, would hold the phone data. NSA analysts could access the records only if they first obtain an order from the Foreign Intelligence Surveillance Court.

His proposal would not impose any mandate on the phone companies to maintain the data -- an idea that would face fierce resistance from civil-liberties groups and the phone companies themselves. Rep Ruppersberger argued that a new data-retention mandate is unnecessary because the Federal Communications Commission already requires phone companies to maintain their records for 18 months in case there are disputes over billing.

75 Percent Of Hospitals And Clinics Are Worried About Healthcare.Gov Hacks

A major concern about Obamacare is that the online swap of patient information between providers and the federal government's data hub will jeopardize consumers' privacy and security, according to a new study by the Ponemon Institute.

As far as cyber threats that affect patients, "the Affordable Care Act (ACA) is seen as a contributing factor because of the documented insecure websites, databases and health information exchanges that are highly vulnerable to insider and outsider threats,” state the findings of the report. Health and Human Services officials have maintained, ever since registration for Obamacare plans launched on Jan 1, that HealthCare.gov is safe and that there have not been any breaches detected.

About 70 percent of hospitals and clinics said they believe the Affordable Care Act, in general, increases the risk of compromising patient data. The factors driving their fears: insecure online exchanges (75 percent); unprotected databases (65 percent); and the website registration process (63 percent).

Federal Website Security Bill Moves Forward In House

Legislation approved by the House Oversight Committee would require agency chief information officers to vouch to Congress for the security of any new government websites that gather citizens' personal information.

Rep Kerry Bentivolio (R-MI), introduced the legislation in December in the wake of reports that HealthCare.gov, the Obama Administration’s troubled online federal health insurance marketplace could have exposed insurance seekers’ personal information to hackers. During committee discussion, members focused on private sector data breaches at Target and other retailers.

There have been no successful hacks against HealthCare.gov and that the system adheres to government standards for information security, the Health and Human Services Department has said.

“We have a duty to protect our constituents, especially if they are being directed by our offices to use federal websites that require their personal information,” Bentivolio said. “If Americans cannot trust federal websites they will be wary of going on these websites and finding the information and services they need.”

Key Senators Back A Stronger, More Digital FOIA

The chairman and ranking member of the Senate Judiciary Committee expressed interest in a House-passed bill to strengthen the Freedom of Information Act, including by mandating a single online portal for all government FOIA requests.

Judiciary committee staff members are reviewing the bill that the House passed unanimously in February, said Sen Chuck Grassley (R-IA). Sen Grassley and Judiciary Chairman Patrick Leahy (D-VT) both expressed optimism the committee would take up the bill during a hearing focused on “Reinvigorating FOIA for the Digital Age.”

The FOIA Oversight and Implementation Act would also require that the Office of Government Information Services, which was established in 2007 as something of a FOIA ombudsman, report directly to Congress rather than passing its reports and recommendations through the White House’s Office of Management and Budget first.

[March 11]

Pentagon Tries Again On Cyber Intelligence-Sharing Contract

The Defense Department will recompete a $26 million contract to support a classified cyber intelligence network, after federal attorneys determined the Pentagon failed to properly evaluate contractor proposals, Defense officials said.

The project in question involves a network that holds "signatures" of known cyber threats identified by the National Security Agency. The system, part of a Defense Information Systems Agency program, feeds these classified and sometimes unclassified indicators of potential hacks to cleared defense companies so they can apply appropriate computer protections. A DISA spokeswoman said the agency will amend its original solicitation and recompete the contract.

[March 7]

TSA Halts Testing On Technology To Screen Passengers' Online Data

The Transportation Security Administration has called off -- for now -- live tests of technology that would expand background checks on airplane passengers to include analyses of their online presences.

The idea was to have contractors analyze consumer data -- potentially including dating profiles and shopping histories -- on fliers who apply for the voluntary "Pre✓” program. Pre✓, open to all US citizens, lets passengers breeze through dedicated checkpoints without removing shoes, belts, laptops or TSA-compliant liquids after paying an $85 fee and proving their identities. The agency got as far as watching "prototype implementations" but decided against trying a system out on actual passengers, according to a March 4 notice published in a government acquisition database.

Under the Pre✓ data mining strategy, private screeners would aggregate biographic and biometric “non-governmental data elements to generate an assessment of the risk to the aviation transportation system that may be posed by a specific individual,” the 2013 announcement stated. The vendor would have to provide a “reliable method that effectively identifies known travelers, based on a sound analysis and the application of an algorithm that produces dependable results.”

[March 7]

Women Fleeing Science, Tech Fields

The talent pipeline of female workers in science, engineering and technology fields is on the rise, yet many women -- faced with hostile work environments, extreme work pressures and isolation – are fleeing these in-demand fields in droves. That’s according to “Athena 2.0,” a new report by the Center for Talent Innovation, which surveyed women in science, engineering and technology (SET) fields in the US, Brazil, China and India, and found that while women make up nearly 50 percent of SET college graduates in every nation, roughly one-third of them say they feel stalled and are likely to not only quit their jobs within one year but to leave their respective SET field entirely.

“There’s unique challenges that women in different industries face,” Tara Gonsalves, a senior research associate at the Center for Talent Innovation, told Wired Workplace. “Women in science are struggling against the lab coat culture, women in engineering are facing the hard hat culture and women in technology are facing the geeky, late-night hacking culture.”

In the United States specifically, the majority (80 percent) of women love their work, yet many feel excluded from male-dominated “buddy networks” and lack female role models. Most SET women (86 percent) in the US also lack sponsors or mentors, and nearly half (46 percent) believe senior managers more readily see men as leadership material. In addition, many SET women in the US (54 percent) say they are eager to get to the top of their organizations, yet nearly one-quarter (23 percent) feel a women could never get a top position at their company. US respondents also felt their leadership does not endorse (62 percent) or implement (75 percent) ideas from SET women.