After high-profile security breaches at Target and other retailers, and a damning Senate report on the government's preparedness for a cyber attack, the government is set to unveil a "framework" for strengthened cybersecurity in the public and private sectors later this month.
The final plan, which establishes best practices for fending off cyberterrorists, hackers and identity thieves, will be released this month by the National Institute of Standards and Technology (NIST). It was developed jointly by government officials and the technology industry.
The preliminary draft states that the framework's core is organized around five functions, "Identify, Protect, Detect, Respond, and Recover," for safeguarding important data.
“As we have seen in the private sector, cyber threats evolve every day, and our mission is to stay ever vigilant and to stay ahead of the threats by identifying and mitigating them and by continually improving our efforts,” White House National Security Council spokesperson Laura Lucas Magnuson told TheBlaze.
Cybersecurity was also front and center on Capitol Hill this week. On Wednesday, the House Energy and Commerce Committee will hold a cybersecurity hearing; the Senate Banking and Senate Judiciary committees held theirs on Monday and Tuesday.
Well before the retailer breaches or the recent Senate GOP report, President Barack Obama issued an executive order on Feb. 12, 2013, directing the development of a cybersecurity framework.
Confidential information held by the Department of Homeland Security, the Internal Revenue Service, the Nuclear Regulatory Commission, the Securities and Exchange Commission and the Department of Energy has all been compromised to some degree, according to a report by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee issued Tuesday. The report was led by Sen. Tom Coburn (R-Okla.), but its findings were endorsed by committee chairman Sen. Tom Carper (D-Del.).
The report is particularly tough on DHS, which oversees cybersecurity for all federal agencies.
“The [inspector general] found hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software,” the report says. “Weaknesses at DHS are not confined to its own cybersecurity office. IT security vulnerabilities exist throughout DHS and its component agencies. Although it has steadily improved its overall cybersecurity performance, DHS is by no means a standard-setter. In fact, in some key areas DHS lags behind many of its agency peers.”
The report also states that the Government Accountability Office (GAO) found 100 weaknesses in computer security at the IRS, and that hackers were able to break into a Department of Energy system and obtain information on more than 100,000 department staffers. Further, SEC laptops contained information that was not encrypted, and staffers were transmitting information about companies over non-secure channels.
The report states that the Nuclear Regulatory Commission, the agency charged with the security of nuclear reactors, regularly experiences unauthorized disclosure of sensitive information.
Magnuson, the White House spokesperson, declined to comment directly on the report, but said the administration is constantly working to improve its readiness for technological threats.
"Government-wide we have made cybersecurity one of our Cross-Agency Priority Goals, meaning that each federal agency must report back to the Office of Management and Budget about the IT assets it has in place to ensure that its networks are securely configured and patched; that agencies are properly authenticating IT users; and that agencies are protecting their network perimeters using the best methods available," she told TheBlaze.
Magnuson pointed out that Obama promoted national data breach legislation in May 2011.
“The administration’s legislative priorities for the 113th Congress build upon the president’s 2011 cybersecurity legislative proposal and take into account several years of public and congressional discourse about how best to improve the nation’s cybersecurity,” Magnuson said.
“Congress should enact legislation to incorporate privacy, confidentiality, and civil liberties safeguards into all aspects of cybersecurity; strengthen our critical infrastructure’s cybersecurity by further increasing information sharing and promoting the establishment and adoption of standards for critical infrastructure; give law enforcement additional tools to fight crime in the digital age; and create a National Data Breach Reporting requirement.”
Holes in security were exposed during the Christmas shopping season when consumer data at retailers such as Target, Neiman Marcus and Michaels was compromised by identity thieves. The data breaches are the subjects of two Senate hearings and one House hearing this week.
About 7 percent of all U.S. residents age 16 or older (about 16.6 million people) were victims of identity theft in 2012, according to the Bureau of Justice Statistics.
“Advances in computer technology and greater access to personally identifiable information via the Internet have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies,” William Noonan, deputy special agent in charge of the U.S. Secret Service, told the Senate Banking subcommittee on National Security and International Trade and Finance Monday. “As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure.”
“These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy,” Noonan continued. “The recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals who are intent on targeting our Nation’s retailers and financial payment systems.”
Jessica Rich, director of the Bureau of Consumer Protection at the Federal Trade Commission, told the Senate panel Monday that "companies should limit the information they collect and retain based on their legitimate business needs, so that needless storage of data does not create unnecessary risks of unauthorized access to the data," and added that "companies should properly dispose of information that they no longer need."
Follow Fred Lucas (@FredVLucas3) on Twitter.