Posts Tagged ‘Legislation’

Thursday, 1 December 2011 11:30 No Comments

Can intelligence sharing be a two-way street?

In a post published earlier this week, I invited you to read the latest article written by Chris Poulin for SecurityWeek. In this article, Chris presented his belief that full breach disclosure and better collaboration among security professionals is key to thwarting today’s cyber threats.

In line with this belief, proposed breach legislation is also attempting to make disclosure and collaboration a center point of the nation’s cyber security strategy.  According to an article on CNN’s Security Clearance blog, such legislation would “enable the intelligence community to share classified information with the private sector while at the same time addressing the concerns private companies have with providing information about attacks on their systems to the government.”

This addresses weaknesses outlined in an INSA study published this past summer, in which the authors suggested both private industry and public agencies have a responsibility to defend the country against cyber attack.  In this proposed law, not only would businesses be required to share information about attacks with the government, the government would also share intelligence with security-cleared organizations.  This would open up communication channels in the cyber-intelligence community immensely, creating the type of collaborative environment Poulin describes in his article.

What do you think? Can collaboration between the federal government and private industry help defend the country from a major cyber attack? Does it seem too idealistic to imagine that these sectors can work together? Share your thoughts below!


Monday, 26 April 2010 09:10 1 Comment

Here Comes FISMA 2.0: First Step Continuous, Real Time Reporting

As I wrote in a previous blog, cybersecurity continues to be a preeminent issue in Washington D.C., and across the political spectrum a broad coalition of elected officials and government agencies are moving quickly to drive agencies and federal contractors to get a better handle on genuine network security – and they are starting with continuous, real-time reporting.

The latest ball to drop was Wednesday’s (April 21, 2010) announcement by the OMB regarding significant changes that apply to all government agencies as part of their FY 2010 reporting requirements, including:

  • Conduct government-wide benchmarking study on the current state of cybersecurity
  • All civilian government agencies are required to submit real-time data on their network’s security
  • Conduct agency specific interviews to begin the process of tailoring cybersecurity requirements to meet the needs of each agency

Of these, the new requirement for all agencies to begin reporting on a continuous, real-time basis is the most far-reaching, and shows a real shift in direction from a “paperwork culture” to genuine security intelligence. These new requirements pose serious challenges to agency heads, as they will now be required to make reporting a by-product of the systems they are deploying and make sure they are continuously monitoring how their information systems are being protected. Specifically, agencies will be required to submit reports via the CyberScope system (run by the Department of Homeland Security) either through a direct data feed or through an Excel XML file upload. They will have to do so by November 15, 2010 in order to be in compliance.

With legislation that includes provisions for continuous, real time reporting already making its way through both chambers of Congress, it will be critical for agency heads to stay in front of new reporting requirements as well as other mandates that will be coming their way. In order to comply with these new requirements, let alone what FISMA 2.0 will require, agencies will need to have in place a solution that enables them to collect and store massive amounts of data, generate a real-time report on their network’s security status and then submit that information.

As Federal CIO Vivek Kundra said in his press briefing, “The FISMA guidance we issued today is a significant departure from how we operated in the past.” It is important to recognize that these new requirements do not call on agencies to invest in a mere reporting tool – it goes far beyond that. If you look deeper into the pending legislation and Executive-level initiatives, it is clear that government agencies are at the early stages of a new paradigm where they are being required (or perhaps being given the resources) to do what network security professionals have long said needed to be the focus of FISMA: a genuine, well-resourced mandate to protect the government’s networks from cyberattacks. Reporting is going to still be key, but it is going to be output that is produced through the process of protecting the network.

For agency CIOs and CISOs, they will need to arm themselves with comprehensive tools that will allow them to:

  • Monitor their network and security-related activity through a single console, or “One Console Security”
  • Utilize data to establish benchmarks and best practices
  • Ensure best practices are adhered to and policies are being actively monitored
  • Automate the creation and availability of continuous, real-time reports
  • Scale their network security solution so that devices throughout their distributed networks can be monitored
  • Enable proactive decision making and intrusion prevention capabilities

While this may seem like a daunting challenge, the technology already exists and has been implemented by over 1,000 private and public sector organizations, customers of Q1 Labs.

QRadar is certified as a technology product for government deployments, including under Common Criteria (CC), the international standard (ISO/IEC 15408) for computer security certification, with an Evaluation Assurance Level (EAL) claimed security assurance rating.


Thursday, 15 April 2010 13:43 1 Comment

New State Level PCI Laws Pose Challenges and Financial Consequences for Payment Processors

Last month, Washington State became the third state to enact legislation that aims to protect consumers and financial institutions from security breaches by incorporating PCI requirements on their books, and also by placing additional financial consequences on payment card processors who are deemed “negligent” by the new law. For businesses that are not based in Washington State, this new legislation may have passed well below the radar – but non-compliance could have serious ramifications to any processor or vendor’s bottom line.

Washington’s new law allows for regulated entities to be held financially responsible for losses incurred through fraud or data breaches if the entity merely offers or sells goods or services to Washington residents. The Information Law Group has a great post about the details of this legislation, but two things really jump out at me here:

  1. PCI compliance, and penalties for non-compliance, are becoming a patchwork of laws being created at the state level
  2. There is a trend starting here, with a possible domino effect taking place as more states begin to take a closer look at implementing legislation to proactively protect consumers’ personal information

Minnesota kicked off legislating PCI compliance at the state level in 2007 by requiring all entities accepting credit and debit card transactions to implement a set of 12 security controls to protect payment card data against compromise. If they don’t comply, they may have to reimburse banks and credit unions that are affected. Nevada was next, when in 2009, that state passed a bill that mandated PCI compliance for businesses accepting payment cards; again, to any covered entity doing business in the state.

While the Washington, Nevada and Minnesota laws attempt to achieve a similar objective, they have different definitions for what a “covered entity” is, what requirements payment processors must undertake, what penalties can be assessed, and what is considered a safe harbor. If this trend is anything like data breach notification laws, where a wave of other states passed laws shortly after California passed theirs, there could be another wave coming.

The challenge for the payment card industry will be to keep up with all of these new requirements and demonstrate that they were in compliance if a breach occurs. After all, an out of compliance breach could result in millions of dollars in reimbursable payments to financial institutions – and the difference between having to make a reimbursable payment or not could come down to compliance and reporting.


Thursday, 25 March 2010 15:37 3 Comments

Cyber Security, FISMA 2.0, GRID Take Spotlight in Washington

It has been a busy couple of weeks in Washington, and not all regarding healthcare – it’s because of the increasing drain on GDP from cyber-crime and attacks. In stark contrast to the recent divisions found in the nation’s capital on some issues, there appears to be a great deal of consensus on the need to improve the nation’s ability to prevent and defend against cyber attacks.

Just yesterday, the Senate Commerce Committee approved the Cybersecurity Act (S.773), a bipartisan bill introduced by Senator Rockefeller (D-W.VA) and Senator Snowe (R-Me), that is aimed at improving both public sector and private sector preparedness. The bill would mandate that the President and those responsible for critical infrastructure systems work to identify and classify IT systems that, if successfully attacked, would threaten strategic national interests. Federal agencies would also be required to:

  • share information with the private sector concerning critical infrastructure networks
  • increase the numbers of trained and certified cybersecurity professionals
  • fund research related to cyber security.

Also on Wednesday, H.R. 4900 was introduced by Rep. Diane E. Watson (D-CA). It would rewrite provisions in the 2002 Federal Information Security and Management Act (FISMA), including establishing a “National Office for Cyberspace” within the Executive Office of the President (the EOP is a QRadar user), a Federal Cyberspace Practice Board that would be responsible for updating policies and procedures, and an agency-wide information security program to monitor network security and ensure compliance. The bill would also place security requirements on IT products that the federal government procures.

In testimony given Wednesday by public and private industry experts, many argued that the current FISMA requirements focus too much on compliance and so have actually hamstrung security professionals.

“In my view, the implementation of FISMA has been like getting on a treadmill,” said John Gilligan, the Air Force’s CIO at the time FISMA was implemented. “A treadmill is great if all you want is exercise, but it is not the way to reach a destination. The federal government has certainly burned a lot of calories, but we are still a long way from reaching our destination of dramatically improved security.” This supports the growing practice that tends to confuse “compliance” with “security”.

Alan Paller, founder of the SANS Institute, gave praise to government reforms that would require continuous monitoring but also pointed out that the 2002 FISMA legislation “rewarded ineffective behavior” and generated “reports that answered the wrong questions”.

At the same time as significant revisions to FISMA are being considered, FY 2010 FISMA performance metrics look to drive agencies and federal contractors to get an even better handle on real-time, automated cyber security and compliance reporting today. The focus of many of these reforms is to move from a compliance and reporting driven system to one that focuses on actually defending IT networks.

A third piece of legislation, The Grid Reliability and Infrastructure Defense Act, was unanimously approved by a House subcommittee on Wednesday as well. This bill directs the Federal Energy Regulatory Committee (FERC) to take measures to protect the electricity grid from telecommunications intrusions. This is on top of the $4.5 billion included in the 2009 stimulus to modernize the electric grid.

For government agencies and covered contractors, this sea change in regulation may leave some questions as to what direction each should take now, as they look to meet both current and future mandates, while also working to better defend their IT networks. In other words, how to leverage increasing compliance mandates (budget creation) to drive security best-practices.

Two points of emphasis arise:

First, compliance & reporting mandates may change, but they won’t go away. Following the advice of Gartner, other research firms and security consultants, compliance initiatives should involve these key audit guidelines:

  • Transparency – providing visibility into the security controls, the business applications, and the assets that are being protected
  • Accountability – proving who did what and when
  • Measurability – metrics and reporting around risk within your organization

Second, any organization, public or private, needs to be able to scale their solutions to meet what is likely to be the centerpiece of the newest crop of cyber security regulations – actually securing networks. To do this, security teams will need to be able to monitor their entire network and gain total visibility across systems, security devices, and the network, and then apply event correlation, including behavior analysis, and intelligent application of context—network architecture, system profiles, identity information, and 3rd party security intelligence sources—to event data.

QRadar is certified as a technology product for government deployments, including under Common Criteria (CC), the international standard (ISO/IEC 15408) for computer security certification, with an Evaluation Assurance Level (EAL) claimed security assurance rating.

QRadar surveys the entire network, using native flow sources in a customer’s routing/switching infrastructure or from distributed collectors to gather a detailed history of all network flow activity.

Leveraging the total visibility across systems, security devices, and the network, QRadar then applies industry-leading event correlation, including behavior analysis, and intelligent application of context—network architecture, system profiles, identity information, and 3rd party security intelligence sources— to event data.
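To make the “intelligent application of context” described in the two passages above concrete, here is a small added example written for this page (it is not QRadar code and does not reproduce any QRadar rule). It takes raw events, enriches each one with constructed system-profile, identity and third-party intelligence context, and then runs two correlation rules: an intel hit that only matters when the target is a high-criticality asset, and a behavioral rule that fires on repeated login failures within a time window rather than on a single failure. The asset profiles, identity mapping, threat-intel list and events are all constructed sample data.

```python
"""Context-enriched event correlation.

Added example for this post, not Q1 Labs / QRadar code. Every data source
below is constructed for illustration: asset profiles stand in for the
system-profile / network-architecture context, IDENTITY for identity
information, and THREAT_INTEL for a 3rd-party intelligence feed.
"""
from collections import defaultdict
from dataclasses import dataclass

# --- constructed context sources (assumptions, not real data) ---
ASSET_PROFILES = {
    "10.0.1.5":  {"role": "db-server",   "criticality": "high", "ports": {5432}},
    "10.0.2.20": {"role": "workstation", "criticality": "low",  "ports": set()},
}
IDENTITY = {"10.0.2.20": "jdoe"}        # source IP -> logged-on user
THREAT_INTEL = {"203.0.113.9"}          # constructed "known bad" source IPs


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of the sample
    src: str
    dst: str
    dport: int
    action: str      # "allow" | "deny" | "login_fail"


def enrich(ev):
    """Attach asset, identity and intel context to one raw event."""
    profile = ASSET_PROFILES.get(
        ev.dst, {"role": "unknown", "criticality": "unknown", "ports": set()})
    return {
        "event": ev,
        "dst_role": profile["role"],
        "dst_criticality": profile["criticality"],
        "expected_port": ev.dport in profile["ports"],   # does traffic fit the profile?
        "user": IDENTITY.get(ev.src),
        "src_known_bad": ev.src in THREAT_INTEL,
    }


def correlate(events, fail_threshold=3, window=60):
    """Return a list of offenses derived from the enriched event stream.

    Rule 1: a known-bad source touching a high-criticality asset (intel +
            system profile together; intel alone is not enough).
    Rule 2: fail_threshold login failures from one source to one destination
            within `window` seconds (behavior over time, not a single event).
    """
    offenses = []
    fails = defaultdict(list)                 # (src, dst) -> failure timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = enrich(ev)
        if ctx["src_known_bad"] and ctx["dst_criticality"] == "high":
            offenses.append(("intel_hit_on_critical_asset", ev.src, ev.dst))
        if ev.action == "login_fail":
            key = (ev.src, ev.dst)
            # keep only failures still inside the sliding window, then add this one
            fails[key] = [t for t in fails[key] if ev.ts - t <= window] + [ev.ts]
            if len(fails[key]) == fail_threshold:   # fire once, when the threshold is reached
                offenses.append(("brute_force", ev.src, ev.dst, ctx["user"]))
    return offenses


# Constructed sample events for this page.
SAMPLE_EVENTS = [
    Event(1,   "203.0.113.9", "10.0.1.5",  5432, "allow"),       # intel hit on the DB server
    Event(5,   "203.0.113.9", "10.0.2.20", 445,  "deny"),        # intel hit, low-criticality target
    Event(10,  "10.0.2.20",   "10.0.1.5",  5432, "login_fail"),
    Event(12,  "10.0.2.20",   "10.0.1.5",  5432, "login_fail"),
    Event(14,  "10.0.2.20",   "10.0.1.5",  5432, "login_fail"),  # third failure inside 60 s
    Event(100, "10.0.2.20",   "10.0.1.5",  5432, "login_fail"),  # outside the window, no offense
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for offense in run_sample():
        print(offense)
```

The point of the design is that neither rule fires on a raw event alone: the intel match is suppressed for the low-criticality workstation, and a single failed login is just noise until the behavioral count inside the window makes it an offense, at which point the identity context names the account involved.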


Monday, 22 March 2010 14:42 No Comments

Healthcare Reform and Securing Healthcare

With healthcare making up over 15% of our GDP and the hyper-attention the medical vertical is now receiving due to the legislation passed last night, cyber-crime and fraud in healthcare will also increase.

Jon Oltsik from ESG just posted to Network World’s Cisco subnet:

“Forget politics or whether you are in favor or opposed to health care reform. The fact is that there is a lot of money going into health care right now, and this trend will continue into the future. In my mind, this means that IT vendors need to embrace a focused sales and marketing effort in the health care vertical. I’m not talking about brochures or trade shows, I’m talking about real expertise health care IT architecture, requirements, regulations, and vision.”

We concur, and our customers in healthcare rely on QRadar and the expertise it represents.

