LXBN TV Interview: What Companies Should Do to Prepare for Implementation of Cybersecurity Executive Order

Following up on a recent post discussing this very subject, Jerry Ferguson, blog contributor and Co-Leader of BakerHostetler's Privacy and Data Protection Team, had the opportunity to speak with Colin O'Keefe of LXBN regarding the cybersecurity executive order. In the brief interview, Ferguson explains why companies shouldn't simply ignore the order and what they should do now to prepare for its implementation.

FTC Databook Highlights Consumer Fraud

The FTC last week announced the release of the Consumer Sentinel Network Databook for January – December 2012.  The “Consumer Sentinel Network” is the FTC’s platform for law enforcement collaboration on issues affecting consumers. The program collects data from a wide range of sources, providing a comprehensive, nationwide picture of consumer complaints. Given the possible existence of reporting biases and other factors, the FTC report should not be treated as a statistically valid survey of all consumer fraud. It is, nevertheless, an interesting and important part of the overall consumer-fraud picture.

This year's Databook reports on over 2 million consumer complaints received, with identity theft as the top issue by a wide margin (369,132 complaints, or 18% of the total), followed by debt collection (199,721; 10%), banks and lenders (132,340; 6%), shop-at-home and catalog sales (115,184; 6%) and prizes, sweepstakes, and lotteries (98,479; 5%).

The total reported cost paid by consumers as a result of fraud was nearly $1.5 billion, or an average cost of $2,350 per affected consumer. However, this average is skewed by a minority of higher-dollar frauds. A close examination of the FTC-provided data reveals that most (54%) of consumers who reported fraud paid nothing as a result, with a median cost of $535 among victims who did pay. Thirteen percent of victims paid between $1,001 and $5,000, while only four percent paid more than $5,000, rates which have remained fairly steady in each of the last three years.

It remains the case that most fraud originates in cyberspace, either via email (38%) or other web or internet exchanges (12%), although phone contact remains significant as well (34%).

Among reporting consumers, those aged 40 and above are at a higher risk of being victimized by fraud (66% v. 33% for those aged below 40). However, a complete look at the data undercuts any simple theory that susceptibility to fraud increases significantly with age. Considered as a whole, the under-40 group is helped by the fact that relatively few frauds target those 19 and under. And among reporting adults and broken down by decade, those aged over 70 are in fact the least likely of any group to be fraud victims.

In the category of identity theft fraud, most reported frauds are tax or wage related (43.4%), followed by credit card fraud (13.4%), and phone or utilities fraud (9.7%).

What You Should Be Doing Now to Prepare for Implementation of the Cybersecurity Executive Order

Co-Authored by: Theodore J. Kobus III

A tempting response to the Cybersecurity Executive Order (the "Order"), announced by President Obama at his State of the Union address, is to ignore it.  It is vague in key particulars, such as which companies are part of the "critical infrastructure" and therefore subject to the Order.  The only immediate effect of the Order is to require various departments and agencies, led by the Department of Homeland Security ("DHS"), to: (i) study issues; (ii) identify powers that can be exercised under existing laws; and (iii) come back with proposed plans of action.  Maybe if we ignore it, it will go away.

But it won't.  If you are a significant player in a regulated industry that has already been identified by DHS as part of the critical infrastructure (which includes energy, health care, transportation, financial services, heavy manufacturing, food and drugs), if you are a government contractor, or especially if you are both, the Order is a statement of intent that should not be ignored.

The Administration has identified cybersecurity as "one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter."  The Executive Order focuses on two solutions: 1) enhanced security standards; and 2) better sharing of information between government and the private sector.

While the Executive Order describes these security standards as "voluntary," it also directs regulators to identify "incentives" for adopting these standards. Incentives under consideration include potential preferred treatment for government contractors who participate.

With respect to information sharing, the Executive Order only specifically discusses the government sharing information with industry about identified threats. But the Administration has acknowledged that achieving the goals of the Executive Order "will by necessity involve increased collaboration with the private sector and a whole-of-government approach." Initially this sharing may take the form of responding to questionnaires from the National Institute of Standards and Technology (NIST), or requests by the government to a company's security expert. Ultimately, be ready for requests for information related to cybersecurity threats coming from your regulators and government procurement officers.

What should you be doing now to prepare for the impact of the Executive Order on your company?

(1) Review your incident response policies and, if necessary, update them to address the concerns of this Executive Order. Historically, breach reporting obligations have focused on lost personally identifiable information and protected health information because state and federal laws have focused on these losses. The Executive Order focuses on "infrastructure threats" and includes risks posed by trade secret theft, cyber terrorism and hacktivism. Make sure that the policies you have in place adequately address identifying infrastructure threats and escalating those issues to the appropriate people within your organization. There are going to be "whistleblowers" waiting to assist you with making these disclosures if you are not willing to confront these issues head on.

(2) Look at your vendor lists and contracts. If you are not considered to be critical infrastructure, are your business partners? Are your business partners at risk for certain cybersecurity events like hacktivism and foreign government sponsored attacks? Are your key vendors demonstrating their readiness to you and should you be better protecting yourself in your contracts with these business partners?

(3) Establishing or upgrading security audits should be considered -- not just of your own house, but of your business partners as well. Increasingly, the government is looking not just at an organization but at the organization's business partners as well.

(4) Finally, develop a regulatory strategy. Just like any other government relationship, figure out how you are going to leverage your existing relationships to guide you through this process and what their expectations are. Government, whether as a regulator or a partner in the war against cyberterrorism, expects transparency, cooperation, and a good attitude. Think about reaching out and starting a dialogue about these challenges and concerns as we figure out how to combat these cyber attacks.

APT Threat Report Shows Cybersecurity Risks Not Limited to Identity Theft

We often talk to companies who believe they are an unlikely target for hackers because they do not have financial account information, Social Security numbers, or medical information.  However, personal information is not the only item hackers are after.  Indeed, the chief of the United States Cyber Command and director of the National Security Agency said last year that the loss of industrial information and intellectual property through cyberespionage is “the greatest transfer of wealth in history.”

Cyberespionage has often only been publicly attributed to the APT (Advanced Persistent Threat), a generic naming convention for sophisticated attacks that are believed to be sponsored by foreign governments.  This week computer security firm Mandiant released a threat intelligence report that detailed the cyberespionage attributed to one specific APT group (APT1, reportedly a division of China's People's Liberation Army) over the past seven years.  The report was based on the investigation of compromises at 141 companies across 20 industries that included the theft of hundreds of terabytes of data containing blueprints, manufacturing processes, product development test results, business plans, and pricing documents, as well as the e-mails of company executives.  The industries that were targeted most often include information technology, aerospace, telecommunications, energy, transportation, manufacturing, engineering services, and high-tech electronics.  Notably, APT1's attack methodology usually begins with aggressive spear phishing to gain entry to a company's network before deploying their sophisticated "digital weapons" (Figure 15 of the report contains a spear-phishing e-mail APT1 sent to Mandiant employees that contained a malicious executable that would install a custom backdoor).

The release of Mandiant’s report follows recent disclosures by news organizations that they had been compromised by attackers from China.  Among the targets were “journalists who had written about Chinese leaders, political and legal issues in China and the telecom giants Huawei and ZTE.”   President Obama, who has declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation," issued a cybersecurity executive order shortly before his February 12, 2013 State of the Union address, which was designed as a start towards protecting the country’s critical infrastructure from these threats.  The executive order was followed by a February 20, 2013 release of the Administration Strategy on Mitigating the Theft of U.S. Trade Secrets, which was designed as a means for improved government coordination to protect against trade secret theft by foreign competitors of U.S. companies.

Because the attack methodology and motives behind cyberespionage are different than attacks designed to steal credit card data, companies need to spend time learning about the threat before designing their defenses.  The appendix to Mandiant’s report lists more than 3,000 indicators of APT1's arsenal of digital weapons, including domain names, IP addresses, encryption certificates and MD5 hashes of malware.   
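A published indicator list like the one in the report's appendix is only useful once it is matched against what your own network actually logged. The script below is an added example, not code from Mandiant, the report, or this blog: it takes a small, constructed indicator set (domains under the reserved example.com/example.net names, addresses from the 203.0.113.0/24 documentation range, and the MD5 of a made-up byte string, none of which are the real APT1 indicators) and runs it over a few constructed proxy log lines and a sample file. The log format, field positions and function names are assumptions for illustration; the normalization steps (case folding, trailing dots, subdomain matching) are the kind of thing that silently defeats a naive exact-match lookup.

```python
"""Matching a published indicator list against local logs.

Added example, not code from the Mandiant report or from this blog.
The indicators and log lines below are constructed for illustration
(example.com / example.net names and 203.0.113.0/24 documentation
addresses); they are NOT the real APT1 indicators, which in practice
would be loaded from the vendor's appendix files.
"""
import hashlib
import ipaddress
import re
from typing import List, Optional

# --- Constructed indicator list (hypothetical, not from the report) ---
IOC_DOMAINS = {"update.example.net", "mail-cdn.example.com"}
IOC_IPS = {"203.0.113.17", "203.0.113.42"}
# A made-up "sample" and its MD5, so the hash lookup is self-consistent.
SAMPLE_MALWARE_BYTES = b"MZ\x90\x00constructed-sample-not-real-malware"
IOC_MD5 = {hashlib.md5(SAMPLE_MALWARE_BYTES).hexdigest()}

# --- Constructed proxy log (hypothetical format: ts client method target status) ---
PROXY_LOG = """\
2013-02-19T10:01:02Z 10.0.0.5 GET http://UPDATE.example.net/x.gif 200
2013-02-19T10:02:11Z 10.0.0.7 GET http://www.example.org/index.html 200
2013-02-19T10:03:45Z 10.0.0.5 CONNECT 203.0.113.42:443 200
2013-02-19T10:04:01Z 10.0.0.9 GET http://a.update.example.net/beacon 200
"""

HOST_RE = re.compile(r"https?://([^/:\s]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_domain(host: str) -> str:
    """Lower-case and strip a trailing dot so 'UPDATE.example.net.' still matches."""
    return host.lower().rstrip(".")


def domain_matches(host: str, iocs: set) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Matching on the label boundary ('.' + ioc) avoids false positives such as
    'notupdate.example.net' matching 'update.example.net'.
    """
    h = normalize_domain(host)
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(log_text: str) -> List[dict]:
    """Return one hit per log line whose target touches an IOC domain or IP."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the whole scan
        target = fields[3]
        m = HOST_RE.search(target)
        host = m.group(1) if m else target.split(":")[0]  # CONNECT lines have host:port
        ioc = domain_matches(host, IOC_DOMAINS)
        if ioc:
            hits.append({"line": line, "type": "domain", "ioc": ioc})
            continue
        for ip in IP_RE.findall(target):
            try:
                ipaddress.ip_address(ip)  # reject things like 999.1.1.1
            except ValueError:
                continue
            if ip in IOC_IPS:
                hits.append({"line": line, "type": "ip", "ioc": ip})
    return hits


def check_file_hash(data: bytes) -> Optional[str]:
    """Return the MD5 hex digest if it is a known-bad hash, else None.

    MD5 is used here only because that is what the published list carries; it
    is a lookup key for a known sample, not an integrity guarantee, and any
    rebuilt or padded variant of the sample will not match.
    """
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in IOC_MD5 else None


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"{hit['type']:6} {hit['ioc']:22} {hit['line']}")
    print("sample file hash hit:", check_file_hash(SAMPLE_MALWARE_BYTES))
    print("benign file hash hit:", check_file_hash(b"benign content"))
```

Run against the constructed log it reports three hits (two domain matches, one of them a subdomain with mixed case, and one IP match on a CONNECT line) and a hash hit only for the constructed sample. The hash check is the weakest of the three: a known-bad MD5 identifies exactly one file, so domain and IP indicators, which persist across a campaign's many payloads, usually earn their keep first.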

Recorded Webinar: New Cybersecurity Executive Order

President Obama has declared that the "cyber threat is one of the most serious economic and national security challenges we face as a nation" and that "America's economic prosperity in the 21st century will depend on cybersecurity." In an increasingly interconnected and interdependent world, the threats posed by cyberterrorism, state sponsored industrial espionage or hacktivists such as Anonymous, are real and growing. President Obama's long-awaited cybersecurity executive order issued shortly before his State of the Union address on February 12, 2013, aims to confront these threats and challenges.

BakerHostetler and Kroll Advisory Solutions presented a webinar discussing the President's cybersecurity executive order and its anticipated impact on US businesses. Topics covered include:

  • Threats analysis – cyberterrorism, industrial espionage, hacktivists
  • Key features of the cybersecurity executive order
  • Potential impact on industry security standards
  • Dealing with regulatory aspects of the cybersecurity executive order

PANELISTS

Michael DuBose, Senior Managing Director, Kroll Advisory

Gerald J. Ferguson, Partner, BakerHostetler

Theodore J. Kobus III, Partner, BakerHostetler

Jason Straight, Managing Director, Kroll Advisory

Rockefeller Releases Results of Fortune 500 Survey on Cybersecurity

Back in September, I posted here about Senate Commerce Committee Chairman John D. Rockefeller’s (D-WV) letters to all FORTUNE 500 companies inquiring about business opposition to cybersecurity legislation.  This morning, Rockefeller released a report by his staff summarizing the gist of the roughly 300 responses he’s received to date.  The report does not mention any companies or executives by name, but, together with an illustrative table, quotes anonymously and selectively from the responses received.  Following is an overview of the report’s findings.

  • Over 80 of the Fortune 100 responded, with the rate falling off after that.  Staff views the overall response rate as a “very positive sign that America’s largest companies and top business executives are taking the issue of cybersecurity seriously.” 
  • All responses stated that they have developed cybersecurity practices to protect their infrastructure from cyber attacks, often based on legal compliance requirements.  Many companies rely on audit firms and sector-focused trade groups to benchmark and develop their practices.  Responses illustrated the federal government’s “ad hoc” approach to cybersecurity, involving sector-specific agencies and programs in the areas of chemicals, financial services, telecommunications and defense.
  • Staff's review found that opposition to the legislation by the US Chamber of Commerce and other groups was shared by some companies but not by many; overall, the private sector is supportive of passing cybersecurity legislation.  Many companies support an increased government role, a voluntary federal program, and increased information-sharing between the private sector and the government.  A variety of companies support greater cybersecurity R&D and workforce training.
  • Concerns raised about the legislation were about the specifics of the government’s role and what impact it would have on companies, such as whether voluntary requirements could become mandatory and would impact the ability to address cybersecurity issues in a flexible manner, or duplicate efforts already underway.  Another common concern was the need to adequately protect the confidentiality of information shared with the federal government during cyber threat assessments.  Companies in the financial and electric sectors expressed concern that existing regulatory relations would be disrupted.

It's clear from today's release and from the aspirational measure Rockefeller introduced with fellow Democratic Committee Chairmen last week, S. 21, the Cybersecurity and American Cyber Competitiveness Act of 2013, that he and his colleagues intend to pursue legislation this year.  It's quite unclear how or when that will happen.  Readers will recall that last year the Senate repeatedly failed to advance legislation, prompting the President to consider issuing an Executive Order.  While it's still quite early in the 113th Congress, the political calculus post-November seems to favor a continued stalemate:  Democrats gained only a couple of seats in the Senate, five votes short of a 60-vote, filibuster-proof majority.  Also, unlike certain other issues, the election was arguably hardly a referendum on, or an endorsement of, the Senate bill or the President's plan for cybersecurity.  Nonetheless, hope springs eternal on Capitol Hill, so we'll continue to stay abreast of developments.