A breaking development in the EU is creating ripples that could grow into a global tsunami. A European Court of Justice opinion highlights the pending impact for any global organization that processes EU personal information outside of the EU.
RSA chief Art Coviello had a lot to cover at his RSA Conference keynote this week. In fact, he had so much to say that he tossed out his original talk and got straight to the point: his organization’s involvement with the NSA, the urgency of the cyber threat landscape, and how we should all be doing much, much more to collaborate as a security community.
Coviello tackled the first issue head-on, denying the allegations that his company took $10 million from the NSA to build a backdoor into its software and noting that their joint projects were never secret. He says that, like other commercial organizations that work with the government, RSA used the (flawed) encryption algorithm that had been named in order to meet its certification requirements, then removed it when NIST said it should. He also spent a few minutes discussing the dual nature of the NSA—the difference between its two purposes of intelligence gathering (offense) and information security (defense)—and reiterated a call to separate the two into different agencies.
The National Cyber Security Alliance has deemed today Data Privacy Day, and there probably isn’t anyone with a phone or an internet connection who hasn’t become deeply concerned about this issue in recent months. Guidance Software customers and our fellow information security professionals work in some of the most well-defended organizations on the planet, and we have learned a lot from collaborating with them on security in the age of assumed compromise—since the barbarians have breached the gate.
So although I’m certain that everyone reading this blog post knows far more about data security than the average citizen, I do have some recommendations. To begin with, the chief information security officer (CISO) at one of our customers, a global auto manufacturer, added a very important new facet to his internal data security training program.
The revelations late last year on the extent to which the National Security Agency (NSA) has encroached upon both corporate and citizens’ information have rapidly had an impact on everything from lost (and massive) technology deals with foreign customers to common information security (InfoSec) practices in the enterprise. This morning, President Obama addressed the media and the nation in a speech about the NSA program that gathers the private phone records of billions of Americans. Saying that he had not seen any indication of abuses of the program, he admitted that he recognized the potential for abuse and is requesting reforms to address these concerns.
The president announced the call for a “new approach” to phone-records collection, saying also that he is “ordering a transition that will end the…bulk metadata program as it currently exists” and establish a new mechanism that equips the NSA with the intelligence capabilities they need without the requirement to store what might be called “big metadata.” “This will not be simple,” President Obama noted, and said that a decision will need to be made on which entity will store the data and under which conditions the database can be queried. These are meaningful promises about important first steps that should be taken.
Once again on my long and arduous morning commute the radio brought me a news story that prompted me to write. There was an NPR news story, and oddly enough I can't find a reference to it anywhere, about how many mobile phone apps borrow, steal, or leak your privacy info. My initial thought was 'hey, big software companies that attempt to understand issues of privacy have a tough time with this. It must be a serious problem when it comes to a boutique firm or garage programmer that doesn't care about anything other than getting their app to work and to market.'
I thought it was a well-understood security principle: trust, but verify. Maybe it is, and the PHBs are simply out-voting the security crowd and the voice of reason. At the end of the day, when you don't know what is out in the cloud and have limited to no controls to act if you did know, your data is seriously at risk.
Of course, an equally well-known security principle states that a valid response to risk is to accept it. I would sincerely hope that the businesses that have my data aren't doing this. Who am I kidding? I know they are. As if I only do business with the 20% crowd... I can only dream of the day.
The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications. I've heard claims that all three branches of government had oversight into the process. It struck me that there is a major problem with that claim. They were all sworn to secrecy and operating behind closed doors. No transparency; just a tacit statement that we only look at the facts relevant to the bad stuff. OK, so how are they related?