Following a tumultuous stretch filled with high-profile data breaches at Target Corp., Sony Pictures Entertainment Inc., and most recently Anthem Inc., cybersecurity finally seems to be getting the federal attention it so desperately needs.
The projected increases for cybersecurity initiatives in the proposed 2016 federal budget and this week's U.S. Senate committee hearing regarding a proposed national data breach notification law highlight the growing recognition of cybersecurity issues -- and the need to combat cybersecurity threats effectively.
The proposed 2016 cybersecurity budget
As part of President Barack Obama's proposed 2016 $3.99 trillion budget released Monday, an all-time high of $14 billion is reserved to both strengthen U.S. cybersecurity defenses and "allow the government to more rapidly protect American citizens, systems and information from cyberthreats."
The budget also includes $480 million for the Department of Homeland Security to improve network security and run its Continuous Diagnostics and Mitigation program and the Einstein intrusion detection system, which analyzes and blocks potentially malicious incoming traffic.
A total of $227 million is budgeted to begin building a civilian cyber campus to "better share information on cyber threats and incidents with those being targeted, improve the ability to share evidence of cybercrimes with other nations, and maintain efforts to increase the nation's cyber workforce."
An additional $190 million is allotted to the National Nuclear Security Administration to invest in cybersecurity and to "maintain technological superiority."
The budget would also designate $105 million to expand the U.S. Digital Service, a group of public and private sector innovators, entrepreneurs and engineers launched in 2014 to help implement "cutting-edge digital and technology practices on the nation's highest impact programs."
President Obama also requested $38 million to improve the Agriculture Department's cybersecurity program, and $15 million for the FBI's "grants, training and technical assistance program that helps local law enforcement fight economic, high-technology and Internet crimes."
Separately, the Pentagon requested $5.5 billion in cybersecurity funding to address "significant vulnerabilities" to cyberattacks that "nearly every U.S. weapons program" had due to misconfigured, unpatched and outdated software.
While the general consensus around increased cybersecurity spending is favorable, SANS Institute's John Pescatore noted that, though it is a 10% increase over 2015's budget, there are a lot of "cats and dogs" in the fine print that get thrown under the "cybersecurity" header but have, in actuality, little to do with the problem at hand.
Data breach notification panel hearing
The Senate subcommittee on Consumer Protection, Product Safety, Insurance and Data Security in the 114th Congress held its first hearing yesterday on data security breach and notification legislation. The potential law may trump various state measures to create an overarching federal standard for preventing breaches and promptly notifying victims when breaches occur.
In his opening statement, Senator Jerry Moran, R-Kan., the subcommittee chairman, said that businesses today are "subjected to a patchwork of over 50 different state/district/territory laws that determine how businesses must notify consumers in the event of a breach."
Moran discussed the importance of a law that would outline both the timeliness of notification to affected consumers and how personally identifiable information should be defined.
"Data security is an increasingly important topic to Americans," said Moran. "In light of recent data breaches, consumers and companies have called for policy changes in this area. This hearing will help the Committee gain a better understanding of how to develop a clear and consistent national data breach notification standard that will help both companies and consumers when they face data security challenges."
The panel included testimony from Symantec Corp. Vice President Cheri McGuire, the National Retail Federation's Mallory Duncan, Brown University's Ravi Pendse, Information Technology Industry's Yael Weinman, American Bankers Association's Doug Johnson and Illinois Attorney General Lisa Madigan, who testified in favor of stronger data breach notification laws.
"Congress should seek to pass legislation that ensures notification of breaches that can harm Americans," Madigan said. "A weak national law that restricts what most state laws have long provided will not meet Americans' increasing and rightful expectation that they be informed when their information has been stolen."
The National Retail Federation released a statement today supporting the passage of a federal data breach notification law.
"It is time for Congress to step in to create a national, uniform standard for data moving in interstate commerce in order to ensure uniformity of a federal act's standards and the consistency of their application across jurisdictions," Duncan, senior vice president and general counsel of NRF, said. "A single, uniform national standard for notification of consumers affected by a breach of sensitive data would provide simplicity, clarity and certainty to both businesses and consumers alike."
Last month, the White House released its own data breach notification legislative proposal.
In other news
- Executive Chairman of RSA and Executive Vice President of EMC Corp. Art Coviello announced Tuesday he would retire Feb. 28 due to personal health issues. Amit Yoran will assume Coviello's duties while maintaining his current position as RSA president; Coviello will stay on as a strategic advisor to Yoran for a transitional period. Coviello said, "As I retire, I do so with the confidence that RSA is well positioned for even greater success in the future and in good hands with Amit Yoran as president. Now is the right time for me to step down to focus on addressing health concerns that have recently emerged and to be with my family."
- Adobe Systems Inc. released yet another out-of-band update this week to address a critical vulnerability in its Flash Player, which could potentially allow an attacker to take control of the affected system. AOSV15-04 addresses 18 critical vulnerabilities affecting Flash on all platforms. This includes the patch for CVE-2015-0313, which was disclosed on Monday. Adobe urges users to update to version 188.8.131.525.
- Security firm Taia Global Inc. released a report Wednesday which alleges Russian hackers infiltrated Sony Pictures' network at the same time as Guardians of the Peace reportedly hacked it. Taia Global President Jeffrey Carr has been in contact with Russian hacker "Yama Tough," who said he has connected with one of the Russian hackers involved in the breach. Evidence obtained by Yama Tough includes spreadsheets and emails that were not part of the original Sony data dumps in December. According to Taia Global's report, Russian hackers and North Korean hackers either ran simultaneous attacks, or North Korea in fact had no involvement and the entire breach was completed by different hackers, at least one of them being Russian.
- In additional Sony Pictures news, co-chair Amy Pascal announced yesterday that she will step down in May to start a production company backed by Sony. Pascal, who has run the company for nearly a decade, said in a statement, "I have spent almost my entire professional life at Sony Pictures and I am energized to be starting this new chapter based at the company I call home. I have always wanted to be a producer." According to the Wall Street Journal, Pascal's contract was expiring this spring. Pascal's boss, Chief Executive Michael Lynton, reportedly did not ask Pascal to step down; it is currently unclear who will be Pascal's successor.