Lance Bellers - Fotolia
News that President Barack Obama's emails were accessed during a system hack last fall broke shortly after two cybersecurity threat information-sharing bills were passed by the House of Representatives.
Within that same timeframe, a poll on the government's role in cybersecurity prevention was released. Yet, while respondents believe cybersecurity prevention should be a top priority for Congress, not everyone is on board with the cybersecurity bills awaiting Senate approval.
Obama emails hacked
The New York Times reported Saturday that senior American officials briefed on the investigation confirmed hackers who infiltrated an unclassified White House network last October through a State Department system did not access messages from Obama's BlackBerry, nor did they hack into his email account. They did, however, gain access to the email accounts of people with whom Obama communicated with.
The officials did not indicate how many emails were accessed, nor did they discuss the contents of the correspondence. Last month it was revealed that hackers got into the system after an alleged phishing scam; the attack has been referred to by officials as "among the most sophisticated attacks launched against U.S. government systems."
Breach detection of government system takes weeks
The Times article was published just two days before a new report from Meritalk was released which revealed government cybersecurity professionals estimate cyberthreats exist on their networks for an average of 16 days before detection.
The hackers responsible for the White House breach in October, however, reportedly "owned" the State Department system for months; some speculate the hackers still have access to the network.
Meritalk researchers also found 86% of the 302 government cybersecurity professionals polled believe big data analytics could improve cybersecurity efforts, yet only 28% reported using big data for security purposes.
Two bills pass the House
Congress is aiming to increase the number of organizations using big data, with the House's approval of two cybersecurity bills.
On April 22, H.R. 1560, the Protecting Cyber Networks Act (PCNA), was passed by a vote of 301 to 116. The next day, the House passed H.R. 1731, the National Cybersecurity Protection Advancement Act (NCPA), by a vote of 355 to 63.
An ISACA report comparing the legislation highlights "one of the key differences in the bills is that the NCPA Act only authorizes sharing with the Department of Homeland Security while the PCNA provides companies the flexibility to choose to share cyberthreat indicators or defensive measures with a number of different government agencies."
The Senate is working on a similar bill, S. 754 the Cybersecurity Information Sharing Act of 2015. It is unknown when this bill will come to a vote.
Concerns over government cybersecurity legislation
While 40% of the registered voters surveyed in a Morning Consult poll believe cyberattack prevention should be the top technology issue for Congress, others are raising concerns about the bills.
Numerous websites are highlighting the potential privacy issues with PCNA, NCPA and CISA, as well as two other proposed cybersecurity threat sharing bills, the Cyber Intelligence and Protection Act (CISPA) and the Cyber Threat Sharing Act (CTSA). Neither CISPA nor CTSA have been approved by the House or Senate.
However, a separate Morning Consult poll of 1,245 registered voters published in March found 43% of respondents believe the Federal government should be responsible for detecting and preventing cyberattacks. These bills, Congress claims, can help achieve this.
Others have questioned the clarity of the bills. A letter addressed to Congress that was signed by 55 civil liberties groups, security experts and academics opposes the PCNA. Security expert Bruce Schneier and RSA algorithm creator Ron Rivest have attached their name to the letter, which cites the 'vaguely defined' language of the bill.
The ISACA report reiterates this concern. For example, the report cites the use of "reasonable efforts" in both the PCNA and NCPA (The PCNA says companies are "required to implement appropriate security controls and to take reasonable efforts to assess and remove, as necessary, any personal information reasonably believed to be unrelated to the threat." The NCPA says "Entities must make reasonable efforts to remove information that can be used to identify specific persons unless they are related to a cybersecurity risk or incident identified at the time of sharing."). However, ISACA notes, "Neither House bill defines 'reasonable efforts,' thus, it is unclear what legal standard will be used in cases where personal identification information is shared."
The ISACA report does, however, try to calm many fears regarding privacy concerns. For example, the NCPA states shared data cannot be used for law enforcement or surveillance purposes, and that personally identifiable information must be removed before sharing cyberthreat indicators. The PCNA similarly says personal information not related to the threat must be removed.
In other news
- A report released last week from NSFOCUS correlated the growth of distributed denial-of-service (DDoS) attacks with the proliferation of the Internet of Things. In its bi-annual "DDoS Threat Report," the Santa Clara, Calif.-based DDoS mitigation provider explained the Simple Service Discovery Protocol (SSDP) emerged as a favorable attack vector. "These attacks use smart devices (routers, webcams, etc.)," the report reads, "and amplify the attack bandwidth by as much as 75 times … Globally more than 7 million SSDP devices could be exploited to launch DDoS attacks." To prevent it from becoming an even more widespread issue, "end users, carriers and security vendors must work together on different levels to ensure security and the reliability of services."
- In an effort to prevent users from falling victim to phishing attacks, Google announced Wednesday on its blog the launch of a new Chrome extension called Password Alert that warns users when they type their Google password into a site that isn't a Google sign-in page. The free, open-source extension, which protects both Google and Google Apps for Work Accounts, "remembers a 'scrambled' version of your Google Account password" only for "security purposes" and doesn't share it with anyone. If a user types his or her password into another site, an alert will pop up that they are at risk of being phished. Not everyone is onboard with the extension. However, less than 24 hours after Google's release, a researcher found a way to bypass it using a few lines of code. Google Security Engineer Drew Hintz since reported that Password Alert has been updated to version 1.4 to prevent the bypass from being successful.
- The "Netwrix 2015 State of IT Changes Survey" revealed 70% of IT pros make undocumented changes on their networks, potentially putting their systems at risk of both downtime and security violations. This is an increase from 57% in 2014. The survey, which polled more than 700 IT pros across more than 40 industries, highlighted the current state of change management controls and documentation -- or lack thereof. The number of large enterprises whose workers "forgot" to document changes increased more than 20% over 2014 to 66%. Despite the grim outlook, the report had a silver lining: The number of small companies documenting changes despite the lack of change management controls increased from 30% in 2014 to 58% this year. The total number of enterprises that have implemented change-auditing mechanisms also increased from 52% last year to 75%.
From RSA 2015: Government cybersecurity experts are calling for better information sharing