The Long Road to Securing America's Digital Infrastructure

As the US pioneered the Internet, so too the country is pioneering this ever changing information age. With this effort comes a responsibility for all organizations, both private and public, in all industries to protect client and consumer information. On January 12, 2015 President Obama spoke to the nation from the Federal Trade Commission (FTC) office outlining a robust plan with the overall goal to protect American consumers, youth, companies and ultimately the American economy. These measures fall in-line with improvement of America’s overall cyber security posture.

Currently, the approach to protect consumer’s information in the information age has been addressed on a state-by-state basis creating a fragmented and likely irregular approaches. Most notably California has led the charge with unprecedented legislation facilitated by Student Online Personal Information Act (SOPIPA) back on September 29, 2014 and the California Bill AB1149, which influences organization’s incident response and measures to protect consumers in the event of a data breach. In recognizing the need for a uniform and collaborative approach, President Obama outlined five fundamental principles driving the new legislation at the federal level. Initially, some thought the primary focus would be on protection of student data; however, these fundamental principles show President Obama’s push for an overarching improvement to America’s cyber security posture across all industries, both public and private.

Initial pushes were seen through Executive Order 13636 in February 2013 and in response the National Institute of Standards and Technology (NIST) released a Cyber Security Framework (CSF) in February 2014. This program and the message delivered last week by President Obama in his 2015 State of the Union address sheds light that this truly is a pioneering effort. Comparisons are being drawn to US Civil Rights as the US begins to establish whose responsibility it is to protect the people’s rights and freedoms in the information age.

Below are some examples of how the US Government and private organizations are working towards securing America’s digital infrastructure.

  • Providing legislation at the federal level will create a more uniform approach to cyber security and protecting consumer information. The Personal Data Notification & Protection Act adopts some concepts from the previously mentioned California bill in that it focuses on incident response and goes at length to close loopholes around criminals selling stolen information domestically and abroad. Ultimately this will look to apply criminal prosecution to such fraudulent activities, allowing the US to go after criminals abroad. The new act discusses an obligation of companies to notify consumers when their personal information has been compromised within 30 days from the discovery of the breach. Within cyber security monitoring and logging, the mean time to detection is crucial to identifying breaches as soon as possible, to limit the exposure and scope of the breach. The common phrase of “it’s when, not if” carries some weight here, with evident influence in building appropriate incident response policies and procedures.

  • Financial institutions such as JPMorganChase are beginning to adopt a policies to reduce mean time to detection and to put some of the power back in the consumer’s hands by providing free credit score checks. This serves as a means to early detection of malicious activities of which could significantly impact the consumer’s financial wellbeing.

  • Included within proposed legislation is the Consumer Privacy Bill of Rights. Initially released back in 2012, the bill has been redrafted and the plan is to deliver the revised legislation to Congress within the next 45 days. Private sectors and advocacy groups were included on the discussion to determine appropriate definition and understanding of what consumer information companies collect and how it is used. There is also a degree of transparency that is outlined so consumers are aware of what is happening to their information behind the scenes.

  • The Voluntary Code of Conduct (VCC) is primarily focused on the US energy sector and has backing from the Department of Energy and Federal Smart Grid Task Force. For organizations pursuing compliance of the North America Eclectic Reliability Corporation – Critical Infrastructure Protection (NERC-CIP), rest assured these efforts will likely see increased legislation backing the effort for compliance. Overall the code looks to promote the protection of Smart Grid customer’s energy usage as well as the overall security of the US energy sector.

  • Now for the education piece to protect America’s youth. In an age where the younger generations are collaborating and leveraging technology more every day, details of their lives and personal information are becoming ever exposed to potential breaches and misuses. Obama made it clear that the goal of the Student Information Privacy Act aims to keep all student data collected in the classroom or through other technologies for education purposes only. This is a shift away from a concept commonly seen in today’s big data technology and media of targeted advertisement. Targeted advertisement in the education sector occurs when student data is leveraged by organizations to create a profile for that individual which is used to cater advertisement based on the individual’s habits and lifestyle for profit or other beneficial gains for the organization. Another concern is the selling of the student’s information for profit, which the act looks to deter as well. The US Department of Education is fully on board by providing tools and guidance for schools to implement programs that better protect their students.

    Support is growing for initiative as 75 companies have signed a student privacy pledge, including the likes of Apple, Microsoft….but we are missing a big one here. What’s the deal with Google not signing on? Google has invested a great deal in leveraging consumer data through the use of their suites and apps, most notably the Google Apps for Education. With nearly 40 million users, Google’s Apps along with many other organizations could see significant impact should this new legislation make it through Congress. Google has come out to say its contracts and policies are in place to protect student privacy. Still, not having the immensely influential technology behemoth on board with the pledge is something that will no doubt attract much attention and scrutiny as this unfolds.

As America has been at the forefront of pioneering technology and with the responsibility and potential cyber target that is associated with this, we are beginning to see a trend to improve America’s overall cyber security posture. Although President Obama reiterated multiple times that the new legislation will still facilitate on going enhancements and innovation, many skeptics are worried that this may cause some hindrance to innovate and use technology.

One undeniable fact is true, that in protecting consumer or student information on the Internet, programs and regulations promote organizations across all US industries to implement more sound practices and cyber security controls. As a result the overall wellbeing of the US economy should no doubt be impacted for the better. It will be interesting to see how this unfolds and what path the US will take as the country continues to pioneer forward in the information age.

Until next time,

Bob Swanson – Compliance Engineer, LogRhythm Labs