The White House this week released a plan to stop state sponsored hacking, like the one uncovered by Mandiant this week, through the use of diplomatic pressure. The 72 page report details the measures that the White House is willing to use as leverage. The strategy stops short of threatening economic or other types of sanctions.
No word yet from the hackers on whether they will lay down their compilers. A more likely response will be that they install malware into the PDF of the report. Sorry if you already clicked the link. I can picture the hackers learning to say "Diplomatic Immunity" a la Lethal Weapon 2.
Showing posts with label Obama. Show all posts
Showing posts with label Obama. Show all posts
Friday, February 22, 2013
Tuesday, June 5, 2012
Obama ordered Stuxnet
According to an upcoming book by New York Times chief Washington correspondent, David Sanger, it was Obama who ordered the Stuxnet attack against Iran's nuclear program.
This isn't really a surprise, since most people believed the US to be behind the attack, but it does continue Obama's M.O. of preferring special forces over direct and prolonged engagements.
If true, the real motivation for the attack was to prevent further escalation of a conflict. Had the virus not been discovered, perhaps the belief was that Iran would have assumed that the failures were accidental or that the virus wasn't targeted. After all, the world had never seen such a directed cyber attack before.
This isn't really a surprise, since most people believed the US to be behind the attack, but it does continue Obama's M.O. of preferring special forces over direct and prolonged engagements.
If true, the real motivation for the attack was to prevent further escalation of a conflict. Had the virus not been discovered, perhaps the belief was that Iran would have assumed that the failures were accidental or that the virus wasn't targeted. After all, the world had never seen such a directed cyber attack before.
Thursday, February 23, 2012
Obama proposes Privacy Bill of Rights
Today, the White House released it's proposal for a Privacy Bill of Rights. The press release is entitled "We Can't Wait". Sound familiar? It's because John Kerry and John McCain proposed this last summer.
Obama's proposal goes much further in terms of scope. The proposal includes several key principles:
1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control,companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.
Obama's proposal goes much further in terms of scope. The proposal includes several key principles:
1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control,companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.
Thursday, July 21, 2011
Barack Obama's Audacity of Hack, Chapter One
In May, the White House released a comprehensive proposal for a number of CyberSecurity measures. Unlike most of the other legislation proposed that focuses on Data Breaches or Do-Not Track. The White House proposal has 6 different sections that include changes to Homeland Security CyberSecurity as well as coordination of CyberSecurity between agencies.
- Data Breach Notifications
- Homeland Security CyberSecurity Authority and Information Sharing
- CyberSecurity Regulatory Framework for Covered Critical Infrastructure
- Coordination of Federal Information Security Policy
- Personnel Authorities Related to CyberSecurity Positions
- Preventing Restrictions on Data Center Locations
At 52 pages, the entire proposal is very dense, which makes me think this could be a sequel to Obama’s second book, the Audacity of Hope. The proposal, which I’ve nicknamed the Audacity of Hack, is interesting at points and surprising at others. I still think it is very "hopeful" to think that any of this legislation will passed this year, but hopefully there will be some progress. This will be a multi-part series looking at the proposal.
The first thing that strikes me is how different all the data breach proposals are. The White House may well be the most conservative of all the proposals.
The average max penalty for a data breach for the House of Representatives proposals is $3.8 million. The average max penalty for a data breach for the Senate is nearly double that at $7.2 million. The senate is also much higher for the daily average penalty at $12,333 versus $7,333 for the house.
Subscribe to:
Comments (Atom)