Debunking the Myths of Cloud Computing: Cloud Computing Is not Secure

Cloud computing myth #1: “It isn’t secure”

In fact, cloud computing can deliver greater security at lower cost. As the Obama Administration recently said, “Cloud computing can reduce costs, increase security, and help the government take advantage of the latest private-sector innovations.” So why does the myth persist?

In cloud computing, a provider houses and processes the data outside of the facilities and administrative control of the enterprise that owns it. Contractual arrangements and guarantees have to substitute for institutional security measures. This puts a premium on the proper selection of the cloud provider, and that can be scary.

But finding the right cloud provider doesn’t create inherently greater security risks. In fact, storing and processing data in the cloud can increase information security, reduce risks of unauthorized access, and save information security resources.

It is true that storing information in a central place creates a greater incentive for attackers: Willie Sutton robbed banks because that’s where the money was. The more money in the bank vault, the more interested Willie would be. The same is true of information gold: large concentrations of valuable information attract thieves.

But precisely for that reason providers of large data centers take extra precautions. For private clouds, there is really no difference between a large amount of data stored on premises and the same amount stored in a remote facility. They both have to be protected and the safeguards are largely the same. In a public cloud where data from several customers are combined in the same facility, special administrative and physical controls are used to provide adequate protection.

The advantage of centralized data storage is economies of scale, as Darrell West pointed out at a recent Brookings Institution event on cybersecurity. The combined nature of computing resources in the cloud enables providers to enhance such key security techniques as prediction and detection of threats, and to provide for quick remediation through streamlined installation of solutions. A small company cannot afford to hire the best security experts or keep up with the latest and most expensive control technology. But a large data center can. For this reason, cloud storage for smaller companies is more secure than local storage.

There’s no question that providers of multi-tenant cloud architectures must take special precautions. But that is true in many industries. To meet the special needs of the payment card industry, the card networks developed the Payment Card Industry Data Security Standard (PCI DSS), which put in place specific requirements for those who store, process or transmit cardholder data. The same can take place in the cloud industry pursuant to a variety of information security initiatives.

Some have thought that special security needs for an industry should mean special security laws for that industry. But that is a mistake. The payment card industry developed PCI DSS autonomously, with no involvement of regulators or legislators. Moreover, regulators should not be mandating specific standards, because doing so can freeze innovation where it is needed most: in developing new techniques to protect data. For this reason, special security laws applicable only to the cloud environment are not necessary.

Can the cloud be new and scary from the point of view of information security? Yes. But it is important to locate the true source of the fears. It is not an intrinsic riskiness of the cloud environment. The cloud is as safe as or safer than on-premises computing. The real concern should be finding the right provider who can deliver the increased security that the cloud makes possible. The industry needs to develop mechanisms that can help cloud customers make this decision with a greater sense of confidence.

Busy week in Washington: Cybersecurity, Privacy, Patent Reform – and ICANN

Cybersecurity / Data Security

The top news on the data security front is the upcoming Commerce Sbcmte. legislative hearing on Data Security/Data Breach scheduled for Wednesday morning. Earlier this week, Chairwoman Bono Mack (R-CA) released a discussion draft of the legislation, and a memo summarizing key differences from the legislation that passed the House in the 111th Congress.

On the Administration cyber front, the Dept. of Commerce last week released a report entitled, “Cybersecurity, Innovation and the Internet Economy.” SIIA issued a statement in support of the effort to more clearly define the line between “covered critical infrastructure” and the other parts of the Internet economy, and expressing our commitment to work with the Department to refine this definition.

Also out of the Administration last week, NIST held a workshop in conjunction with a NOI seeking feedback on a governance structure to advance their Trusted Identities in Cyberspace Initiative (NSTIC). More about that here.

Privacy

There are two noteworthy privacy bills in the works in the Senate. Sen. Franken (D-MN) is drafting a mobile privacy bill, and Sen. Pryor (D-AR) is expected to introduce a bill regarding children’s privacy online prior to the July 4th recess. While there may be a Senate Commerce Committee legislative hearing on the Kerry-McCain privacy legislation, the Commercial Privacy Bill of Rights Act (S. 799), as soon as next week, discussions are ongoing within the Committee regarding the official legislative vehicle for advancing Chairman Rockefeller’s (D-WV) priorities in this area, which also include a focus on “tracking” and children’s privacy.

Patent Reform

The House patent reform bill (H.R. 1249) is expected to be considered on the floor later this week. While support for the House bill is broad and bipartisan, budget issues and various amendments could cause the bill to be defeated or strip it of key elements, including the provision allowing the PTO to keep its user fees, and the “first to file” provision.

ICANN

ICANN is expected to vote on the new gTLD Applicant Guidebook on June 20. If the Guidebook is approved, the process for introducing hundreds of new gTLDs to the Internet will likely begin sometime next year. Also, the NTIA issued a Further Notice of Inquiry seeking comments on a Draft Statement of Work regarding the IANA functions (the contract for which currently is assigned to ICANN but is up for review). More about that here.

For SIIA policy updates including upcoming events, news and analysis, subscribe to SIIA’s weekly policy email newsletter, Digital Policy Roundup.

More Buzz on Privacy, Cybersecurity and the ATTAIN Act

Last week saw two noteworthy announcements on the privacy front. First, the House Commerce Committee announced its intention to conduct a comprehensive review of data security and electronic privacy. In the statement released last week, the Committee highlighted its immediate focus on data security, but also noted that later in the year it will turn to “broader electronic privacy concerns,” including mobile and web “tracking.” Chairwoman Mary Bono Mack (R-CA) will introduce draft data breach legislation in the near future, with the intention of quick Committee consideration. Additionally, Deputy Federal CTO Danny Weitzner confirmed last week that the Administration’s white paper will be released “later in the summer,” proposing a safe-harbor approach based on a broad set of information privacy principles.

On the cybersecurity front, new legislation was introduced in the House by Rep. John McCaul (R-TX). McCaul, who was tapped by Speaker Boehner at the beginning of the year to take the lead on this issue, introduced H.R. 2096 on Thursday, “legislation to advance cybersecurity research, development, and technical standards.” Meanwhile, key Senate staff continue to deliberate on their draft legislation and reconcile differences with the recent administration proposal.

And on the education technology front, this Thursday SIIA expects Senator Bingaman (D-NM) to reintroduce the Achievement Through Technology and Innovation (ATTAIN) Act. The ATTAIN Act has been championed by SIIA and a coalition of education and industry groups for several years to revamp the technology grant program in the No Child Left Behind Act, which is still up for reauthorization.

Also last week, SIIA submitted comments to the Federal Reserve Board in response to its proposed clarifications of warranties and liabilities in connection with electronically-created items (checks). In our comments, SIIA noted that efficiency-enhancing innovations rely on electronic processing of information that is only impeded by traditional requirements for paper origination and authentication.


Movement on privacy, IP, cybersecurity in Washington

ECPA/Privacy
Today Sen. Judiciary Committee Chairman Patrick Leahy (D-VT) introduced legislation to update the Electronic Communications Privacy Act (ECPA). In response, SIIA issued a statement applauding the Chairman’s leadership and characterizing this as a big step toward making sure that the information Americans store virtually in the cloud receives the same level of protection as the information stored in their homes. Given the broad coalition of supporters and interest expressed by House Judiciary Chair Lamar Smith (R-TX), this issue is expected to receive considerable attention in both the House and Senate in the months ahead.

Cybersecurity
Last Thursday the White House released its long-awaited cybersecurity legislative proposal to address cybersecurity threats to the Nation’s critical infrastructure. In response to the proposal, SIIA released a statement commending the commitment to a strong public-private partnership and pledging to continue working with Administration officials and Congressional leaders on this critical issue. As if this wasn’t enough to increase the attention on cybersecurity policy, the Administration followed up on Monday by announcing the U.S. International Strategy for Cyberspace, which provides the President’s “vision for the future of the Internet” and sets an “agenda for partnering with other nations and peoples to achieve that vision.” Importantly, the plan emphasizes adhering to commitments to freedom, privacy and the free flow of information.

Intellectual Property
Also last Thursday, Senate Judiciary Committee Chairman Leahy, ranking member Grassley, and Senator Hatch introduced “The Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act” (the PROTECT IP Act, S. 968), legislation to provide the government and rights holders with improved tools to help stop the use of websites to profit from piracy and counterfeiting of software, content and other intellectual property. SIIA issued a statement in support of the legislation, and urged Congress to make this issue a priority. The bill is on the agenda to be marked up at the Senate Judiciary Committee business meeting this Thursday.

On Sunday, the comment period for ICANN’s Draft Applicant Guidebook (6th version) closed. SIIA submitted comments urging ICANN to delay its vote on the DAG and address remaining concerns with the rights protection mechanisms and whois provisions. The ICANN Board will be meeting June 20 in Singapore to consider whether to approve the Guidebook at that time and open the process for new gTLD applications.


Data security and mobile privacy are front-burner in Washington

Congress has resumed and as expected, turned significant attention to several key technology issues. Data security and mobile privacy have emerged as front-burner privacy issues, with multiple hearings expected on the topics in the next couple of weeks. On mobile privacy, the Senate Commerce and Judiciary Committees are jockeying to take a lead on what is ultimately a split-jurisdiction issue. Sen. Al Franken’s (D-MN) Judiciary Sbcmte. on Privacy Technology and the Law has its hearing scheduled for May 10, while Commerce Cmte. Chairman Jay Rockefeller (D-WV) has announced his intention to hold a hearing but has yet to confirm the date. While the makers of mobile operating systems (notably Apple and Google) have received the most attention on this issue so far, heavy focus is likely to shift to the app developers who have been collecting most of the location data.

Similar to the recent focus on mobile privacy, the data breach attention is the result of a closer look at industry practices, with Sony’s recent PlayStation data breach in the spotlight. House Subcommittee on Commerce, Manufacturing and Trade Chairman Mary Bono Mack (R-CA) noted that the incident reinforced her “long-held belief that much more needs to be done to protect sensitive consumer information.” In announcing a hearing on the issue Wednesday, she also said she plans to introduce legislation soon to provide consumers with necessary additional safeguards.

Also this week, SIIA President Ken Wasch will be testifying before the U.S.-China Economic and Security Review Commission Hearing on IP Rights and Indigenous Innovation, and at the House Judiciary Sbcmte. hearing on ICANN gTLDs, Steve Metalitz will be testifying on behalf of SIIA and other members of the Coalition for Online Accountability. And on the West Coast, the California legislature will be holding the first state hearing on proposed “Do Not Track” legislation.

As the Administration works to complete its cybersecurity review of the Federal and critical information infrastructure, SIIA sent a letter to Administration officials last week urging a robust partnership between the government and private sector and making additional recommendations to help the government keep pace with the ever-evolving challenges of protecting the nation’s online systems, networks and data.

SIIA sends cybersecurity recommendations to Administration

As the Administration completes its review of the legislative proposals to improve the security of federal and critical information infrastructure, SIIA pushed for a robust partnership between the private sector and the government in a letter to officials today.

The Administration’s legislative recommendations on cybersecurity will be released shortly and are expected to provide impetus to the legislative process on the issue in Congress. Sens. Lieberman and Collins have reintroduced their cybersecurity bill, and it will likely be combined with a similar bill from Sens. Rockefeller and Snowe, with the possible outcome of a combined legislative vehicle on the part of Senate Majority Leader Reid.

SIIA’s letter features six recommendations that would help the government keep pace with the ever-evolving challenges of protecting the nation’s online systems, networks and data. Here are the recommendations:

Public Private Partnership

The private sector is on the frontlines of active security defense for our nation’s critical infrastructure since the majority is owned, operated, and maintained by industry. Therefore, a robust partnership between the public and private sectors is vital. Government should collaborate with industry to develop reasonable security practices and find technology solutions that ensure our nation’s security.

Risk-Based Security

No set of precautions can ensure absolute security. Reasonable cybersecurity measures must address threats based on the importance of the networks and systems involved and the nature of the threat they face. For this reason, government should address risks to systems and networks that are part of our nation’s critical infrastructure differently from its approach to risks to systems and networks that are not part of our critical infrastructure. To ensure predictability and transparency for the private-sector companies that manage these systems and networks, government should provide a clear, public and consistent boundary between critical and non-critical infrastructure. Further, critical infrastructure should be narrowly defined to include only the systems and networks of the utmost importance to national security.

Layered Security

Experts regard a layered approach to security as the best practice. Security in depth minimizes the chances that any single point of failure will result in the leak of information or the compromise of a system. Elements of a layered approach to security include protection at the data/document level, the application and OS levels, and finally at the network/perimeter level. Government should adopt layered security for its own use, and encourage its adoption by the private sector through voluntary means.

International Coordination

Security threats are global. Adequate countermeasures can be developed only through global cooperation among governments and industry. For this reason, government and the private sector should cooperate to establish, maintain, and upgrade internationally accepted security standards. In particular, government should look to the Common Criteria to ensure that technology products exhibit security. For supply chain requirements, governments should adhere to public, internationally accepted standards which are audited pursuant to international standards.

Security Incentives

Strong market incentives already exist within the marketplace to promote increased innovation within the constantly evolving cybersecurity landscape. To the extent that government and the private sector agree that the needed level of security goes beyond that for which a business case can be made, government should provide incentives such as confidentiality, liability protection, and tax incentives that lead the private sector to implement desired security measures. The government should not mandate specific measures that need to be adopted by the private sector. Specific mandates generally do not adapt with the changing threat and technology landscape, potentially becoming a hindrance to security advancement later on.

Innovation

Cybersecurity is a dynamic and evolving field that must respond to the rapidly changing, innovative nature of the information technology sector itself. For that reason, government should provide resources, support, and guidance for research and development in this field and use its role as a convener to encourage multi-stakeholder cooperation and information sharing.

Patent, privacy and cybersecurity loom during slow week in Washington

It’s a relatively slow week for technology policy in Washington, with Congress out for the second week of its Easter recess. But much activity is looming in the weeks ahead. Already on the calendar are a House Judiciary Subcommittee hearing on ICANN’s proposed generic top level domain (gTLD) rollout, and the first hearing of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, on mobile technology and privacy, on May 10th. Also next week, SIIA President Ken Wasch will be testifying before the U.S.-China Economic and Security Review Commission Hearing on IP Rights and Indigenous Innovation.

Looking further down the road in May, patent reform, privacy and cybersecurity legislation is expected to be front-and-center, among a wide range of other key tech issues. Indications are still that the Administration will release its long-awaited recommendations on cybersecurity in early May, possibly including the draft legislative recommendations that have been circulated. Stay tuned!
