The European Commission has announced a plan to rally a wide variety of resources to address the increasing involvement of criminal elements in cyberattacks and the failure of European companies to seriously appreciate and address the cybersecurity issues.
"In the past hackers were motivated by a desire to show off, whereas today many threats come from criminal activities and are motivated by profit. What we need is a renewed strategy based on dialogue, partnership and empowerment," said EC Information Society and Media Commissioner Viviane Reding.
According to the plan, the European Network and Information Security Agency (ENISA) will play a leading role. ENISA, located in Greece, would work with industry to lead efforts to develop appropriate policies and frameworks for handling cybersecurity and information-misuse incidents within the 25-member EU. The EU attributes most problems to a lack of awareness of the security risks of digital information technologies and to the inability of organizations, usually smaller ones, to understand and implement even basic information-protection mechanisms. According to the EC, companies spend on average only 5 to 13 percent of their information technology budget on security measures. Although it is difficult to establish a benchmark for what counts as adequate, due-diligence spending, a range of 5 to 13 percent is inadequate.
A comment on Slashdot made me think: in the same way that FEMA became the subject of late-night jokes and lasting mistrust after Katrina, would the Social Security Administration lose control of what it intended to be just a benefits number if something big were to happen to a large number of SSNs?
One of these days some government employee is going to run an errand with a laptop in his car and a lucky car thief will drive off with every single name and Social Security number in the country. You could fit them all on a USB thumb drive. And they could be all over the Internet within hours. It would be game over for Social Security numbers and the rickety infrastructure that has been built on top of them. It’s only a matter of time before this happens. It might not be in a single theft as I described, but smaller thefts will eventually add up to the point where everyone’s SSN has been compromised, and someone is going to compile them and make them widely available.
Can you have both good external security and internal data security policies? According to the people behind the Payment Card Industry (PCI) Data Security Standard, who are about to release a new version of the standard, it is better to create good external controls, such as broader vulnerability scans, than to have strong data-protection rules. The new standard, due this summer, will relax the requirement that stored data be made unreadable and will instead let companies replace encryption with other types of security technology, such as additional firewalls and access controls.
Although there are legitimate reasons for avoiding encryption in some situations, such as older payment systems not built to support scrambling technology, the problem lies in the premise that external protection is all it takes to protect sensitive data. No matter how sophisticated firewalls, access controls, and server applications become, new vulnerabilities will inevitably be disclosed, and computer criminals will be able to penetrate external protection that may have been 100% effective the day before the vulnerability became public.
In light of the new guidelines, the PCI standard should be treated as a minimum baseline, not as the recommended optimal configuration for protecting payment data. Far too often we hear about personal or financial information being stolen, often from unencrypted storage media, and the new PCI guidelines do not seem to address this problem.
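The argument above is about what a thief gets from a copy of the data store once the perimeter fails. The following is an added example, not code from this post or from the PCI Security Standards Council, that contrasts the two designs: an order table that relies on firewalls and access controls and holds the card number (PAN) in clear, versus one that stores only a random index token plus a truncated PAN, with the token-to-PAN mapping kept in a separate vault. The order table layout, the `TokenVault` class and the `compare_designs` helper are my own assumptions; the card numbers are constructed industry test values.

```python
"""Keeping the full card number (PAN) out of the application's data store.

Added example; assumes a web-shop order table (the thing usually copied in a
breach) and a separate, tightly restricted token vault.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Candidate PANs in a dump: 13-19 digit runs, then confirmed with a Luhn check.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum, used to validate input and to spot PANs in dumps."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncation: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Token -> PAN mapping that lives on a separate, access-restricted system.

    Tokens are random, so a token reveals nothing about the PAN. A keyed HMAC
    of the PAN lets a repeat customer map to the same token without storing a
    plain hash that could be brute-forced over the small PAN space.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._key = lookup_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_digest: dict[str, str] = {}

    def _digest(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        digest = self._digest(pan)
        token = self._token_by_digest.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_digest[digest] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path, never the shop front end, calls this."""
        return self._pan_by_token[token]


def order_dump(records: list[tuple[str, str]]) -> str:
    """Serialize the order table the way a bulk copy of it would look."""
    return "\n".join(f"{order_id},{card_field}" for order_id, card_field in records)


def exposed_pans(dump: str) -> list[str]:
    """What a thief learns from a copy of the store: every valid PAN in it."""
    return [m for m in PAN_RE.findall(dump) if luhn_valid(m)]


def compare_designs(pans: list[str]) -> tuple[str, str]:
    """Build the same order table both ways and return (plaintext, tokenized) dumps.

    The perimeter-only design stores the PAN in clear; the unreadable-at-rest
    design stores a token plus a truncated PAN, so a copied table is useless.
    """
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    plain_records, token_records = [], []
    for n, pan in enumerate(pans, start=1):
        order_id = f"order-{n:04d}"
        plain_records.append((order_id, pan))
        token_records.append((order_id, f"{vault.tokenize(pan)} {mask_pan(pan)}"))
    return order_dump(plain_records), order_dump(token_records)


# Constructed sample input: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "4111111111111111"]

if __name__ == "__main__":
    plain, tokenized = compare_designs(SAMPLE_PANS)
    print("perimeter-only store leaks:", exposed_pans(plain))
    print("unreadable-at-rest store leaks:", exposed_pans(tokenized))
```

Running the script shows three full PANs recoverable from the plaintext dump and none from the tokenized one. The vault is the part that still needs strong protection, but it is a far smaller and more tightly controlled target than every order record in the shop, which is the point the relaxed guideline misses.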