Proposed data breach legislation could put executives in jail

Democratic senators have re-introduced the Data Security and Breach Notification Act that proposes severe consequences for enterprise executives, including jail time, for failing to notify consumers of a breach.

The proposed data breach legislation would make the willful concealment of a breach a crime that is punishable by up to five years in prison. The bill also states that a “covered entity” must provide notification to users or customers within 30 days of the discovery of the breach unless a U.S. federal law enforcement or intelligence agency exempts the entity from informing the public. The data breach legislation also provides some wiggle room for the notification deadline in order for enterprises “to accurately identify affected consumers; to prevent further breach or unauthorized disclosures; or to reasonably restore the integrity of the data system,” according to the bill.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Sen. Bill Nelson (D-FL), who sponsored the bill, in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

Nelson’s statement cited the 2016 Uber data breach, which was concealed by company officials and only recently made public. The breach exposed the names, email addresses and phone numbers for 57 million worldwide customers as well as the names and driver’s license numbers of 600,000 U.S. drivers.

Nelson first introduced the Data Security and Breach Notification Act in 2015 and introduced another version of the bill last year as well. The current version is co-sponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI).

The proposed data breach legislation includes a provision that requires the Federal Trade Commission to develop new information security standards for businesses to adhere to in order to prevent breaches.

A federal data breach law could potentially replace individual state laws such as California’s SB-46 data breach notification statute. Enterprises, however, would still have to contend with the data breach notification laws in other countries, which in some cases are much stricter. For example, the European Union’s General Data Protection Regulation will require companies to notify authorities of a data breach within 72 hours when the law goes into effect in May.

SAVE Act attempts to bolster election security

Two senators introduced a new election security bill with the aim of providing assistance to states in order to protect against cyberattacks on voting infrastructure.

The bipartisan bill — the Securing America’s Voting Equipment (SAVE) Act — was put forward by Senators Susan Collins (R-Maine) and Martin Heinrich (D-N.M.). The aim of the bill, according to Collins, is to “assist states in protecting the integrity of their voting systems.”

“Our bill seeks to facilitate the information sharing of the threats posed to state election systems by foreign adversaries, to provide guidance to states on how to protect their systems against nefarious activity and, for states who choose to do so, to allow them to access some federal grant money to implement best practices to protect their systems,” Collins said on the Senate floor.

Collins said that she knew of “no evidence to date that actual vote tabulations were manipulated in any state” during the 2016 U.S. election, but noted that the FBI and Department of Homeland Security (DHS) found 21 states had election systems probed by Russian hackers.

“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders. We must do everything we can to protect the security and integrity of our elections,” Sen. Heinrich said in a public statement. “The SAVE Act would ensure states are better equipped to develop solutions and respond to threats posed to election systems. Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable.”

Requirements of the SAVE Act

According to the announcement, the SAVE Act would require the Director of National Intelligence to grant a security clearance to the chief state election official — usually the secretary of state — and share all “appropriate classified information with those state officials to protect election systems from security threats.”

The SAVE Act would also classify state-run election systems as critical infrastructure and require the DHS to work with states to ensure election security.

Prior to the 2016 U.S. presidential election, the DHS offered to aid states with election security and Jeh Johnson, former secretary of Homeland Security, claimed 18 states had accepted that offer.

The SAVE Act would also call for the creation of the “Cooperative Hack the Election” program which would essentially be a bug bounty program for electronic voting systems.

The DEFCON team, which has offered to help election officials test voting equipment, did not respond to requests for comment at the time of this post.

Mike Pittenger, vice president of security strategy at Black Duck, said he thought a bug bounty program would help “build more secure voting machines, assuming the bounties are attractive,” but wanted more information on the SAVE Act.

“The other point to remember is that security is ephemeral. A secure application can become a ripe target overnight if a new vulnerability is disclosed and not remediated. We saw this with Equifax. How can we ensure that every device is updated?” Pittenger told SearchSecurity. “I do worry about designating this as critical infrastructure, however, if it requires that all states and local governments use electronic voting, even if a variety of choices are available.”

At the DEFCON conference in July, Barbara Simons, former president of the Association for Computing Machinery and president of Verified Voting, a non-partisan, non-profit organization that promotes laws and regulations supporting accurate, transparent and verifiable elections, said risk-limiting audits are an essential part of confirming election results. Such audits are very difficult to perform on electronic voting systems and are far more effective with paper ballots.

While the SAVE Act calls for audits of election systems for states that receive federal grant money, there are no stipulations for auditing actual election results.

“If we are talking about vote integrity, the major shortcoming of any electronic voting system is an independent, auditable record. With paper voting, someone could miscount ballots or ‘stuff the ballot box.’ It’s not perfect, but when an election is over we can match the records of individuals who registered, and rescan and recount the paper ballots,” Pittenger said. “With electronic voting, we have an electronic audit trail, but any competent criminal would cover their tracks.”

U.S. government cybersecurity is a mess, according to officials

Senators and government officials are calling out the U.S. government, as it struggles to make any real movement when it comes to cybersecurity.

During a talk at a cybersecurity conference at Arizona State University, Sen. John McCain (R-Ariz.) criticized President Donald Trump and his administration for not doing more in regard to U.S. government cybersecurity. McCain called the administration’s leadership on the subject “weak,” and he noted that the president has yet to follow through on his promise to present a plan to improve cyberdefenses within the first 90 days of taking office.

“Unfortunately, leadership from the executive branch on cybersecurity has been weak,” McCain said, according to a statement from the senator’s office. “As America’s enemies seized the initiative in cyberspace, the last administration offered no serious cyber deterrence policy and strategy. And while the current administration promised a cyber policy within 90 days of inauguration, we still have not seen a plan.”

McCain discussed the work that the Senate Armed Services Committee, of which he is the chairman, has been doing to improve U.S. government cybersecurity within the Department of Defense (DOD) and the military over the last few years, citing recent cybersecurity legislation, including bills that elevated U.S. Cyber Command to a unified combatant command and mandated that the DOD evaluate the cybervulnerabilities of every major weapons system and critical infrastructure in the U.S.

“But despite the significant progress we have made at DOD,” McCain said, “much remains to be done, especially in the coordination of a whole-of-government approach to defending the homeland from cyberattacks.”

Also this week, the president’s National Infrastructure Advisory Council (NIAC) published a draft of a report examining how federal resources can be used to improve the cybersecurity of “high-risk assets.” The NIAC also called out the U.S. government for not doing enough.

“We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyberattacks — provided they are properly organized, harnessed, and focused,” the report said. “Today, we’re falling short.”

The report said there is only a narrow window of opportunity to improve U.S. government cybersecurity before a “watershed, 9/11-level cyberattack” strikes the country and its critical infrastructure.

The NIAC had nearly a dozen recommendations to begin improving the U.S. government cybersecurity stature, including establishing better protocols to “rapidly declassify” cyberthreat information, as well as strengthening the cyberworkforce by sponsoring a program that gets public- and private-sector experts to work together.

In a separate statement, Rob Joyce, the White House cybersecurity coordinator, echoed the sentiment, saying the U.S. needs an additional 300,000 cybersecurity experts to protect the country.

Joyce also recommended the American public not use security software from Kaspersky Lab. The Russian antivirus vendor has been in the spotlight for alleged ties to the Russian government. No public evidence has been presented to support the allegations against Kaspersky Lab, and the company’s founder has denied them.

However, Joyce was clear in his statement to CBS News, saying he wouldn’t advise his friends or family to use Kaspersky Lab software.

“I worry that, as a nation state, Russia really hasn’t done the right things for this country, and they have a lot of control and latitude over the information that goes to companies in Russia.”

In other news:

  • Facebook awarded $100,000 to a group of researchers who identified a way to detect credential spear-phishing attacks in enterprises in real time. The money was given to the researchers as part of its annual Internet Defense Prize partnership with the USENIX Association. The research team — Grant Ho, University of California, Berkeley; Aashish Sharma, Lawrence Berkeley National Laboratory; Mobin Javed, University of California, Berkeley; Vern Paxson, University of California, Berkeley and International Computer Science Institute; and David Wagner, University of California, Berkeley — presented their findings at the USENIX Security Symposium in Vancouver, B.C. Compared to a traditional spear-phishing detection method, the researchers said the new technique, called Directed Anomaly Scoring, detects nine times as many attacks. They also said an analyst would be able to look into a month’s worth of attack alerts in just 15 minutes. Facebook was drawn to this technique because of its applicability to social-engineering attack detection.
  • Users of the Enigma cryptocurrency investor platform were tricked into giving around $500,000 to attackers. The attackers gained access to the Enigma domain and a Slack administrator account, and they used that access to send phishing emails to Enigma users. The targeted users received emails shortly before Enigma’s Token Sale — also called an initial coin offering (ICO) — offering them token sales prior to the ICO. Some users believed the phishing scam and sent their cryptocurrency to wallet addresses controlled by the attackers. While Enigma detected the attack immediately and sent out warnings to its users not to fall for the scam, the message didn’t reach them all in time. The attackers collected around $500,000 worth of ether, the Ethereum network’s currency, from the victims.
  • A new attack called Ropemaker can change the content of an email after it’s delivered to add malicious URLs. Email security company Mimecast explained in a blog post that “this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.” The company also noted that it hasn’t seen any exploits of Ropemaker in the wild yet, but it still undermines the assumption that emails cannot be altered after they are sent.
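The Directed Anomaly Scoring item above reports results but not the ranking idea behind them. The following is an added example, not the researchers' code: it re-implements the core of DAS as described in the USENIX paper (rank each event by how many other events are at least as suspicious as it in every feature, then alert on the lowest-scoring events up to a fixed budget) over constructed click events. The three reputation features, their values, the event IDs and the alert budget are all assumptions made for illustration.

```python
"""Directed Anomaly Scoring (DAS) over constructed email-click events.

Added example re-implementing the DAS ranking from Ho et al. (USENIX
Security 2017); this is not the researchers' own code. Feature names,
values and the alert budget are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClickEvent:
    """One user clicking a URL received by email.

    Every feature is oriented so that a LOWER value is MORE suspicious
    (assumed features, modelled on the paper's reputation features):
      domain_age_days  - days since the enterprise first saw the URL's domain
      domain_visits    - prior visits to that domain from inside the enterprise
      sender_days_seen - distinct days on which this sender name/address sent mail
    """
    event_id: str
    domain_age_days: int
    domain_visits: int
    sender_days_seen: int

    def features(self):
        return (self.domain_age_days, self.domain_visits, self.sender_days_seen)


def at_least_as_suspicious(x, y):
    """True if event x is at least as suspicious as event y in EVERY dimension.

    The comparison is directional: being extreme in one feature while benign
    in the others does not make x dominate y.
    """
    return all(xi <= yi for xi, yi in zip(x.features(), y.features()))


def das_scores(events):
    """DAS score of an event = number of events (itself included) that are at
    least as suspicious as it in all dimensions. A low score means almost
    nothing in the data set looks worse than this event, i.e. it is anomalous.
    """
    return {
        e.event_id: sum(1 for other in events if at_least_as_suspicious(other, e))
        for e in events
    }


def rank_alerts(events, budget):
    """Return the `budget` most anomalous event IDs, lowest DAS score first.

    The fixed budget is what keeps the analyst's daily alert volume bounded.
    Ties are broken by event_id only to make the output deterministic.
    """
    scores = das_scores(events)
    ordered = sorted(events, key=lambda e: (scores[e.event_id], e.event_id))
    return [e.event_id for e in ordered[:budget]]


# Constructed sample: one day's worth of clicks (values are made up).
SAMPLE_EVENTS = [
    ClickEvent("e1", 0, 0, 0),         # new domain, never visited, sender never seen
    ClickEvent("e2", 1, 0, 400),       # new domain, but a long-established sender
    ClickEvent("e3", 400, 5000, 0),    # well-known domain, first mail from this sender
    ClickEvent("e4", 2, 1, 1),         # mildly unusual in every dimension
    ClickEvent("e5", 900, 20000, 700), # routine click on a familiar domain
]

if __name__ == "__main__":
    for event_id, score in das_scores(SAMPLE_EVENTS).items():
        print(event_id, score)
    print("alerts:", rank_alerts(SAMPLE_EVENTS, budget=2))
```

In the constructed data, e1 is dominated only by itself (score 1) and is the sole alert under a budget of one, while the routine click e5 is dominated by every event (score 5) and ranks last. Events e2, e3 and e4 tie at score 2: each is extreme in a different way, and the directional comparison refuses to say one is worse than the others, which is the property that stops a single odd feature value from swamping the ranking.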
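The Ropemaker item says an email can be changed after delivery but not how. The mechanism Mimecast described is remote CSS: an HTML message that pulls a stylesheet from a server the sender controls is re-rendered from that stylesheet every time it is opened, so the sender can later swap which link text or URL is visible. The check a mail-filtering team would want is therefore to flag messages whose HTML part references a remote stylesheet. The following is an added example, not Mimecast's tooling: it parses a raw message with Python's standard email library and reports every remote stylesheet reference. The sample message, its addresses and the cdn.example.test host are constructed.

```python
"""Flag HTML email whose rendering depends on remotely hosted CSS.

Added example (not Mimecast's code). Ropemaker-style post-delivery changes
need a mail client that fetches a stylesheet from the network when the
message is displayed; this check surfaces the references that make that
possible. The sample message below is constructed.
"""
import email
import re
from email import policy

# <link rel="stylesheet" ...> in any attribute order, case-insensitive.
LINK_STYLESHEET = re.compile(
    r'<link\b[^>]*\brel\s*=\s*["\']?stylesheet["\']?[^>]*>', re.I)
HREF = re.compile(r'\bhref\s*=\s*["\']?([^"\'\s>]+)', re.I)
# @import url("http://...") or @import "http://..." inside a <style> block.
CSS_IMPORT = re.compile(
    r'@import\s+(?:url\()?\s*["\']?(https?://[^"\')\s;]+)', re.I)
REMOTE_SCHEMES = ("http://", "https://", "//")


def remote_css_refs(html):
    """Return the remote URLs from which the HTML would load stylesheets."""
    refs = []
    for tag in LINK_STYLESHEET.finditer(html):
        href = HREF.search(tag.group(0))
        if href and href.group(1).lower().startswith(REMOTE_SCHEMES):
            refs.append(href.group(1))
    refs.extend(m.group(1) for m in CSS_IMPORT.finditer(html))
    return refs


def remote_css_in_message(raw_message):
    """Parse an RFC 822 message and collect remote CSS references from
    every text/html part (multipart/alternative bodies included)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found.extend(remote_css_refs(part.get_content()))
    return found


def is_ropemaker_candidate(raw_message):
    """A message that can be re-styled from the network after delivery."""
    return bool(remote_css_in_message(raw_message))


# Constructed sample: a multipart message whose HTML part loads two remote
# stylesheets. Nothing in the plain-text part or the <a href> is flagged.
SAMPLE_MESSAGE = """\
From: "Payroll" <payroll@corp.example>
To: alice@corp.example
Subject: Updated payslip portal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your payslip is available at the portal.
--b1
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://cdn.example.test/mail.css">
<style>@import url("https://cdn.example.test/late.css");</style>
</head><body>
<p>Your payslip is at <a href="https://portal.corp.example">the portal</a>.</p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for url in remote_css_in_message(SAMPLE_MESSAGE):
        print("remote stylesheet:", url)
    print("candidate:", is_ropemaker_candidate(SAMPLE_MESSAGE))
```

A gateway that blocks on this signal will also block legitimate marketing mail that links to hosted CSS, so the practical use is scoring or rewriting (stripping the remote references so the client renders only the inline styles) rather than outright rejection. Clients that never fetch remote CSS are not affected by the attack in the first place.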