Amid a hodgepodge of national laws, calls for a global data exchange standard grow louder, reports Greg Masters.
Pirates continue to plunder the sea lanes in some parts of the world, armed with AK47s instead of cutlasses, but a new iteration of piracy has become more common – this form well hidden from sight and employing nothing so primitive as swords or guns.
Today's cyberthieves, armed with computers linked to the internet and a variety of hacking skills, can penetrate networks anywhere in the world to abscond with corporate treasures and violate the privacy of individuals. In fact, according to a recent report from the World Economic Forum, cybersecurity ranks in the Top Five “risks to watch” for stakeholders across government and the private sector.
But, just who is responsible for protecting the privacy of individuals and organizations – particularly when data traverses national boundaries – has become a hot topic for debate.
Despite 46 states having breach notification laws, and compliance mandates that order adherence to privacy restrictions, such as Sarbanes-Oxley and HIPAA, this country lags the European Union in prescriptive requirements, experts say. Europeans, far more sensitive to the possibility of data exposure, owing to their experiences under authoritarian regimes during World War II, passed the Data Protection Directive, which offers a comprehensive system throughout the EU that incorporates recommendations made 30 years ago by the Organization for Economic Cooperation and Development (OECD), an organization comprised of 34 countries that was founded in 1961. While the United States endorsed the OECD's recommendations, it never implemented them. 
“We don't have anything [here in the United States] that specific,” says Hugh Thompson (left), program committee chairman of the RSA Conference, the security industry's largest trade event. Overall, there is a big cultural difference in how the United States treats privacy and how it is regarded in Europe. The laws in Europe, for example, dictate where data can be moved, says Thompson, a well-known application security expert who teaches at several universities and co-authored four books.
The transfer of data across geographic boundaries is a challenge for multinational corporations and government entities, he says. There are laws on the books in Europe that prescribe how long data must be retained and when it must be deleted. But the requirements vary from country to country, so often it is a juggling act to adhere to the commands. “There's a lot of confusion."
Patricia Titus (right), VP and CISO at Reston, Va.-based Unisys, agrees. Unisys – a company that designs, builds and manages systems for businesses and governments around the globe – works with a number of companies that have drafted transfer agreements with various countries to move their applications and data into the Unisys network. It's a process that is time-consuming and eats up a lot of personnel time.
Clients in each country must compile data transfer agreements that incorporate such standards as ISO 2700 or NIST. The next level implements standards from FISMA, a government dictate that adds another layer of data safeguards across the globe, she says.
It would be helpful for corporations if there were a global standard with bare minimums, Titus says. “It would go a long way to create a framework beginning with the United States and the EU.” There's been a lot of dialog around such a development, but little to nothing has been actually implemented, she says.
Too, it is expensive to manage all the data privacy laws. “There's no Gantt chart [a type of bar graph that illustrates the start and finish dates of a project] that shows the country, the standards it upholds, and the gap between its' and the United States' privacy laws," she says.
No one seems to have a workable response. Thompson is not aware of any group, public or private, moving toward a global standard that could take the guesswork out of the process. Nations and corporations are still grappling with what data is private and what needs to be protected, he says. “It is murky when moving data across borders,” he says.
And this ambiguity is causing headaches for a lot of people and organizations. Those wishing to shop for a cloud service provider, for example, must weigh not only which service offers the best rates, but with the rapidly evolving legal ramifications, which can provide some measure of protection.
In the past, negotiating a service-level agreement with a cloud provider wasn't a big issue, says Thompson. Now, though, with new laws being implemented in various countries, the logistics become more prohibitive. For example, he says, a German customer's data may not be moved out of the country, so how is that person supposed to make a purchase with a credit card from a business across the border?
Also, he adds, some types of data not considered private in the United States may prove to be a gateway to identification. What might not be considered personally identifiable information (PII), and thus safe from data privacy restrictions, still could provide access to truly private data, say, via a password reset, says Thompson.
“There is no legal body to sort it out, to give guidance, to help make sense of what one should do with a piece of data,” he says.
| “We're in serious catch-up mode. And, from a digital perspective, it is getting murkier.” – Hugh Thompson, program committee chairman of the RSA Conference |
But there is some measure of hope. In his position as chair of the RSA Conference, Thompson is in a position to observe what the hot topics are. And despite the buzzwords of the day being cloud and cyberwarfare, when one digs deep into the agenda, privacy is the big ticket item, he says. Based on the proposals for sessions at the annual conference, both here and in its European edition, he's seeing issues being raised around transfer of data and the privacy implications.
Controlling the airwaves
And action would be most welcome as enterprise and government operations continue to expand across borders and, as a result, face potential risks from native intruders more familiar with the lay of the land.
Foreign office threats is sure to be a big topic this coming year, says Rich Baich (right), a principal analyst in the security and privacy practice at Deloitte & Touche LLP. But, while most attention has been focused on privacy laws, what's been missing, he says, is a comprehensive understanding of telecommunications laws, particularly those affecting telecom infrastructure owned or controlled by a foreign nation-state.
“We understand what the FBI can do,” Baich says, referring to traditional means of surveillance of telecommunication, such as VoIP or cell phone calls. “But, do organizations understand who owns the rights to their data when that data is being transmitted in foreign nations?”
The message seems to be: No one should be trusted. The data flowing among corporate headquarters and remote satellite offices, particularly in foreign countries, is subject to a number of variables, namely foreign-controlled network infrastructure. This is different from privacy laws, he says. “Can you trust the phone guy?” he asks.
How can corporations opening an office overseas entrust the buildout of their office to contractors? As an illustration, he mentions the American embassy built in Moscow in the mid-1980s that had to be redone once it was discovered that the building was infested with bugs – of the snooping variety.
The threat of unauthorized access by criminals is just one of the challenges of a foreign-controlled network infrastructure. The system is also vulnerable to eavesdropping by foreign intelligence services interested in intercepting corporate or government proprietary data.
It is more than a matter of doing due diligence, Baich says. When leaving your host country, the laws are going to be different. “If you're an executive, what sort of encryption are you using?” he asks. And when that executive returns, how can it be determined they are not bringing back something unwanted on their laptop?
The risk, Baich says, is that state-sponsored entities, perhaps in cahoots with criminal gangs, can use any number of techniques to monitor, intercept, modify or disrupt the communications of any corporation or government agency from any number of points in the network path. Devices can be implanted anywhere, including within the central office of the telco.
As well, miscreants can use social engineering to dupe an email recipient into providing a password or another key needed to view corporate assets. Or, the public and private wireless networks can be penetrated. Compounding the situation, “lawful” intercept rules are not likely to be consistently applied across nation-state boundaries, Baich says.
The new Cold War
Baich says his job is to let people know they have to think of security differently as opportunities for attack always rest outside of a traveler's environment. Supply chain infiltration has been real for years, since at least World War II, he says. When one goes to a foreign country, they can become a target for corporate espionage. “The Cold War is still on,” Baich says. “It's just a different domain.”
| “The Cold War is still on. It's just a different domain.” – Rich Baich, a principal analyst in the security and privacy practice at Deloitte & Touche LLP |
For Titus of Unisys, the question really boils down to who is in charge of security in the United States. Is it Christopher Painter, the U.S. Department of State's first coordinator for cyber issues, appointed in April? Among his duties is to coordinate the department's global diplomatic engagement on cyber issues and serve as a liaison to public and private sector entities.
But, Titus asks, can he coordinate when, at this point the U.S. government has not even settled whether laws governing overseas data transmission are a diplomatic or corporate issue.
But she does see some evolutions in governance coming from the White House, particularly the U.S. Commerce Department creating an internet ID, a cybersecurity effort that seeks to create an “identity ecosystem,” according to White House Cybersecurity Coordinator Howard Schmidt. The final plan for the National Strategy for Trusted Identities in Cyberspace, announced on April 15, provides guidelines for establishing secure online credentials to make internet transactions more secure. Computer users would cease using unique passwords on each website they visit and instead employ a set of credentials recognized by multiple sites. However, the secure credential – software on a mobile device, a smartcard or a small token that generates one-time passwords – has yet to be devised.
Despite that, Titus calls for expanding the initiative and bringing in EU colleagues to get identity standards moving quicker. Further, while there seems to be no unified effort at the moment to create an international set of standards for the transfer of data, Thompson points to historical precedents that caused huge legal shifts, such as the failure of Enron, which gave rise to SOX, and rampant identity theft cases in the state of California, which gave rise to the first data breach notification laws in this nation.
“There has been no privacy Armageddon yet,” says Thompson, “but there have been tremors.” He cites the recent breach of Epsilon, an email marketing services firm, where so much data was compromised that the consequences reverberated in the media and, thus, the status quo was shaken.
“When will we cross that boundary to get an overarching law to kick in?” he asks. So far, there is no answer.
[sidebar]
DATA ALARM: Travelling workers
The worker travelling on foreign soil is susceptible to a range of intrusions, says Rich Baich, a principal analyst in the security and privacy practice at Deloitte & Touche LLP.
Their smartphones, laptops or other mobile devices link up to foreign carrier networks that may be subject to compromise. And there are any number of means to achieve this – including man-in-the-middle attacks, in which an intruder penetrates a communications channel, or through the introduction of malicious code. If a foreign intelligence service is interested, the strategies can intensify to remote compromise or the loading of code during a sync to a foreign network, or even escalate to what Baich terms a “physical access attack” as a device is left unattended, i.e., in a hotel room or during cistoms inspection.
As well, there is the more common technique of employing hotspots or public Wi-Fi networks to gain access.
Targeted attacks are now capable of getting into networks through a travel agency, for example. Through a posting on a social network site, such as Facebook or LinkedIn, an attacker can know where an exec is traveling and subsequently target a hotel room.
Most people are comfortable and assured of their rights and protections in their own country, but once they leave may not comprehend the risks. In fact, the probability of an occurence rises exponentially when leaving the host environment, Baich says. – Greg Masters
