New National CISO will have a full plate
Back in February, President Obama announced the creation of the position of a national Chief Information Security Officer (CISO), as part of an administrative Cybersecurity National Action Plan “that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.” Though we still don’t know who will ultimately get the position and spearhead this effort, even a cursory glance around the always troubled security landscape indicates just how much work there is to be done on all fronts. This includes addressing not only record numbers of data breach incidents, which continue to grow exponentially, but also all the volatile politics that swirl around this whole topic.
One of the latest such minefields looks to center around Twitter’s recent decision to deny US intelligence agencies their accustomed access to Dataminr, a real-time data gathering service that gathers and analyzes Twitter’s colossal output in order to produce breaking news on events such as natural disasters or terrorist attacks. Dataminr’s access to Twitter’s stream allows it to send alerts to clients in a broad array of organizations, from finance to news. And while the Department of Homeland Security maintains a separate contract with Dataminr, other spy agencies are effectively being stripped of their privileges in this regard, making them wait in line for news with everyone else. So, in case you were wondering what the next move would be that would increase tensions between Silicon Valley and the government, this could be it.
Of equal if not greater importance are the breaches themselves. Some can be caused by such underwhelming accidents as an employee mistakenly sending a document containing certain personal information of other employees to a benefits manager at another company. Of course, when the leak in question comes from Google, even a tiny chink in a titan’s armor becomes a topic of concern.
Even more alarming is the continued targeting of hospitals and other health care organizations. Medical records are a greater bounty for thieves than credit card information, and attacks on medical networks using methods like ransomware have become increasingly popular. This year alone has seen these incidents at such institutions as MedStar Health and Hollywood Presbyterian Medical Center. Responses differ from case to case, but several government agencies have discouraged organizations from paying the ransom and rewarding criminals, instead insisting that they review their own data security policies and focus on prevention efforts. Nor does it seem like any entities are off limits for hackers, as demonstrated by such notifications as the one by the Bay Area Children’s Association, which this month reported that a cyber intrusion last year used stolen credentials to infect its systems with malware, and that electronic medical records were obtained by unauthorized parties.
It’s been a few months now since the announcement, and they have yet to find the right person for the nation’s new CISO position. Clearly, whoever inherits this kind of domain is going to be one busy official. Who do you think would make a good security czar?