Companies, governments, and individuals need to do more to protect against information security threats, according to an international information policy think tank.
A new white paper released Thursday by the Centre for Information Policy Leadership says “society is in an arms race against security threats” and provides ten recommendations for data breach and information security policy.
“It’s really time to sort of ramp up the seriousness with which we take these issues to move policymaking to a federal level, with less focus on the state level, and to be treating the security threats with the magnitude of response that they deserve,” said the paper’s co-author Fred Cate, a senior policy advisor at the Centre.
The paper, which comes midway through the Obama administration’s 60-day review of the federal cybersecurity mission, urges increased government spending on security with an investment in research and an emphasis on collaboration and sharing of best practices.
“The government has invested very few resources in enhancing information security, and even the much-touted increase in funding promised by the Obama Administration still amounts to the same federal investment scheduled for FY2010 that we currently spend in Iraq in a day—a surprising comparison given how greatly national security officials believe cyberattacks threaten our national interests,” the paper says.
It also calls for companies to work together to share information and approaches to combating threats. While customers receive billions of notices, the paper notes, there's no clearinghouse for attacks or attack strategies.
Individuals, too, play a role in keeping information and networks safe, but many are ignorant of how truly important they are to network security, said Paula Bruening, deputy executive director for the Centre.
“I don’t think they always really understand that when they plug into the network, they become a link in the security system and that if they’re the weak link, they can be the vulnerability that can cause tremendous damage far beyond anything that they really realize,” she said.
Executive Director Marty Abrams said the government may have to consider some tough policy issues as well. “We don’t sell cars with brakes as optional equipment, yet security software is often an add-on,” he said. “We don’t let people drive cars who aren’t licensed to drive cars, and those are tough issues for us to confront in a world where the Internet is seen as something that’s necessary for participation.”
The paper recommends looking beyond data breaches of personal consumer information to the far more serious threat posed by other information security risks like rootkits that hijack individual systems; botnets that connect compromised machines to steal data or attack servers; wireless communication interception and diversion; and domain name server attacks that use fraudulent Web sites to steal online information from unwitting users.
Breaches of personal data are on the rise, with 656 reported in 2008, a 47 percent increase over 2007, according to the paper. Concern about such breaches has led to the adoption of data breach notice requirements in 44 states and the District of Columbia. Complying with many different state laws consumes company resources that could otherwise be spent keeping information more secure, experts say.
Currently no federal notification law exists.
“Research says that data breaches actually play little role in most identity fraud,” the paper says. It cites the 2009 Javelin Identity Fraud Survey that shows data breaches accounted for only one in ten respondents who identified themselves as identity fraud victims. Most of the notification laws, the paper says, require notices even when no risk is posed or there is nothing individuals can do to guard against risk. Too many notifications, the paper warns, can cause “notification fatigue” among consumers.
Breach notification laws, which were patterned after environmental disclosure laws, have been effective in forcing corporate management to understand and pay attention to the issue of personal data security, said Lisa Sotto, a partner at Hunton & Williams LLP law firm and head of the privacy and information management practice which operates the Centre. “Breach notification has the effect of forcing a company to announce from the rooftops their lack of security in many cases,” she said, “and it’s a really embarrassing issue for companies.”
Experts emphasize that the issue of information security is a global one. “Just as the Internet and other information networks cross borders without regard for national and provincial boundaries, so too do security threats and vulnerabilities,” the paper says. “Concerted multinational action is necessary to arrest and prosecute perpetrators and to isolate countries that may harbor them.”