International Trade Today is a service of Warren Communications News.

Outreach Key to Breach Response, Officials Say

Agencies wary of admitting data security incidents should consider how their secrecy will play in the media, which is bound to learn of even low-risk leaks, agency privacy chiefs said Tuesday. In remarks to the American Society of Access Professionals conference in Washington, they urged involvement by public affairs officials in any response, as a way to set the narrative on an incident. And don’t be afraid to learn from hackers, a cyber security academic said.

The Federal Trade Commission just completed its Federal Information Security Management Act report, due Oct. 1, Chief Privacy Officer Mark Groman said. The FTC had to explain how it reports breaches, how it’s cutting use of Social Security numbers (SSNs), its inventory of personally-identifiable information (PII), and how it wrote rules for protecting PII. Office of Management and Budget rules are flexible enough to fit agency resources, he said, noting that the Department of Veterans Affairs information technology department is larger than the entire FTC.

The Defense Department was involved in breach reporting before the rest of the government, said Sam Jenkins, DoD privacy office director. He joined that office in July, during the FISMA reporting process. DoD’s notification policy dates to July 2005 and includes the now-standard one-hour reporting to the U.S. Computer Emergency Readiness Team and notice to financial institutions where government information might be stored. The formal OMB rules just “augmented” earlier DoD policies, Jenkins said.

The FTC incident response team includes the agency public affairs office, plus the general counsel, the Bureau of Consumer Protection, the chief information security officer and other obvious choices, Groman said. “If you don’t have someone from public affairs on your team, that’s a major flaw,” as those officials can craft a consistent message likely to be picked up in the media. Any DoD external breach, one affecting nonemployees, requires news releases from the start, Jenkins said. “If the media catches wind of it, you can be crucified in the press for not having some kind of notification out there,” he said.

Part of the PR problem is terminology, said Toby Levin, Department of Homeland Security privacy adviser. The agency doesn’t tag a security incident a “breach” until a full inquiry determines that a law was broken. Security incidents are usually “inadvertent disclosures” by naïfs, which still can break the law, she said. Incidents are reported first to program managers, then information security system managers in the appropriate office and then the online DHS security operations center, which alerts top officials, she said. DHS recently drafted its “privacy incident handling guide,” or incident response plan. One major task was simply locating virtual spaces holding personnel data across the sprawl of agencies, as well as “shadow files,” or duplicates, Levin said. Employee training in reducing SSN use has begun but “by no means is completed.” It probably will wrap up before 2008.

DHS IT office personnel originally hesitated to work with the privacy office for fear of additional responsibility, but they came to see that most IT incidents involve PII, “so there’s a natural synergy between our programs and our missions,” Levin said. The two offices, which have similar guidelines, meet regularly, she said. Some components have their own privacy officers, and each at least has “privacy points of contact.” The privacy office plans to designate privacy officers in additional components, she said.

Levin declined to say whether Capitol Hill pressure to beef up data security, voiced this week by House Homeland Security leaders to DHS for cybersecurity lapses (WID Sept 25 p6), affected their plans. “I'd like to think we're the favorite agency of the Hill,” Levin joked. Speakers said they cover contractors in their training and legal materials, a recent concern from the committee. Ensuring service providers, vendors and contractors know the consequences of breaches is “one of the most challenging things” the FTC handles, Groman said. It takes due diligence before signing contracts and then auditing them, which is “very easy to say… it’s very challenging to implement.”

Higher education is coming to the rescue, said Lance Hoffman, founder of the Cyberspace Security Policy and Research Institute at George Washington University. The school runs the Cyber Corps, an “ROTC for geeks,” which tells tech-savvy students “you cannot go to work for Google right after you graduate,” he said. This year the Corps has placed about 150 interns in the federal government, he said, noting two who were on hand. GWU, which will host a “virtual job fair” for federal IT slots late this year, will run a pilot in the spring teaching FISMA and related regulatory compliance, followed by a summer “lab unit,” Hoffman said. His students attend hacker conferences, he said, pointing to one in the crowd who attended Black Hat and DefCon. “They're all clearable and they all get clearances,” he assured the audience. -- Greg Piper

American Society of Access Professionals Notebook…

It’s often thought that small businesses have worse data security practices than larger ones, but “that’s not the case,” Betsy Broder, FTC assistant director of privacy and identity protection at the Bureau of Consumer Protection, said at the conference. Nearly half of large companies lack formal data security plans and don’t adopt encryption after a breach, she said, warning that good post-breach intentions can backfire. Broder advised breached entities not to use e-mail to notify affected people, since such e-mails look like stabs at phishing. If e-mail is the only avenue for notification, “give some assurance to the consumer -- I'm not sure what this could be -- that it is legitimate,” she said. David Hardy, FBI Records Information Dissemination Section chief, said some consumers may not realize accounts are compromised. Many ID thieves penetrate accounts without stealing, instead adding funds from other hacked accounts, simply to “hide the trail” from authorities as they juggle money, he said. “Our systems are attacked millions of times every day” by hackers, sometimes successfully, said Mary Dixon, director of the Defense Department’s Manpower Data Center. But now that the agency has issued “strong credentials” to DoD personnel and requires them to log in to networks using public key infrastructure, “successful intrusions” have plummeted, dropping 46 percent even before new measures were implemented fully, Dixon said. DoD’s “red teams” -- authorized hackers -- “are having a hard time breaking in.”