Earlier this month, multiple, coordinated cyber-attacks struck across the financial sector. Citibank and Bank of America were among the first to report a series of systemic breaches that attempted to disrupt trading in equities markets.

Then, as regulators began to respond, they too were compromised. The Securities and Exchange Commission and Treasury Department were among those embattled by an army of malevolent coders. The Department of Homeland Security and FBI were also infiltrated.

Fortunately, the U.S. economy wasn't brought to its knees. The attack was just a drill, dubbed Quantum Dawn 2, organized by the Securities Industry and Financial Markets Association.

Over 500 individuals from approximately 50 entities took part in the daylong simulation of full-scale cyber-warfare targeting Wall Street and the financial sector. Participants were able to run through their crisis response plans, including how they would react to various threats against their firms, how they would coordinate with the financial sector as a whole to share information, and how they would coordinate with government agencies.

Much of the focus, when it comes to cyber-security, is how well prepared private enterprise is to protect sensitive data. To that end, regulators like the SEC and laws like the privacy protections of the Health Insurance Portability and Accountability Act demand the disclosure of security breaches. But what about the government agencies that make these demands? Are they able to secure the massive trove of confidential corporate and consumer data they collect?

“That's the $64,000 question,” says Tom Smedinghoff, a partner with the law firm Edwards Wildman Palmer whose practice focuses on information law and electronic business activities. “We've certainly seen a number of breaches at the government level. It seems they are not doing much better than the private sector with this.”

Government breaches typically come in three varieties: breach attempts by outside entities; malevolent insiders; and human error that leaves data unprotected. Just a few of the high-profile incidents that have occurred in recent years:

In June 2012, an employee of the Commodity Futures Trading Commission fell victim to a “phishing” e-mail and allowed a hacker to access employee e-mails and personnel records for nearly 700 of its employees.

The Centers for Medicare and Medicaid Services was successfully breached 13 times by hackers from 2009 to 2011.

In September 2012, a contractor mistakenly uploaded the personal records and Social Security numbers of more than 500 Army personnel.

In June 2011, the hacker collective LulzSec successfully broke into the computer network of the U.S. Senate.

In March 2011, 24,000 Pentagon files were stolen by a foreign entity that hacked into the computers of a government contractor.

Earlier this month, the SEC sent letters to former employees, offering them free credit reports after a government employee inadvertently exposed their personnel data, having uploaded it onto a flash drive.

Then, there are two cases that have dominated media headlines for weeks: former National Security Agency contractor Edward Snowden's release of top-secret information on the government's electronic surveillance programs; and the sharing of 250,000 State Department diplomatic cables through WikiLeaks, allegedly committed by Bradley Manning, an Army soldier stationed in Iraq.

Also, the Consumer Financial Protection Bureau has come under fire, mostly by Congressional Republicans, over its collection of consumer data, much of it purchased from third parties. Critics are questioning the security and confidentiality of the more than 10 million records being stockpiled by the Bureau.


There are mechanisms in place that are intended to bolster the security of government technology and databases, Smedinghoff says. For example, the Federal Information Security Act requires federal agencies to implement a variety of security protections and programs. “But the breaches keep happening, so it's not foolproof.”

For each organization, basic questions need to be asked. Who is collecting what data? Why do they need it? How sensitive is it? What are they doing with it? How well are they protecting it and, if it does get compromised, what is the risk? How bad will it be?

“The CFPB says they are only collecting anonymous data, but with a lot of the things you read about how easy it is to correlate anonymous data back to an individual you've got to wonder about that,” Smedinghoff says.

“When you look at what the CFPB, or anyone that collects that amount and type of data, they are making themselves a big target,” says Lamont Orange, senior director of information security for Websense, a company that specializes in computer security software. “It is almost saying, ‘Come and see what I have.’”

Mistakes can have real consequences, says Hester Peirce, a senior research fellow at the Mercatus Center of George Mason University and one of the former SEC employees whose information was breached.

“Honestly, it's difficult to put a system in place that will catch everything,” she says. “So, I think it is worth asking whether the government really needs all this information, because we now know it can't be kept perfectly safe.”

“Pleasantly Surprised”

There is some reason to be optimistic about the government's efforts to secure the data it holds, says Vivek Shivananda, founder and CEO of Rsam, a security, risk, and compliance consultancy that has government agencies among its clients.

“It varies from agency to agency, and there is work to be done, but I've been pleasantly surprised with the level of sophistication at some agencies,” he says.

One of the main accomplishments in recent years has been the government's focus on recruiting IT talent that was traditionally lost to private sector companies, he explains.

Darren Hayes, a professor at Pace University's Seidenberg School of Computer Science and a leading expert in computer forensics, agrees. He says that through scholarship awards, ethical hacking competitions and other initiatives, U.S. government agencies are increasingly attracting the cyber-expertise they need. So much so that Washington D.C. now surpasses Silicon Valley as the nation's top employer of IT personnel.

Still, companies will have to keep close tabs on the information they share with regulators, although monitoring a regulator's use of that data isn't easy. When a bank shares consumer data with a regulator and that data gets breached, the regulator is in effect a third-party vendor, Shivananda says, but unlike with a vendor, a bank has no authority over a regulator.

“The insider threat is always the hardest because these are the people who know the systems the best,” Hayes says. “It is also a real challenge for the government, because sometimes things move slower because of red tape and bureaucracy.”

Too Much Data?

“The issue with the government is that they have such a volume and variety of data that it compounds the problem of protecting it,” says Brian Contos of Solara Networks, a Blue Coat company that offers data analytics and security software. “Not just protecting it from external threats, but, of course, potentially malicious or just careless insiders.”

SEC DISCLOSES BREACH

The following is an excerpt from a July 8 letter to SEC employees, present and former, regarding a breach of their personal data that occurred April-June, 2012.

On Feb. 27, 2013, another Federal agency reported to the SEC the discovery of SEC employees' sensitive data on its computer network. The sensitive data was employment-related information maintained by the SEC as part of your Official Personnel File.

A joint investigation launched by the SEC's Office of the Inspector General and the reporting agency's OIG found that the origin of the data was an upload from an employee's thumb drive. The investigation further revealed that the employee formerly worked at the SEC and, upon departure from the SEC, inadvertently and unknowingly downloaded the SEC personnel data to the thumb drive. The employee had thought he was downloading templates to help him in his future work at the government.

Upon discovering the data files, the reporting agency immediately removed them from its network drives and backup tapes.

The SEC takes its responsibility to safeguard personal information seriously. We acted quickly with the reporting agency to contain and eradicate the breach, and also confiscated the thumb drive. While there is no evidence that any unauthorized third party accessed any of your personal information, you may wish to take some precautionary steps.

Source: SEC.

Contos says that there are lessons and strategies companies can learn from the cyber-security challenges government agencies face.

Addressing the problem, Contos says, requires being able to “monitor the intersection point between users and data.”  

“You can't answer these things with traditional anti-virus and firewalls,” he says. “It's not just about prevention anymore. It doesn't matter how tall you build your walls, or how deep you build your moats. The problem becomes how well are you monitoring how users are interacting with this data.”

“Know your assets and know your people,” he adds. There are patterns, anomalies, and inconsistencies to heed. For example, when an employee who customarily needs to access 500 accounts on a typical day, suddenly accesses 5,000, or even 5 million, that warrants an investigation.
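The access-volume pattern Contos describes (a user who normally touches about 500 accounts a day suddenly touching 5,000) can be caught with a per-user baseline check over record-access logs. The following is an added example written for this article, not code from any of the firms or agencies quoted. It constructs its own sample log (hypothetical users `analyst_a` and `analyst_b`, made-up account IDs) and flags any day on which a user's count of distinct records accessed exceeds a multiple of the median of that user's other days.

```python
"""Per-user access-volume anomaly check over constructed record-access logs.

Added example for the article; not from any quoted organization. Each log
line is assumed to have the form "<ISO timestamp> <user> <record_id>".
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed data (not real logs): five days of activity for two users.
    analyst_a handles roughly 500 distinct accounts a day, then 5,000 on the
    last day; analyst_b is steady at 120 a day."""
    days = ["2013-07-01", "2013-07-02", "2013-07-03", "2013-07-04", "2013-07-05"]
    lines = []
    for i, day in enumerate(days):
        n_a = 5000 if i == 4 else 500 + i * 7  # small day-to-day variation
        for k in range(n_a):
            lines.append(f"{day}T10:{k % 60:02d}:00 analyst_a ACCT-{k:05d}")
        for k in range(120):
            lines.append(f"{day}T11:{k % 60:02d}:00 analyst_b ACCT-{k:05d}")
    return lines


def parse_line(line):
    """Split one log line into (day, user, record_id); the day is the
    first ten characters of the ISO timestamp."""
    timestamp, user, record = line.split()
    return timestamp[:10], user, record


def daily_distinct_counts(lines):
    """Return {user: {day: number of distinct records accessed}}.
    Repeated reads of the same record on the same day count once, so the
    measure is breadth of access, not raw request volume."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, record = parse_line(line)
        seen[(user, day)].add(record)
    counts = defaultdict(dict)
    for (user, day), records in seen.items():
        counts[user][day] = len(records)
    return counts


def find_volume_anomalies(counts, factor=5.0, min_history=3):
    """Flag (user, day, count, baseline) where count > factor * baseline and
    baseline is the median of the user's other days. Each day is compared
    against the user's own history, so a user with a legitimately large
    workload is not flagged merely for being busier than colleagues.
    Users with fewer than min_history other days are skipped: there is no
    baseline yet, and a new account should be reviewed on its own terms."""
    findings = []
    for user, by_day in counts.items():
        for day, count in sorted(by_day.items()):
            others = [c for d, c in by_day.items() if d != day]
            if len(others) < min_history:
                continue
            baseline = median(others)
            if count > factor * baseline:
                findings.append((user, day, count, baseline))
    return findings


def run_check(lines=None, factor=5.0):
    """Parse the log (the constructed sample by default) and return findings."""
    if lines is None:
        lines = build_sample_log()
    return find_volume_anomalies(daily_distinct_counts(lines), factor=factor)


if __name__ == "__main__":
    for user, day, count, baseline in run_check():
        print(f"{user} on {day}: {count} distinct records "
              f"(typical day: {baseline:g}) - review warranted")
```

The median, rather than the mean, is used for the baseline so that one earlier spike does not inflate the user's "normal" and mask a second one. The factor of 5 is a starting point to tune against real data; the article's 500-to-5,000 jump is a tenfold change, well above it.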

Shivananda says it is important to prioritize risks. “You don't have the resources to look at everything, and if you try, you will miss something important,” he says.

Orange stresses accountability, and having a point person who is responsible and traceable when data is moved.

Accountability could help the regulators themselves to protect their sensitive data. “Who is looking at the regulators themselves? There needs to be some sort of governmental body that oversees the regulators,” says Shivananda. “There needs to be some governing body, because everybody needs to answer to somebody.”