Security discussion with Dan Weiser

Up-and-coming security pro Dan Weiser wrote me recently about some issues he’s been pondering. His words below:


I wanted to talk with you about some articles and cyber security, the Army’s move into the cloud, and whether data breach victims deserve to be notified.

http://abcnews.go.com/Technology/wireStory/us-cybersecurity-efforts-trigger-privacy-concerns-15454333#.TyKPACNQDSE

While the government may have good intentions, it ‘runs the risk of establishing a program akin to wiretapping all network users’ communications,’ the nonpartisan legal think tank says. The Associated Press obtained a copy of the report in advance.

I feel the right balance will be struck between individual liberties and the watching of individuals’ data.  By the way, if you have lots to hide then you might as well be like Gene Hackman in the movie Enemy of the State and just disappear under the radar.  I really liked that movie and feel that movies sometimes help us understand real life.  On the other hand, if individuals like and must use technology, they must be willing to opt out of all information sharing.  I would prefer that the user’s opt-in be required rather than having to go to the trouble of opting out of everything we use.

http://www.crn.com/news/cloud/232500574/var-mobilizes-army-private-cloud.htm;jsessionid=hyyq7AQTkoW28T-cGF6MUA**.ecappj02

The Army turning to a private cloud environment is part of the government’s larger ‘cloud-first’ policy that requires government and federal agencies to examine cloud computing solutions as the government seeks to dramatically reduce IT costs. It also falls under the government’s plan to dramatically reduce the number of federal data centers.

Okay, cloud computing might be good, but at what cost? And then who really owns the data once it is in the cloud? I am still super skeptical about cloud computing and at least for myself prefer backing up my data on Western Digital External hard drives.  However, if cloud computing must be used for the military to cut costs then please don’t put anything above confidential status out there and be prepared for the day when all the data will be leaked and exposed for the whole world to see.  A good example of the embarrassment to our country is the data released to Wikileaks.

https://www.pcworld.com/businesscenter/article/248724/it_pros_believe_data_breach_harm_assessment_is_more_valuable_than_victim_notification_study_says.html

IT professionals believe that assessing the potential harm caused by data breaches is more useful to mitigating the effects of such incidents than notifying affected individuals, according to a survey published on the day the European Union proposed a 24-hour deadline for data breach disclosures.

I do not agree with these “IT professionals,” and think it is critically important to notify data-breach victims as soon as possible.  I have had problems with identity theft in the past with fraudulent charges on one of my credit cards, mail being opened at an old address and people trying to falsely create a credit card in my name. Anyway, it is very important that victims know as soon as possible about data theft so they can check their credit reports and begin damage control.

By comparison, contracting computer forensic experts was considered important by only 5 percent of survey participants in 2007. This suggests that IT professionals today are much more interested in learning how a breach happened before taking action.

It is still important to take the action of notifying victims ASAP and I would certainly hope that IT professionals would realize this, because I certainly do, and I’m working towards becoming an IT pro myself.

Nearly half of respondents said that their companies suffered data breaches that involved log-in credentials and credit card or bank payment information. Sixty percent of them said that the data was not encrypted, while 16 percent were unsure.

Wow, 60!!! percent of the data was not encrypted. I am annoyed but not surprised, because companies apparently find it too expensive to encrypt and protect people’s data, and think that their safeguards of firewalls and such will keep any intruders out. Well, it works well in theory, but with the right tools, enough patience and the ability to social engineer people, you can pretty much do what you want in this day and age.  I say the last statement with some sadness but it is certainly the truth.  All right, everyone, it’s time to bring the comments and arguments on for me and Glenn.

Sincerely,
Dan Weiser

(By the way, I know when it comes to Information Technology and certain other areas that I have very strong opinions, but I am always open to debate with those who can argue their points effectively.)