Trade Law Daily is a service of Warren Communications News.
‘Tokenization’?

‘Insider Attacks’ Concern for Federal Agencies Working on Cybersecurity, Say Officials at Hearing

Federal law enforcement officials are not equipped to handle a cyberattack from within their agencies, they said at a House Financial Institutions and Consumer Credit Subcommittee hearing on data security Wednesday. Capitol Hill has seen a number of hearings related to data security since the data breaches at Target and Neiman Marcus. Information sharing within those agencies working on cybersecurity needs to be better, said Carolyn Maloney, D-N.Y. Tokenization, a process that uses a substitute token or number for a given transaction, could fix the problems left unresolved by Europay, Mastercard, Visa (EMV) cards.


“Nothing we have would stop an insider attack,” said William Noonan, Secret Service deputy special agent in charge of cyber operations criminal investigation division, when asked by Steve Pearce, R-N.M., what could prohibit an “insider attack” from a law enforcement official working on data security, a la Edward Snowden, the former National Security Agency official who leaked millions of classified documents last year. This particular threat is “one of the most difficult things we face,” said Larry Zelvin, Department of Homeland Security director of the National Cybersecurity & Communications Integration Center (NCCIC). We're “not where we need to be, by a long shot,” he said.

The fight against cybercriminals is a “team effort,” with jurisdiction determining who gets to fight or collect data against particular criminals, said Zelvin. The NCCIC works on network defense measures and has a “responsibility to protect .gov,” he said. The “primary source for information sharing” is the NCCIC, said Noonan. The Secret Service works with “undercover” sources and operators and has identified breaches before they have occurred, he said. Both Zelvin and Noonan said they support the creation of a national breach notification standard, when asked by Rep. Maxine Waters, D-Calif.

It’s “important and critical” for breached companies to immediately notify law enforcement, said Noonan. If the authorities are “drawn in early,” they are able to better “protect the victims” and share information faster, he said. Asked by Rep. Gregory Meeks, D-N.Y., whether consumers should be notified of data breaches at the same time as law enforcement, Noonan said officials “may or may not need” a chance to determine “who is behind the attack” before consumers are notified.

Federal agencies are “collecting data in the areas we have the ability to see the information,” said Zelvin, in response to a question from Maloney, about which agency is able to organize and make sense of all the collected data. “We still don’t have visibility on everything,” said Zelvin. Maloney said the same lack of integration among intelligence agencies existed before 9/11 and that appropriate changes need to be made for cybersecurity. “No single agency or organization by itself can effectively respond to the rising threat of malicious cyber activity,” said Zelvin in prepared remarks. Eastern European and Russian-speaking cybercriminals are the most “sophisticated,” said Noonan. Cyberactivity in Asia is also “extraordinary,” said Zelvin.

Tokenization fills the gaps of EMV chip technology, said David Fortney, Clearing House Payments senior vice president-product development. “Tokenization addresses online and mobile phone payments by substituting a limited-use random number -- a digital token -- for the customer’s account number during the transaction,” he said in prepared remarks. Chip and PIN technology would help limit the “monetization of data, but not the theft,” said Noonan. The idea of tokenization is “promising,” said Maloney. (jmcknight@warren-news.com)