Earlier today the Wall Street Journal’s Risk and Compliance Journal published an interview with me and Steve Chabinsky from Crowdstrike about cybersecurity. In the interview, Steve and I make the case that the current paradigm for protecting companies against cyberattacks isn’t working, and that fixing it involves focusing on aligning private sector and
Another Takeaway from TARGET: Are you being targeted through your vendors?
Yesterday TARGET announced that the hackers who committed the breach that has potentially affected as many as 110 million customers gained access to its systems through one of its vendors. Although the details are still emerging as the forensic investigation continues, this early report is a reminder that your vendors can be a potential source…
The Shorter Matt Blaze: NSA Hacking Is OK, As Long As We Take Away Its Best Hacking Tools
Matt Blaze, a well-known public cryptographer and NSA critic, offered what seemed like a modest concession in the relentless campaign against NSA intelligence gathering:
The NSA’s tools are very sharp indeed, even in the presence of communications networks that are well hardened against eavesdropping. How can this be good news? It isn’t if you’re…
Video Interview: Discussing the Target Data Breach with LXBN TV
Following up on my recent commentary on the Target data breach, I had an opportunity to discuss its fallout in a video interview with Colin O’Keefe of LXBN. In the interview, I describe litigation Target now faces and share my opinion on what lawmakers should do to combat breaches like this.
TARGETed for a Breach – and Now TARGETed for Litigation
On Thursday, TARGET announced that it had been the victim of a cyber attack in which hackers stole data on credit and debit cards of as many as 40 million customers who made purchases at the height of the holiday shopping season. The incident was first reported the previous day by the website KrebsOnSecurity.com.…
Europe, the Cloud, and the New York Times
The New York Times recently ran a story arguing that, after the Snowden revelations, Europe would have to build its own cloud computing industry to protect European privacy. I was moved to send the Times a letter in response. The Times edits such letters pretty heavily, so I’m sharing it here:
You left some critical…
The DPA for the USA
Officials in the EU often deride the lack of a national data protection authority in the US. It is absurd to suggest that the existence of a national DPA is itself a litmus test for a country’s commitment to privacy protection. Indeed, I would put the US system of constitutional checks and balances and sectoral…
How NIST’s Cybersecurity Framework Could Reduce Cybersecurity
In my first post about NIST’s draft cybersecurity framework I explained its basic problem as a spur to better security: It doesn’t actually require companies to do much to improve their network security.
My second post argued that the framework’s privacy appendix, under the guise of protecting cybersecurity, actually creates a tough new privacy requirement…
Is NIST turning weak cybersecurity standards into aggressive new privacy regulation?
Following up on my earlier NIST post, it’s fair to ask why I think the NIST Cybersecurity Framework will be a regulatory disaster. After all, as I acknowledged in that post, NIST’s standards for cybersecurity are looking far less prescriptive than business feared. There’s not a “shall” or “should” to be found in NIST’s…
Who’s Afraid of the NIST Cybersecurity Framework?
Business and conservatives have been worried all year about the cybersecurity standards framework that NIST (the National Institute of Standards and Technology) is drafting. An executive order issued early this year, after cybersecurity legislation stalled on the Hill, told NIST to assemble a set of standards to address cyber risks. Once they’re adopted, the order…