Tom Gann – McAfee Blogs
https://securingtomorrow.mcafee.com

Why Data Security Is Important
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/why-data-security-is-important/
Wed, 01 May 2019 15:00:09 +0000

The Increasing Regulatory Focus on Privacy

The ongoing trend of data breaches and the increasing privacy risks associated with social media continue to be a national and international concern. These issues have prompted regulators to seriously explore the need for new and stronger regulations to protect consumer privacy. Some of the regulatory solutions focus on U.S. federal-level breach and privacy laws, while individual U.S. states are also looking to strengthen and broaden their privacy laws.

The focus on stronger consumer privacy has already sparked new regulations like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Many customers of U.S. companies are covered by GDPR’s broad privacy protections, which protect the rights of residents of the European Economic Area. As U.S. states increasingly pass their own privacy laws, the legal environment is becoming more fragmented and complex. This has led to an increased focus on potentially creating a U.S. federal privacy law, perhaps along the lines of the GDPR or otherwise protecting individuals’ information more broadly than the sectoral laws now in place. Although it is not clear whether effective national legislation will pass in the immediate future, the continued focus on regulatory solutions to strengthen consumer data privacy appears certain.

Privacy is Important to McAfee

For technology to be effective, individuals and corporations must be able to trust it. McAfee believes that trust in the integrity of systems – whether a corporate firewall or a child’s cell phone – is essential to enabling people to get the most possible out of their technologies. Fundamental to that trust is privacy and the protection of data. McAfee is committed to enabling the protection of customer, consumer and employee data by providing robust security solutions.

Why Privacy Matters to McAfee
  • Protecting our customers’ personal data and intellectual property, and their consumer and corporate products, is a core value.
  • Robust Privacy and Security solutions are fundamental to McAfee’s strategic vision, products, services and technology solutions.
  • Privacy and Security solutions enable our corporate and government customers to more efficiently and effectively comply with applicable regulatory requirements.
  • McAfee believes privacy and security are necessary prerequisites for individuals to have trust in the use of technology.

Effective Consumer Privacy Also Requires Data Security

Today, electronic systems are commonly used by government, business and consumers. There are many types of electronic systems and connected devices used for a variety of beneficial purposes and entertainment. The use of data, some of which may be confidential information, personal data and/or sensitive data, is a common element across these systems.

A reliable electronic system must have adequate security to protect the data the system is entrusted to process and use. Data leaks and security breaches threaten the ability of customers to trust businesses and their products. Data security that is too flawed or inadequate to provide robust data protection puts consumers’ privacy at risk.

Too often, privacy and information security are thought of as separate and potentially opposing concerns. However, there are large areas of interdependency between these two important policy areas. Privacy and information security must work in harmony and support each other to achieve the goal of consumer privacy. Privacy requires that consumers have the capacity to decide what data about them is collected and processed, and the data must have safeguards driven by appropriately secure technologies and processes.

Data security is the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Privacy is an individual’s right or desire to be left alone and/or to have the ability to control her own data. Data security also enables the effective implementation of protective digital privacy measures to prevent unauthorized access to computers, databases and websites. Data security and privacy must be aligned to effectively implement consumer privacy protections.

An effective risk-based privacy and security framework should apply to all collection of personal data. This does not mean that all framework solutions are equal. The risks of collecting and processing the personal data must be weighed against the benefits of using the data. Transparency, choice and reasonable notice should always be a part of the way data is collected. The specific solutions of a framework may vary based on the risk and specific types of data. The key is to have in place a proactive evaluation (Privacy and Security by Design principles) to provide the most effective protection for the specific application and data use.

Examples Where Privacy Regulations Require or Enable Robust Data Security

Breach Notification Safe Harbor for Encrypted Data in U.S. State Privacy Laws

Data breach notification laws require organizations to notify affected persons or regulatory authorities when an unauthorized acquisition of personal data occurs as defined by the applicable law or regulation. Many U.S. state laws provide a “safe harbor” for data breach notice obligations if the data was encrypted. A safe harbor may be defined as a “provision of a statute or a regulation that reduces or eliminates a party’s liability under the law, on the condition that the party performed its actions in good faith or in compliance with defined standards.”

Security safe harbor provisions may be used to encourage entities and organizations to proactively protect sensitive or restricted data by employing good security practices. Encrypting data may protect the organization from costly public breach notifications. Encrypted data may be excluded from breach requirements, or unauthorized access to encrypted data may not be considered a “breach” as defined in the statute. To be protected by an encryption “safe harbor” exemption, the breached organization must encrypt data in compliance with the state statute. The state-specific statutes may also require control of the encryption keys to claim safe harbor.

GDPR Security Requirements

The General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA) in 2018, further enhancing the privacy rights of residents of the EEA. In addition to allowing EEA residents access to personal data collected about them, the GDPR requires companies interacting with this data to perform risk analyses to determine how to secure the data appropriately. The GDPR lays out basic security requirements in Article 32, “Security of processing,” which requires entities to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”

Controllers of personal data must also have appropriate technical and organizational measures to satisfy the GDPR. Business processes that handle personal data must be designed and implemented to meet the GDPR security principles and to provide adequate safeguards to protect personal data.

Implementing a robust security framework to meet the GDPR requirements means the organization should proactively evaluate its data security policies, business practices and security technologies, and the organization must develop security strategies that adequately protect personal data.

Next Steps:

Federal policymakers need to pass uniform privacy legislation into law. A key part of this effort must include sufficiently strong cybersecurity provisions, which are imperative to protecting data, as evidenced by GDPR and thoughtful state breach notification laws. Instead of relying on hard regulations to incent organizations to implement strong security, policymakers should include a liability incentive – a rebuttable presumption or a safe harbor – in privacy legislation. Such an approach, ideally aligned to NIST’s flexible Cybersecurity Framework, would enable policymakers to promote the adoption of strong security measures without resorting to a “check the box” compliance model that has the potential to burden customers and discourage innovation in cybersecurity markets.

Federal, State Cyber Resiliency Requires Action
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/federal-state-cyber-resiliency-requires-action/
Tue, 16 Apr 2019 15:00:42 +0000

It is no shock that our state and local infrastructures are some of the most sought-after targets for foreign and malicious cyber attackers, but the real surprise lies in the lack of preventive measures that are able to curb them. Major attention has been drawn to the critical gaps that exist as a result of an ever-expanding attack surface, making old system architectures an increasing liability.

Recently, the city of Albany, New York became a victim of a ruthless ransomware attack, which created a series of municipal service interruptions. Residents weren’t able to use the city’s services to obtain birth certificates, death certificates or marriage licenses, and the police department’s networks were rendered inoperable for an entire day. This resulted in an enormous disruption of the city’s functionality and made clear that the threat to infrastructure is more real than ever. Bolstering state and local digital defenses should be of the utmost priority, especially as we near the 2020 presidential elections when further attacks on election infrastructure are expected. We must take the necessary precautions to mitigate cyberattack risk.

The reintroduction of the State Cyber Resiliency Act by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX), does just that. The legislation demonstrates a critical bipartisan effort to ensure that state, local and tribal governments have a robust capacity to strengthen their defenses against cybersecurity threats and vulnerabilities through the Department of Homeland Security (DHS). States have made clear that they suffer from inadequate resources to deal not only with increasingly sophisticated attacks but also with the most basic attacks, which require proper safeguards and baseline protection. This bill works to strategically address the challenges posed by a lack of resources to deal with emerging threats.

The possibility of cyber warfare must not be taken lightly and has long gone ignored. This bill shows that the status quo of kicking the can further down the road will no longer stand as a “strategy” in today’s political and cybersecurity landscape. Action is necessary to better protect our national security and the systems upon which every sector of our economy relies, from utilities to banking to emergency first responders to hospital networks to election infrastructure. It is our responsibility to create and support the safeguards against bad actors looking for gaps in our infrastructure.

The bill makes states eligible for grants to implement comprehensive, flexible cybersecurity plans that address continuous vulnerability monitoring, protection for critical infrastructure systems and a resilient cybersecurity workforce. States would also be able to repurpose funds to various local and tribal governments. In addition, the bill would implement a 15-person committee to review the proposed plans and track the spending of state and local governments. This committee would help states and localities formulate and deliver annual reports to Congress that detail the program’s progress. The specific funding was not disclosed, but this effort showcases the timeliness of the issue and why it is such an imperative step at this stage in time.

We must take basic steps to ensure the security of our state and local systems, and enable systems to be patched, maintained and protected from outside threats. This bill is a welcome and needed effort by lawmakers to address the existing challenges that state and local governments and infrastructures are dealing with every day. As adversaries become increasingly sophisticated and targeted in their attack strategies, we have a responsibility to best equip states and localities with the necessary tools to close and mitigate gaps.

We at McAfee are committed to partnering with federal, state and local governments to equip them with the best strategies to create a better and more secure cybersecurity future.

Step Up on Emerging Technology, or Risk Falling Behind
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/step-up-on-emerging-technology-or-risk-falling-behind/
Fri, 18 Jan 2019 22:00:30 +0000

Earlier last year, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) put out a call for public comment on criteria for identifying emerging technologies that could potentially be subject to future export control regulations. The tech industry responded in full force, providing recommendations for how the federal government can ensure U.S. competitiveness in the global market while supporting the development of emerging technology (read comments submitted by McAfee here).

Emerging technology poses an interesting challenge for tech companies and federal regulators alike. In many cases, technologies that BIS designates as “emerging,” such as AI and machine learning, are already in widespread use around the world. Other technologies like quantum computing are very much in the research and development phase but have the potential to alter the course of national security for decades to come. Many of these technologies are difficult to define and control, and many are software-based, which greatly complicates the development of regulation. Software technologies, by their very nature, are fundamentally different from physical items and physical process technologies. Their intangible, readily-reproducible character makes software-based technologies inherently difficult to define and control.

This task is enormous and must be handled cautiously, as history has provided countless examples of how overregulation has the capability to hamper development. A poignant example of overregulation at the cost of progress is the automobile industry. According to Deloitte, although tough restrictions on automobiles were nothing but well-intentioned in the late 1800s, regulation greatly hampered research and advancement. The early days of the automobile industry should serve as a cautionary tale when it comes to regulating new and innovative technology.

The U.S. is in a unique position to act to protect our technological interest and secure the nation’s position as a global leader. The U.S. secured a pivotal tech leadership role, having spearheaded the development of the internet in the early 1990s. The nation has immense power and potential to take the mantle on emerging technology, and the stakes are high. Some of the country’s greatest accomplishments have stemmed from empowering the private sector and encouraging innovation. For example, tremendous strides in private sector space exploration have been made possible due to the support and administration of empowering legislation. Companies like SpaceX and Boeing are creating next generation space technology, working each day to ensure that the U.S. maintains competitiveness.

Cybersecurity is another area that requires particular attention. Given the global availability of cybersecurity tools, many of which make use of the emerging technologies under review, McAfee understands that great care needs to be taken by our government before imposing additional export controls on American cyber companies. These rules can have the unintended and harmful consequence of stunting the growth and technical capabilities of the very companies that currently protect vital U.S. critical infrastructure, including federal and state government infrastructure, from cyber-attacks. As a leading nation, it is critical to stay ahead of threats by criminal actors. This is only possible if cyber companies have the ability to access global markets to fund the research and development needed to keep pace with rapid innovation. Controls should be implemented with a great understanding of the need to stay competitive in global innovation, particularly when it comes to cybersecurity.

Overregulation could cause great harm, and the U.S. government must tread carefully in administering a carefully crafted, targeted approach. Rather than burdening U.S. software companies with new and substantial export control compliance costs, the U.S. should seek to empower these companies. Any controls deemed essential by the government should be as narrowly tailored as possible, especially given the broad range of current and future companies and technologies. A multilateral approach to export controls on emerging technologies is vital for U.S. companies to remain innovative and competitive in the global marketplace. This cautious approach would ensure alignment between the private and public sectors, ultimately allowing for emerging technology to be front and center. Providing an ecosystem in which the technology of tomorrow can flourish is essential to the U.S. continuing to blaze the trail on emerging technologies.

New DHS Agency Will Provide Needed Emphasis on Cybersecurity
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/new-dhs-agency-will-provide-needed-emphasis-on-cybersecurity/
Mon, 03 Dec 2018 14:00:54 +0000

Cybersecurity is playing an increasingly greater role in our government and economy. As our world becomes more interconnected, the cyberthreat landscape is growing and rapidly evolving. To address both physical threats and cyberthreats, the leading federal agency must have the flexibility and resources to quickly mitigate any potential interruptions or harm.

Last week, a critical step was taken in how the Department of Homeland Security (DHS) manages cybersecurity. The long-awaited Cybersecurity and Infrastructure Security Agency (CISA) Act was signed into law by the president, reorganizing the former National Protection and Programs Directorate (NPPD) into CISA. The permanent establishment of a stand-alone federal agency equipped to deal with cyberthreats is long overdue and welcome among the cybersecurity community.

CISA will be its own department within DHS, similar to the Transportation Security Administration (TSA), and will be led by cybersecurity expert and NPPD Under Secretary Christopher C. Krebs, who has had a distinguished career in both the public and private sectors. Establishing CISA as a stand-alone agency within DHS elevates both the mission and the importance of cybersecurity in the federal government, and solidifies the position of cybersecurity in our economy.

This is a smart decision on the part of Congress and the White House. It will help the newly created agency outline its priorities, advocate for a separate budget, and further develop recruitment efforts. CISA’s leaders will have the ability to continue to drive a culture of cybersecurity within our federal agencies and workforce while enhancing their capabilities to partner with the private sector to address our nation’s most critical cybersecurity threats.

McAfee looks forward to continuing to work with Christopher C. Krebs and his able team, led by CISA Assistant Director for Cybersecurity Jeanette Manfra.

 

Securing the Social Security Number to Protect U.S. Citizens
https://securingtomorrow.mcafee.com/business/modernizing-the-social-security-number/
Wed, 10 Oct 2018 13:01:19 +0000

With cyber criminals having more flexibility in funding and operations than ever before, U.S. citizens are vulnerable not only to breaches of security but also of privacy. In the United States, no article of personal information is meant to be more private or secure than the Social Security Number (SSN). This is for good reason. The SSN has become a common identifier in the U.S. and is now integrated into many identification processes across different institutions.

The SSN is also the gateway to all sorts of other personal information – health records, financial positions, employment records, and a host of other purposes for which the SSN was never designed but has come to fulfill. What do all these pieces of information have in common? They are meant to be private.

Unfortunately, the unforeseen overreliance on the SSN as an identifier has left citizens’ identities vulnerable. The reality is that the SSN can easily be stolen and misused. It is a low-risk, high-reward target for cybercriminals that is used for fraudulent activities and also sold in bulk on the cybercrime black market. This has resulted in major privacy and security vulnerabilities for Americans, with some estimates saying that between 60 percent and 80 percent of all SSNs have been stolen. For example, the Equifax and OPM breaches probably exposed millions of SSNs.

This is not a new problem.

Twenty-five years ago, computer scientists voiced concerns about sharing a single piece of permanent information as a means of proving a person’s identity. The issue has only recently gained national attention due to major breaches where cyber criminals were able to access millions of consumers’ personal online information. So, why hasn’t there been any significant measure put in place to safeguard digital identities?

A major reason for a lack of action on this issue has been a lack of incentives or forcing functions to change the way identity transactions work. But it’s time for policymakers to modernize the systems and methods that identify citizens and enable citizens to prove their identity with minimal risk of impersonation and without overtly compromising privacy.

The good news is that the U.S. has the technology pieces to put in place a high-quality, high-security identity solution for U.S. citizens.

There are reasonable and near-term steps we can take to modernize and protect the Social Security Number to create better privacy and security in identification practices. McAfee and The Center for Strategic and International Studies (CSIS) recently released a study on Modernizing the Social Security Number with the aim of turning the Social Security Number into a secure and private foundation for digital credentials. The report’s ultimate recommendation is to replace the traditional paper Social Security card with a smart card: a plastic card with an embedded chip, like the credit cards that most people now carry. Having a smart card rather than a paper-issued SSN would make the SSN less vulnerable to misuse.

A smart card is a viable solution that already has the infrastructure in place to support it. However, there are other potential solutions that must not be overlooked, such as biometrics. Biometrics measure personal features such as voice, fingerprint, iris and hand motions. Integrating biometrics into a system that relies on two-factor authentication would provide a security and privacy threshold that would make it very difficult for cybercriminals to replicate.

What is most critical, however, is that action is taken. This is an issue that deserves immediate attention and action. Every day this matter remains unresolved is another day cyber criminals continue their efforts to compromise consumer data in order to impersonate those whose data has been breached.

With the Social Security Number serving as the ultimate identifier, isn’t it time that we modernize it to address today’s evolving privacy vulnerabilities? Modernizing the SSN will help with authentication, will provide more security, and will help safeguard individual privacy. Modernizing the SSN must be a high priority for our policymakers.

Insider Threats Deserve Attention, Solutions in Government: Report
https://securingtomorrow.mcafee.com/business/insider-threats-deserve-attention-solutions-government-report/
Thu, 25 Jun 2015 17:48:48 +0000

As insider threats persist as a critical issue for government agencies, security leaders like McAfee have responded by prioritizing solutions that can mitigate insider threats in their pipeline. Government agencies have begun implementing policy changes that can help reduce the risk of an insider threat that can lead to critical data loss. Still, as a recent report shows, there’s work to be done.

The report, which was released by GAO this month, finds that even DoD, which has an overall superior security posture to some of the other agencies, still needs to do more to protect itself against insider threats. The report finds that while some DoD divisions have implemented effective training for insider threat risks, other areas have not. Furthermore, the report found that no agency-wide solution to unauthorized data disclosures yet exists.

So what can agencies like DoD do to close the gaps that remain? McAfee solutions like McAfee Data Loss Prevention (DLP), implemented in a DoD enterprise environment, may hold the key. DLP enforces per-user policy on access to sensitive data and allows IP protection and data encryption/decryption to be centrally managed from McAfee’s endpoint management solution, ePO. Combined with a Next-Generation Firewall that can identify and detect discrete data packets entering or exiting a network, DLP has the potential to completely shut out any insider threat, even in an organization as large as DoD.

Insider threat isn’t purely a technology or policy problem, and will require a solution with elements of both. We commend GAO for their comprehensive report on this very serious issue. But this report has also paved a way toward solutions that may help agencies reduce this critical threat someday soon. The report is a vital read for any technology or security practitioner in government.
