The Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) raised a few eyebrows in late November when it sent a warning out to U.S. banks and financial institutions about a possible cyber attack by Islamic militants.
The alert, dated Nov. 30, was triggered by a posting on what the DHS considered an Islamic jihadi Web site calling for hackers to attack U.S. financial and banking Web sites, apparently to protest the detention of Muslims at Guantanamo Bay, Cuba. However, the warning was heavily qualified, with DHS calling the threat more aspirational than operational. Financial firms downplayed the danger, too. One security executive at a major brokerage told InfoWorld that the warning was a non-event.
But could repeated warnings about such non-events eventually make critical infrastructure owners deaf to DHS's warnings? InfoWorld Senior Editor Paul F. Roberts recently chatted with John Carlson, senior director of security and risk assessment at BITS, a financial-services industry consortium focused on security, fraud, and risk management, about the DHS warning and state of the public-private partnership on cybersecurity.
InfoWorld: I'm guessing that your members received the US-CERT warning about the cyber terrorist attack?
John Carlson: There were two messages sent: the first was [Nov. 30]; then a second revision came out [Dec. 1]. The gist of it was that these reports were not corroborated.
IW: What was the reaction of BITS members to the warning?
JC: Our members have an all hazards approach to business-continuity planning. They've got well-developed approaches that have been bolstered since 9/11. In response to new regulatory requirements, firms have done a lot to improve backup, they've done tests with the various exchanges. They're also working in closer harmony with the federal government to share information on threats and vulnerabilities. I think there's a spirit of appreciation that the government is willing to share information with the financial services industry. The firms take that information into account in responding and activating their business continuity plans.
IW: How do your members apply information like this that comes from DHS?
JC: I'm not sure I can give a blanket answer. Each firm has its own mechanisms for gathering information. Risk-management professionals at these firms read the paper and understand the military conflicts and they're mindful of that. They take it into account when they have employees traveling. They'll monitor where they are. With the [bird flu] pandemic issue, firms were monitoring that closely and trying to figure out what impact it would have on their organizations.
IW: Is there a danger from these warnings of creating a Boy Who Cried Wolf situation, where firms begin to disregard the warnings?
JC: There's always a concern about the crying-wolf syndrome. But our firms appreciate getting the information even if it's not corroborated. A continuous flow of information helps build trust between the private and public sectors.
IW: Was this warning about the jihadist threat something that your members see all the time, or was this an unusual kind of warning from DHS?
JC: I think the warning came across the transom at a high level [saying] pay attention to this. So it was different from what we normally get. We're getting a steady stream of information on threats and vulnerabilities and a range of things. For example, if there's a known virus that's being perpetrated in [the United States] or against a financial institution. We're also getting information on political changes around the world.
IW: Do you think DHS has its arms around the cybersecurity problem?
JC: My personal opinion is that the government has some capabilities, but not all capabilities. In general, our firms would like more information, but there are many reasons why if (the government) has the information they don't provide it. But it's a touchy question. People have lots of different views.
IW: Do you feel like your members are getting all the information they need?
JC: There's some filtering, but I don't have information to compare or validate what the filter is. We talk about issues through coordinating councils that meet quarterly. It's a two-way conversation.
The Electronic Frontier Foundation (EFF) has filed a lawsuit against the U.S. Department of Homeland Security, demanding the agency turn over information about an "invasive" data-mining system used to assess the terrorist threat posed by U.S. travelers.
The EFF, an advocacy group focused on privacy and civil liberties, asked the U.S. District Court for the District of Columbia for the expedited release of records related to the DHS Automated Targeting System, or ATS, a program DHS unveiled in a November privacy notice in the Federal Register. The EFF filed Freedom of Information Act requests for information on the program on Nov. 7 and Dec. 6.
ATS creates and assigns "risk assessments" to virtually all travelers as they enter and exit the U.S. by air or other means, according to the DHS filing.
The DHS filing on the program raised objections from privacy advocates, who said ATS could violate federal privacy law and civil rights. ATS might also violate a federal law prohibiting DHS from developing algorithms assigning risks to passengers not on government watch lists, the EFF said.
The program, as described, would track tens of millions of travelers, including U.S. citizens, the EFF said. "Individuals have no right to access information about themselves contained in the system, nor request correction of information that is inaccurate, irrelevant, untimely or incomplete," EFF lawyers David Sobel and Marcia Hofmann wrote in their complaint, filed Tuesday in the district court.
The U.S. government will retain the risk assessment information for 40 years, according to DHS records. The information will be made available to "untold" numbers of federal, state, local and foreign agencies, the EFF said in a press release.
"You don't know what information that assessment comes from," Hofmann said. "You don't know how that information will be used against you."
The ATS program for cargo coming into the U.S. has been in place since the early 1990s, and its passenger screening capabilities since the mid-90s, said DHS spokesman Jarrod Agen. DHS, which was created in March 2003, published the Federal Register notice about the program now after reviewing ATS and finding it had not yet been disclosed to the public, Agen said. The notice was "an effort to be transparent," Agen said.
Agen declined to comment on the EFF lawsuit, but defended ATS. It's used to identify potential terrorists and terrorist weapons entering the U.S., he said. DHS is "expected to protect this country" from those threats, he added. "Without [ATS], we'd be virtually blind."
The EFF wants to see DHS records that discuss possible redress for people who dispute the ATS assessments, records showing the number of arrests resulting from an ATS screening and records of complaints from people about the assessments.
The EFF also wants to know if DHS has looked at the error rates in the government and private databases used in ATS, whether DHS has set up an oversight board to monitor the use of ATS and whether DHS has implemented security measures to protect the system against hackers.
"DHS needs to provide answers, and provide them quickly, to the millions of law-abiding citizens who are worried about this risk assessment score that will follow them throughout their lives," the EFF's Sobel said in a statement.
