Category: Regulations

Part of the 1,724-page energy bill that President Bush signed last week calls for federal bureaucrats to create an “electric reliability organization” that would draft mandatory standards–including cybersecurity guidelines–for electric power system operations.

The Federal Energy Regulatory Commission, or FERC, would be tasked with setting standards to prevent system instability or failures that can be tied to a “sudden disturbance, including a cybersecurity incident.”

FERC may impose penalties for violations and has 180 days to begin the process of certifying the reliability organization.

The new regulations come about three months after a Government Accountability Office report cited “a general consensus–and increasing concern” among officials that systems controlling utility infrastructures face real threats of attack.

A visit from the Slammer worm, for instance, may have been in part to blame for failures at a nuclear power plant in 2003, the report said.

And in March, electric industry security consultants reported numerous intrusions into control systems.

No serious damage was done, they said, but the activity “heightened concerns” about future foul play.

One of the reasons why the control systems are so vulnerable is that they’re increasingly being connected to private networks that use the Internet, so that they can be managed remotely, the GAO report said.

The current computer system used by utilities and public transportation facilities was not designed with the Internet in mind, said Clarence Morey, senior manager for product strategy at Internet Security Systems, a company that counts public utilities among its clients.

“As companies connect these systems to the Net to allow remote access or drive efficiency, they’re opening themselves up to risk,” Morey said.

Morey said his company supported the new legislation, adding that a “three-legged stool” composed of technology, legislation and good policy is the way to fend off attacks.

Right now, no mandatory cybersecurity standards exist for power grid operators, but many of them adhere to voluntary ones set by the North American Electric Reliability Council, said council spokeswoman Ellen Vancko.

The council, which first adopted 24 pages of cybersecurity guidelines in 2003, is on its third draft of permanent, “more defined” standards, she said.

Vancko said she expects that FERC will certify the council as its official Electric Reliability Organization.

The U.S. Department of Energy has already designated the council as coordinator of infrastructure protection for the electric sector, and the council works closely with Homeland Security.

FERC did not return calls for comment on Tuesday.

“We pushed the legislation through, and we’re the only entity out there developing reliability standards,” Vancko said.

“So we’re really the only entity out there qualified to perform such a role.”

New law may tighten power plant security

It also helps protect consumers by giving them the information they need to head off possible identity theft when sensitive details such as Social Security, driver’s license and credit card numbers become exposed.

The Information Security Breach and Notification Act in New York is broadly similar to security breaches laws enacted in California more than two years ago.

Legislation requiring consumer notification of data security breaches has been approved in at least 15 states since then.

New York’s decision to go ahead with its legislation follows a series of high profile consumer data security breaches involving US firms including data mining firm ChoicePoint, payment processing firm CardSystems Solutions and others.

http://www.xatrix.org/article4032.html

The Wall Street Journal reported recently that security breaches exposing customer data have triggere
d lawsuits across the country. The Federal Trade Commission says 9 million Americans had their identities stolen last year, costing businesses and consumers $50 billion a year in fraudulent spending.

Last month, U.S. Rep. Artur Davis, D-Birmingham, co-sponsored the Consumer Data Security and Notification Act of 2005, along with Democratic Reps. The bill provides stronger consumer protections and enforcement against credit-card fraud and identity theft by expanding federal protections against improper collection and sale of sensitive consumer information. It also provides consumers with advance warning when their personal information is at risk. Davis was joined at a recent press conference at Birmingham Police headquarters by several attorneys general who outlined the challenges they face fighting ID theft. Among Davis’ supporters was Birmingham Police Chief Annetta Nunn, who said someone recently stole a credit card mailed to her home and ran up thousands of dollars in charges. “Congress needs to strengthen federal standards to provide more rigorous safeguards against the rising problem of identity theft,” Davis said.

Also in July, a Senate Commerce Committee unanimously approved a bill that would clamp down on how corporations handle consumers’ personal information. The Identity Theft Protection Act would require nonfinancial companies, such as data brokers, that handle sensitive personal information to ensure its security and confidentiality with safeguards specified by the Federal Trade Commission. If the security is breached and the company determines it creates a “reasonable risk” of identity theft, the company would have to notify affected consumers or face fines of up to $11,000 per consumer. Ted Stevens, R-Alaska, who chairs the commerce committee, said the full Senate will not vote on the Identity Theft Protection Act until he completes negotiations on a jurisdictional dispute with Senate Banking Committee Chairman Richard Shelby, R-Tuscaloosa.

The Alabama Republican has asserted jurisdiction over sections of the Senate Commerce bill that deal with the Fair Credit Reporting Act. The American Banker recently reported that Shelby is drafting a bill that sources speculate may bar financial services companies from using service providers that do not follow strict data security standards. Gardner said recent high-profile data security breaches have exposed the vulnerability at many U.S. companies. “Identity theft is a major problem and businesses must adjust to prevent it,” he said.

http://www.al.com/business/birminghamnews/index.ssf?/base/business/11243568066180.xml&coll=2

Norris also says only 10% of spam originates in New Zealand and the bill is aimed at reinforcing international law.

Internet New Zealand’s Executive Director Pete Macaulay says with around 80% of emails being spam, it is important to free up the internet. But he says the bill puts an unfair emphasis on Internet Service Providers for enforcement.

http://tvnz.co.nz/view/page/411419/600773

A similar bill was pitched in March but was defeated by the timetable for the general election.

The Labour MP for Glasgow South called for amendments to the Computer Misuse Act of 1990 in his Ten Minute Rule Bill a type of Private Member’s Bill that rarely becomes law, but serves to raise Parliamentary awareness of a need for legal reform. Tom Harris’s Computer Misuse Act 1990 (Amendment) Bill picks up on the key recommendations of an inquiry into the original Act by the All Party Parliamentary Internet Group, known as APIG, published in June 2004.

Like Mr Wyatt’s recent proposal, Mr Harris’s Bill amends section three of the Computer Misuse Act in order to explicitly criminalise all means of interference with a computer system, in particular creating a specific offence for denial of service (DoS) attacks. The Bill also increases the tariff for hacking offences (dealt with in section one of the Act) from six months to two years, and from five to ten years for further related offences.

“We welcome this Bill particularly as it reflects the work of the All Party Group over the last two years and especially my own Ten Minute Rule Bill from earlier this year. We hope that the Government adopts the measures proposed in the Bill as a matter of urgency, reflecting the significant threat that cybercrime poses to the UK.”

In his speech to the House of Commons, Harris highlighted the inconsistency between the severe financial consequences of hacking attacks that can cause losses of millions of pounds and the sentences currently possible to punish such attacks. He gave some examples of DoS attacks, including one that had been launched by one of his own constituents, a gun enthusiast, who bombarded a gun control website with so many emails that its server crashed. “This is an issue that up until now hasn’t been taken seriously enough. So much of the UK economy depends on the internet, and so many services are vulnerable if we allow these attackers to go unpunished. It’s time we faced up to this new threat.”

Wyatt’s bill ran out of Parliamentary time. It would otherwise have been read a second time. Nobody opposed Mr Harris’s bill and it is scheduled for a second reading on 2nd December 2005.

http://www.theregister.co.uk/2005/07/15/mp_pitches_denial_of_service_law_to_parliament/

Joe Barton, R-Texas, and John Dingell, D-Mich., the chairman and ranking minority member of the House Committee on Energy and Commerce, respectively, floated a draft bill requiring businesses engaged in interstate commerce to encrypt sensitive personal data.

The IT industry, however, has become increasingly vocal on the need for Congress to act. “The public has been crying out for help, and businesses have not responded,” said Mike Gibbons, vice president of Federal Security Services for Unisys Corp., based in Philadelphia. “I say the sky has already fallen; it’s just a matter of when a piece is going to hit you.”

Definitions are a thorny issue in identity-theft legislation. Many details will likely be left to regulators, who will have to show nuanced technological understanding. For example, a blanket mandate to encrypt sensitive data is not practical, but mandated encryption for data traveling over the Internet or backed up on tapes might make sense, industry experts say.

The Barton-Dingell draft bill would require companies holding sensitive data to hire an information security officer, and the bill sets up a national breach notification requirement, pre-empting state laws.

If a breach could result in identity theft, the compromised company must provide a free credit report and a one-year subscription to a credit-monitoring service to potential victims.

“I intend to support tough legislation mandating enhanced security practices and swift and strong punishment for those who violate the law and harm consumers,” Dingell said.

The latest proposal in the Senate focuses more on penalties than on technology mandates. It sets fines for failing to provide adequate security and strengthens criminal penalties for hackers and identity thieves, as well as anyone attempting to cover up a security breach. Companies that have personal data on more than 10,000 Americans would need to have privacy and security programs and screen third-party data processors.

The Barton-Dingell proposal will be aired at a hearing that the House Subcommittee on Commerce, Trade and Consumer Protection plans to hold in the near future.

http://www.eweek.com/article2/0,1759,1835281,00.asp?kc=EWRSS03119TX1K0000594