• Woman holding a digital tablet and a credit card in seasonal attire on a shag rug with milk and Christmas cookies.

    Picks of the Week: Protect Yourself from a Digital Grinch During the Holiday Season!

    Don’t Get Grinched by Cybercrime During the Holiday Season | The New York Times

    Retailers Scrambling Against Latest Credit Card-Stealing Malware | Fortune

    Avoid Scams This Holiday Season | U.S. Immigration and Customs Enforcement

    With exactly two weeks left in the holiday season, online sales—which, according to comScore, surpassed $3 billion on Cyber Monday, making it the largest online spending day in history—are expected to bring in at least $1 billion a day for online retailers from now until the holidays are over.

    But as millions of consumers flock to the Internet as their preferred, convenient “one-stop-shop” for all gift-buying needs, hackers and cyber criminals are not too far behind, as they aim to take advantage of the holiday rush by preying on the naiveté of shoppers looking to score a holiday deal. As a result, consumers should be prepared for an even higher risk of online fraud across all channels than in past years. In fact, one in 86 transactions may be fraudulent, according to new data from ACI Worldwide, and hackers are also targeting retailers with a new wave of malware intended to steal credit card and debit card information directly from payment terminals at the stores.

    The recent push by banks to implement security chip-enabled credit cards and by merchants to install chip-reading terminals in stores may prevent hackers from creating counterfeit credit cards, but they are no defense against fraudulent “card not present” transactions, such as those that occur online.

    While security experts are still working to find possible solutions against the latest malware and scam techniques, here are some tips on how to protect yourself from online Grinches this holiday season:

    • Buy only from reputable merchants and websites, and be wary of emails and pop-up messages asking for your password, credit card number, or personal information—No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look at the specific email address and domain name of the sites first to make sure it’s really from the retailer and not a close derivative, and then contact the legitimate organization directly to verify the request.
    • Use strong passwords and use a different one for each online account—Create long, complex passwords using upper and lower-case letters, special characters and numbers. A password with at least 10 characters is generally recommended. Various password management programs (1Password, KeePass, or LastPass) exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
    • Be skeptical of deals that sound too good to be true—Do not fall for rock bottom bargains unless you make certain they are legitimate by contacting the merchant and asking questions before making a purchase. If a deal seems too good to be true, it probably is.
    • Do not send cash or wire money for payment—Pay with a credit card or, even better, gift/charge card. The best option is to keep a separate credit card for online purchases.
    • Check your credit card activity daily and keep an eye out for “microcharges”—Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. If you notice any unauthorized charges, immediately contact your bank.
    • Be alert for potential charity donation scams—Think before clicking on emails requesting donations. Make a contribution by navigating to the trusted web address of the charity, never through a link in an email.
    • Secure your computer and mobile devices—Keep your anti-virus and anti-spyware software up to date, along with your firewall. They will help monitor all online activities and protect your computer from viruses, worms, Trojan horses, and other types of malicious programs.
    • Don’t use public Wi-Fi for personal banking or online shopping—Personal information should never be sent through unsecured wireless connections in public places. Get you Starbucks Peppermint Mocha and don’t stay for the free Internet!
    • Use your smartphone wisely—Mobile devices offer convenient consumer resources but may also provide cyber criminals with your personal and account information.

    Follow Francesca on Twitter @Francesca_cyber.

  • Senior Fellow contributes to international publication on countries’ Cyber Readiness

    Pell Center Senior Fellow Francesca Spidalieri provided extensive research and analysis for a new international publication on countries’ cyber readiness levels and the practical steps national leaders can take to protect their increasingly interconnected society and digital economy.

    Newport, R.I. – The “Cyber Readiness Index 2.0, A Plan for Cyber Readiness: A Baseline and an Index,” published by the Potomac Institute for Policy Studies (PIPS), examines 125 countries and evaluates their maturity and commitment to securing their cyber infrastructure and services. The methodology includes over 70 unique data indicators across seven essential elements: national strategy, incident response, e-crime and law enforcement, information sharing, investments in research and development, diplomacy and trade, and defense and crisis response. By applying this actionable blueprint, countries can better understand their Internet-infrastructure dependencies and vulnerabilities and assess their preparedness to cyber risks.wld

    Dozens of country examples are used to illustrate innovative and multicultural solutions towards becoming cyber ready. As lead author Melissa Hathaway stated, “the Cyber Readiness Index 1.0 was launched in Australia two years ago and has influenced many countries around the world. We hope the CRI 2.0 has even broader impact.”

    Today, most nations recognize what fast, reliable, and affordable communication systems and Internet-facing services can yield for their economic growth. But few of them consider the exposure and costs of less resilient critical services, theft of corporate proprietary data and state secrets, and the impact of e-fraud and e-crime—all of which lead to economic and national security instability. Put simply, a country’s cyber insecurity is a tax on growth; and resilient, connected societies must drive modernization with security at its core.

    Cyber Readiness Index 2.0 Cover Image“Instead of simply studying the problem,” said Pell Center Senior Fellow Francesca Spidalieri, “the CRI represents a new way of approaching the interconnected nature of information communication technologies and offers a framework that we hope will spark international discussion and inspire global interest in addressing the economic erosion from cyber insecurity.” Indeed, the CRI methodology identifies areas where national leaders can improve their country’s current cyber security posture by leveraging laws, policies, standards, and market levers (e.g. incentives and regulations), and implementing other initiatives to preserve the security of their connectivity and protect the value of their economy.

    In addition, Spidalieri applied a modified version of the CRI 1.0 methodology in her most recent study on the “State of the States on Cybersecurity” to assess current levels of cyber readiness across states in the United States. The study, published by the Pell Center, highlights effective mechanisms and innovative solutions that state governments and their leaders can adopt to better protect critical infrastructure, enhance cyber incident response, promote information sharing, grow their cybersecurity industry, and attract qualified talent to their states. The full report is available for download here.

  • Picks of the Week: How Paris Attacks Will Change Cybersecurity

    What the Paris Attacks Means for the Future of Cybersecurity | Fortune

    Poisoning the Internet won’t Stop more Paris Attacks | The Christian Science Monitor

    After Paris, Encryption will be a Key Issue in the 2016 Race | Wired

    The recent terrorist attacks in France, Egypt, and Lebanon have rapidly reopened the global debate on the appropriate balance between national security and our privacy online. While many of us believe our right to privacy extends to the Internet, others have used the unspeakable violence of recent weeks to advocate for backdoors into secure communications and increased online surveillance. As Jason Healey recently wrote, “the Islamic State’s brutality in France may tilt the pendulum toward security [in this debate,]. But even he acknowledges that “whether tamping down on the Internet will keep anyone safer is unknown, but it will certainly diminish the Web as an engine of global innovation.”

    The events in Paris have thrusted these issues onto the front pages of newspapers worldwide because, in the wake of the attacks, many of us have asked the same question: how could ISIS execute such a complex attack while evading detection from intelligence services? The answer so far appears to be that the perpetrators employed some type of encryption in their digital communications. Experts have hypothesized at least three different possibilities: either the attackers used powerful over-the-counter encryption to communicate and coordinate the attacks; or they collaborated on the dark web; or they just stopped using technology for coordination once they reached a certain level of operational readiness.

    Today, virtually anyone—terrorists, criminals, state actors, non-state actors, etc.—can employ advanced encryption techniques in addition to other software and services to slip through security and surveillance.”

    In the aftermath of the Paris attacks, US officials are rehashing their argument that would-be terrorists have “gone dark” after the Edward Snowden revelations, making the case that Snowden’s actions tipped-off potential criminals as to how the US conducts surveillance online, enabling them to take counter-measures to avoid it.

    Technology companies, privacy advocates, computer security personnel, and encryption experts, however, oppose the idea of providing so-called “backdoor” access to encryption, which they argue would make Internet data more vulnerable and significantly weaken Internet security for everybody. “Hacking of personal information and web sites,” they argue, “seem like the more possible outcome rather than detection of terrorist activity.”

    Just last month, in fact, the White House overruled law enforcement’s request to push tech companies to create such backdoors. Indeed, the White House concluded that creating such backdoors would increase US citizens’ vulnerability to foreign government, cyber criminal, and terrorist intrusions.

    Time will tell whether the Paris attacks will change the White House and other countries’ view on this sensitive debate, and whether cybersecurity will finally take center stage on the national security conversation going into the 2016 presidential race.  What is certain is that the battle over encryption and other privacy-related technologies won’t be over anytime soon and it will continue to reflect the larger public policy debates on the balance between national security and civil liberties. As we move in the next decade into a world where far more powerful computing capability will come on line, such as quantum computing, the ability for every person to encrypt their communications at levels that may not be able to be decrypted will only help sharpen that debate.  – Senior Fellow Francesca Spidalieri

  • Photograph of the front of the Capitol Building in Washington D.C.

    Picks of the Week: Senate’s Cybersecurity Bill is a Starting Point, not the Finish Line

    The Problems Experts and Privacy Advocates Have with the Senate’s Cybersecurity Bill | Forbes

    Senate Passes Cybersecurity Information Sharing Bill Despite Privacy Fear | The Washington Post

    Ex-NSA Chief Warns of Cyberspace Dangers | U.S. News and World Report


    Last week, the bipartisan and long-anticipated Cybersecurity Information Sharing Act (CISA)—a bill designed to bring together the departments of Defense, Justice, and Homeland Security in their efforts to combat cyber crime and to encourage the voluntary sharing of cyber threat information—passed in the Senate by a wide margin. The Act’s passage, however, was not without controversies.

    Proponents of the bill have called it a necessary tool in the fight against the constant cyber threats facing businesses and government alike, and have highlighted the need for greater collaboration between the public and private sectors following the mega data breaches of the past couple of years. Under the legislation, government agencies, corporations, and other organizations would be legally allowed to share information that could potentially help identify cybercriminals, mitigate the risks from cyber attacks, and help them take preemptive measures against those potential attacks and their perpetrators. Retired Army Gen. Keith Alexander, former chief of the NSA and U.S. Cyber Command, testified in favor of the measure before the Senate Armed Services Committee on Wednesday and praised lawmakers for passing the CISA bill, but also warned that more incentives will be needed to promote information sharing and to encourage companies to promptly alert government agencies of cyber intrusions. “In cyberspace, to go halfway around the world takes 67 milliseconds,” he said. “I believe that those that want to do us harm can do that in one swipe … if that happens, the cost to our nation could be measured in the trillions.”

    Opponents of the bill argue that it would impinge on civil liberties by effectively opening the door to the unchecked sharing of information between private companies and the government. Critics believe that the vague language in the bill could pave the way to short-circuit warrant requirements that government agencies must abide by when seeking certain domestic information.  There are major concerns regarding how cyber threat information will be shared, to what extent companies will be required to anonymize the information they share with other entities, and how that information will be managed and disseminated.

    Doubts and critics aside, most view the fact that the Senate passed a cybersecurity bill at all as a success in and of itself. Lawmakers have spent nearly a decade attempting to pass comprehensive cybersecurity legislation, so it is no surprise that the passage of this bill was hailed as a significant step in the right direction in the fight against hackers and cybercriminals. The problem, however, is that the legislative process never moves as fast as cyber-criminals. While this and other similar bills grew stale during seemingly-endless years of compromise and contention in Congress, hackers refined their criminal craft and developed more sophisticated methods of attack. As a result, CISA may not be as effective as hoped in the prevention of cybercrime and it may have not prevented some of the most damaging data breaches that have made headlines in recent months, such as the ones at OPM, Sony, and Target.

    That being said, although supporters of the information sharing bill assure the public that sufficient privacy protections are included in it, the bill still has many hurdles to pass before it can become the law of the land. It will have to be reconciled with the two similar bills passed by the House in April—the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act—and ultimately a combination of the three Acts will make its way to the White House for final authorization through the President’s signature.

    These developments notwithstanding, we must remember that sharing threat intelligence alone is not going to prevent or mitigate specific threats if that information is not properly and timely processed, operationalized, and ultimately incorporated into an overarching cybersecurity strategy and risk mitigation platform within any given organization. The road to that goal is a long one, and we have only just begun to pull away from the starting line. – Senior Fellow Francesca Spidalieri

  • Pell Center Releases “State of the States on Cybersecurity” Report

    Eight States Lead the Rest in Cybersecurity Readiness

    New Pell Center study establishes benchmarks for state government in meeting the cyber threat

    Newport, R.I. — Eight U.S. states are leading the rest in cybersecurity readiness.  In a new report from the Pell Center at Salve Regina University, Senior Fellow Francesca Spidalieri reviews the efforts of state governments in California, Maryland, Michigan, New Jersey, New York, Texas, Virginia, and Washington.  These states provide a collective overview of sound approaches to “protect infrastructure, information, and operations.”

    State of the States Report CoverThe study, “State of the States on Cybersecurity,” highlights effective mechanisms and creative solutions that state governments and their leaders have devised to take advantage of existing assets, to better protect critical infrastructure, to promote information sharing, to grow their cybersecurity industry, and to attract qualified talent to their states.

    States were chosen based on their recognition of cybersecurity as a priority and their strong commitment to increase their security and resilience against cyber threats. “These states are exercising their responsibility through both government action by leveraging policies, plans, laws, regulations, and standards, and by providing the right set of incentives and assistance for other stakeholders,” said Spidalieri.

    “With greater and greater frequency, state governments are falling victim to an array of cyber threats, including data breaches, tax fraud, and political hacktivism,” said Pell Center Executive Director Jim Ludes.  “This new study shines a light on the states that are leading the way in preparing for and mitigating these threats so that others can follow.”

    According to Spidalieri, “Local and state governments, just like the federal government, hold the information of millions of people and depend on information communication technologies and the Internet to provide a number of services to their citizens, to maintain critical infrastructure as public utilities, to share information across states and federal networks, and to make sure that first responders receive the data they need in crisis situations. This is why it is critical,” she continued, “that states protect their cyber infrastructure and digital investments and develop comprehensive plans to increase their preparedness and resilience.”

    It is important that cybersecurity measures are enforced at the state-level to protect citizens and reduce cyber risks. Maintaining the most recent security products, tools, and plans is just as important as educating users in the proper practices to reduce their cyber risks. The initiatives exemplified throughout this new report provide models for other states and jurisdictions to follow and offer a useful set of effective mechanisms and activities at the state-level to put recommended action into practice.

    “State of the States on Cybersecurity” is part of the ongoing Cyber Leadership Project at the Pell Center and follows previous reports that investigate critical issues in cybersecurity leadership development across the United States.

    The full report is available for download here.



  • Picks of the Week: Government Struggles with Cybersecurity Vulnerabilities

    How the Story of Hillary Clinton’s Emails Has Changed | The New York Times

    AP Exclusive: Under Clinton, State’s Cybersecurity Suffered | Associated Press

    Teen Who Hacked CIA Director’s Email Tells How He Did It | Wired

    While Hillary Clinton continues to face scrutiny for her email practices and the use of a private server during her tenure as Secretary of State, other government officials have recently had other problems with their email. This week, a hacker claimed to have broken into the personal email accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson. It remains unclear whether the officials were using their personal accounts to conduct government business or if they simply used them to occasionally store email and documents from work. Nonetheless, the hackers were able to access highly sensitive information, such as the SF-86 application Brennan had filled out to obtain his top-secret government security clearance, which is similar to the millions of SF86 applications that were obtained when hackers broke into the networks of the Office of Personnel Management (OPM).

    News of this latest breach came on the same day as the Associated Press reported that the State Department was assessed as being among the worst agencies in the federal government at protecting its computer networks. Although inspectors generals have expressed concerns about the cybersecurity posture of the State Department since 2009, these deficiencies point to a broader problem in the government’s handling of security issues and sensitive data that can be difficult to correct, according to experts and official reports. Indeed, another report released by the Government Accountability Office (GAO) back in September had identified “persistent weaknesses” in information security and the lack of strong cybersecurity measures in over 20 federal agencies.

    OPM, for instance, was harshly criticized over the summer after acknowledging that breaches of government databases exposed sensitive personal information of over 22 million people. Months later, we still get reports revealing the hack was worse than previously disclosed. Just a few weeks ago, OPM admitted that five times as many fingerprints were stolen as originally estimated!

    While the State Department may be a higher target for foreign intelligence services than other government agencies due to the sensitivity of the information exchanged, the latest breaches are indicative of government-wide security problems that need to be addressed. The Department of State’s inspector general, in fact, identified many of the same basic cybersecurity shortcomings found in other agencies, and there is really no oversight to make sure individual agencies follow even basic compliance.

    Policymakers and other government leaders will continue to struggle to be taken seriously in this space as long as their own defenses remain so bad and the agencies they lead or work for do not improve their cyber deficiencies and implement effective risk management programs. As I have argued before, our leaders have a responsibility to master and develop good cyber policy and secure the country’s most valuable, sensitive information. This means that politicians and public officials at the highest levels need to have a basic understanding of cybersecurity, and—critically—that we can’t let important cybersecurity lessons be lost in a political turf war. Unfortunately, few of them have actually taken the time to educate themselves about the most pressing cyber threats and the basics of cybersecurity, and even fewer are taking proactive steps to make cybersecurity a priority.

    During the first Democratic debate, for example, candidate Jim Webb was the only one to mention cybersecurity as one of the major threats facing the U.S. right now, and former Florida Governor and Republican candidate Jeb Bush is the only one to have articulated some kind of plan on his website for dealing with it so far. All presidential candidates, however, should be more articulate and proactive on cybersecurity issues, just like they are on issues from debt to foreign policy to immigration. The future president, regardless of the party, will have to make cybersecurity (e.g. resiliency, privacy, and security) a priority for their administration and think of this issue in terms of both national security and economic stability. – Francesca Spidalieri

  • The Pell Center declares its Cyber Awareness for National Cyber Security Awareness Month

    Picks of the Week: Cybersecurity Awareness Month at the Pell Center

    National Cyber Security Awareness Month Kicks Off In Nation’s Capital | PR Newswire

    Presidential Proclamation – National Cybersecurity Awareness Month, 2015 | The White House

    Rhode Island Cybersecurity Commission Report Delivers Plan to Enhance Cybersecurity Efforts Statewide and Nationally | Rhode Island Office of the Governor

    October marks National Cyber Security Awareness Month, in which citizens and businesses alike are encouraged to learn more about online safety and information security with the goal of raising awareness about cybersecurity and increasing the nation’s resilience in the event of a cyber incident.

    Recognizing the importance of cybersecurity issues, President Obama designated October as National Cyber Security Awareness Month in 2004, and this year kicked things off with a presidential proclamation that highlighted his executive order to promote information sharing between government and industry, as well as the implementation of the National Cybersecurity Framework. “We now live in an era of the Internet—our children will never know a world without it,” Obama’s proclamation reads. “Our financial systems, our power grid, and our health systems run on it, and though widely helpful, this reliance reminds us of our need to remain aware, alert, and attentive on this new frontier. By working together to prevent and disrupt threats to our digital infrastructure, America can continue pioneering new discoveries and expanding the boundaries of humanity’s reach.”

    National Cyber Security Awareness Month is a coordinated effort of the National Cyber Security Alliance (NCSA), the U.S. Department of Homeland Security (DHS), the Multi-State Information Sharing and Analysis Center (MSISAC), as well as companies, schools, and nonprofit organizations around the country.

    To assist with this national effort, the Pell Center is posting cybersecurity tips daily on social media throughout the month, and is hosting multiple cybersecurity-related events, including a panel discussion on “Cybersecurity, the Internet, and the U.S. Presidential Race,” and a Cyber Resilience Workshop. The Pell Center will also host the second Summit of the Rhode Island Cybersecurity Commission, which was created by RI Governor Gina Raimondo in May 2015 to assess the state’s cybersecurity infrastructure and recommend ways to enhance the resiliency of government operations within all executive branch agencies and to promote the growth of a cybersecurity industry and workforce in Rhode Island. In addition, the Pell Center has provided extensive research and insights for the first RI Cybersecurity Commission’s report—released yesterday—which includes detailed recommendations to enhance the cybersecurity posture of the state and start developing a strong cyber ecosystem in Rhode Island. In addition, later this month the Pell Center will publish a more detailed study of the current level of ‘cyber readiness’ for states across the nation.

    Although the theme of this second week of National Cyber Security Awareness Month is “Creating a Culture of Cybersecurity at Work,” the reality is that no individual, business, or government entity is immune to cyber risks and none of them is solely responsible for securing their own Internet connectivity and digital assets. All of us have a role to play in securing our part of cyberspace and the information we create, store, and process through the devices and networks we use. Cybersecurity is a shared responsibility—we are, as they say, in this together. Individual actions have a collective impact, and when we use the Internet safely we make it more secure for everyone. If each of us does our part by implementing stronger security practices and adopting better cyber hygiene, we can collectively become a more resilient and safer digital society. – Francesca Spidalieri, Senior Fellow for Cyber Leadership

  • Picks of the Week: As One World Leader Leaves the Nation’s Capital, Another Arrives

    Same (Red) Carpet, Different Climate

    Conflict Flavors Obama’s Meeting With Chinese Leader | New York Times

    Full Transcript: Interview With Chinese President Xi Jinping | The Wall Street Journal

    A President and A Pope Head to Washington | The Washington Post

    Two prominent world leaders—Pope Francis and Chinese President Xi Jinping—are in Washington DC on official state visits this week, and although both leaders will be afforded red-carpet treatment they come with different agendas and will find DC host to different climates. The stark contrast between the Pope’s visit and President Xi’s visit has been palpable in recent days and is testing Washington’s diplomatic, political, and organizational abilities.  While the Pope has been welcomed by ceremonial displays of respect and cooperation by state officials, and has drawn hundreds of thousands of people to his events, President Xi will have state ceremonies and meetings with business leaders (largely behind closed doors), but has also already been confronted by a series of demonstrations of human rights activists protesting against China’s repression of online expression and other human rights abuses.

    President Xi leads an economic superpower that U.S. officials believe is responsible for widespread theft of government and corporate secrets, from nuclear power plant designs to search engine source codes to confidential negotiating positions of energy companies to the massive breach of the Office of Personnel Management’s computers. Indeed, his visit comes as the U.S. is wrangling over whether to impose economic sanctions against Chinese companies and individuals who have benefited from the thefts of U.S. intellectual property and trade secrets. Tensions between the two countries extend to a range of other issues as well, including maritime skirmishes in the South China Sea and China’s efforts to devalue its currency in the face of the recent stock market plunge.

    China has consistently denied accusations of cyberspying, but the dispute with China highlights the different climates that are preceding—and characterizing—the visits of Pope Francis and President Xi. In an interview with The Wall Street Journal, President Xi said that “China takes cybersecurity very seriously,” and that his government “does not engage in theft of commercial secrets in any form,” and that China doesn’t encourage it from Chinese companies.

    Sanctions are unlikely to be imposed while President Xi is visiting the U.S., and it is even expected that President Xi and President Obama may announce an agreement on principles governing the use of cyber attacks against critical infrastructure, embracing a commitment by each country that it will not be the first to use cyber weapons to cripple the other’s critical infrastructure during peacetime. President Xi has declared that China is ready to collaborate with the U.S. and the international community “to build a peaceful, secure, open and cooperative cyberspace on the basis of the principles of mutual respect and mutual trust,” but it remains to be seen whether President Obama will confront President Xi directly over the contentious issues, in an attempt to push parties to draw some lines around their behavior, or whether President Obama will celebrate an unexpected partnership on issues like climate change and Iran, choosing instead to handle the frictions over cyber espionage, maritime security, and human rights in private.

    As the same red carpet was ceremonially rolled up after the Pope’s departure yesterday afternoon, then ceremoniously unrolled in the same spot for President Xi’s arrival in the evening, the world was watching to see whether either state visit will have any practical effect in the fight to end poverty, income inequality, climate change, human rights abuses, and economic espionage. Most likely than not, progress will not be achieved over one state dinner, and more discussion and time will be needed before results are reached. – Francesca Spidalieri

  • Second Italian Renaissance Revival Rural Villa Style, IRS, Washington DC

    IRS Hacked…Again!

    Although many people may seek to avoid phone calls from the IRS, this is one you’ll want to take—the IRS is contacting nearly 100,000 people because hackers stole their personal (and sensitive) tax information. In addition, the hackers attempted to pilfer an extra 100,000 tax returns but were unsuccessful, according to the agency. The IRS breach is just the latest bullet point in an endless list of cyber exploits that we have now grown accustomed to.

    Officials said this was part of an elaborate scheme that began in February and most likely originated in Russia in order to steal identities and claim fraudulent tax refunds. The entry point for the hackers was an online service run by the IRS called “Get Transcript,” which is used to download previous filings. The hackers used previously-stolen information—probably retrieved from other hacks and then sold in online black markets—to access the IRS website and obtain even more information about the taxpayers, including their Social Security number, date of birth, tax filing status, and street address. As an immediate countermeasure, the IRS shut down the affected website and is notifying affected taxpayers of the breach and providing them with credit-monitoring services.

    Thieves, however, can still use the information to claim fraudulent tax refunds in the future and use the old tax returns to complete credible-looking forms, thus helping hackers avoid the IRS defenses. Typically, thieves try to file fake tax returns with made-up information early in the filing season, before the legitimate taxpayers can file their returns—and before employers and financial institutions file wage and tax documents with the IRS. While efforts to combat fraud have increased, too many instances of preventable fraud are slipping through the cracks. Criminals continue to adapt and outpace security measures, and even the filters and additional safeguards added by the agency to its computer system to prevent similar schemes are unable to identify all suspicious returns and stop brute force techniques to break into apps like the “Get Transcript” one.

    This latest incident should be a wake-up call for government agencies, regulators, and even Congress to work with private tech firms to end reliance on weak online authentication schemes and commonly-known flaws in the use of text passwords and security questions, and to work with the tax preparation industry to utilize some of their data and tools that can help identify potential fraudsters.

    This is not the first time the IRS has been targeted by identity thieves, both foreign and domestic, and most likely won’t be the last time either. The IRS hack, while small in overall numbers, demonstrates the vulnerability of the US tax system and of people’s most sensitive data. It is particularly disturbing since the risk isn’t confined just to online users, but every US resident. Just as the data breaches in 2013 and 2014 lit a fire under Visa and Mastercard to accelerate deployment of more secure point-of-sale systems to counteract credit card vulnerabilities, this incident should create momentum around the need to move beyond passwords and personally identifiable (and guessable) security questions for login access and work with the tax preparation industry to combat fraud, prevent theft from the US treasury, and strengthen the integrity of the US tax system. Clearly, this will require concerted efforts from the government and industry to work together to strengthen the nation’s financial system against similar threats. Until then, you might want to answer the phone if the IRS is calling.

    IRS Hacked, 100,000 tax accounts breachedUSA Today 

    IRS Believes Massive Data Theft Originated in Russia | CNN

    The IRS Could Have Prevented Its Latest Data Hack. Time For Some TFAForbes

  • Roger Cressey speaks about cybersecurity at the Pell Center.

    Pell Center Lecture Discusses U.S Government and Private Sector Cybersecurity Efforts, the Impacts of the NIST Framework

    NEWPORT, R.I.—The Pell Center hosted a major cybersecurity lecture this month that featured Roger Cressey, an internationally known cybersecurity expert and counterterrorism analyst with NBC News, and Kiersten Todt, President and Managing Partner of Liberty Group Ventures, LLC.

    Over 50 senior leaders representing Rhode Island’s private and public sectors took part in the event to discuss cyber risk management and the impacts of the National Institute of Standards and Technology’s (NIST) National Cybersecurity Framework one year after its release.

    Mr. Cressey praised the Pell Center’s ongoing Rhode Island Corporate Cybersecurity Initiative (RICCI), which has become the de facto venue for major RI companies and state agencies—including Raytheon, Citizens, CVS, IBM, Mass Mutual, National Grid, RI Emergency Management Agency, RI State Police, as well as the U.S. Attorney’s office—to discuss some of the most pressing cybersecurity issues, share information, and encourage cybersecurity best practices. Cressey encouraged leaders to continue to engage in these types of discussions to maximize Rhode Island’s potential to become a cybersecurity incubator and role model for other states.

    Roger CresseyMr. Cressey and Ms. Todt provided a compelling overview of the increasingly complex cyber threat environment and defined it as “an arms bazaar of attack code and weapon grade arsenal,” including over 300 new malware programs discovered daily, enhanced cyber tactics, techniques and procedures (TTPs), an incredibly profitable black market, and the growing threat of data destruction and manipulation. They detailed some of the most common cybersecurity challenges to the private sector, such as the expansion of the attack surface due to the increased use of mobile devices, web applications, social engineering techniques, and the advent of the Internet of Things (IoT). They also focused on the growing cyber risks from accidental and premeditated insider threats and third party vendors, as the supply-chain often presents multiple opportunities for adversaries to penetrate networks and it is increasingly the vector of choice for hackers to access corporate systems. “Don’t throw money at the problem after a breach happens,” Mr. Cressey stressed. “It’s time to invest in cyber before an attack, not after. What we need is a change of corporate culture and a shift of mindset from prevention to resiliency that requires management buy-in and attention from the C-suite. Treat cybersecurity as a risk equal in importance to other business risks—financial, brand, reputation, and integrity. And plan for the inevitable breach… it will happen… and most likely has already happened.”

    First and foremost, however, companies need to understand their interdependencies and threat environment. Ms. Todt explained that one of the main issues with detecting an attack is that most companies do not have a centralized procedure in place to process all the information and potential red signs that they see on their networks. “Companies are drowning in data, but starving for information,” she said. “They must establish processes across the enterprise to identify threat-critical data. Employee education is the foundation of corporate cybersecurity—they are both your weakest link and your first line of defense. Companies should also establish threat information-sharing policies and have a cyber risk management plan in place—managing cyber risk means understanding that you will be breached and knowing how to mitigate the breach.”

    Their main recommendation was to use the NIST Framework to create a profile that would help their respective organizations understand their dependencies with business partners, vendors, and suppliers, and then to follow the set of cybersecurity guidelines to better identify, protect, detect, respond, and recover from cyber threats. “The Framework is your friend,” said Mr. Cressey, “it provides your organization a template to track efforts for cybersecurity practices.”

    The blueprint for the Framework grew out of President Obama’s Executive Order on “Improving Critical Infrastructure Cybersecurity,” in which he directed the National Institute of Standards and Technology (NIST) to work with various stakeholders to develop a comprehensive approach towards mitigating cyber risks to critical infrastructure. The Framework, “a product of industry, not government,” as Mr. Cressey emphasized, creates a common language for cybersecurity within and across sectors, applies a market-driven approach to cyber risk management, and provides a set of voluntary standards, guidelines, and best practices for cybersecurity. Since its release, the Framework has facilitated behavioral change in organizations, encouraged them to examine and understand key priorities and vulnerabilities, and supported cyber resiliency within and across sectors. All throughout 2014 and 2015, critical industry sectors have taken steps to align their own security guidance to the Framework, and U.S. federal agencies and departments—as well as state governments and associations—have engaged and embraced the Framework as the key standard for the various industries that they regulate.

    The Framework has also sparked an enhanced national debate about related controversies regarding cybersecurity and the controls necessary to improve it.

    Panelists-blog-postLast year, the Pell Center organized the first event of its kind hosted in New England after the release of the Framework in February 2014—a panel discussion on “Improving Critical Infrastructure Cybersecurity: The National Cybersecurity Framework and Beyond.” The panel discussed the specifics of the NIST Framework and other national and state initiatives to support its implementation. The distinguished speakers from both the federal and state government—including Adam Segewick, NIST senior information technology policy advisor; Michal Leking, the Department of Homeland Security’s cybersecurity advisor for the Northeast region; and Jamia McDonald, former executive director of the state’s Emergency Management Agency—explored how organizations charged with providing the nation’s financial, energy, healthcare, and other critical systems could use the Framework to better protect their information and physical assets from cyber attacks.

    One year later, the Framework continues to be increasingly used and lists among its greatest benefits the establishment of a common language, collaboration opportunities, the ability to demonstrate due care in adopting the Framework, the ability to promote better security within the vendor supply chain, and cost efficiency in cybersecurity spending. In addition, as more U.S. federal agencies and state governments adopt the Framework, and strongly encourage private sector organizations to implement its approach, there can be little doubt that the Framework has or will soon evolve into the de facto standard for cybersecurity. It may remain a voluntary undertaking, but it seems clear it will become the standard against which all other developments are measured.

    For more information on the Pell Center cybersecurity initiative and future events, visit the RICCI webpage or contact the Pell Center at pellcenter@salve.edu.


    The Rhode Island Corporate Cybersecurity Initiative is supported by The Verizon Foundation for the 2014-2015 academic year.Verizon Foundation

Page 4 of 8« First...23456...Last »