In short, it will probably happen again. ...and hackers can read.
OMB – Federal Information Security Modernization Act Audit FY 2015
by Sabrina I. Pacifici on Nov 20, 2015
“In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals. For many years we have reported critical weaknesses in OPM’s ability to manage its information technology (IT) environment, and warned that the agency was at an increased risk of a data breach. In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements.

During this audit we did close a long-standing recommendation related to OPM’s information security management structure – [Report Number 4A-CI-00-15-011, November 10, 2015]. However, this audit also determined that there has been a regression in OPM’s management of its system Authorization program, which we classified as a material weakness in the FY 2014 FISMA audit report. In April 2015, the Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Should this moratorium on Authorizations continue, the agency will have up to 23 systems that have not been subject to a thorough security controls assessment. We continue to believe that OPM’s management of system Authorizations represents a material weakness in the internal control structure of the agency’s IT security program. The moratorium on Authorizations will result in the IT security controls of OPM’s systems being neglected. Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”
(Related) And it could happen almost anywhere.
Most federal agencies overseeing the security of America’s critical infrastructure still lack formal methods for determining whether those essential networks are protected from hackers, according to a new government report.
Of the 15 critical infrastructure industries examined in the Government Accountability Office (GAO) report — including banking, finance, energy and telecommunications — 12 were overseen by agencies that didn’t have proper cybersecurity metrics.
- Highlights Page: (PDF, 1 page)
- Full Report: (PDF, 82 pages)
My after-turkey reading.
Stacey Gray writes:
Each year, FPF invites privacy scholars and authors to submit articles and papers to be considered by members of our Advisory Board, with an aim toward showcasing those articles that should inform any conversation about privacy among policymakers in Congress, as well as at the Federal Trade Commission and in other government agencies.
[…]
Our top privacy papers for 2015 are, in alphabetical order:
- A Design Space for Effective Privacy Notices, by Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor
- Anonymization and Risk, by Ira S. Rubinstein and Woodrow Hartzog
- A Precautionary Approach to Big Data Privacy, by Arvind Narayanan, Joanna Huey, and Edward W. Felten
- Privacy and Markets: A Love Story, by Ryan Calo
- Taking Trust Seriously in Privacy Law, by Neil Richards and Woodrow Hartzog
Our two papers selected for Notable Mention are:
- Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy, by Peter Swire (Testimony, Senate Judiciary Committee Hearing, July 8, 2015)
- The Transparent Citizen, by Joel R. Reidenberg
Congratulations to all those whose work has been recognized!
Start from the premise, “They're all terrorists!”
Because of the difficulties civil litigants have encountered in challenging section 702 of the Foreign Intelligence Surveillance Act (as created by the FISA Amendments Act of 2008), the most realistic forum for judicial review of the constitutionality of section 702 has been through a motion to suppress evidence derived from section 702 in a criminal case (especially once the government actually began disclosing that it was relying upon such evidence).
Yesterday, Judge Kane (D. Colo.) issued perhaps the most significant ruling to date on a motion to suppress 702 evidence. In a nutshell, Judge Kane denied the motion, holding that, both on its face and as applied to the defendant, Jamshid Muhtorov, section 702 violates neither the Fourth Amendment nor Article III. In the post that follows, I briefly summarize Judge Kane’s reasoning, and then explain why each conclusion is deeply incomplete — and should raise serious grounds for a post-conviction appeal to the Tenth Circuit. In a nutshell, though, yesterday’s decision may well have raised more questions than it answered.
This could kill the drone stocking stuffer.
Even Some Toy Drones Would Need Registration in U.S. Proposal
Owners of all but the smallest toy drones will have to register them with the U.S. government before the end of the year if the Obama administration adopts proposals being issued by a task force it appointed.
Registration -- designed to make it easier for authorities to track down the growing numbers of illegal flights -- should be free, easy to complete online and permit multiple devices on an owner’s filing, the task force is proposing, according to three people familiar with its recommendations who weren’t authorized to speak about it.
… The task force members, some of whom are still uneasy about elements of the compromise, agreed to include anything weighing more than 250 grams (9 ounces) in the registration program, according to the people who asked not to be named.
… The FAA believes that the law requires the agency to charge $5 to register an aircraft and there may be no way to exempt drone owners from the fee, according to one of the people familiar with the task force’s debate.
My industry is funny.
Hack Education Weekly News
… “Texas rejects letting academics vet public school textbooks,” the AP reports.
… Via The San Jose Mercury News: “A 17-year-old Lincoln High School student has been criminally cited after he hosted an Instagram account that featured nude photos of underage girls, authorities say, including some from Lincoln.”
… “It Won’t Be Long Now Until Every School Has Internet Access,” Wired trumpets. According to EducationSuperHighway, the share of schools that meet the FCC’s minimum requirements for Internet speed has jumped from 30% to 77% since 2013. (Mark Zuckerberg also announced this week he’s giving EducationSuperHighway $20 million. While headlines read that the money will help schools get faster Internet, it will actually go towards more staff and consultants for EducationSuperHighway.) Education Week has a good series of stories on how schools are charged outrageous fees for lousy Internet service.
… Via NPR: “U.S. Colleges See A Big Bump In International Students.”
… Meanwhile… “Northern Virginia Community College’s Extended Learning Institute (ELI) and open courseware provider Lumen Learning announced a collaboration to publish 24 online college courses for two complete degree programs. All courses were developed for zero student cost using open educational resources (OER) (i.e., no textbooks, just public access Internet).” [The future? Bob]
… Via Politico: “The Education Department is doing a poor job on everything from responding to cyber attacks to updating its software and hardware, but it’s especially bad at monitoring its computer networks for threats, according to an annual inspector general audit.”
… A report from Australia’s National Assessment Programme says that tablets are “eroding” children’s digital skills.