Defense approach to cybersecurity includes greater separation from Internet

Based on details about IT security spending in the publicly available fiscal 2011 budget estimates for the Defense Information Systems Agency (DISA), one area of emphasis for improving cybersecurity for military networks is to reduce their connectivity to the Internet. More specifically, the justification for the $14.625 million DISA Information Systems Security Program (ISSP) budget is to “procure the necessary hardware and software to reduce the attack surface of the DoD network to prevent the exploitation by hackers and adversaries” as well as to improve capabilities and security of information sharing within Defense networks. One notable initiative is the almost $6 million proposed to fund the creation of a new DMZ between the military’s unclassified network (the NIPRNet) and the Internet. In theory, the goal of reducing points of connectivity to the Internet should also be facilitated by the government-wide Trusted Internet Connections (TIC) initiative, which seeks to reduce federal Internet points of presence from over 2,750 in 2008 to fewer than 100. Nevertheless, the stated intent for the NIPRNet DMZ is to eliminate the need for direct connections to the Internet. Other initiatives in the 2011 budget estimate include:

  • Almost $1.8 million for an expansion of the Host-Based Security System (HBSS), developed in collaboration with security vendor McAfee, which according to the budget estimate “provides a consistent way to accomplish configuration and management control across all endpoints” and will enhance the system’s capabilities to support greater situational awareness and provide better defense against emerging threats.
  • New hardware and maintenance support to the tune of $2.3 million for strengthening the externally facing firewall infrastructure protecting the SIPRNet, the military’s classified network.
  • A little under $2.2 million to augment DISA’s insider threat capability “to help with the automation of detecting and mitigating DoD’s insider threats” stemming from individuals with authorized access to the network environment.
  • An additional $2.5 million to expand the Cross Domain Enterprise Service (CDES), which supports information transfers between DoD’s classified and unclassified networks.

Requests for health data by insurer raise questions

In a story reported by the Hartford Courant, a series of requests for health records sent to Connecticut doctors by Ingenix have garnered attention both for the nature of the requests and the manner in which they were received. It seems the health analytics firm — a subsidiary of health insurer UnitedHealthcare — sent medical record requests by fax to doctors, as part of an ongoing program to review data in medical charts associated with Medicare claims. On its face, this is a valid use of personal health information, at least under HIPAA, but a representative for a physicians’ organization in the state suggests that doctors do not ordinarily receive such requests by fax or respond in kind to an unknown requester. For its part, Ingenix says when it surveyed doctors, most indicated they preferred to be contacted by fax, so that’s the channel the company used.

Despite the use of relatively old-school technology, this situation raises issues similar to those likely to be encountered in the coming era of electronic (and automated) health information exchange, where systems are configured to respond with medical records as long as the requester can be authenticated and the stated purpose for the request is valid. For instance, the interface specifications and legal agreements established for the Nationwide Health Information Network (NHIN) obligate a participating organization that receives an authenticated request for records to respond if the purpose in the request is “treatment.” It’s pretty easy to imagine a major health insurer like UnitedHealthcare would someday be a participating entity in the NHIN, and the automation of responses to requests such as this — while they would certainly be logged and made part of the accounting of disclosures required under HIPAA — might go unnoticed by individual practitioners and therefore be less likely to attract the attention of anyone wanting to validate that the record exchanges were actually appropriate.

Some would argue that Connecticut is experiencing a period of heightened sensitivity to health data disclosures, following the delayed notification of Connecticut residents who were affected by Health Net’s breach of personal information and subsequent legal action taken by the state attorney general. The sincere hope in this case is that Ingenix was not misusing the trust in it (or its corporate parent) to solicit health data under false pretenses.

More action, not just talk, needed on cybersecurity

Former acting federal cybersecurity chief Melissa Hathaway used the public forum afforded her by the Internet Security Alliance yesterday to warn that the government is losing the sense of urgency it needs to tackle the many pressing cybersecurity challenges it faces. After receiving an award for her work reviewing national cybersecurity policy for the Obama administration, Hathaway called for more collaboration and more explicit action by both private and public sector organizations on improving security. In addition to a call for “bold steps forward,” she said there needs to be more dialogue and transparency about the realities of the threats facing computing infrastructure. Her comments presumably would be well received by the current administration, which through new cybersecurity czar Howard Schmidt and policy statements by Secretary of State Hillary Clinton has emphasized a need for greater cooperation on security across sectors and among countries. Her words were probably welcomed by her hosts as well, as the ISA has called publicly in the past for greater government engagement with the private sector on security, including a recommendation that the government should offer incentives to companies to fix security problems.

Without at all diminishing the critical importance of moving forward aggressively on enhancing cybersecurity defenses and protecting critical infrastructure, it seems that the nature of the dialogue and the frequency with which the urgency is expressed are becoming part of the problem. Every new incident that comes to light is quickly labeled a “wake-up call,” most recently including the Google attacks suffered in China. A quick Google search this morning for “cybersecurity wake up call” returns 376,000 hits — is this not sufficient to rouse us from our collective slumber? It’s also hard to find fault with an approach that seeks to leverage public and private sector expertise, but given the breadth of collaboration routinely called for, it also seems likely that encompassing such broad input will impose its own set of barriers to taking action. The cybersecurity review for which Hathaway received the ISA’s Dave McCurdy Internet Security Award was noteworthy not just for its ambitious scope and the content of its recommendations, but also for the relative brevity (60 days) of the review in contrast to government analyses that can drag on for months or years. However, the report from the review was released over eight months ago, and only recently has any progress been made even on basic recommendations like the appointment of the cybersecurity czar and increases in federal cybersecurity programs for education and research and development. If the most recent wake-up calls are sufficiently jarring to prevent once again hitting the figurative snooze button, the results should be seen in explicit actions, not in more or broader discussions.

It’s good to have a contingency plan for Web site traffic surges

The record snowfall in the Washington, D.C. area since last weekend has been notable for the widespread closings it has caused, and came with an unanticipated side effect for the federal government: the unavailability of its official operating status page on the Web. The Office of Personnel Management (OPM) provides an Operating Status page on its agency website, to which many federal employees turn to see if the government will be open (or, in a non-weather-related example, to check if the president closes the government early on Christmas Eve or another holiday). The volume of visitors to the Web site spiked to such a degree on Monday evening (according to a story in the Washington Post, Web traffic during the afternoon and evening hours on February 8 was approximately 4000 percent of the average daily volume) that the site was rendered unavailable; in response, OPM configured its Web server to redirect traffic to a copy of the operating status notice posted on servers at OMB’s data.gov site instead. This serves both as an example of quick thinking and suggests some pretty good contingency planning, although it’s unclear whether the need for an alternate Web hosting site was anticipated in advance.

As a mini-case study in contingency planning (or incident response, since this was an organic denial-of-service), OPM’s actions demonstrate one approach among multiple alternatives. The agency chose to stand up a backup site using existing data center capacity made available to it, so this was a sort of warm-site failover. Another approach would have been to mirror the primary site to an alternate and configure front-end routers or load balancers to automatically re-route traffic to the alternate site whenever volume exceeded a given threshold; the threshold would properly be tied to the existing Web server capacity, so no estimate of traffic spike levels would be necessary. A third option would be to scale the capacity of the existing Web server environment to be able to accommodate spikes in traffic. This option requires the ability to make good estimates of maximum traffic levels, or else at some point availability would still suffer. Still another option would be to replicate key Web pages to a content distribution network provider, such as Akamai, so that user requests for popular content wouldn’t hit the OPM server at all. The content replication approach has been used successfully in the government in the past — for instance, when the Centers for Disease Control and Prevention (CDC) experienced an unprecedented surge in volume to its Web site due to concerns over the anthrax attacks in the fall of 2001, the agency quickly contracted with Akamai to replicate most of its public Web content (which at the time was all static HTML), while it re-engineered its infrastructure to accommodate higher demand.

In many cases, it’s simply not cost-effective to build infrastructure to accommodate exceptional loads, but it’s foolish for any large organization to assume that traffic will never exceed its capacity, so having a contingency plan is an important element of any business continuity plan. Choosing the appropriate options often depends on whether the rise in traffic volume is a one-time (or very infrequent) event (as in OPM’s case), or whether the spike corresponds to an ongoing increased demand (as it did for the CDC).
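As an added illustration of the threshold-based re-routing option discussed above (this is example code written for this post, not anything OPM or OMB deployed), the following Python simulation assumes a constructed traffic profile (a steady baseline, a spike of 4000 percent of baseline, then baseline again), a hypothetical primary server capacity of 50 requests per second, and a static mirror that can absorb any volume. It compares how many requests are dropped when everything goes to the primary against a front-end router that diverts traffic to the mirror once the measured request rate exceeds the primary's capacity.

```python
from collections import deque


def traffic_profile(baseline=10, spike_factor=40, seconds=60):
    """Constructed timeline of requests per second: baseline, then a spike
    of spike_factor x baseline (40x = 4000 percent), then baseline again."""
    return ([baseline] * seconds
            + [baseline * spike_factor] * seconds
            + [baseline] * seconds)


class ThresholdRouter:
    """Front-end router: send requests to the primary until the request rate
    measured over a short sliding window exceeds the primary's capacity,
    then send them to the static mirror. The capacity figure is the only
    threshold needed; no estimate of the spike size is required."""

    def __init__(self, capacity_per_sec, window_sec=2):
        self.capacity = capacity_per_sec
        self.window = window_sec
        self.arrivals = deque()  # timestamps of requests inside the window

    def route(self, ts):
        self.arrivals.append(ts)
        while self.arrivals[0] <= ts - self.window:  # expire old arrivals
            self.arrivals.popleft()
        rate = len(self.arrivals) / self.window
        return "mirror" if rate > self.capacity else "primary"


def simulate(profile, capacity, failover):
    """Count where each request ends up. The primary serves at most
    `capacity` requests per second and drops the rest; the mirror serves
    everything. With failover=False every request goes to the primary."""
    router = ThresholdRouter(capacity)
    counts = {"primary": 0, "mirror": 0, "dropped": 0}
    for second, n in enumerate(profile):
        slots = capacity  # primary's remaining capacity in this second
        for i in range(n):
            ts = second + i / n  # spread the second's requests evenly
            target = router.route(ts) if failover else "primary"
            if target == "mirror":
                counts["mirror"] += 1
            elif slots > 0:
                slots -= 1
                counts["primary"] += 1
            else:
                counts["dropped"] += 1
    return counts
```

Running `simulate(traffic_profile(), 50, failover=True)` shows a small number of drops during the first spike second, before the sliding window registers the new rate; that detection lag is the cost of measuring volume rather than predicting it.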

Latest US-EU privacy divergence: pictures of your house

The “street view” feature of Google maps is proving to be yet another example of innovative uses of new technology raising legal and ethical questions about personal privacy, and of differing perspectives on just what is and isn’t considered personal information here in the U.S. and abroad. In January, the 3rd U.S. Circuit Court of Appeals ruled that Google did not violate the privacy of a couple who sued the search giant, arguing that showing a picture of their home along with their street address was an unlawful invasion of privacy. In its ruling, the court said that to constitute an invasion of privacy subject to a private right of action, the behavior would have to be “highly offensive to a reasonable person,” and someone approaching a home and taking a picture doesn’t rise to that standard. The only part of Google’s practice of employing armies of photographers to take the photos displayed in the street view that the court took issue with was the fact that the photographer in this particular case drove into the couple’s driveway in order to take the pictures; the appellate court ruled that the couple could proceed with a trespassing claim.

In contrast, Google’s addition of street view images in Europe might be more problematic, as the Consumer Minister of Germany said publicly last week that she wanted to force Google to get the consent of individual citizens before pictures of their homes could be published online. This follows similar criticism of Google Earth by the German Justice Minister, and could result in new legal requirements to get Google to proactively solicit consent, rather than wait for people to object to photos after they are taken. Google has offered to obscure personally identifying features that might appear in the photos, such as license plates and faces, but only if individuals request that it do so. Fundamentally at issue here is when photographic images constitute personal information — there seems little debate that a photograph of a person is subject to privacy protections, but no clear handling for a picture of a person’s possessions or domicile. The apparent divergence in U.S. and European perspectives on this issue is reminiscent of the disagreement about treating IP addresses as personally identifiable information. Standards about personal privacy are markedly different in European countries, so it seems at least feasible that Germany or another EU country could legislate that new or existing personal data protections apply to residential photographs, regardless of American judicial opinions like the 3rd Circuit panel’s that “no person of ordinary sensibilities would be shamed, humiliated, or have suffered mentally” from the simple act of having a picture taken of one’s house.