The word is “Data”

Stephen Baker of Newsweek starts this week’s essay with the following line:

About three minutes into his speech on Jan. 20, President Barack Obama spoke a word never before uttered in a Presidential inauguration speech: “data.”

The Obama campaign managed data like no other campaign before.  One would expect, and hope, that data, and the interpretation thereof, will have a prominent place in policy debates.

Which brings me to my point: data is essential to building an information stream.  Without data, you have no information from which to make valid choices.  No data, no information, and you have either market failure, public failure, or both.

How many bills do you think become law (federal, state and local) without data?  How many bills become law without sufficient data?  And how many bills become law without necessary data?

Chasing the link to The Numerati (Baker’s book) led me to ThinkingAnalytically, where I found a mindmap of the book.  Remember to check out mindmeister for more info.

New NIST Standards to protect PII

Reading the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Draft), it looks more like the same ole’ policy: categorize, classify, protect the most important and pray for the rest!

PII should be graded by “PII confidentiality impact level,” the degree of potential harm that could result from the PII if it is inappropriately revealed. For example, an organization might require appropriate training for all individuals who are granted access to PII, with special emphasis on moderate- and high-impact PII, and might restrict access to high-impact PII from mobile devices, such as laptops and cellphones, which are generally at greater risk of compromise than non-portable devices, such as desktop computers at the organization’s headquarters.

It would be interesting to know how much these standards will cost to implement.

From the NIST announcement.

Cyber Policy – Safety and the Internet

The Post reports on a Berkman study challenging assertions that the internet makes children more likely to be abused than real-life circumstances do:

“The risks minors face online are complex and multifaceted and are in most cases not significantly different than those they face offline.”

There are opposing views from law enforcement and other advocacy groups:

Jeffrey Chester, executive director of the Center for Digital Democracy, a District-based consumer advocacy group, has been critical of the report because its expenses were underwritten by interested parties such as MySpace, Google and Microsoft. “Surprise, surprise,” he said. “They pay for a study, and it says there’s no problem. It was kind of a brilliant PR move.”

However, note that Chester doesn’t provide data to oppose the report; he attacks the source of funding for the report.  The lack of data is actually a concern, for neither side of the argument has enough data from which legislators and policy makers can make competent choices:

One online safety advocate, named as a member of the report’s task force, said she is embarrassed by the report because it highlights the fact that there isn’t enough good data on the subject and it doesn’t give lawmakers a clear to-do list. Parents’ concerns about Internet predators are sometimes overblown, said Parry Aftab of WiredSafety.org, but it’s nearly impossible to tell how overblown they are; when quizzed about online activity, kids don’t usually tell the truth if their parents are around, she said.

Market failure occurs, among other reasons, for lack of sufficient information for the market to behave efficiently and effectively.  Public failure occurs for the same reason.

A digital Pearl Harbor?

Conficker, the most recent pandemic in cyber space, is said to be connecting machines at home, in the office and on campus into botnets controlled by masters spread throughout cyber space.  One consultant describes the potential of Conficker as follows:

“If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,” said Rick Wesson, chief executive of Support Intelligence, a computer security consulting firm based in San Francisco.

More later…

Policy in the Margins

Jim Wooten notes that projects funded in tough times should be “marginally useful”:

Times are tough. People are out of work. Don’t take their money and buy them toys, and don’t take it to spend on programs that are marginally useful.

So, do marginally useful policies succeed?  If not, why do we support iterative policy adjustments when they do not succeed?  Do marginally useful policies represent a border area between public success and public failure?

DHS – Additional Cyber Security Directives

From DHS today:

Cyber Security. Given the increasingly sophisticated number of threats to all areas of national cyberspace and considering the authorities provided by the Homeland Security Act, the Post-Katrina Emergency Management Reform Act, and Homeland Security Presidential Directive 23/National Security Presidential Directive 54, what are the authorities and responsibilities of DHS for the protection of the government and private sector domains, what are the relationships with other government agencies, especially the departments of Defense, Treasury, and Energy, and the National Security Agency, and what are the programs and timeframes to achieve the department’s responsibilities and objectives? An oral report is due by Feb. 3, with a final report due Feb. 17.

Stem Cells – Policy Alternatives – Coalition beliefs

CQ reports two alternatives under consideration by the Obama Administration to revise current federal stem cell policy:

Obama could issue an executive order lifting the restriction — which permits federal funding for research only on those stem cell colonies extracted before Aug. 9, 2001 — and authorize research on all embryonic stem cell lines, as long as the cells are “ethically derived.”

This would not award more money for the field per se, but dramatically expand the kind of stem cell research that’s eligible for federal grants, as long as donors give informed consent and are not paid to donate eggs or embryos.

The approach is outlined in a new policy paper from the Center for American Progress (CAP), a left-leaning think tank founded by John Podesta, who also headed Obama’s transition team.

But some patient advocates and research institutions favor a more minimalistic approach they say would keep politics and science apart.

The Coalition for the Advancement of Medical Research (CAMR) has been urging Obama to simply rescind the Bush policy — a move that would, by implication, leave it to the National Institutes of Health to issue guidelines for the field.

Coalition President Amy Comstock Rick said that policy making should be put in the hands of scientists and bioethicists, instead of elected officials. If Obama is too prescriptive in the way he undoes Bush’s policy, a future president might feel compelled to tweak or revise Obama’s policy.

Whichever path he chooses, Obama can rest assured that the Democratic Congress will weigh in and try to codify the stem cell position into law later this year.

The executive summary from CAP has a rebuttal to the argument that all the benefits of stem cell research can be gained without use of embryonic stem cells:

Opponents also point to so-called induced pluripotent stem cells, which are created when adult cells—say, skin cells—are reprogrammed to become all-purpose “pluripotent” cells. These arguments are valid, but only up to a point. The reason: embryonic stem cells are both the original “master cells” capable of turning into any cell in the body as well as the “gold standard” against which all other stem cells must be compared.

A full report and links to other information are provided in the CAP link above.  CAMR argues for relaxed federal restrictions along these lines:

Stem cell research is one of the most exciting fields of study for young researchers, yet many are hesitant to enter a field with an uncertain future and funding restrictions. In addition, the restrictions fly in the face of the diversity requirements established by the Federal government for clinical research. The federally approved lines do not represent the diversity in our society, which is a critical part of ensuring that new medicines work for everyone.

DHS – Reviewing directions

This release from DHS Secretary Napolitano indicates an opportunity to evaluate current policies and policy directions:

“One of my top priorities is to unify this department and to create a common culture. These action directives are designed to begin a review, evaluation and dialogue between the various functions of this department and me,” said Secretary Napolitano.

  • DHS intends to revitalize its relationship with state, local, and tribal governments effective immediately with the intent of creating a working partnership.
  • Critical infrastructure protection: This entails extensive dealings with other federal agencies, states, and the private sector, involving collaboration, data collection, risk analysis, and sharing of best practices.
  • Risk analysis: What is the status of risk analysis metrics and what is the plan and time frame for setting up a full-blown system to govern the establishment of critical infrastructure programs, the priorities among national planning scenarios, and the distribution of grants to state, local, and tribal entities? More broadly, how can DHS enhance risk management as the basis of decision making?
  • State and local intelligence sharing: Provide an evaluation of which activities hold the most promise for achieving the smooth flow of information on a real time basis.
  • The inventory and evaluation should take into account the voices of all stakeholders, especially state, local and tribal entities.
  • The evaluation should also consider the private sector’s perspective and its relationship to these stakeholders.

From her confirmation hearing statement:

Cyber security and the protection of the technology critical infrastructure have been a top priority in Arizona. As Attorney General, I created the Computer Crimes Unit to train law enforcement in the identification and investigation of cybercrimes; the Unit successfully prosecuted some of the first cybercrime cases in Arizona. As Governor, I created the Statewide Information Security and Privacy Office to ensure adequate controls and safeguards are in place for all State of Arizona government technology systems and business practices.

And from WhiteHouse.gov, an outline of the Obama cyber security policy:

    Barack Obama and Joe Biden — working with private industry, the research community and our citizens — will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America’s competitive advantage, and advances our national and homeland security. They will:

  • Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
  • Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
  • Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
  • Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
  • Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

SecurityFix is a great place to watch developments in this regard.

Cyber Security – Current Policies Not Working

An update to the Heartland breach:

The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable. All this is happening after credit card companies and merchants spent over $2 billion on establishing the Payment Card Industry standards, Ms. Litan said. “And yet the breaches continue and they get more serious.”

Standards are promoted by both industry and DHS as the means to manage the issue.  So, what do you do when standards are not enough?

More from the Post on how long it took to discover how the breach was made:

Robert H.B. Baldwin Jr., president and chief financial officer of Heartland Payment Systems, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports from MasterCard and Visa in October.

Heartland called the U.S. Secret Service, which investigates financial crimes, and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software on the company’s processing network was recording payment card data as it was being sent to Heartland by thousands of the company’s retail clients.

Baldwin said Heartland does not know how the software got there, how long it was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

According to the WSJ:

More than 40 states have laws that require businesses to disclose when sensitive information may have been accessed by an unauthorized party. In 2008, 656 such incidents were reported, according to the nonprofit Identity Theft Resource Center, up from 446 in 2007.

Cyber Security – How to encourage non-compliance

Why should employees or students dare to point out security deficiencies on college campuses when the administration’s reaction may be to terminate the discoverers instead of those responsible for the original violation of policy (i.e., leaving files containing identifying information out in the open)?

A student journalist at Western Oregon University was reprimanded, and the newspaper adviser was fired, after publishing an article showing the institution had not secured sensitive, private information about some applicants.
