Tom Olzak

Cyber-terrorism: Private organizations have responsibilities, too

In Cyber Terrorism on March 5, 2009 at 12:56

Reports of corporate and government database breaches aren’t new.  Neither are reports of Chinese and Russian efforts to find ways of compromising the national infrastructure, and therefore the public’s economic and personal welfare.  Couple this with years of U.S. government fiddling with security instead of trying to actually fix it, and we find ourselves in a familiar place.  What isn’t always clear, however, is the failure of private organizations to properly protect their critical systems and information.

The TJX incident, although beaten to death in the media, is still a good example of how to expose a large company to criminals or terrorists.

The Federal Trade Commission (FTC) investigated the case and found that TJX engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for information contained in its networks.  Specifically, the FTC found that TJX: stored personal information in “clear text;” maintained unsecured wireless access; lacked password security; lacked a firewall to protect credit card information; failed to patch or update anti-virus software; and did not follow up on security warnings and cyber alerts.  The FTC settled with TJX in March of 2008 and TJX agreed to, among other things: maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information that TJX collects from or about consumers; designate an employee or employees to coordinate the information security program; develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and retain independent, third-party security auditors to assess their security programs on a biennial basis for the next 20 years.

Source: Cyber Security & Waiting for Godot, Scott Weber, 4 March 2009

The Federal government can step in and ‘help’ direct cyber security efforts, bringing all critical infrastructure under a single standard.  This is something the Obama administration has ostensibly started.  In the meantime, business managers have to look within their own organizations to ensure they aren’t pointing a finger in the wrong direction.

To take down a national economy doesn’t necessarily take a massive cyber strike against defense installations.  Instead, it might simply be a concerted attack against key corporations, the failure of which may lead to partial or complete collapse of the economic framework–and our ability and will to wage war.
