Feds considering $6M legislation for small biz cyber guidelines

On April 20th, 2017, Rep. Daniel Webster of Florida introduced a new bill directing the National Institute of Standards and Technology (NIST) to disseminate guidance to help reduce small business cybersecurity risks. (NIST already released similar guidelines in November 2016.)  Two Congressional findings stated:

  • 54% of US sales and 55% of US jobs are accounted for by small business
  • 60% of small businesses that suffer a cyber attack close within 6 months

The bill requires the Director of NIST to ensure that the disseminated resources are usable, variable, awareness-creating, technology-neutral, and internally standard.  Resources would include guidelines, tools, best practices, standards, methodologies, and other ways of providing information.

The Congressional Budget Office (CBO) estimated that it would cost approximately $2M for NIST to consult in 2018 and then $4M for maintenance and updates through 2022 – a total implementation cost of $6M.

100k FAFSA apps hacked using autopopulate bug

It started with criminals filling out Free Application for Federal Student Aid (FAFSA, the federal student loan application) forms and then circumventing the website's access controls.  The hackers were then able to obtain other applicants' tax return information and submit their own phony tax returns in an attempt to steal refunds.

The hackers were taking advantage of a faulty module on the site called the IRS Data Retrieval tool, which auto-populates your online federal student loan application using your already-known tax return information.

The IRS claimed that in November 2015 it notified the Department of Education about these security concerns (the breach), but the IRS didn't actually disable the exposure until March 2017.  The IRS has flagged at least 100,000 accounts as a result.

Individuals can still apply through FAFSA but will need to enter their information manually.

1M+ Aadhaar numbers published on India’s Jharkhand govt website

In India, the Aadhaar is a paperless online anytime-anywhere identity assigned to an Indian citizen to cover his/her entire lifetime. Identity verification uses authentication devices that connect to the Unique Identification Authority of India's (UIDAI's) Central Identity Repository.  The Repository responds with only a 'yes' or 'no' to the basic query "Is the person who he/she claims to be?" based on the data available with UIDAI.  An Aadhaar Card or e-Aadhaar (electronic copy of Aadhaar) is provided to each enrolled citizen.

According to the Free Press Journal in India, Aadhaar card holders have had their data exposed in the public domain since November.  Aadhaar data can be used to access many things, such as post office accounts, rural employment and pension details, and banking information.  It is estimated that more than 1.4 million pensioners are affected.

According to Section 29(4) of the Aadhaar Act, publishing consumers' Aadhaar numbers is illegal, and the Hindustan Times reports that the Aadhaar numbers were compromised by a programming glitch on the Jharkhand Directorate of Social Security website.  The data exposed includes the names, addresses, Aadhaar numbers, and bank account information of beneficiaries of Jharkhand's old age pension scheme.

Federal Air Marshal leaves gun in Delta 221 bathroom

In the wake of September 11, President GW Bush announced on September 20, 2001 a new department in the Department of Homeland Security for a major overhaul of aviation security, dramatically expanding the number of air marshals on domestic flights.  Within one month, the newly created Transportation Security Administration began to hire, train, and deploy 600 Air Marshals (referred to as FAMs).  Thousands more FAMs have been hired since that time.  The air marshal service was started in 1961 by President Kennedy to protect against hijackings of commercial flights.  TSA's FAM budget is $1B annually, which is approximately 10% of the TSA budget.

Applicants apply for a TSA position with the goal of becoming a FAM.  They are then given access to a candidate dashboard or app in the early stages and have an HR hotline to call with questions.  Candidates who make it to the panel interview can expect a 1 in 4 chance of an offer.  Successful applicants typically have a law enforcement or military background with a criminal justice or similar degree, a mindset that doesn't fixate on the hours or worry about being away from home, and the temperament not to end up hating the job once they realize it is boring and has no glamour.

New recruits who make it through vetting to training face major challenges.  They are expected to be among the top percentage of shooters and to be agile, since they have no backup and what's taught to them on paper doesn't necessarily apply at 30,000 feet in the sky, where there are height restrictions and crowded seats.  FAMs are taught to always search for suspicious behavior, such as whether someone is not sleeping or eating their meal, or how long they've been out of their seat.  FAMs are expected to be vigilant and adaptable because they face an adversary that continues to make aviation a top terror target and may be using non-metallic improvised explosive devices.

Vigilance is of utmost importance in a job involving the security of others. Viewing a laptop/tablet or listening to music in the course of security duties could seriously impair one's ability to stay on point and/or notice something out of the ordinary – though policy allows it for FAMs, since they are often aboard an 8 hour flight and prohibited from sleeping.

On April 6, 2017, a passenger found a loaded weapon in an aircraft bathroom.  The flight was international flight Delta 221 from Manchester to JFK International.  An air marshal had left her loaded service weapon in the bathroom, where the passenger found it and promptly gave it to the flight crew, who returned it to the air marshal. The NY Times has reported that the air marshal in question was a new employee and was assigned to another flight a few days later.  An unattended loaded weapon constitutes a significant security breach, which would typically warrant an investigation and possible disciplinary action.  Often, air marshals are forced to resign or are fired for minor transgressions.

Australia’s new data breach notification law

The Australian Federal Government has recently passed the Notifiable Data Breaches Bill 2016.  Over the next twelve months this will introduce laws that apply to businesses and nonprofits with annual revenue of $3M or more, and also to Australian government agencies.  Small businesses with less than $3M annual turnover that provide health services are also required to participate.  Some of the small businesses affected include weight loss clinics, child care centers, chiropractors, gyms, hospitals, and pharmacists.

Noncompliance in promptly reporting suspected breaches to the Australian Privacy and Information Commissioner and to affected customers may result in penalties of up to $350,000 for individuals and $1.8M for corporations.

Information Assurance & Cyber Security Research and Education, a 501(c)(3)