Menu
Increasing malware sophistication vexes lawmakers, industry

Increasing malware sophistication vexes lawmakers, industry

But members of the US Senate Judiciary Committee also point to failure of industry to implement stronger measures

The failure of U.S. financial institutions and retailers to implement more robust cybersecurity measures, such as the smart-card technology widely used in Europe, was questioned and criticized by members of the U.S. Senate Judiciary Committee at a hearing Tuesday.

Senators also questioned notification procedures following recent high-profile breaches and whether federal law enforcement agencies are doing enough to go after cybercriminals. Lawmakers repeatedly noted the vulnerability of U.S. consumers, who make half of all credit-card transactions globally, with a quarter of all data breaches occurring in the U.S.

Senator Richard Blumenthal, a Connecticut Democrat asked what seemed to be a rhetorical question given the discussion at the hearing. "Am I right in thinking that the U.S. is behind the rest of the world in its data-security safeguards?"

Executives from Target and Neiman Marcus, which have recently revealed massive breaches of shoppers' data, were among the witnesses called before the committee, with some lawmakers expressing frustration at the laggardly pace in which industry is moving toward technology that provides additional layers of security. For instance, Visa and Mastercard have said they will implement the use of smart cards by October 2015, yet such technology is already widely used in other countries.

Lawmakers and witnesses also spoke of the lack of federal standards and legislation, including the need for stronger notification laws -- businesses currently have up to 60 days to notify customers when a breach has occurred -- at a time when cybercriminals are developing increasingly sophisticated malware capable of evading detection. For instance, the data breach at high-end retailer Neiman Marcus occurred between July and October of last year, with different stores in the retail chain affected at different times, but the intrusion was not detected until Jan. 2, according to testimony from Michael Kingston, senior vice president and CIO of The Neiman Marcus Group.

A Secret Service report regarding that breach concluded that malware "comparable and perhaps even less sophisticated to the one in our case had a zero-percent detection rate" using available security software, he said.

That means, witnesses agreed, that any standards or legislation implemented by the government must be flexible to adapt to the evolving threats. Legislation must be "multilayered," said Fran Rosch, a senior vice president at security-software vendor Symantec. Smart cards, with embedded chips and data that changes per transaction, are just one method of protecting consumers better from data theft, he said. Two-factor authentication and data encryption at all steps of a transaction are other mechanisms.

"We think any legislation should reflect that, [and impose] those layers," he said.

The need for such protection was evident well before the most recent data breaches, in which as many as 110 million shoppers were affected in the Target intrusion and 1.1 million in the Neiman Marcus attack. U.S. shoppers transact one-fourth of credit-card purchases globally but yet one-half of all data breaches occur in the U.S., noted Senator Al Franken, a Democrat from Minnesota.

Target had been implementing the use of chip-and-PIN cards in its stores before the breach occurred and had worked toward that implementation previously, but without other retailers joining in and financial institutions moving toward smart cards, such efforts fall short, noted Target Executive Vice President and CFO John Mulligan.

"To prevent this from happening again," he said of data breaches "none of us can go it alone. We need to do this together."

Senator Dianne Feinstein, a California Democrat, questioned the notification procedures of retailers, saying that for about 13 years she has been tracking data breaches and has been frustrated by how reluctant companies have been to come forward.

"Up until recently, companies would not step forward," she said. Directing her attention to Kingston, she added that she shops at Neiman Marcus, but "I don't recall getting any notice that my data had been breached. When would I have had notice? I would have shopped during that period of time."

After Kingston laid out the time frame in which notifications were sent to shoppers and how the company has gone about dealing with the data breach, Feinstein said she would check to see if she did, in fact, receive notification about the breach.

As the hearing progressed, lawmakers asked officials from the Federal Trade Commission, the Department of Justice and the Secret Service to elaborate on the steps being taken to combat cybercrime, as well as specifics of how the criminals operate.

Organized cybercrime rings are large and widespread, with different people in charge of different aspects of the thievery, and the ability to hide their financial trail, said William Noonan, deputy special agent in charge of the Criminal Investigative Division of the U.S. Secret Service.

"They're moving their money back and forth with virtual currency," he said, adding that makes it all the more difficult to bust such rings.

The difficulties of investigating cybercrimes and making arrests didn't seem to sway Sheldon Whitehouse, a Democrat from Rhode Island and a former U.S. attorney, as he questioned Mythili Raman, acting assistant attorney general at the DOJ, regarding how many times cybercriminals have been indicted following data-breach cases. She provided information on previous cases, saying that the DOJ has "resolve" to hunt down cyberthieves and prosecute them, even when they are overseas, as has been the case in the past.

"Actually, the numbers involved show anything but resolve," Whitehouse replied, adding that he understand that it is "immensely difficult" to investigate and prosecute such cases but since cybercrime resulting in data breaches has been referred to as the "greatest illicit transfer of wealth in history" it is incumbent upon federal law enforcement to step up its game.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Targetsecuritydata breachU.S. Senate Judiciary CommitteeNeiman Marcusgovernment

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments