Malware sophistication vexes lawmakers, retailers and the financial industry
Members of the Senate Judiciary Committee also point to failure of industry to implement stronger measures
IDG News Service - The failure of U.S. financial institutions and retailers to implement more robust cybersecurity measures, such as the smart-card technology widely used in Europe, was questioned and criticized by members of the Senate Judiciary Committee at a hearing Tuesday.
Senators also questioned notification procedures following recent high-profile breaches and whether federal law enforcement agencies are doing enough to go after cybercriminals. Lawmakers repeatedly noted the vulnerability of U.S. consumers, who make a quarter of all credit-card transactions globally, but half of all data breaches occur in the U.S., with a quarter of all data breaches occurring in the U.S.
Sen. Richard Blumenthal, a Connecticut Democrat asked what seemed to be a rhetorical question given the discussion at the hearing. "Am I right in thinking that the U.S. is behind the rest of the world in its data-security safeguards?"
Executives from Target and Neiman Marcus, which have recently revealed massive breaches of shoppers' data, were among the witnesses called before the committee, with some lawmakers expressing frustration at the laggardly pace in which industry is moving toward technology that provides additional layers of security. For instance, Visa and Mastercard have said they will implement the use of smart cards by October 2015, yet such technology is already widely used in other countries.
Lawmakers and witnesses also spoke of the lack of federal standards and legislation, including the need for stronger notification laws -- businesses currently have up to 60 days to notify customers when a breach has occurred -- at a time when cybercriminals are developing increasingly sophisticated malware capable of evading detection. For instance, the data breach at high-end retailer Neiman Marcus occurred between July and October of last year, with different stores in the retail chain affected at different times, but the intrusion was not detected until Jan. 2, according to testimony from Michael Kingston, senior vice president and CIO of The Neiman Marcus Group.
A Secret Service report regarding that breach concluded that malware "comparable and perhaps even less sophisticated to the one in our case had a zero-percent detection rate" using available security software, he said.
That means, witnesses agreed, that any standards or legislation implemented by the government must be flexible to adapt to the evolving threats. Legislation must be "multilayered," said Fran Rosch, a senior vice president at security-software vendor Symantec. Smart cards, with embedded chips and data that changes per transaction, are just one method of protecting consumers better from data theft, he said. Two-factor authentication and data encryption at all steps of a transaction are other mechanisms.
"We think any legislation should reflect that, [and impose] those layers," he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts