Privacy and Security: An Update From Washington Rodney J. Petersen Government Relations Officer EDUCAUSE

Post on 15-Jan-2016


Page 1: Privacy and Security: An Update From Washington Rodney J. Petersen Government Relations Officer EDUCAUSE

Privacy and Security: An Update From Washington

Rodney J. Petersen, Government Relations Officer

EDUCAUSE

Page 2

Background About EDUCAUSE

EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. The current membership comprises over 2,200 colleges, universities, and education organizations, including more than 200 corporations, and more than 16,500 active member representatives. EDUCAUSE programs include leading-edge initiatives, professional development activities, print and electronic publications, strategic policy initiatives, research, awards for leadership and exemplary practices, and a wealth of online information services. EDUCAUSE has offices in Boulder, Colorado, and Washington, D.C.

Page 3

EDUCAUSE Washington Office

Public Policy and Government Relations
• Congressional Affairs
• Federal Agency Relations
• Coordination with Other Higher Ed Associations
• Alliances with Industry and Other Non-Profits

Networking Programs
• Net@EDU – Leading Edge Initiative
• Network Policy Council
• PKI and Identity Management Activities
• Dot EDU Administration

Cybersecurity Initiatives
• EDUCAUSE/Internet2 Security Task Force

Page 4

Washington Update

Bi-monthly online newsletter with summary information about:

• Federal Legislation
  • Introduced
  • Committee Action
  • House, Senate, or Executive Branch Action
• Congressional Hearings
• Federal Agency News and Action

New blog of Washington news as it occurs.
Subscribe: listserv.educause.edu/archives/update.html

Page 5

Partner Associations

Higher Education Presidential Associations
• American Council on Education (ACE)
• Association of American Universities (AAU)
• National Association of State Universities & Land-Grant Colleges (NASULGC)
• American Association of State Colleges and Universities (AASCU)
• National Association of Independent Colleges and Universities (NAICU)
• American Association of Community Colleges (AACC)

Higher Education Professional Associations
• Association for Communications Technology Professionals (ACUTA)
• Association of Research Libraries (ARL)
• Council On Government Relations (COGR)
• International Association of Campus Law Enforcement Administrators (IACLEA)
• National Association of College and University Business Officers (NACUBO)

Page 6

Congressional Affairs

• U.S. House of Representatives
• U.S. Senate
• Congressional Internet Caucus Advisory Committee
• Congressional Committees
  • Commerce
  • Education
  • Homeland Security
  • Judiciary
  • Science and Technology

Page 7

Federal Agency Relations

• Department of Commerce
• Department of Education
  • Office of Safe and Drug-Free Schools
• Department of Homeland Security
  • National Cyber Security Division
  • U.S. Secret Service – Electronic Crimes Task Force
• Department of Justice
  • FBI InfraGard Program
• Federal Communications Commission
• Federal Trade Commission
• National Science Foundation

Page 8

Public Policy Issues

• Competitiveness & Innovation
• Copyright & Intellectual Property
• Internet Content Regulation
• Internet Governance
• Investment in Advanced Networking and IT
• Privacy and Security
• Telecommunications

Page 9

Privacy and Security

• Critical Infrastructure Protection
• Data Security and Privacy
• Identity Theft
• Social Security Number Use
• Monitoring and Surveillance
• Privacy Policies and Fair Information Practices

Page 10

Headlines from Washington

• The Federal government is broke!
• Extensive focus on the war on terrorism
• Congress suffers from ADD
• Control of Congress has changed
• Agency leadership is turning over
• Election dominates
• IT issues are not well understood

Page 11

Other Headlines

If con is the opposite of pro, then is congress the opposite of progress?

Page 12

Critical Infrastructure Protection

Plans, Plans, and more Plans . . .
• The National Strategy for Homeland Security (2002)
• National Strategy for Physical Protection of Critical Infrastructures and Key Assets (2003)
• National Strategy to Secure Cyberspace (2003)
• Homeland Security Presidential Directive #7 (2003)
• National Strategy Pandemic Influenza (2005)
• National Infrastructure Protection Plan (2006)
• Sector Specific Plans for NIPP (2007)

Page 13

Partnership for CI Security

"Government at the federal, state and local level must actively collaborate and partner with the private sector, which controls 85 percent of America's infrastructure. ... The Nation's infrastructure protection effort must harness the capabilities of the private sector to achieve a prudent level of security without hindering productivity, trade or economic growth."

President’s Strategy for Homeland Security

Page 14

Homeland Security Presidential Directive #7

It is the policy of the United States to enhance the protection of our Nation's critical infrastructure and key resources against terrorist acts that could:

• cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction;
• impair Federal departments and agencies' abilities to perform essential missions, or to ensure the public's health and safety;
• undermine State and local government capacities to maintain order and to deliver minimum essential public services;
• damage the private sector's capability to ensure the orderly functioning of the economy and delivery of essential services;
• have a negative effect on the economy through the cascading disruption of other critical infrastructure and key resources;
• undermine the public's morale and confidence in our national economic and political institutions.

Page 15

Critical Infrastructures and Key Resources

• Agriculture and Food
• Banking and Finance
• Chemical
• Commercial Facilities
• Communications
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Information Technology
• National Monuments and Icons
• Nuclear Reactors, Materials, and Waste
• Postal and Shipping
• Public Health and Healthcare
• Transportation Systems
• Water

Page 16

NIPP Risk Management Framework

National Infrastructure Protection Plan, 2006

Page 17

Campus Safety and Security

• Close Scrutiny Post-Virginia Tech Tragedy
• Congressional Hearings
  • Senate Homeland Security and Governmental Affairs Committee
  • House Homeland Security Committee
  • House Education and Labor Committee
• Report to the President on Issues in the Aftermath of the Virginia Tech Tragedy

Congressional Hearings and President's Report – Key Issues:
• Emergency Preparedness
  • All-hazards planning
• Managing Individuals at Risk
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Information Privacy and Accountability Act (HIPAA)
• Emergency Response
  • Emergency Notification Systems

Page 18

Identity Theft

Strategy Recommended in The President's Identity Theft Task Force Report:

PREVENTION:
• Keep Consumers' Data Out of the Hands of Criminals
• Make it Harder to Misuse Consumer Data

VICTIM RECOVERY:
• Help Consumers Repair Their Lives

LAW ENFORCEMENT:
• Prosecute and Punish Identity Thieves

Page 19

Use of Social Security Numbers

Federal Trade Commission Inquiry
• Interviews
• Comments
• Workshop

Topics for Comment:
• Current Private Sector Collection and Uses of the SSN
• The Role of the SSN as an Authenticator
• The SSN as an Internal Identifier
• The Role of the SSN in Fraud Prevention
• The Role of the SSN in Identity Theft

Page 20

Information Security

• Federal Information Security Management Act (FISMA)
• Other Mandates on Federal Agencies & Depts
• National Strategy to Secure Cyberspace
• Regulation of Private Sector ~ Resistance
• Corporate Information Security Working Group
  • Best Practices and Metrics for InfoSec
• National Cyber Security Partnership
  • Cross-Sector Cyber Security Working Group
• Cyber Components of Sector Specific Plans

Page 21

Data Security and Privacy

• An attempt to regulate the protection of personally identifiable information
• Extend the GLB Act requirements (i.e., the establishment of an information security program) to all types of PII
• Various approaches and authorities
  • Data held by the Federal government
  • Extension of FTC Act (to "businesses")
  • Extension of FTC authority like GLB Act

Page 22

Security Breach Notification

• 36 States have passed security breach notification laws
• A uniform, national approach is needed
• Discrepancies over:
  • What should trigger the need for notification
  • When notification should occur
  • To whom breaches should be reported
  • How consumers will be compensated
• There are efforts to de-couple notification bills from related attempts to establish privacy and security requirements

Page 23

Essential Body of Knowledge

Information Technology (IT) Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development

Framework addresses:
• IT Competency Areas
• The IT Security Essential Body of Knowledge
• IT Security Roles, Competencies and Functional Perspectives
• Matrix of Roles, Competencies, and Functions

EDUCAUSE Live Webinar: November 14, 1 p.m. ET
www.educause.edu/live

Page 24

Commission on Cyber Security

Independent, Bi-Partisan Commission on Cyber Security for the 44th Presidency

Chartered by:
• Congress – House Homeland Security Committee
• Center for Strategic International Studies

Co-Chairs:
• Scott Charney, corporate vice president for trustworthy computing at Microsoft, and
• Retired Navy Admiral Bobby Inman, Lyndon B. Johnson National Policy Chair at the University of Texas at Austin

Promises to be the most comprehensive treatment of cybersecurity since the National Strategy to Secure Cyberspace

Page 25

White House Cybersecurity Plans

President Bush quietly announced this week his plans to launch a program targeting terrorists and others who would seek to attack the United States via the Internet, according to lawmakers and budget documents. Bush requested $154 million in preliminary funding for the initiative, which current and former government officials say is expected to become a seven-year, multibillion-dollar program to track threats in cyberspace on both government and private networks. The proposal "will enhance the security of the Government's civilian cyber networks and will further address emerging threats," Bush wrote to Congress as part of his request for additional money for cyber security and other counterterrorism measures. The initiative would first develop a comprehensive cyber security program for the government and then do the same for private networks, the former government official said.

Source: Baltimore Sun

Page 26

P2P Issues

• Joint Committee Between the Entertainment and Educational Communities
• Congressional Hearings
  • House Judiciary
  • Senate Judiciary
  • House Education and Labor
  • House Science and Technology
• Proposed Amendments to Higher Education Reauthorization
• Government Accountability Office Studies
• Letters from Congress to 20 University Presidents
• P2P as a Security Risk
  • House Oversight & Government Reform
  • Congressional request to FTC for enforcement
  • State Governors' Executive Orders

Page 27

Comprehensive Privacy Legislation

Why a Federal Approach is Needed:
• An increasingly complex patchwork of state, federal, and even international laws related to data privacy and security;
• Consumer fears about identity theft and other online dangers to dampen online commerce;
• Consumer desire for more control over the collection and use of online and offline personal information

Microsoft Corp., on behalf of the Consumer Privacy Legislative Forum

Page 28

Core Principles on Privacy Legislation

• Create a baseline standard across all organizations and industries for offline and online data collection and storage;
• Increase transparency regarding the collection, use, and disclosure of personal information;
• Provide meaningful levels of control over the use and disclosure of personal information;
• Ensure a minimum level of security for personal information in storage and transit

Microsoft Corp., on behalf of the Consumer Privacy Legislative Forum

Page 29

Monitoring and Surveillance

• USA PATRIOT Act
  • Computer trespass exception
• National Security Letters
  • No court review, and use is underreported
• Communications Assistance for Law Enforcement Act (CALEA)
• Protect America Act of 2007
  • Amendments to Foreign Intelligence Surveillance Act (FISA)
• RFID Technologies
• REAL ID Act and HSPD 12
• Digital Passports

Page 30

Internet Safety

Concerns:
• Protection of children from online predators
• Dissemination of child pornography
• Unanticipated risks of social networking

Legislative Responses:
• Data retention by Internet Service Providers
• Deleting Online Predators Act (DOPA)
• Protecting Children in the 21st Century Act
• Safeguarding America's Families by Enhancing and Reorganizing New and Efficient Technologies Act of 2006 (SAFER NET)

Page 31

Security Awareness

• National Cyber Security Alliance – www.StaySafeOnline.org
• Federal Trade Commission – OnGuardOnline.gov
• Get Net Wise – www.GetNetWise.org
• Internet KeepSafe Coalition – www.ikeepsafe.org/
• iSAFE – www.isafe.org/
• Project Safe Childhood – www.projectsafechildhood.gov/

Page 32

State of the Net Conference

• January 30, 2008, in Washington, D.C.
• Organized by the Congressional Internet Caucus Advisory Committee
• Unparalleled opportunities to network and dialogue on key technology and information policy issues
• Attendees include a mix of academics, consumer groups, industry, and government
• For more information: http://netcaucus.org/conference/2008/

Page 33

EDUCAUSE Policy Conference

• Premier higher education conference on IT policy issues ~ emphasis on Federal policy
• 1½ days of plenary sessions
  • Keynote Speakers
  • Featured Speakers
  • Panel Discussions

Policy 2008
May 7-8, 2008, Arlington, Virginia
www.educause.edu/conference/policy

Page 34

For More Information

EDUCAUSE Federal Policy Program
Website: www.educause.edu/policy
Phone: 202.872.4200
Email: [email protected]

Washington Update
Blog: http://connect.educause.edu/tag/Washington+Update/5405
Newsletter: listserv.educause.edu/archives/update.html

My Contact Information
Email: [email protected]
Phone: 202.331.5368

Page 35

Security Task Force

• Established in 2000
• Organized by EDUCAUSE and Internet2
• With the support of Higher Education Associations
• Sector representative to government and industry for higher education cyber security
• Annual Security Professionals Conference
• Working Groups:
  • Awareness & Training
  • Effective Practices and Solutions
  • Policies and Legal Issues
  • Risk Assessment
• Internet2/SALSa Initiatives

Page 36

Mission and Strategy

Mission: to improve cybersecurity across the higher education sector and actively promote effective practices and solutions for the protection of information assets and critical infrastructures.

Security Task Force Strategic Plan:
• Executive Commitment and Action
• Professional Development for ISOs
• Awareness of Available Resources
• Security of Packaged Software
• New Tools and Technologies

Page 37

Awareness and Training

Goal: Education and Awareness

Awareness and Training Working Group

Examples of Activities:
• 2006 & 2007 Student Video Contest
• Confidential Data Handling Blueprint
• SANS EDU Partnership Series Program
• Online Training Tool

Page 38

October as NCSAM

National Cyber Security Alliance – www.StaySafeOnline.org

Resource Kit for National Cyber Security Awareness Month – www.educause.edu/security/resourcekit

Page 39

Professional Development

EDUCAUSE & Internet2 Security Professionals Conference
May 4-6, 2008, Arlington, Virginia
Call for Proposals: Due November 16th

Tracks:
• Forensics and Incident Handling
• Policy, Law, and Compliance
• Security Management and Operations
• Technology Solutions
• Vendors and Partnerships of IT Products and Services

For more information, see www.educause.edu/sec08

CAMP: Bridging Security and Identity Management
February 13-15, Tempe, Arizona

Academic Medical Centers Privacy and Security Conference
March 1-4, 2009, Chapel Hill, North Carolina

Page 40

NSF Cybersecurity Summit

NSF Cybersecurity Summit for Large Research Facilities
• Held in 2004, 2005, and 2007
• Next: May 7-8, 2008, Arlington, VA (tentative)
• Target Audience:
  • NSF program officers
  • Individuals who are employees of federally funded research facilities or the host organization (e.g., university) who have responsibility for:
    • facilities operation and management,
    • IT security management and policy,
    • network or computer security engineering, or
    • facility users

Page 41

Effective Practices & Solutions

Goal: Security Architecture and Tools

Effective Practices and Solutions Working Group

Examples of Activities:
• Effective IT Security Practices Guide – www.educause.edu/security/guide
  • Refining process for submitting an effective practice
  • Striving for more flexibility through the use of wikis and blogs
  • Table of Contents mapped to standards and compliance

New subgroups are developing practices in these areas:
• PCI-DSS Compliance
• Security Metrics
• Encryption – at rest and in transit

Page 42

Policies and Legal Issues

Goal: Standards, Policies, and Procedures

Policies and Legal Issues Working Group

Examples of Activities:
• business continuity resources
• data sanitization resources
• responding to legal requests
• model security policy

New Areas of Focus:
• data classification and the handling of sensitive data
• e-discovery/Electronically Stored Information (ESI)
• security issues with P2P

Page 43

Risk Assessment

Risk Assessment Working Group

Examples of Activities:
• Refinement of Risk Assessment Framework

New Project Underway: Information Security Risk Assessment Consultants Reference List
• To provide a starting place for institutions looking for risk assessment consultants
• Will include sample RFPs
• May include podcasts of campus experiences, advice, pros/cons, etc.

New Project Coming Up: Examination of Risk Assessment Management Products
• Both commercial and home-grown

Page 44

Internet2 Security Initiatives

SALSa – an oversight group consisting of technical representatives from Internet2 who advise on leading-edge technology issues, provide prioritization, and set directions in the security space.

Working Groups and Projects:
• Computer Security Incidents – Internet2 (CSI2)
• Disaster Planning and Recovery
• DNSSEC
• NetAuth

Page 45

REN-ISAC

Research and Educational Networking Information Sharing and Analysis Center
www.ren-isac.net

• A private trust community for R&E security protection and response
• Purpose: to collect, derive, analyze, & disseminate threat information and support member understanding of threats, protection, and mitigation.
• 24x7 Watch Desk: [email protected], (317) 274-6630