New Cybersecurity Legislation Proposed
Following recent attacks on major corporations, including the breach of Sony’s PlayStation system, the Obama administration has submitted a proposal to Congress for new cybersecurity legislation for companies. The announcement of this proposal highlights a renewed focus for the White House on computer and data security as a matter of national and financial stability, although there are still many questions as to how any laws regarding corporate network security could be written or implemented.
Some concerns involve the possibility of actually limiting progress by writing any specific methods or requirements for protecting data and network systems into law. Any explicit stipulations may force businesses to keep dated measures in place after they have become obsolete, potentially driving resources away from the implementation of newer and more sophisticated security technology. In acknowledgement of these issues, the proposal introduced on May 12th does not recommend specific requirements but instead offers potential incentives to companies for meeting or exceeding standard expectations for security that the Department of Homeland Security will decide.
The reach of the Department of Homeland Security, and even the White House itself, is also a matter of discussion here. CNET reported the following regarding a comment from an unnamed Department of Homeland Security official: “If ‘industry does not come forward’ with an ‘appropriate’ standard, the draft legislation would give the government the power to ‘pick one, to create one, to modify one and choose that one. We believe that won’t be necessary.’” If this line of thinking is incorporated into law, this would leave open the possibility for the Department of Homeland Security to create and promote a standard that the Department determines to be appropriate for corporate information security.
Further, the New York Times reports that the Obama administration announced that under the proposed law, the Department of Homeland Security would be able to identify private organizations that are considered important to national stability and to have increased control over the computer systems and networks of these companies, so that the federal government could intervene in case of a security breach to prevent the spread of damage.
In this environment, a proactive approach to data security is best. The ShareFile service offers a hosted solution to protect information using the same encryption technology used by online banking and ecommerce companies. Further, SAS 70 Type II servers, password protection, and even the ability to limit the IP addresses that may access a ShareFile account online keep account data secure and available only to authorized parties.
ShareFile has recently been able to offer consistent, secure file transfer and storage where other services have failed because of our focus on infrastructure and staying up to date with changes in data protection and migration. The recent interruption in Amazon Web Services, which affected many companies, did not affect ShareFile clients, although our servers are hosted by Amazon, because our worldwide network of servers is designed to allow data to be migrated to the healthiest server on short notice. Further, data is backed up in real time to alternate server locations to allow ShareFile to restore client data as quickly as possible in case of server failure.
European researchers also recently released a report on how some file transfer services compromise information security by using unique IDs for stored files that can be predicted and exploited to gain access to those files. The services cited in the report create IDs by making incremental changes from one ID to the next, which makes it possible to determine the pattern used. The ShareFile service identifies and stores each file under a random string of characters too long to guess, and there is always the option to require login to access any files or links created, which prevents unauthorized users from accessing a file even if they have its ID. If an IP address makes 20 wrong ‘guesses’ at a file ID, the system will lock out any attempts by that IP address to access the account or any stored files for 10 minutes.
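The two controls described above, sketched as an added example in Python (not ShareFile's code): file IDs drawn from a cryptographic random source instead of a counter, and a per-IP lockout of 10 minutes after 20 wrong guesses. The class and function names, the 32-byte ID length, and the choice not to reset the count on a successful access are assumptions; the page gives no implementation details.

```python
import secrets
import time

MAX_FAILURES = 20       # wrong guesses tolerated per IP (figure from the text)
LOCKOUT_SECONDS = 600   # 10-minute lockout (figure from the text)
ID_BYTES = 32           # assumed length: 256 random bits; the page gives no size


def new_file_id():
    """Return an unguessable ID drawn from the OS CSPRNG (not a counter)."""
    return secrets.token_urlsafe(ID_BYTES)


class FileStore:
    """Hypothetical store: random IDs plus per-IP lockout on wrong guesses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._files = {}         # file_id -> content
        self._failures = {}      # ip -> wrong guesses since last lockout
        self._locked_until = {}  # ip -> clock value when the lockout ends

    def put(self, content):
        file_id = new_file_id()
        self._files[file_id] = content
        return file_id

    def get(self, ip, file_id):
        """Return (status, content); status is 'ok', 'not_found' or 'locked'."""
        now = self._clock()
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return "locked", None      # refuse even a valid ID
            del self._locked_until[ip]     # lockout has expired
        content = self._files.get(file_id)
        if content is not None:
            return "ok", content           # assumption: success keeps the count
        count = self._failures.get(ip, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            count = 0                      # start fresh after the lockout
        self._failures[ip] = count
        return "not_found", None
```

Passing a fake `clock` callable lets the lockout window be exercised without waiting 10 minutes.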
For more information on how our world-class large file transfer and storage service can help you keep your confidential files safe, please see our website at www.sharefile.com.