Privacy and Cybersecurity in the Age of Data Analytics, Part 2

Craig Chambers
July 6, 2020

Housekeeping and Other

In Part 1 (published 6/4/20), we saw how governments deploying data analytics need sound policies in place to preserve citizens’ expectations of privacy.  In Part 2, we look at the fat target presented by government’s massive collection of online data, and how to protect it from theft and exploitation by the wrong people.

****

Bill Burr is sorry.  Even if you’ve never heard of Bill, you are likely affected by his work every day of your life.  Bill was the principal author of the National Institute of Standards and Technology (NIST) Special Publication 800-63 Appendix A, which in 2003 recommended that every business, academic institution and government agency adopt complex passwords for each user and change them every 90 days.  As everyone knows, implementing that policy has led to 1) machine-guessable passwords (“p@S$w0rd123!”), 2) unprotected password lists, 3) porous password recovery procedures (“What was the make of your first car?”), and billions of hours of lost productivity.

The vulnerabilities are so well known that they’ve entered the realm of comedy.  In the new Steve Carell series Space Force, the Russian liaison officer who is a mole hiding in plain sight suggests to the general’s grownup daughter that they should get to know each other better – for instance, who was her favorite pet as a child? What was her father’s mother’s maiden name?

The advent of data analytics and other comprehensive information management systems has permitted governments to collect sensitive information on a scale that was unimaginable just a decade or so ago. If someone with bad intentions gets in, the tools to exploit these breaches are numerous and readily available. The consequences can be catastrophic.  Not only can private data fall into the wrong hands, but the entire operation of government can be halted by a ransomware attack, as it is for hundreds of counties and municipalities each year.

The challenge for governments is even more complex than it is for the private sector.  Where companies can (and probably should) lock down all of their sensitive information, governments must balance security against transparency and public participation.  Information such as property ownership and taxes, home prices and mortgage terms, political party affiliations and public employee salaries are just a few of the categories that are essentially in the public domain, giving bad actors an excellent starting point.  No wonder the Center for Digital Government reported in 2019 that as of the previous year, 35 million voter records from 19 states were being offered for sale on a single site frequented by hackers.

With most government employees now working from home, a new risk has appeared as millions of work computers are deployed on home networks, secured in many cases by no more than a manufacturer’s default admin password.

So what can smart governments do to reduce the risks and plug the holes? It is a three-pronged program: training, an updated password policy, and comprehensive cyber defense:

Training.  Fortunately, a majority of state and local governments in the US have instituted regular cyber security training for their employees. Well-written, engaging programs can be found online at reasonable prices, and usually contain modules on protecting personally identifiable information (PII), protecting health records (HIPAA), and defending against phishing attacks. Especially useful are those that continuously probe for weaknesses, sometimes simulating phishing attacks and praising employees who respond correctly.  Governments should add to these practices minimum requirements for home network security and a way to routinely update work machines that are now living in employees’ homes.

Password policy.  Around the time he retired from NIST, Bill Burr was interviewed in the Wall Street Journal about his password guidance, saying, “Much of what I did I now regret.” In 2017, NIST updated the policy in Special Publication 800-63B; it contains major changes:

  • Longer, simpler passwords (“passphrases”).  These are easily remembered strings of mostly unrelated words without special characters, like “cowtableuranium” or “minimizesaltvaluecollisions” (okay, that one is a phrase from 800-63B).  They can be combined with a password manager and/or single sign-on to reduce the burden of recalling multiple passwords and the urge to write them down.
  • Elimination of forced password changes.  To the great relief of all, passwords now only need to be changed if there’s a breach.
  • Multi-factor authentication (MFA).  This means having a second (or third) way to verify your identity.  While biometrics are making headway, they are still clunky and unreliable.  Inexpensive MFA apps such as Duo that only require registering a second device like your phone are simple to deploy and easy to use.
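To make the contrast concrete, here is an added illustration (not from the original article or from NIST) of the two policies as password-acceptance checks: the 2003-style composition-plus-expiry rule beside an 800-63B-style rule that looks only at length, a compromised-password blocklist, sequences, and context words, and asks for a change only after a breach. The blocklist and the 4-character sequence threshold are constructed stand-ins.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a breached/common-password blocklist; 800-63B
# requires comparing new secrets against values known to be compromised.
BLOCKLIST = {"password", "p@s$w0rd123!", "letmein", "qwerty123"}
ROTATION = timedelta(days=90)


def legacy_policy(pw, last_changed, today):
    """2003-era SP 800-63 style: four character classes plus a 90-day expiry."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if len(pw) < 8 or not all(re.search(c, pw) for c in classes):
        return False, "needs upper, lower, digit and symbol"
    if today - last_changed > ROTATION:
        return False, "expired: change every 90 days"
    return True, "ok"


def has_sequence(pw, run=4):
    """True for runs like 'aaaa' or '1234'/'abcd' (repetitive or sequential)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def nist_800_63b_policy(pw, breached=False, context_words=()):
    """SP 800-63B (2017) style: no composition rules, no periodic rotation."""
    low = pw.lower()
    if len(pw) < 8:                      # minimum for user-chosen secrets
        return False, "shorter than 8 characters"
    if low in BLOCKLIST:
        return False, "found in compromised/common-password list"
    if any(w.lower() in low for w in context_words):
        return False, "contains a context-specific word (service, username)"
    if has_sequence(pw):
        return False, "repetitive or sequential characters"
    if breached:                         # the only trigger for a forced change
        return False, "change required: credential exposed in a breach"
    return True, "ok"
```

Under the old rule “p@S$w0rd123!” passes and “cowtableuranium” fails; under the 800-63B rule the outcome is reversed.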

Taking charge. As cyber-threats and the consequences of a breach increase, smart organizations are turning to more sophisticated ways to protect themselves and, in some cases, fight back.  Active measures include good housekeeping like cloud backups, antivirus programs and, more recently, AI-based intrusion detection software. Those who choose to fight back need a robust ransomware policy and a strong relationship with law enforcement.  If your organization finds itself the target of a cyber-attack, the FBI has teams in every field office ready to investigate and take down cyber-criminals (see http://www.fbi.gov/investigate/cyber).