Quick Hits for Oct. 26

*** In an Oct. 25 letter, Sen. James Lankford (R-Okla.) wants to know what the Treasury Department is doing to protect Suspicious Activity Reports from being accessed in unauthorized ways.

SARs are in the news because they figured into media leaks regarding Paul Manafort, who was convicted in federal court on financial fraud charges and also pleaded guilty to conspiracy to obstruct justice and other crimes.

On Oct. 18, the Justice Department charged Natalie Mayflower Sours Edwards, a senior advisor at Treasury's Financial Crimes Enforcement Network (FinCEN), with leaking a SAR detailing Manafort's financial activity to multiple media outlets between October 2017 and October 2018.

Lankford wants to know how many FinCEN employees are authorized to access SARs; how FinCEN monitors access requests; how the office assesses whether access to a report is within an employee’s official responsibilities; the policy for punishing unauthorized access; what Treasury is doing to prevent future unauthorized access; and copies of policies and guidelines related to the program.

"The system of SARs is critical to FinCEN's work," Lankford wrote. "Access to extremely sensitive information should be appropriately controlled, monitored and compartmentalized, so as to eliminate unnecessary risk."

*** The White House is looking to jump-start efforts to get federal agencies to relinquish or share spectrum with the private sector as demand for wireless bandwidth, in particular for 5G, continues to grow. In an Oct. 25 strategy memo, the administration tasked agencies with a review of current and anticipated spectrum needs. The process will be managed by the National Telecommunications and Information Administration. The memo also called for a "secure, automated capability" to conduct spectrum assessments and support spectrum sharing.

*** A Department of Energy Inspector General audit found that the agency responsible for safeguarding the nation's nuclear stockpile still has dozens of cybersecurity weaknesses to address.

Auditors said the National Nuclear Security Administration still has opportunities "to enhance its ability to protect information systems and data."

Although NNSA remediated all 12 of the specific cybersecurity weaknesses identified in last year's audit, the new report found that many of the same areas suffered from other shortfalls. The specifics of each finding were withheld because of the sensitive nature of NNSA's work, but unpatched and unsupported software, insecure user credentials, weak access control policies and a failure to deliver IT security training to staff were all listed as ongoing problems.

In a response included in the report, Department of Energy CIO Max Everett concurred with the IG's findings and said corrective actions were underway for all 25 weaknesses identified, with an estimated completion date of September 2019.

*** The Department of Homeland Security's Science and Technology Directorate wants to improve academic research into cyber risk management by helping scholars incorporate the real-world economic constraints that force cybersecurity tradeoffs within organizations.

A new report looks at four factors that tend to drive organizations' cybersecurity investment decisions: the extent to which an investment will help them manage cyber risk, the business and financial return on that investment, the incentives that push organizations toward effective cyber risk management and how those investments affect outcomes for information, systems and people.

On the government side, the report also cites lawmakers' poor understanding, at both the state and federal level, of how laws and liability concerns shape organizational decision-making, along with a lack of accountability for how organizations manage and track their supply chains, as factors contributing to uncertainty about how to manage cyber risk.

Researchers at S&T believe the report is merely "a solid start" and note that a more holistic approach that incorporates perspectives from other social and behavioral sciences is needed to fully flesh out the economic incentives of cybersecurity.