Monthly Archives: February 2014

Just how safe is Sochi?

BobNo doubt, you’ve already seen all the complaints from journalists in Sochi about sub-standard bathroom facilities.  Heck, a dear friend was locked *inside* her hotel room on her first day reporting there.   These are funny stories, but can sound a bit like first-world problems.

I’m worried about something much more serious happening during the next three weeks, and I have enough friends there that it’s personal. Not surprisingly, we’ve already learned that visitors to Sochi should expect their entire lives to be hacked. Indeed, the Committee to Protect Journalists cites a Russian government decree published in the state newspaper in November which announces the government’s intention to collect metadata on all telecommunications. (Question: Is that better or worse than what the NSA does?).  And NBC’s Richard Engle demonstrated this week how his cell phones were hacked.

When Russians say they need to pry to keep Sochi safe, they aren’t inventing reasons. There are many credible threats of terrorism at the Games.

  • Chechen rebel leader Doku Umarov — some experts call him the Russian bin Laden — called for attacks on Sochi last summer.  Suicide bombings in Vologagrad (formerly Stalingrad) during December that killed 40 people show the threats are real, even if the connection between the attacks and Umarov is tenuous.
  • This week, the U.S. Department of Homeland Security warned airlines flying into Russia that bombs might be concealed in toothpaste tubes or cosmetic cases.
  • U.S. athletes have been told not to wear U.S. logos outside the Olympic Village. Many athletes chose to leave their families at home
  • And there are real threats of kidnappings, too — this week, two Austrian athletes were directly threatened in a letter sent to the Austrian Olympic Committee.

Until figure skating and hockey heat up, you will hear more and more about the threat of terrorism in Sochi. So for some level-headed analysis of the real threat, I turned to  Charles Hecker, Director of Global Research and Russia expert at Control Risk, a private global security team.  Here’s what Hecker told me.

“There is this ‘cordon sanitaire’ (secure perimeter – Russians are calling it a Ring of Steel) around the area. There is extensive surveillance—including underwater sonar—and in the air and through the electronic waves, every single move that anybody makes in and around Sochi is going to be monitored and recorded,” he said. “There hasn’t been this sort of peacetime security effort in Russia—or in too many other places, frankly—as we’re seeing now down in the North Caucasus and Southern Russia. This is the ultimate test of Russia’s capability.”

Expect Russia to spare no expense — or at least no civil liberty — while monitoring for potential threats, he said. Any family or employee in Sochi should expect everything they do to be watched.

He did offer this comforting message to those worried about direct attacks on Sochi during the Games.

“The security of the games and the Olympic Games sites should be pretty well taken care of, barring something none of us can anticipate,” he said. ”There is very little—in fact no—precedent in Russia for terrorist attacks being aimed specifically at tourists and visitors. Almost all of the terrorist activity in Russia has been aimed at government targets and at infrastructure targets.”

Islamic separatists believed to be loyal to Umarov have recently attacked train stations and an airport, for example. And while Umarov lifted an alleged ban on attacking civilians in July while calling for attacks on the Olympics, his ability to execute on such threats is unclear. A security report issued by Control Risks in January makes clear that Caucasus Emirate, the group Umarov leads, is “not a military organization with a reliable line of command.”  Any attacks would be planned and carried out “locally and autonomously.”

Russian and Vladimir Putin have every incentive to prevent an embarrassing attack, Hecker noted.

“Forget about it as a sporting event, the Olympics in Russia are far more than that. This is Russia’s attempt at imprinting an entire new image of itself on the world,” he said.

Attacks in other areas of Russia during the Games — in Moscow, St. Petersburg, or other large cities outside Sochi — are more likely, Control Risks says.

But even without an attack, the separatists might be able to claim victory anyway, argues Uval Mond, in an opinion piece that appeared this week in The Times of Israel.

“Before the games even begin, Umarov’s threats have succeeded in generating anxiety to the level of real panic, which has fueled an international debate over the security situation in Russia and the authorities’ ability to guarantee the safety of the visiting athletes and fans,” he wrote. “This arch-terrorist has positioned himself as a geostrategic player whose presence is definitely troubling the sleep of one of the most powerful world leaders. That alone is a victory for Doku Umarov.”

Congress: The real risks at are real

Larry Ponemon

Larry Ponemon

I have been asked to testify about the possibility of identity theft on the website and the potential consequences to the American public. Identity theft and medical identity theft are not victimless crimes and affect those who are most vulnerable in our society – such as the ill, elderly and poor.

Beyond doing numerous empirical studies on this topic, this issue that really struck home. Last year my 88-year-old mother who lives in Tucson suffered a stroke. She was rushed to the hospital and admitted. Unbeknownst to her, an identity thief was on the premises and made photocopies of her driver’s license, debit card and credit card she had in her purse. The thief was able to wipe out her bank account and there were charges on her credit card amounting to thousands of dollars. In addition to dealing with her serious health issues, she also had to cope with the stress of recovering her losses and worrying about more threats to her finances and medical records.

The situation with my mother in the hospital and those who are sharing personal information on the website are not dissimilar. My mother had a reasonable expectation that the personal information she had in her wallet would not be stolen – especially by a hospital employee.  Those who visit and enroll in also have an expectation that the people who are helping them purchase health insurance will not steal their identity. They also have a reasonable expectation that all necessary security safeguards are in place to prevent cyber attackers or malicious insiders from seizing their personal data.

In my opinion, the controversy regarding security of the website is both a technical and emotional issue.  In short, security controls alone will not ease the public’s concerns about the safety and privacy of their personal information.  Based on our research, regaining the public’s trust will be essential to the ultimate acceptance and success of this important initiative.

Following are some key facts that we have learned from our consumer research on privacy, data protection and information security:

First, the public has a higher expectation of the protection of their personal information when using or browsing government websites such as the USPS or IRS than when accessing commercial websites such as or

Second, the loss of one’s identity can destroy a person’s wealth and reputation.  Further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for Americans to procure goods and services.

Third, medical identity theft negative impacts the most vulnerable people in our nation. Beyond financial consequences, the contamination of health records caused by imposters can result in health misdiagnosis and in extreme cases could be fatal. Because there are no credit reports to track medical identity theft, it is nearly impossible to know you have become a victim.

Based on our Institute’s research, I would like to recommend a three-part approach to raising the trust and confident of Americans when using

  • First, is accountability. It is important to demonstrate to the public that the government is accountable for the security of the information and can be trusted. This translates into standards that do not just meet basic practices but exceeds them to ensure the website is safe and secure. As an example, one requirement should be to encrypt all personal data at rest in backend systems.
  • Second, is ownership by the CEO. In this case it is the president of the United States who should take ownership of the website and ensure good security and privacy practices are met as a priority.
  • Third, is independent verification or audit of the website to ensure all areas and underlying systems meet high security standards.

This is an excerpt of Congressional testimony Larry Ponemon recently gave before the House Committee on Science, Space and Technology