Just how safe is Sochi?

No doubt, you’ve already seen all the complaints from journalists in Sochi about sub-standard bathroom facilities. Heck, a dear friend was locked *inside* her hotel room on her first day reporting there. These are funny stories, but can sound a bit like first-world problems.

I’m worried about something much more serious happening during the next three weeks, and I have enough friends there that it’s personal. Not surprisingly, we’ve already learned that visitors to Sochi should expect their entire lives to be hacked. Indeed, the Committee to Protect Journalists cites a Russian government decree published in the state newspaper in November which announces the government’s intention to collect metadata on all telecommunications. (Question: Is that better or worse than what the NSA does?) And NBC’s Richard Engel demonstrated this week how his cell phones were hacked.

When Russians say they need to pry to keep Sochi safe, they aren’t inventing reasons. There are many credible threats of terrorism at the Games.

  • Chechen rebel leader Doku Umarov — some experts call him the Russian bin Laden — called for attacks on Sochi last summer. Suicide bombings in Volgograd (formerly Stalingrad) during December that killed 40 people show the threats are real, even if the connection between the attacks and Umarov is tenuous.
  • This week, the U.S. Department of Homeland Security warned airlines flying into Russia that bombs might be concealed in toothpaste tubes or cosmetic cases.
  • U.S. athletes have been told not to wear U.S. logos outside the Olympic Village. Many athletes chose to leave their families at home.
  • And there are real threats of kidnappings, too — this week, two Austrian athletes were directly threatened in a letter sent to the Austrian Olympic Committee.

Until figure skating and hockey heat up, you will hear more and more about the threat of terrorism in Sochi. So for some level-headed analysis of the real threat, I turned to Charles Hecker, Director of Global Research and Russia expert at Control Risks, a private global security team. Here’s what Hecker told me.

“There is this ‘cordon sanitaire’ (secure perimeter – Russians are calling it a Ring of Steel) around the area. There is extensive surveillance—including underwater sonar—and in the air and through the electronic waves, every single move that anybody makes in and around Sochi is going to be monitored and recorded,” he said. “There hasn’t been this sort of peacetime security effort in Russia—or in too many other places, frankly—as we’re seeing now down in the North Caucasus and Southern Russia. This is the ultimate test of Russia’s capability.”

Expect Russia to spare no expense — or at least no civil liberty — while monitoring for potential threats, he said. Any family or employee in Sochi should expect everything they do to be watched.

He did offer this comforting message to those worried about direct attacks on Sochi during the Games.

“The security of the games and the Olympic Games sites should be pretty well taken care of, barring something none of us can anticipate,” he said. “There is very little—in fact no—precedent in Russia for terrorist attacks being aimed specifically at tourists and visitors. Almost all of the terrorist activity in Russia has been aimed at government targets and at infrastructure targets.”

Islamic separatists believed to be loyal to Umarov have recently attacked train stations and an airport, for example. And while Umarov lifted an alleged ban on attacking civilians in July while calling for attacks on the Olympics, his ability to execute on such threats is unclear. A security report issued by Control Risks in January makes clear that Caucasus Emirate, the group Umarov leads, is “not a military organization with a reliable line of command.”  Any attacks would be planned and carried out “locally and autonomously.”

Russia and Vladimir Putin have every incentive to prevent an embarrassing attack, Hecker noted.

“Forget about it as a sporting event, the Olympics in Russia are far more than that. This is Russia’s attempt at imprinting an entire new image of itself on the world,” he said.

Attacks in other areas of Russia during the Games — in Moscow, St. Petersburg, or other large cities outside Sochi — are more likely, Control Risks says.

But even without an attack, the separatists might be able to claim victory anyway, argues Uval Mond, in an opinion piece that appeared this week in The Times of Israel.

“Before the games even begin, Umarov’s threats have succeeded in generating anxiety to the level of real panic, which has fueled an international debate over the security situation in Russia and the authorities’ ability to guarantee the safety of the visiting athletes and fans,” he wrote. “This arch-terrorist has positioned himself as a geostrategic player whose presence is definitely troubling the sleep of one of the most powerful world leaders. That alone is a victory for Doku Umarov.”

Congress: The real risks at HealthCare.gov are real

Larry Ponemon


I have been asked to testify about the possibility of identity theft on the Healthcare.gov website and the potential consequences to the American public. Identity theft and medical identity theft are not victimless crimes and affect those who are most vulnerable in our society – such as the ill, elderly and poor.

Beyond doing numerous empirical studies on this topic, this issue really struck home. Last year my 88-year-old mother who lives in Tucson suffered a stroke. She was rushed to the hospital and admitted. Unbeknownst to her, an identity thief was on the premises and made photocopies of her driver’s license, debit card and credit card she had in her purse. The thief was able to wipe out her bank account and there were charges on her credit card amounting to thousands of dollars. In addition to dealing with her serious health issues, she also had to cope with the stress of recovering her losses and worrying about more threats to her finances and medical records.

The situation with my mother in the hospital and those who are sharing personal information on the healthcare.gov website are not dissimilar. My mother had a reasonable expectation that the personal information she had in her wallet would not be stolen – especially by a hospital employee.  Those who visit and enroll in healthcare.gov also have an expectation that the people who are helping them purchase health insurance will not steal their identity. They also have a reasonable expectation that all necessary security safeguards are in place to prevent cyber attackers or malicious insiders from seizing their personal data.

In my opinion, the controversy regarding security of the healthcare.gov website is both a technical and emotional issue.  In short, security controls alone will not ease the public’s concerns about the safety and privacy of their personal information.  Based on our research, regaining the public’s trust will be essential to the ultimate acceptance and success of this important initiative.

Following are some key facts that we have learned from our consumer research on privacy, data protection and information security:

First, the public has a higher expectation of the protection of their personal information when using or browsing government websites such as the USPS or IRS than when accessing commercial websites such as Amazon.com or ebay.com.

Second, the loss of one’s identity can destroy a person’s wealth and reputation.  Further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for Americans to procure goods and services.

Third, medical identity theft negatively impacts the most vulnerable people in our nation. Beyond financial consequences, the contamination of health records caused by imposters can result in health misdiagnosis and in extreme cases could be fatal. Because there are no credit reports to track medical identity theft, it is nearly impossible to know you have become a victim.

Based on our Institute’s research, I would like to recommend a three-part approach to raising the trust and confidence of Americans when using healthcare.gov.

  • First, is accountability. It is important to demonstrate to the public that the government is accountable for the security of the information and can be trusted. This translates into standards that do not just meet basic practices but exceed them to ensure the website is safe and secure. As an example, one requirement should be to encrypt all personal data at rest in backend systems.
  • Second, is ownership by the CEO. In this case it is the president of the United States who should take ownership of the website and ensure good security and privacy practices are met as a priority.
  • Third, is independent verification or audit of the website to ensure all areas and underlying systems meet high security standards.

This is an excerpt of Congressional testimony Larry Ponemon recently gave before the House Committee on Science, Space and Technology.

 

Cyber Security Incident Response: Are we as prepared as we think?

Lancope, Inc., a leader in network visibility and security intelligence, today announced the results of a Ponemon Institute report entitled, “Cyber Security Incident Response: Are we as prepared as we think?” Findings show that while security threats are imminent, CEOs and other members of the management team are in the dark about potential cyber-attacks against their companies. The research also shows that, as a result, Computer Security Incident Response Teams (CSIRTs) often lack the resources necessary to fend off the continuous onslaught of advanced threats facing today’s organizations.

Commissioned by Lancope, the Ponemon Institute research surveyed 674 IT and IT security professionals in the United States and the United Kingdom who are involved in their organization’s CSIRT activities. The study concludes with key recommendations for organizations looking to improve their incident response process.

Key findings from the study include:

  • Security incidents are imminent – Sixty-eight percent of respondents say their organization experienced a security breach or incident in the past 24 months. Forty-six percent say another incident is imminent and could happen within the next six months.
  • Management is largely unaware of cyber security threats – Eighty percent of respondents reported that they don’t frequently communicate with executive management about potential cyber-attacks against their organization.
  • Organizations are not measuring the effectiveness of their incident response efforts – Fifty percent of respondents do not have meaningful operational metrics to measure the overall effectiveness of incident response.
  • Breaches remain unresolved for an entire month – While most organizations said they could identify a security incident within a matter of hours, it takes an entire month on average to work through the process of incident investigation, service restoration and verification.
  • CSIRTs lack adequate investments – Half of all respondents say that less than 10 percent of their security budgets are used for incident response activities, and most say their incident response budgets have not increased in the past 24 months.
  • Network audit trails are the most effective tool for incident response – Eighty percent of respondents say that analysis of audit trails from sources like NetFlow and packet captures is the most effective approach for detecting security incidents and breaches. This choice was more popular than intrusion detection systems and anti-virus software.

“The findings of our research suggest that companies are not always making the right investments in incident response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “As a result, they may not be as prepared as they should be to respond to security incidents. One recommendation is for organizations to elevate the importance of incident response and make it a critical component of their overall business strategy.”

“If 2013 is any indication, today’s enterprises are ill-equipped to identify and halt sophisticated attacks launched by nation-states, malicious outsiders and determined insiders,” said Mike Potts, president and CEO of Lancope. “Now is the time for C-level executives and IT decision-makers to come together and develop stronger, more comprehensive plans for incident response. This communication is critical if we want to reduce the astounding frequency of high-profile data breaches and damaging corporate losses we are seeing in the media on a near-daily basis.”

Results to be presented at RSA Conference 2014 and via webinar

Dr. Larry Ponemon will join Lancope, The Coca-Cola Company, General Motors and Viewpost executives in an RSA Conference 2014 panel discussion to explore the results of the study and share insights on how to build a great CSIRT with the executive support and respect it needs. The panel, “Why Cyber Incident Response Teams Get No Respect,” will take place on Wednesday, February 26, at 9:20 a.m. U.S. Pacific time in Room 3009 at the Moscone Center in San Francisco.

The results will also be presented via a free webinar on January 29, 2014 at 8:00 a.m. U.S. Pacific time. Participants can join Dr. Ponemon and Lancope’s director of security research, Tom Cross, to hear about the key mistakes organizations are making when it comes to incident response, and how the right mix of people, processes and technology can dramatically improve incident response efforts. Those interested can register at: http://www.lancope.com/company-overview/webinar/ponemon-cyber-security-incident-response/.

Further Information

For media inquiries related to the Ponemon Institute incident response study, or to schedule briefings with Lancope and Dr. Larry Ponemon at RSA Conference 2014, please contact Lesley Sullivan or Kendra Dorr at Lancope@SchwartzMSL.com. For a full copy of the study, “Cyber Security Incident Response: Are we as prepared as we think?” please visit: http://www.lancope.com/ponemon-incident-response/.

She said no to the FBI; but you say yes every day

With all the screaming about the NSA hacking into our lives, Americans have kind of missed the point. We’ve voluntarily given our lives to private companies for years. Government agents don’t have to hack us. They can simply ask any of these companies for everything they have. The Supreme Court says so. It’s known as the “third-party doctrine.” Give your data to a private company, and you lose your rights to any expectation of privacy. Even if it’s illegal for the Feds to spy on us directly (whatever that means now), it’s perfectly legal for the Feds to ask private companies for whatever data they have and use it against us. Data given voluntarily by you to any company can be given voluntarily to the Feds. This odd three-step process is often a mere inconvenience. And if you don’t think it happens, just ask Nico Sell.

Sell is co-founder and CEO of Wickr, a company that enables private messaging.  At a recent conference, she told the audience that Wickr was upgrading to better encryption for more privacy.  As she tells Max Eddy of PC Mag, Sell was barely off the podium before a Fed walked up to her and casually asked for back-door access to Wickr so the FBI could access users’ secret messages.  He said it the way you and I might invite someone to coffee.

“I was surprised the agent asked me because if he had done any homework, he would have known the answer was no. Doesn’t he use surveillance? :) Or at least Google? I think he was trying to intimidate me,” Sell told me. “If this was the first time I had dealt with the FBI, I would have been scared.”

Sell says she turned the tables on the agent. She started asking for official documentation, asked who his boss was, and so on.  He slunk off, tail between his legs. But you and I know many companies are star-struck by the business card with the FBI logo, and say yes. Others fear they don’t have a choice, or don’t know better. Sell even admits that she might have caved when she was younger. After all, who doesn’t want to help catch bad guys?

That’s how this works.  As a reporter, I’ve had plenty of encounters with agents who asked me to share what I know.  In fact, once, I was even summoned before a grand jury.  Fortunately, I had a boss named Merrill Brown who forcefully explained to me that reporters don’t do cops’ work for them.

The Edward Snowden disclosures are fascinating because they demonstrate the radical steps our government will take to make sure that no one, nowhere, can keep a secret. Note that in Sell’s story, the agent was not hot on the trail of a terrorist. He was just looking to open a one-way communication channel for future fishing expeditions. As anyone who’s ever interfaced with the FBI or other three-letter agencies in this manner knows, the agency wants to suck up every piece of information in the world, but doesn’t want to share a thing about what it’s doing. It wants to make sure there are no secrets. Often, all that requires is a simple question.

It’s great we are all engaged in the dialog now – for now. But I fear we’ve lost sight of the real problem. Americans share everything about themselves with hundreds, even thousands of companies every day. And those companies often have casual relationships with law enforcement to rat us out. By the time all the hearings and lawsuits are over, I’m sure there will be strict new “procedures” limiting when the NSA can and can’t hack into Google’s computers and hijack our digital lives. But that won’t matter much if agents can keep making their casual sales pitches to people like Nico Sell.

2013 Survey on Medical ID theft released

We are pleased to announce the release of our 2013 Survey on Medical Identity Theft. This is the fourth year of the study and as in previous years we find that medical identity theft continues to be a costly and potentially life-threatening crime. However, unlike other forms of identity theft, the thief is most likely to be someone the victim knows very well. In this study of more than 700 victims of this fraud, most cases of identity theft result not from a data breach but from the sharing of personal identification credentials with family and friends. Or, family members take the victim’s credentials without permission.

We believe that individuals, healthcare organizations and government working together can reduce the risk of medical identity theft. First, individuals need to be aware of the negative consequences of sharing their credentials despite possible good intentions. They should also take the time to read their medical records and explanation of benefits statements to ensure that their information is correct. Second, healthcare organizations and government should improve their authentication procedures to prevent imposters from obtaining medical services and products.

Sponsored by the Medical Identity Fraud Alliance (MIFA), with support from ID Experts, the report can be found at http://medidfraud.org/2013-survey-on-medical-identity-theft.
