
Cybersecurity: Public Sector’s Growing Concerns and Washington’s Growing Industry: Part 1

Target, Home Depot, K-Mart and Neiman Marcus all fell victim to hackers in the last year, resulting in hundreds of millions of compromised accounts. Public sector security breaches have recently taken their place next to Target on the evening news. Late last month, news reports broke of thousands of leaked student files from the Seattle School District, including names, addresses and in some cases more detailed information. And as President Obama arrived in Beijing earlier this month, the U.S. Postal Service confirmed more than 800,000 workers had been targeted in a security breach reportedly conducted by Chinese government operatives. Those were only the incidents that made headlines. According to the Department of Homeland Security’s Computer Emergency Readiness Team (CERT), hackers breached energy companies on 79 separate occasions in 2014. And last year, 800 million records were lost in connection with cybersecurity attacks.

What if a person or group accessed your contact with the legislature’s database or other sites that share information about state government? Emails, views of committee meetings and agendas, who is visiting certain sites at TVW? The Public Records Act gives almost anyone access to public information, with few exceptions, including personnel and real estate. But as the public sector “sells” more services online, more personal data is collected: your credit card when you renew your license, your tax records at DOR, or your investment and pension information if you are a state or local government employee.

The Washington Legislature is conducting hearings this week on the subject of cybersecurity for state websites.

In an era of growing data and communication and an evolving digital ecosystem, the private and, in some cases, public sector is often leagues behind in the security game. Fortunately for the Northwest, states like Washington have become somewhat of a hub for the cybersecurity industry. That’s helped along by the leading tech giants of the region — the Amazons and Microsofts, whose success depends on the security of both intellectual property and their consumers.

The Industry:

“I think the Northwest [has] a lot of companies concerned about these issues,” explains Craig Spiezle, founder of the Online Trust Alliance (OTA), a non-profit based in Bellevue, committed to enhancing online trust and promoting innovation and vitality over the internet.

Spiezle is part of a growing community of cybersecurity businesses and alliances. He is joined by companies like WatchGuard, which provides network security products and is headquartered in downtown Seattle. IID, a Tacoma company, deals in anti-phishing, malware and security services for as varied a customer base as e-commerce companies, financial firms and Internet Service Providers. Its customers include Microsoft, Monster.com and the Boeing Employees’ Credit Union. And it doesn’t end there. The University of Washington’s Center for Information Assurance and Cybersecurity (CIAC) is a nerve center for innovation, research and public awareness. In April, eight students from the UW took first place in the National Collegiate Cyber Defense Competition.

Barbara Endicott-Popovsky, a professor at the University of Washington Tacoma and director of CIAC, says the surge of cybersecurity threats began largely as an unorganized movement, but has quickly become the new frontier of war. In that time span, the crimes have become as varied as the criminals behind them. The plethora of new data available in school districts, via HealthCare.gov and over online shopping forums, poses a growing set of risks.

“In the last decade organized criminals [started to] understand that they could make more money by putting their guns away and robbing people online,” explains Endicott. “Then we started [becoming aware of] other countries, 14 to 20, with programs going on. [And we realized] we don’t want some countries out there on the internet without having a heavy U.S. presence.”

Though the burden has, until now, fallen largely on private industries, the changing digital landscape will require a shift in thinking, says Spiezle.

“This is not just a problem for [private] industry. These problems are complex,” he says.

Spiezle spent ten years at Microsoft, most recently as the director of Security and Private Product Management. When he founded OTA in 2005, he was working on Microsoft’s own internal security problems, but soon realized the need for an industry-wide set of best practices. Spiezle left Microsoft in 2009 to commit himself full-time to the Online Trust Alliance. Now a global organization, OTA works across the entire ecosystem on supply chain issues undermining business models, commerce and a set of cybersecurity “best standards.”

“In the initial years, the IFPs — the Comcasts and Yahoos and Microsofts — didn’t know how to play nice with each other. We used to joke at Microsoft that friends don’t let friends go on AOL,” remembers Spiezle. “But the reality, we learned, is if we don’t do a good job with spam it becomes Comcast’s problem. And if Comcast doesn’t do a good job, it becomes our problem. I started taking the view that we need to do something that helps us all and is collaborative.”

Washington has always been progressive in its laws surrounding cybersecurity. In 2010, for instance, it passed a law requiring that businesses or credit card processors be made liable for unauthorized access to cards if they didn’t meet certain industry-wide security standards. But Spiezle says a large part of the problem is a lack of policy cohesion and a reluctance among trade groups and organizations to change.

“I like to use this analogy: In the 1800s in the industrial revolution, nobody paid much attention to carbon or acid rain. Nobody wanted to change until, in some ways, it was too late,” he says. “We’re at a critical crossroads today. We need to take a look at data collection and use and sharing. And instead, when a company has a problem it has to navigate 48 different states.”

Professionals in the field acknowledge there are real risks ahead as information becomes more available. Acknowledging concerns about the availability and type of data handled by city departments, Mayor Ed Murray of the city of Seattle announced a privacy initiative in early November to determine principles and standards for how such information was used.

Seattle Councilmember Bruce Harrell said the city owed it to its citizens to address how it used, deleted and stored the data it collected, which can range from credit cards to video footage and library information.

“Society as a whole is lagging behind in the realization of what we’re doing to ourselves. Society hasn’t grappled with the unintended consequences,” says Endicott. “People in the field get it, but the average consumer does not.”

To learn more about the policies and initiatives surrounding cybersecurity in Washington state, read part two of this series on Friday, December 5.

