In response to the increasing incidence of authentication-based cyber-attacks – primarily exploiting the myriad weaknesses of passwords – policy makers around the world are developing policies and regulations focused on driving the adoption of multi-factor authentication (MFA) solutions that can prevent password-based attacks and better protect critical transactions, data, communications and infrastructure. This paper examines the current state of threats associated with inadequate authentication, reviews the types of technologies available on the market today to address these threats, and outlines eight key principles for governments to consider as they craft authentication policies and initiatives.
No technology or solution can completely eliminate the risk of a cyberattack, but adoption of biometric-enabled, multifactor authentication is one of the most impactful steps that can meaningfully reduce a company’s cyber risk. Given the emerging array of new requirements for authentication in sectors such as health, financial services and government, organizations can prepare for cloud compliance by moving to implement MFA now. A new White Paper, produced in collaboration between Microsoft and The Chertoff Group, seeks to do the following:
- Explore why authentication is so important
- Discuss barriers to the implementation and uptake of strong authentication solutions
- Detail the ways in which biometrics and other next-generation authentication technologies are addressing these barriers
- Lay out key security and privacy risks associated with biometrics, as well as discuss how governments and compliance organizations are framing policies around authentication and biometrics
- Detail how the right standards and architecture can ensure that biometrics are deployed in a way that addresses important regulatory and compliance concerns
Transnational mergers and international investments in U.S.-based companies are a common and important part of U.S. economic activity. While these transactions can enable companies to make critical investments and expand capabilities, these investments can also have national security implications, especially when the domestic system or asset being considered for foreign investment provides a critical service to the U.S. government or controls technologies or assets vital to U.S. national security.
“Insider threat” is no longer just a security buzzword; it has become an enterprise concern commanding executive-level attention. A new white paper, Stopping The Insider Threat, produced in collaboration between The Chertoff Group and SailPoint, a leading independent identity and access management (IAM) provider, seeks to inform the conversation around the importance of a complete identity and access management strategy in protecting against insider attacks.
The “Cybersecurity Sprint” of July 2015, launched by the White House in the wake of major breaches at the Office of Personnel Management (OPM), was critical to efforts to improve the security of Federal IT systems. Federal agencies made significant progress in this initial 30-day sprint, closing the vulnerabilities associated with passwords and pushing agencies to increase their use of two-factor authentication to mitigate the risk of stolen credentials. However, it is important that agencies do not simply check the two-factor authentication box and proclaim they have “solved” identity security.
A new white paper, “Securing Identity Does Not Stop with Strong Authentication,” produced in collaboration between The Chertoff Group and SailPoint, a leading independent identity and access management (IAM) provider, seeks to inform the conversation around the importance of identity governance for federal agencies.
U.S. policy makers are currently engaged in a debate regarding the merits of mandating a means of “extraordinary access” to encrypted data for U.S. law enforcement or what is sometimes referred to as an encryption “backdoor.” This paper examines modern encryption technologies, the feasibility of providing law enforcement with extraordinary access, the impact that encryption technology is currently having on U.S. law enforcement (which some have referred to as “going dark”), and the likely impacts that an extraordinary access requirement would have on U.S. national security, the technology sector, and continued innovation in the security field.
The transition to a global Internet economy has been accompanied by a significant change in the nature of law enforcement activity. Evidence that formerly was available within the boundaries of a single jurisdiction and could be collected through the operation of domestic law now is often collected, stored, and processed globally by transnational companies. As a result, significant potential exists for the disruption of law enforcement activities because those who hold relevant evidence may be subject to conflicting legal obligations, unilateral actions by a single jurisdiction, and significant economic pressures. Authored by experts within The Chertoff Group, Law Enforcement Access to Data in the Cloud Era outlines the scope of the problem and surveys existing technical, legal, and policy conflicts. While it does not endorse a single solution, this paper identifies potential responses to the changing dynamic.
On November 14, 2014, The Chertoff Group released a new report examining the resiliency of the American electric grid against cyber and physical security threats. The report, Addressing Dynamic Threats to the Electric Power Grid Through Resilience, outlines the industry’s multipronged approach to grid security, including critical infrastructure standards, voluntary security initiatives, incident response preparations, and partnership with the government to enhance the reliability of our nation’s electric power grid.
Cyber-attacks are a present and growing danger. Massive data breaches and a steady stream of reports about vulnerability have put boardrooms on high alert and spurred companies to dedicate more resources to cyber-breach preparedness, response, and recovery. In 2013, the US budget for cybersecurity products and services exceeded US$67 billion. In addition, cyber-insurance premiums reached US$1.3 billion, and Marsh & McLennan Companies data indicates that take-up rates are climbing for a wide range of industries. With hackers constantly refining techniques and succeeding in their efforts, are we closing the gap on the cyber threat or falling farther behind?