The headlined question was the subject of a 6 March hearing by the House Science Subcommittees on Oversight and Technology. The hearing’s purpose was to examine the state of technology and standards to protect Americans from international cybercriminals, ranging from rogue hackers to foreign governments and sophisticated crime syndicates.
According to hearing organizers, recent cyber-crimes perpetrated against retailers Target, Neiman Marcus, Easton-Bell Sports, Michaels and others appear to be cases of “RAM scraper” malware: memory-scanning malicious software that grabs cardholder data in the brief window when it sits unencrypted in the memory of the point-of-sale system, after the card is swiped and before the transaction is encrypted for authorization.
As reported by Reuters, the FBI distributed a confidential report to U.S. retailers in January describing risks posed by RAM scraper malware that infects point-of-sale (POS) systems, including cash registers and credit-card swiping machines. In this memo, the FBI said it has uncovered around twenty cases of large-scale cyber-attacks against retailers in the past year that utilized similar methods to those uncovered in the Target incident — with more attacks expected in the near term.
According to the FBI, “the accessibility of the malware on underground forums, the affordability of the software, and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors.”
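To make the mechanism described above concrete, the following is an added example, not part of the hearing record or any witness's testimony: a Python scanner that walks a constructed snapshot of POS process memory looking for magnetic-stripe Track 2 records and bare card numbers, and applies the Luhn check to discard digit runs that are not card numbers. This is the same pattern matching a RAM scraper performs against a process's memory, and the same check a defender can run over a memory dump to confirm whether cleartext cardholder data is present. The sample buffer, the record layout and the card numbers (public test PANs) are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of POS process memory (not a real capture). It mixes a
# non-card 16-digit transaction id, one Track 2 record, one bare PAN and one
# digit run that fails the Luhn check.
SAMPLE_MEMORY = (
    b"TXN_ID=1234567890123456\x00\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"customer ref 5500000000000004 approved\x00"
    b"bad 4111111111111112 \x00"
)

# Track 2: start sentinel ';', PAN, separator '=', expiry YYMM, 3-digit
# service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")
# Bare PAN: 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    kind: str            # "track2" or "pan"
    offset: int          # byte offset in the memory snapshot
    pan_masked: str
    expiry: Optional[str]  # YYMM from Track 2, None for a bare PAN


def scan_memory(buf: bytes) -> List[Finding]:
    """Locate Luhn-valid card data in a memory buffer; Track 2 hits take precedence."""
    findings: List[Finding] = []
    covered = set()  # byte offsets already claimed by a Track 2 PAN
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding("track2", m.start(), mask(pan), m.group(2).decode()))
            covered.update(range(m.start(1), m.end(1)))
    for m in PAN_RE.finditer(buf):
        if m.start() in covered:
            continue
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append(Finding("pan", m.start(), mask(pan), None))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"{f.kind:6} @0x{f.offset:04x} {f.pan_masked} exp={f.expiry}")
```

On the constructed buffer the scanner reports two hits (the Track 2 record and the bare Mastercard test PAN) and ignores both the transaction id and the digit run with a bad check digit. Real scrapers read the live memory of the payment application rather than a static buffer, but the discriminating logic, sentinels plus Luhn, is the same; if a defender's scan of a POS process finds anything at all, cardholder data is reachable by malware with the same access.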
Hearing participants were asked to address whether the current, voluntary Payment Card Industry Data Security Standard (PCI DSS) is adequate to ward off such cyber-attacks, and/or whether new technologies and processes are required.
Dr. Charles Romine, Director of the Information Technology Laboratory at the National Institute of Standards and Technology, testified that “technology alone cannot solve these problems. However, we do believe that effective use of technology can make it more difficult for criminals to perpetrate these crimes, can make it easier for organizations to recover from serious incidents, and can, in some cases, prevent such incidents from occurring.” He then went on to summarize the ongoing cybersecurity work being done at NIST, including its efforts under the National Strategy for Trusted Identities in Cyberspace (NSTIC).
In his prepared statement, Bob Russo, General Manager of the Payment Card Industry Security Standards Council, noted that the Council is supporting U.S. adoption of EMV chip technology (i.e. “smart cards”), already widely used in Europe, as a means to reduce fraud involving counterfeit and lost or stolen credit cards. He cautioned, however, that EMV technology does not preclude the need for a strong data security posture to prevent the loss of cardholder data from intrusions and data breaches, nor does it negate the need for secure passwords, patching systems, monitoring for intrusions, firewalls, access management, secure software, educated employees and clear processes for the handling of sensitive payment card data. EMV technology also does not prevent malware-based attacks or memory scraping, as in the Target case.
Russo noted, however, that the latest version of the Council’s security standard for POS devices (the PCI PIN Transaction Security Requirements) includes “improved tamper responsiveness so that devices will ‘self-destruct’ if they are opened or tampered with, and the creation of electronic signatures that prevent applications that have not been ‘whitelisted’ from being installed.”
On behalf of the Smart Card Alliance, Executive Director Randy Vanderhoof also endorsed the move to EMV technology, which is based on embedding chips into “smart cards” that are “ideal for many applications, especially payments, because they provide high levels of security and privacy protection, are easily carried, and do not require their own power source to operate effectively.”
He noted that the U.S. payments industry is approximately halfway into a four-year planned migration to adopt EMV chip technology, but cautioned that “the migration to chip cards in the U.S. is complex, expensive and difficult to coordinate.”
Justin Brookman, Director, Consumer Privacy at the Center for Democracy & Technology, recommended that “rather than prescribing specific technologies, Congress should enact legislation to sufficiently incentivize companies to implement innovative solutions to minimize data breach. At the very least, Congress should specifically empower the Federal Trade Commission to continue to bring actions against companies that fail to deploy reasonable security to safeguard consumer data.”
As an alternative to EMV technology, Brookman noted that “another possible security measure that could be effective in limiting future data breaches is the use of disposable credit card numbers. Because the credit card number is created for each transaction and disposed of after use, unauthorized individuals who were able to access the record of the financial transaction would not be able to use the credit card number to commit a fraudulent transaction.”
Brookman also called on Congress to provide baseline privacy legislation, noting that “unlike other developed countries, the U.S. currently lacks a comprehensive privacy law that would protect consumers across all sectors of the economy. The current patchwork of state laws does not provide the most effective protection for consumers. A baseline data privacy law would require companies to collect only as much personal information as necessary, be clear about with whom they’re sharing information, and expunge information after it is no longer needed.”
Closing out the witness panel, Steven Chabinsky, former head of the FBI’s Cyber Division and now affiliated with the cybersecurity technology firm CrowdStrike, provided an overview of the evolution of cyber intrusions against U.S. industry, from rogue hackers to sophisticated international crime syndicates and foreign governments. He highlighted the escalation of cyber threats over the past ten years, noting that “foreign intelligence services are siphoning off our intellectual property and weakening American competitiveness, while organized criminal groups steadily gain access to corporate and consumer credentials that have been used to defraud Americans out of billions of dollars.”
In order to combat the rising cyber-threat, Chabinsky urged a fundamental rethinking of our cybersecurity emphasis, away from securing systems against unauthorized access and toward rapidly detecting intrusions and punishing intruders. He asserted: “We need to ensure that our cybersecurity strategies, technologies, market incentives, and international dialogue focus greater attention on the challenges of more quickly detecting and mitigating harm, while in parallel locating and penalizing bad actors. Doing so would align our cybersecurity efforts with the security strategies we use in the physical world.”