The European Network and Information Security Agency began operations in October 2004. ENISA will collect and analyze security information, advise and assist the European Commission and the European Union (EU) member states on information security, and raise information-security awareness and cooperation among European industry and government. The agency has a budget of €34.3 million over five years and will be based in Heraklion, Crete.
About 80 percent of the world's hackers live in Brazil, according to the country's federal police force. Brazil is currently reviewing proposed cybercrime laws, but none have been enacted, forcing the federal police to pursue hackers under theft and fraud laws. Cybercrimes now account for more financial losses in Brazil than bank robberies.
The US Department of Homeland Security (DHS) is planning several pilot projects to address the lack of real-world attack data available for cybersecurity research. In February 2004, the DHS started the Protected Repository for Defense of Infrastructure Against Cyber Threats (Predict) program, which encourages large private-sector infrastructure companies to volunteer real-world incident data that researchers can use to test prototype security products. DHS is also developing a new vendor-neutral cybersecurity test bed, known as Deter (for Cyber Defense Technology Experimental Research), a homogeneous emulation cluster based on the University of Utah's Emulab facility. The project will receive US$14 million, and the DHS should award pilot project contracts in January 2005. DHS has also formed an ad hoc government and industry committee to study and develop security projects for the Domain Name System, a critical part of Internet infrastructure.
A poll of 493 people conducted by the National Cyber Security Alliance (NCSA) at the Digital Edge Expo in Washington, D.C., in September 2004 showed that 30 percent of respondents thought that they were more likely to win the lottery, get hit by lightning, or be audited by the IRS than become the victims of a cyberattack. The poll results show a general lack of awareness of cybersecurity threats. Ken Watson, NCSA chairman, declared October 2004 National Cyber Security Awareness Month. "Cybersecurity should become second nature, just like brushing our teeth," Watson says. "Industry projections note that by year's end, Internet users will have been confronted by an estimated 100,000 forms of malicious code. About 91 percent of PCs today are infected with spyware programs that send information from your PC to an unauthorized third party."
The US House of Representatives passed the Spy Act and the I-Spy Act to combat spyware. The Spy Act requires companies that distribute software capable of electronic monitoring to obtain explicit permission from users to install the software and gather data. It establishes civil penalties for those who don't. The bill permits federal intelligence agencies to use spyware with a court order. The Spy Act goes into effect one year after it's signed into law and expires in 2009. The I-Spy Act increases jail sentences by up to five years for people who use spyware to steal credit-card numbers or commit other crimes. I-Spy also authorizes US$10 million to help the Justice Department enforce the act.
European Union interior ministers have approved regulations that would make fingerprint biometrics mandatory for European passports. This overturns an earlier policy that made only facial images mandatory, with fingerprints as a secondary option. The move aims to address the biometric requirements set by the International Civil Aviation Organization and the US. The United Kingdom appears to be supporting a German proposal to add iris scans as a third, optional form of ID. The ministers considered requiring that individual nations hold biometric data in central databases and establish a European Register accessible to law enforcement agencies, but opted to store biometric data on the actual passport.
US Election Assistance Commission officials have announced that five electronic voting machine vendors have agreed to submit their software to the National Software Reference Library. EAC chair DeForest Soaries requested that the largest voting companies—representing 90 percent of voting-machine software—submit code to the library so that election officials could verify the software on their machines. California has already faced such verification issues: the registrar of voters in San Bernardino County couldn't confirm that software on county voting machines was the same as state-certified software. California also discovered that Diebold Election Systems installed uncertified software on 17 machines without informing the state. Soaries acknowledges that the library alone cannot protect elections, but must be joined with other measures, such as voting-machine standards, patch procedures, and election best practices. EAC is also planning a clearinghouse for reports of problems that states encounter with voting machines.
The US Chief Information Officers Council has released the Federal Enterprise Architecture Security and Privacy Profile, guidelines that help federal decision-makers protect sensitive data when sharing it with other agencies. The council developed the guidelines with input from the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and several industry groups. Federal managers should consider data security and privacy from the beginning and at the highest levels when developing new information systems. Information assurance specialists can no longer protect data on their own. Security concerns must affect all development and operation processes. The guidelines address all layers of the Federal Enterprise Architecture: business, service components, performance, technical, and data reference models.
The Electronic Frontier Foundation, the Australian Computers Association, and the New South Wales Council for Civil Liberties (NSWCCL) have submitted affidavits to a court in Sydney, Australia, to sit as "friends of the court" during the proceedings of a recording industry suit against Sharman Networks, maker of the Kazaa peer-to-peer file-sharing software. Cameron Murphy, president of the NSWCCL, argues that the groups can help the court evaluate matters of public interest that otherwise might not be presented at the hearings. Murphy concedes that P2P software can be used to illegally download content, but public interests overrule banning such software. For example, a number of nonprofit organizations, such as Amnesty International and the Free East Timor Association, distribute content over P2P networks.
The US First Circuit Court of Appeals in Boston has agreed to hear an appeal of a federal ruling that would let Internet service providers store and copy customers' emails. The First Circuit Court had ruled that bookseller Bradford Councilman did not violate the Wiretap Act when he read messages customers sent to other booksellers through his email service. The Wiretap Act only prohibits intercepting messages in transit, while Councilman read messages in storage on his mail server. In its ruling, the court acknowledged that the Wiretap Act might be out of date for the Internet. The Justice Department appealed the decision, arguing that it overturned years of guidance on wiretap prosecutions. The Electronic Frontier Foundation has filed a brief arguing that Councilman's actions are clearly prohibited by the Electronic Communications Privacy Act's amendments to the Wiretap Act. The court will hear the appeal beginning in early December.