The ACM Report on Globalization and Offshoring of Software
Annotated Bibliography: S = Security, Privacy, and Intellectual Property Risks

ASSOCIATED PRESS 2005b. Microsoft Censors Chinese Blogs. (June 21). Available at http://www.wired.com/news/culture/0,1284,67842,00.html. Microsoft cooperated with the Chinese government to censor the blog spaces provided by MSN on a newly launched Web portal. The censorship forbids certain terms such as "democracy", "human rights", and "Taiwan Independence". The Chinese government recently demanded that Web site owners register with authorities or face a fine. The government also scours Internet bulletin boards and blogs for sensitive material and blocks access to violators. Sites that let the public post comments are told to censor themselves or face penalties.

BHAGOWATI, G. 2004. India Responds to Growing Concerns over Data Security. Outsourcing Journal (Dec.). The article reports on a survey of 115 information technology companies in the United States and India, conducted jointly by the Indian trade association NASSCOM and the US trade association ITAA. The survey found that companies are more concerned about security than ever before, and 75% of the companies indicated that information security is a key differentiator in the services offered. The article gives background information about a recent security case involving Geometric Software Solutions; problems with viruses, spam, and industrial espionage in India; India's IT Act 2000, which does not address many of the most important privacy and security issues; and attempts to change this law to bring it into line with the European Union's Data Protection Directive and the Safe Harbor privacy principles of the United States.

BILLO, C. AND CHANG, W. 2004. Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States. Institute for Security Studies, Dartmouth College (Nov.). Working under a grant provided by the Department of Homeland Security, the authors of this study attempted to "assess potential foreign computer threats to information technology networks in the United States", to focus on overseas cyber threat capabilities, and to dispel popular myths and anecdotal understanding about the nature and degree of the cyber threat by taking into account public and private digital network vulnerabilities. The goal of the report is "to examine the open source evidence to develop a rigorous and dispassionate assessment of both cyber 'offense' by selected nation states and the likely impact of an attack through the wires on the United States."

BLUM, D. 2004. Weigh Risks of Offshore Outsourcing. Network World (Aug. 3), 35. (Available at http://www.nwfusion.com). The author is the research director of the consulting firm Barton Group. This brief article concerns security risks to clients from workers of the vendor to whom they are outsourcing work. The dangers of giving vendors VPN access are noted. Possible security solutions such as user authentication, firewalls, intrusion-detection systems, background checks, and code audits are discussed, and problems with these solutions are identified.

CARAFANO, J.J. AND ROSENZWEIG, P. 2004. Protecting Privacy and Providing Security: A Case of Sensible Outsourcing. Backgrounder, No. 1810, The Heritage Foundation, Washington, DC (Nov.). (Available at http://www.heritage.org/homelanddefense/bg1810.cfm). This article by two senior researchers at the Heritage Foundation argues against a position that they claim is widely held, namely that offshoring threatens defending the nation against terrorists, protecting constitutional liberties, and promoting economic growth.
The authors argue that by adopting sensible offshoring practices, the United States can protect the privacy of individual citizens, promote better security practices, and contribute to economic prosperity; that market forces can enhance economic growth and security; and that the federal government and the Department of Homeland Security should change rules and practices so as to award contracts to the companies that provide the best security for the value paid, regardless of the location of the vendor. The article describes some of the principles that should be followed in contracting for offshoring in order to protect the security of data and services. It describes some of the actions taken in India, at least by the larger vendors who can afford them, to protect network, physical, and personnel security as well as business continuity in the face of disaster. There is also discussion of Indian legislation over the past five years to address security and privacy concerns from the United States and the European Union.

COMPUTERWORLD STAFF 2005. Indian Call Center Workers Charged With Citibank Fraud. Computerworld (April 7). Police arrested 12 people, including three employees of Mphasis BPO, a call center in Pune, India, for defrauding four Citibank account holders of an estimated 300,000 US dollars. The three Mphasis employees carried with them the details of four accounts (including the accounts' PINs) and used a number of subterfuges, including false e-mail accounts and account details, to transfer funds into accounts in Pune.

DELOITTE AND TOUCHE 2005. Calling a Change in the Outsourcing Market. Internal Report (April). Description from the Web site. While outsourcing has become a dominant trend in the marketplace, there are few in-depth studies available to help senior executives recognize its inherent complexities and common pitfalls. This study fills that gap. Deloitte Consulting LLP is pleased to announce the release of a new study based on personal interviews with 25 of the largest organizations across eight industry sectors. This study uncovers what few studies report: outsourcing is not delivering its expected value to large organizations. The study reveals that seventy percent of participants have had significant negative experiences with outsourcing projects and are now exercising greater caution in approaching outsourcing; one in four participants have brought functions back in-house after realizing they could be addressed more successfully and/or at a lower cost internally; and forty-four percent of participants did not see cost savings materialize as a result of outsourcing.

ELECTRONIC ENTERTAINMENT POLICY INITIATIVE 2005. The Camel Fully Enters the Tent. (June). (Available at http://www.eepi.org/archives/eepi discuss/msg00109.html). An exploit for the Sony PSP is discussed which allows the execution of unsigned and unofficial programs. The author believes that "Such a simple, practical execution exploit will open the homebrew development floodgates (full-featured Web browsers, Linux, etc.), and likely the piracy floodgates as well."

ENGARDIO, P., PULIYENTHURUTHEL, J., AND KRIPALANI, M. 2004. Outsourcing: Fortress India. Business Week Online (Aug. 16). (Available at http://www.businessweekasia.com/magazine/content/04_33/b3896073.htm). From the article: After rushing to shift telemarketing and back-office work to India in recent years to tap low wages, U.S. and European companies are under growing pressure from regulators and legislators to guarantee the privacy of their customers' financial and health-care data… Some call centers like Mphasis make sure that computer terminals lack hard drives, e-mail, CD-ROM drives, or other ways to store, copy, or forward data. Indian accountants only view data from U.S. servers for specific tasks. Video cameras watch over the sea of cubicles. Every phone conversation is recorded and can be monitored on a system installed by Melville (N.Y.)-based Verint Systems Inc. And since data theft is often committed by disgruntled former employees, Mphasis can lock a staffer out and cut access to PCs and phones three minutes after a resignation.

FORD, R.A. 2005. Preemption of State Spam Laws by the Federal CAN-SPAM Act. University of Chicago Law Review 72, 355, 200. Abstract. Unsolicited bulk commercial email is an increasing problem, and though many states have passed laws aimed at curbing its use and abuse, for several years the federal government took no action. In 2003 that changed when Congress passed the CAN-SPAM Act. Though the law contains many different restrictions on spam messages, including some restriction of nearly every type that states had adopted, the Act was widely criticized as weak. Many of the CAN-SPAM Act's provisions are weaker than corresponding provisions of state law, and the Act preempts most state spam laws that would go farther, including two state laws that would have banned all spam. Despite these weaknesses, this comment argues that, when properly interpreted, the CAN-SPAM Act leaves key state law provisions in force and accordingly is stronger than many spam opponents first thought. First, the law explicitly preserves state laws to the extent that they prohibit falsity or deception in any portion of a commercial electronic mail message or information attached thereto. Though Congress was primarily concerned with saving state consumer protection laws, this language can be applied much more broadly. Second, the law is silent on the question of state law enforcement methods. State enforcement can be, and frequently is, substantially stronger than federal enforcement, which is largely limited to actions by the federal government, internet service providers, and state agencies.
The comment concludes by arguing that this narrow interpretation of its preemption clause is most consistent with the CAN-SPAM Act's twin policy goals. By limiting the substantive provisions states may adopt, the Act prevents states from enacting inconsistent laws and enforces a uniform national spam policy. At the same time, narrowly interpreting the preemption clause permits states to experiment within the limits of that policy, in hopes of finding the most effective set of spam regulations.

GANSLER, J. AND BINNENDIJK, H. 2004. Information Assurance: Trends in Vulnerabilities, Threats, and Technologies. NDU Press, Working Paper. From the paper's introduction. One of the missions of the Center for Technology and National Security Policy (CTNSP) at the National Defense University (NDU) is to maximize the infusion of technology from commercial sources into military systems while addressing security and acquisition reform. To better understand the problems of incorporating IT into the battlefield, CTNSP, in concert with The Center for Public Policy and Private Enterprise (CPPPE) of the University of Maryland School of Public Affairs, brought together leaders in the field of military and commercial policy and technology. The purpose of the meeting was to discuss information assurance issues as they relate to network-centric warfare. The workshop objective was to gain insight into transformation risks in the following areas: trends in the new digitized battlefield, impact of degraded information systems on battlefield operations, and trends in information assurance technologies and system design. This volume presents the proceedings of that workshop.

HARVEY, O. 2005. Your Life for Sale. The Sun, London, U.K. (Available at http://www.thesun.co.uk/article/0,,2-2005280724,,00.html). Summary from the paper. In a shocking investigation, [our reporter] bought 1,000 Brits' names, banking details and passwords... all obtained from crooks in Indian call centres.

THE HINDU 2005. U.K. Police Probing Call Centre "Scam" in India. The Hindu (June 24). (Available at http://www.hindu.com/2005/06/24/stories/2005062404241300.htm). From the article. The police investigated allegations that a worker at a call centre in India sold confidential details of British bank account-holders to an undercover journalist… The details were said to include passwords, passport data and addresses, making the affected account holders vulnerable to identity theft. These were shown to security experts, who confirmed that the details were genuine. The informant, believed to be a middleman, reportedly offered to provide details of up to 2,000,000 bank accounts handled by more than one call centre.

HULTEN, G., GOODMAN, J., AND ROUNTHWAITE, R. 2004. Filtering Spam E-mail on a Global Scale. In Proceedings of the 13th International World Wide Web Conference (May), New York, NY. Abstract. In this paper, we analyze a very large junk e-mail corpus which was generated by a hundred thousand volunteer users of the Hotmail e-mail service. We describe how the corpus is being collected, and analyze the geographic origins of the e-mail; who the e-mail is targeting; and what the e-mail is selling.

INSTITUTE FOR SECURITY STUDIES 2003. Examining the Cyber Capabilities of Islamic Terrorist Groups. Technical Analysis Group, Institute for Security Studies, Dartmouth College (Nov.). From the report. The Technical Analysis Group at the Institute for Security Technology Studies at Dartmouth College has prepared a report detailing how cyber technologies are exploited by Islamic terrorist groups. There is clear, factual evidence that Islamic terrorist groups are using information technologies to facilitate propaganda, recruitment and training, fundraising, communications, and targeting operations.

JUSTER, K. I. 2004. Cybersecurity: A Key to U.S.-India Trade. Press Release, United States Embassy, New Delhi, India (Oct. 15). Juster is US Under-Secretary of Commerce. This release is an excerpt of his keynote address at the India-US Information Security Summit. Security is increasingly important in order to fully realize the trade opportunities between the United States and India. In November 2001, President Bush and then-Prime Minister Vajpayee agreed to establish the US-India Cyberterrorism Initiative. In April 2002, they held a meeting in New Delhi of the US-India Cybersecurity Forum with the aim of developing appropriate security standards and strengthening national laws and enforcement mechanisms based in part on the Council of Europe's Convention on Cybercrime. They also hope to develop joint 24/7 watch capabilities.

KARAMOUZIS, F. AND HALLAWELL, A. 2005. Fraud Case Focuses Unwelcome Attention on Indian Outsourcing. Gartner Research (April). This brief paper analyzes the news of a significant fraud case in an Indian offshoring firm. Ten people, including former and current employees of the Indian firm MphasiS, were arrested for misappropriating more than $350,000 from customers of a large US financial institution. The article argues that, although this incident was highly publicized, it is unlikely to have a long-term negative effect on the Indian business process outsourcing industry. However, it calls for NASSCOM, local law enforcement, and the Indian government to take swift and decisive action. Five specific recommendations are given to companies that are sending BPO work offshore to help them minimize risks of this sort.

KRISHNAN, T. 2005. Wake-Up Call in Order. The Hindu Businessline, the Web-based business section of The Hindu (April 18). (Available at http://www.thehindubusinessline.com/bline/ew/2005/04/18/stories/2005041800200300.html). In the United States, protests over job loss due to outsourcing have slowly died down, only to be replaced with concerns about privacy and security issues. "The recent media spotlight over alleged theft by former employees of MphasiS' BPO arm, MsourcE, has rocked the BPO industry….
India does not have a comprehensive data protection law in place. No wonder, for the last few years, data security and privacy has been one of the key concerns of US-based financial services and telecom service companies offshoring voice-based customer care and support to India… If the BPO industry has to emerge unscathed from this, the industry, Nasscom, and the Government will have to swing into action on multiple fronts to make some fundamental changes to the way the industry operates." The four areas in which focus is imperative are a law on data protection, legal enforceability of agreements, authentication technology, and the screening of candidates.

LIPOVAN, B. 2004. Outsourcing: Don't Be a Victim. The Receivables Report (Feb.). Lipovan is the marketing director at a collection agency in North Carolina. This article appears in the monthly newsletter for financial managers in America's health care system. Much of the article tells the story of the medical transcription subcontractor in Pakistan who threatened to release private medical information about US citizens who had used UCSF facilities if a payment was not made by her contractor. The article also discusses the new legislation proposed by California Senator Liz Figueroa to ban doctors, HMOs, and hospitals from sending confidential medical notes and records abroad unless the recipients are bound by the 1999 Confidentiality of Medical Information Act. The article also briefly describes how HIPAA relates to outsourcing.

MARKOFF, J. 2003. Uneasiness About Security As Government Buys Software. The New York Times (July 7). The article focuses on an employee of Platinum Software who claims to have been fired for whistle-blowing about the security risks US federal agencies would face if they bought the company's software, because Platinum had not taken adequate measures to insulate its US government customers from Platinum's operations in China. The company claimed the employee had been fired for not meeting sales quotas. The article raised two security risks: (1) confidential information about US government agencies being shared with foreigners, and (2) viruses being added to software sold to US companies by employees in the company's foreign operations.

MCCUE, A. 2005. Indian Call Center Staff in $350,000 Citibank Theft. TBR News (April 11). (Available at http://www.tbrnews.org/Archives/a1528.htm). Three staff employees at Mphasis were arrested for allegedly stealing $350,000 from Citibank's US accounts. Nine other gang members were also arrested. "The former Mphasis staff used their positions dealing with Citibank's customers to trick four of them into giving out the PIN numbers to their accounts, allowing the staff to transfer funds into the bank accounts of other gang members."

NATIONAL ASSOCIATION OF SOFTWARE AND SERVICE COMPANIES AND EVALUESERVE 2004. Information Security in India. (Available at http://www.evalueserve.com/). Abstract from the report. The objective of the report is to evaluate the information security environment (regulatory environment and security practices) in India vis-a-vis that in the US and the UK. The US and the UK have well-defined comprehensive laws on data security and privacy, while India lacks specific laws on privacy and data protection. However, there are some proxy data protection laws. To secure global companies that outsource their business processes to India, the Government of India, along with the National Association of Software and Service Companies (NASSCOM), is proactively strengthening the legal system to provide appropriate cover for issues relating to data protection. The report compares Indian IT and ITES companies with their counterparts in the US and the UK with regard to the practices followed to ensure data security and confidentiality. It highlights data security and privacy laws in the US, the UK and India, especially those relevant to the offshoring sector.

PACELLE, M. AND SIDEL, R. 2005. Security is Breached at Card Processor. Wall Street Journal (June 20), A2. Summary from the newspaper: A computer-security breach at a company that processes credit card transactions exposed more than 40 million cards of all brands to possible fraud, laying bare the vulnerability of obscure nooks of the nation's sprawling electronic-payments system. MasterCard said that about 13.9 million MasterCard branded cards were victimized, Visa said 22 million cards had been compromised, while American Express and Discover didn't disclose how many accounts had been affected.

PERALTE, P.C. AND FERRIS, S. 2003. Mexico Claims ChoicePoint Stepped Across the Line. The Atlanta Journal-Constitution (April 27). ChoicePoint collected dossiers on millions of citizens in 10 Latin American countries for the US government. ChoicePoint found itself the target of growing criticism abroad, and investigations were initiated in Nicaragua, Costa Rica, and Mexico over whether privacy laws were violated. ChoicePoint purchased the voter registration data of 65 million Mexican voters and 6 million Mexico City licensed drivers in 2001. It also bought databases containing the names, ages, and, in some cases, the physical descriptions of citizens of Brazil, Colombia, Argentina, Honduras, Guatemala, El Salvador, Venezuela, Nicaragua, and Costa Rica. ChoicePoint contends that the data was public and legally obtained.

PETERSON, A. 2002. EU Report Reveals Holes in US Safe Harbor Agreement. Privacy Laws & Business, International Newsletter (Jan.). (Available at http://www.privacyexchange.org/tbdi/EU PDR/pedersenarticle.html). Description from the Web site. A European Commission progress report for 2001 has revealed a number of flaws in the US Safe Harbor Agreement, a scheme which aims to provide protection for the transfer of individuals' personal data from EU member states to organizations in the US. The Staff Working Paper, submitted to the European Parliament last week, highlights the fact that few organizations (154 to date) have signed on to the scheme. Of those that have, over 50 percent are failing to comply with all of the required principles for ensuring adequate data protection. The Commission has also identified that some organizations lack transparency in their privacy statements, leaving customers with little or no information as to what is done with their data. Further doubt has also been cast over the effectiveness of enforcement procedures, with the suggestion that organizations failing to comply with their obligations are unlikely to be prosecuted.

PIERRA, R. E. 2001. Botched Name Purge Denied Some the Right to Vote. Washington Post (May 31), A01. From the article. The Tampa residents were among hundreds, perhaps thousands, of non-felons in Florida who civil rights lawyers contend were wrongly prevented from voting in the Nov. 7 election after state election officials and a private contractor bungled an attempt to cleanse felons from voter rolls. The effort was so riddled with errors that a more precise tally will probably never be possible. But it is clear that at least 2,000 felons whose voting rights had been automatically restored in other states were kept off the rolls and, in many cases, denied the right to vote.

PULIYENTHURUTHEL, J. AND ROCKS, D. 2005. The Soft Underbelly of Offshoring. Business Week (April 25). This brief article describes the arrest of several employees of the Indian offshoring company MphasiS who used their position working for a call center supporting US customers of Citibank to bilk funds from the accounts of four of these customers. The article discusses the risk that this creates for the Indian offshore industry, for their American clients, and for the customers of those clients. The problem of heavy turnover in call center workers is thought to be contributing to the problems of screening, training, and security.
RAMER, R. 2001. The Security Challenges of Offshore Development. SANS Institute. This article gives a good overview of issues related to the security of information systems and data when a client offshores work. The coverage is abstract: it does not discuss specific cases or indicate their frequency of occurrence. Risks include:

RHODES, H., DENNIS, J.C., AND ROACH, M.C. 2004. Overseas Outsourcing: The Risk of Doing Business. Journal of AHIMA 75, 4 (April), 26-31. This article from the American Health Management Association discusses privacy considerations in medical transcription work outsourced overseas. It discusses key provisions in the various laws that apply to these privacy considerations: HIPAA, the Gramm-Leach-Bliley Act, California State Bill 1386, the European Union Data Protection Directive, and India's (proposed) Information Technology Act. Medical transcription has increased dramatically over the past few years as a result of electronic health records. Demand has outstripped supply, and offshoring began in 1994. Contrary to many US companies' expectations, Indian transcription is not significantly less expensive than doing the work in the United States, because of the costs of telephone and Internet connections, technology investment, staff training, management staff, travel, and proofreading. It is rather the shortage of qualified transcribers in the United States that makes offshoring attractive. US companies do not want to hire only trained transcribers and do not like the six months to a year required for on-the-job training, and many of the graduates of medical transcription programs are not fully ready for the job upon graduation. The article also discusses ways that US firms contracting out these services can protect themselves: data protection audits, indemnification language in vendor contracts, indemnity bonds, escrowed funds, insurance that covers purposeful as well as inadvertent misuse of health information by the vendor, and contract provisions that allow the client to obtain an injunction to stop an existing or threatened improper use or disclosure of health information.

RIBEIRO, J. 2004. Source Code Stolen from U.S. Software Company in India. InfoWorld (Aug. 5). Jolly Technologies, a maker of labeling and card software for the printing industry, reported that a software engineer at its three-month-old research and development facility in Mumbai had stolen proprietary source code by downloading it to a personal account on Yahoo!. The company suspended work in India and was working with Indian police to resolve the problem. It is uncertain whether the issue can be resolved through the Indian legal system.

RIGBY, B. AND KOLKER, T. 2005. LexusNexus Uncovers More Security Breaches. Reuters, Amsterdam (April 12). (Available at http://www.tbrnews.org/Archives/a1528.htm). From the Web site. An investigation by LexisNexis, owned by Anglo-Dutch publisher Reed Elsevier, determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers. LexisNexis, which said in March that 32,000 people had been potentially affected by the breaches, will notify an additional 278,000 individuals whose data may have been stolen. Of the initial group contacted, only 2 percent asked the company to conduct an investigation of their credit records. LexisNexis has found no cases of identity theft such as using a stolen Social Security number to apply for a fraudulent credit card.

SCHNEIER, B. 2005. Accuracy of Commercial Data Brokers. Schneier on Security (June). (Available at http://www.schneier.com/blog/archives/2005/06/accuracy_of_com.html). PrivacyActivism has released a study of ChoicePoint and Acxiom, two of the US's largest data brokers. The study looks at the accuracy of information and responsiveness to requests for reports. The study found that 100% of the 11 participants discovered errors in their data, even in the most basic biographical information.

SIM, S. 2002. Adobe Says It's Committed to China Despite Piracy. ITworld.com (Jan. 15). (Available at http://www.itworld.com/Tech/2418/IDG020115adobe/, accessed Aug.).
Lead from the article. A spokeswoman for Adobe Systems Inc. said Monday that the company remains committed to developing Chinese-language versions of its products, despite comments reportedly made by its chief executive officer last week that Adobe could abandon the market because of software piracy in the region.

SOLOVE, D. AND HOOFNAGEL, C. 2005. A Model Regime of Privacy Protection. George Washington University Law School, Research Paper #132 (March). From the abstract. Privacy protection in the United States has often been criticized, but critics have too infrequently suggested specific proposals for reform. Recently, there has been significant legislative interest at both the federal and state levels in addressing the privacy of personal information. This was sparked when ChoicePoint, one of the largest data brokers in the United States with records on almost every adult American citizen, sold data on about 145,000 people to fraudulent businesses set up by identity thieves. In the aftermath of the ChoicePoint debacle, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems.

STANNARD, J. U.S. Ill-Prepared to Handle Bioterrorist Attack, Experts Warn; Flu Vaccine Crisis Called Symptom of Far Wider Problem. San Francisco Chronicle (Nov. 1). Abstract from the Web site of the Center for State Homeland Security. The manufacturing failure that has thrown the nation's flu vaccination program into chaos this season is more than a potential crisis for the millions of Americans who need protection from the virus. It is a wake-up call for a health system that is dangerously vulnerable to other epidemics, both natural and man-made, say medical experts.

STELLA, M. V. Impact of Offshore Outsourcing of Information Technology (IT) on Enterprise and Homeland Defense. Private document. This is a position paper concerning the risks to national security through the offshoring of software development. Short-term concerns include unauthorized access to data and code, difficulty protecting proprietary/confidential information, difficulty in detecting or preventing compromises to software, and problems recognizing ongoing attacks (especially by non-government organizations such as terrorist groups). Long-term threats include a workforce disgruntled by job loss due to outsourcing, with hacking tools readily available should they wish to retaliate against their employer, and loss of research capability due to the loss of foreign students through tightening immigration policies. The author calls for a national IT policy that includes training, job creation, international agreements, tariffs, tax reform, research funding, data protection, and critical infrastructure protection.

SWIRE, P.S. AND STEINFELD, L. To appear. Security and Privacy After September 11: The Health Care Example. Minnesota Law Review. The article explores the relationship between privacy and security. The article also re-examines privacy initiatives put in place before September 11 in light of shifting public opinion on privacy and security since the attacks. The major initiative examined is HIPAA (the Health Insurance Portability and Accountability Act) of 1996. "In the wake of the September 11 attacks, for instance, we might wonder how well the HIPAA privacy rule allows for reporting to law enforcement officials about terrorist or other security threats. In the wake of the anthrax incidents from the fall of 2001, we might similarly wonder how well the public health reporting rules would work during a period of heightened security concern… This inspection of the medical privacy rule is distinctly heartening, as is the conclusion in this article that implementing security can provide a useful opportunity to implement privacy. The statutory call for privacy protection in HIPAA was a result of an understanding in Congress that the shift to electronic medical records required that security and privacy be built in at the same time, as part of a unified upgrading of medical information systems. To an extent not often enough realized to date, this upgrading of systems means that we more often face a situation of security and privacy, working together, than we might otherwise have suspected."

SYMANTEC INTERNET SECURITY THREAT REPORT 2004. Threats for Jan. 2004 to June 2004. 3. (Available at http://enterprisesecurity.symantec.com/contnet.cfm?articleid=1539). Description from the Web site. The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. Over the last six months of 2004, phishing developed into a serious security risk. Attackers also increasingly targeted Web applications. Symantec documented 1,403 new vulnerabilities, an increase of 13% over the first six months of 2004. Organizations received an average of 13.6 attacks per day, up from 10.6 in the previous six months. 97% of vulnerabilities disclosed were rated as moderately or highly severe. In the near future, Symantec expects more damaging malicious code to be developed for mobile devices.

TIMMONS, H. 2005. Security Breach at Lexus/Nexus Now Appears Larger. New York Times (April 12). (Available at http://www.tbrnews.org/Archives/a1528.htm). From the Web site.
Reed Elsevier, owner of the LexisNexis databases, said Tuesday that Social Security numbers, driver's license information and the addresses of 310,000 people may have been stolen, 10 times more than it originally reported last month… LexisNexis found that the thieves were using the log-in names assigned to former employees of Seisint customers, or were correctly guessing uncomplicated ID and password combinations, or were accessing customers' systems through a virus.

U.S. GENERAL ACCOUNTING OFFICE 2004. Defense Acquisitions: Knowledge of Software Suppliers Needed to Manage Risks. Government Accountability Office, GAO-04-678 (May). Because the DOD is heavily reliant on software for its weapon systems and other systems (pay, supply, etc.), and because more of DOD's prime contractors are subcontracting work, sometimes overseas, there is a concern about vulnerabilities being exploited in defense software. The study finds that current acquisition and software security policies do not adequately handle this issue. Most policies focus on external hacking and unauthorized access rather than risks from subcontractors, who are essentially insiders to the DOD information systems. The majority of groups within DOD that were studied did not make risk from foreign software content an explicit part of their risk identification and mitigation procedures. Moreover, risk mitigation is often delegated by DOD to its vendors, and they are typically more concerned about software functionality and quality assurance than development risks associated with foreign suppliers. It is impractical to check every line of code, conduct security clearances for all subcontractors, or monitor software development facilities around the world. The GAO recommends that the responsibility for watching for this risk be placed in the hands of the program manager. DOD balked at this recommendation and wanted the program managers to have support from external sources to determine threat information on suppliers. DOD also wanted oversight of these security risks to be the collaborative responsibility of several offices within DOD.

VINNOVA 2005. Knowledge for Safeguard Security. VINNOVA Policy VP 2005:3, Stockholm, Sweden. From the Web site. Vision for a national strategy. Up to the year 2010, Swedish research and industry will make a substantial contribution to enhancing security in Sweden and the surrounding world and at the same time contribute to sustainable growth. Swedish research and industry take part in international networks and in some areas are world leaders. In order to realize this vision, the working group proposes a strategy with four main areas of proposals: