Recent Posts

Tanium Pushes 2014 Cybersecurity Venture Funding to $329M, Five Times 2013 Level


San Francisco-based cybersecurity-focused start-up Tanium announced yesterday a $90 mil. venture cash infusion from Andreessen Horowitz, a Silicon Valley powerhouse known for backing a long list of Internet and technology winners. The $90 mil. investment is the venture funding titan's second largest investment ever and continues a string of the firm's investments in cybersecurity companies, including Bluebox Security, Ciphercloud and Bromium.

Tanium, which describes itself as an "enterprise-scale real-time security and systems management company," has developed an approach to security management that it says collects and processes billions of metrics -- hardware configuration, software inventory, network usage, patch and update status and more -- across an organization's endpoints in real time, providing instant visibility into operational issues to ward off security attacks.

Andreessen's big investment is the latest in a string of high-profile investment rounds across the growing ranks of cybersecurity technology start-ups. According to our tally, thus far in 2014, cybersecurity firms have snagged $392 mil. in venture capital, over five times the level of the estimated $70 mil. in cybersecurity-related venture deals in 2013. (See table below.)

At this point, total recent venture funding for cybersecurity tech providers is coming close to the $1 bil. mark. As the table below shows, since April 2012, venture funding for cybersecurity start-ups has totaled at least $818 mil. At this rate, and with five months left in the year, that $1 bil. mark seems to be easily within reach.

Rep. Mike Rogers Raps FCC's Stance on Cybersecurity, Challenges Funding Request


Rep. Mike Rogers (R-MI), Chairman of the House Intelligence Committee, yesterday issued a red flag against last week's move by Federal Communications Commission (FCC) Chairman Tom Wheeler to broaden the agency's involvement in communications companies' cybersecurity practices. In a letter co-signed by fellow Republican panel member Mike Pompeo (R-KS), Rogers expressed concern that Wheeler's approach, while relying primarily on the market to manage cybersecurity issues, verges too close to increased regulation.

The letter states that a speech Wheeler gave last week, in which he outlined a "new paradigm" for cybersecurity, as well as statements by Commission staff, "lead us to be concerned that the Commission may be preparing to implement a new regulatory scheme that would significantly impact Internet service providers and other web service providers."  In his speech, Wheeler said that if the new paradigm doesn't work, "we must be ready" with "alternatives if it doesn't."

The letter also raised objections to little-noticed cybersecurity-related budget additions in the FCC's FY 2015 budget.  "We also question why the FCC's Fiscal 2015 budget requested a substantial funding increase for cybersecurity activities, including funding for 'Big Data Cybersecurity Analytics and a Cybersecurity Metrics' program. While we support efforts to ensure that the Commission's internal systems are secure from cyber-attack, these initiatives appear to be outward, or industry, facing."

The FCC's FY 2015 budget asks for $700,000 for a big data cybersecurity analytics program. In the budget the Commission states that "Big Data Cybersecurity Analytics will be a disruptive technology in the Cybersecurity arena, as traditional analysis and forensics techniques will be superseded by automation conveniences that reduce the burden of work on the analyst." The $700,000 is aimed at helping the FCC conduct root cause analysis, such as reverse engineering of malware found on computer networks.

The FY 2015 budget also asks for $575,000 for the metrics program referenced in the letter.  The budget states that "FCC has initiated planning efforts to collect and analyze monthly metrics related to the cybersecurity threats addressed using data obtained from commercial sources," with the metrics to be provided to the Commission's newly formed Cybersecurity and Communications Reliability Division for analysis and baseline tracking.

Once that's done, the metrics program will be used to create a "Cybersecurity Dashboard" to "help the FCC track the ongoing progress of cybersecurity initiatives."

The appearance of the letter from Rogers and Pompeo indicates some level of concern among certain affected communications providers over Wheeler's new paradigm.  Following last week's speech by Wheeler, some telco industry representatives expressed unhappiness over some statements in the speech, presumably those that indicated the FCC would need to see "demonstrably effective" results and metrics under the new paradigm, perceived to be code for quasi-official monitoring and a possible precursor to regulatory action.

However, cable companies seemed warmer to the idea of the new cybersecurity paradigm. Comcast issued a statement supporting Wheeler's new approach. "Comcast will continue working with the Chairman, his fellow Commissioners, and the dedicated staff at the FCC to help achieve these important goals," Myrna Soto, senior VP and chief information and infrastructure security officer for Comcast Cable, said.

FCC Chairman Unveils New Paradigm for Cybersecurity; Must Be "Demonstrably Effective"


(Washington, DC)  The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today unveiled a new program for communications cybersecurity that relies on industry-driven initiatives for "proactive, accountable cyber risk management for the communications sector" in lieu of a "prescriptive, regulatory approach."  Nonetheless, the "new paradigm," as he called it, needs to be more "demonstrably effective than blindly trusting the market" to provide adequate cybersecurity risk management.

The goal is to spur greater cybersecurity activity by communications companies while stopping short of implementing official FCC rules or policies. Many communications companies have feared regulatory action by the FCC, either as a means of mandating the voluntary cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February or in the wake of a high-profile cyber incident.

Speaking at an event hosted here by the American Enterprise Institute, Wheeler laid out some central pillars of the approach. The first pillar is for the FCC and communications companies to promote greater "privacy-protective" information sharing of cyber threats and attacks, along the lines of the best-in-class information sharing that the financial sector has demonstrated in its ISAC (Information Sharing and Analysis Center). The communications sector already has its own ISAC in the National Coordinating Center for Telecommunications (NCC) under the Department of Homeland Security.

The second pillar is for the FCC to measure best cybersecurity practices already developed under the Commission's auspices and to tailor risk management processes to NIST's framework. The FCC's industry-led Communications Security, Reliability and Interoperability Council (CSRIC) has already formed a working group for this task, "working group 4," which met last week to begin tailoring the NIST framework. CSRIC will host its fourth meeting on June 18, while working group 4 is expected to meet again in late July.

Wheeler has asked the Commission’s Technological Advisory Council (TAC) to explore specific opportunities where R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry, an effort that forms the third pillar.

It's crucial that communications companies conduct some internal reviews of their cyber risk exposure, assess how they are managing their risks and develop better metrics, Wheeler said. "Companies must have the capacity to assure themselves, their shareholders and boards – and their nation – of the sufficiency of their own cyber risk management practices."

Some companies could take time adjusting to the "demonstrably effective" aspect of the new paradigm, Wheeler noted, because it "will require a level of transparency that may take some time to get used to, but the bottom line is that this new paradigm can't be happy talk about good ideas – it has to work in the real world. We need market accountability on cybersecurity that doesn't exist today, so that appropriately predictive and proactive investment is made to improve cyber readiness."

Another potential issue is the level of commitment to the FCC's program, one key communications company representative said.  "There needs to be true commitment to this new paradigm.  When we actively hit bumps in the road, there has to be commitment," he said, adding that the commitment has to be on the part of not only the communications companies, but also the FCC itself.  "Providing there is a true will to make it work, it will work."

Communications companies aren't completely out of the regulatory woods yet. "We are not Pollyannas," Wheeler said. "We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken."

NIST Framework Could Become a Useful Tool for Regulators (and Litigators), Cyber Lawyers Say


(Washington, DC)  The voluntary comprehensive cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February is already proving helpful to companies and could become a tool used by regulators. But it could also become a de facto requirement for organizations once it starts being cited by plaintiffs attorneys, a group of top cybersecurity law specialists said yesterday.

Speaking at a cybersecurity event hosted here by Bloomberg Government, Stewart Baker of Steptoe & Johnson said that the NIST framework could come into play with the impending wave of lawsuits surrounding cyber breaches.  "It’s a no-brainer for plaintiffs lawyers to say 'what do you mean you didn't even follow the government’s cybersecurity framework?'"

As expected (and feared by some industries) regulators could more heavily rely on the framework as a benchmark for good cybersecurity practices. "The other place we’re going to see the NIST framework used is as regulators [u]se the framework as a way of asking questions about what kind of security you have," Baker said, adding that it could become a kind of test as regulators implement various policies and rules.

"The thought of the SEC [Securities and Exchange Commission] becoming a regulator [in cybersecurity] is quite chilling," Donald Fagan of Covington & Burling said. It's probably more accurate to label it as a "precursor to a test," he said. "The framework can be used to determine whether we are acting reasonably," Ben Powell of WilmerHale said.

Right now few signals are coming out of government agencies that the NIST framework might morph from voluntary to mandatory. "The White House announced that they're happy with where the voluntary process is going…which surprised us a little bit," Jeff Greene, Senior Policy Counsel for Symantec said. "The framework at least for the foreseeable future will stay pretty much as voluntary as it can."

Symantec has already adopted the framework, albeit in a tailored fashion, Greene said. "We're actually using the NIST framework. We have found it useful internally."

Small businesses, though, have a difficult time adapting to the framework, according to Greene. "At the small business end [t]hey don’t have the in-house IT staff.  We have found that we have to talk to them in a one-pager document. We’re trying to distill it down in a way that we can talk to them about it."

Top Experts: C-Suite Execs Have 'Caught Religion' in Wake of Target Breach


(Washington, DC)  Given the high-profile ouster of Target's CEO in the wake of the retailer's massive data breach, cybersecurity has been--and should be--elevated to executive suites across corporate America, a string of top security experts said yesterday. Speaking at a day-long cybersecurity conference hosted by Bloomberg Government here, current and former top government and industry cyber specialists issued a wake-up call to business and critical infrastructure leaders that cybersecurity can no longer be relegated to the purely technical realm.

"Cybersecurity is foundational," Admiral Mike Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency said. "You must own this problem. This is just not your IT and computer people. You have to own this problem as a leader."

"This is becoming a CEO issue," Lou Von Thaer, President of the National Security Sector of Leidos, said. "We are being asked by directors all the time to be briefed," Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike said. "I hear all the time from the board members…they actually think the IT people are purposively speaking in gibberish so they cannot be subjected to oversight."

Although litigation and liabilities are the most visible outcome of Target-like breaches, the challenge of handling a huge, complex crisis might be the bigger reason that executives are suddenly paying attention. "In some respects the greatest liability risk is not a legal one but a crisis management one," Donald Fagan of Covington and Burling said. "It is the Target issue…that has caught the attention of many businesses out there. They've caught religion."

Target may be the poster child for the massive damage that can ensue from a cybersecurity breach, but the company did most things right when it came to cybersecurity. Target would have received a high grade in terms of how well it followed the cybersecurity framework issued by the National Institute of Standards and Technology earlier this year, Stewart Baker of Steptoe & Johnson said.  "They just didn't respond to the overwhelming number of alerts they got."

"People have to understand how good a company Target is when it comes to cybersecurity," Michael Leiter, Senior Counselor to the CEO of Palantir Technologies said. "That means there really is no company that doesn't face this as a business risk."

Rep. Mike Rogers: Chinese Indictments Are 'Glitz and Glamour' But Legislation More Important


(Washington, DC)  House Intelligence Committee Chairman Mike Rogers (R-MI) said yesterday that the Justice Department's high-profile indictment of Chinese military officials for cyber theft of U.S. business secrets is "great for glitz and glamour" but it's more important that Congress act on cyber legislation by August if the government wants to ensure true cybersecurity. Speaking at an event hosted by the George Washington University Cybersecurity Initiative, Rogers said "I agree with the indictments and I agree with certain visa restrictions [b]ut it can't be done in isolation."

The Obama administration's largely symbolic move is "great for glitz and glamour but nothing followed," Rogers said. "It's the right idea but the wrong execution.  If only we could get the second piece of this, which allows the private sector to defend itself," Rogers said, referring to the Cyber Intelligence Sharing and Protection Act, which would facilitate the sharing of cybersecurity information between the private sector and the government.

Although the House has passed the bill, it's stalled in the Senate, a situation that Rogers thinks is improving and believes has to be resolved by August or else prospects for near-term cybersecurity legislation will die. "I think we've made tremendous progress in the last few months. I hate to say it but if we don't get something moving in August, it will get lost in the haze."

Rogers is cautiously optimistic that a bill could move in the next thirty days, with the contentious issues narrowed down to a "few short issues," particularly the question of how a portal for sharing information with the government gets structured. "We've narrowed down the issues on the portal," Rogers said.

Speaking at the same event, Toomas Hendrik Ilves, President of Estonia, a country widely considered to be home to the first true cyber warfare attack, said that new intellectual concepts are needed to successfully battle cyber threats given the radically novel dangers posed by the modern connected era. "We have major intellectual tasks ahead of us," he said. We are facing the modern equivalent of Thomas Hobbes' "war of all against all" and "we need our Jeffersons, our Voltaires in this area."

Estonia is at the forefront of protecting individual online identities as a key strategy for ensuring security, with everyone using two-factor public key infrastructure based on 2048-bit RSA keys. "We have come to the conclusion that you cannot have any genuine security without a secure online identity," Ilves said. "That is the dilemma of all Internet relations. You don't know who's who."
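The mechanism behind a PKI-based online identity of the kind Ilves describes is a challenge-response: the relying party sends a fresh random nonce, the holder's card signs it with a private key that never leaves the card (and only after the PIN, the second factor, is entered), and the relying party verifies the signature against the enrolled public key. The following is an added illustration written for this page, not code from the article or from Estonia's e-ID system; it uses the third-party Python `cryptography` package, and the `IdCard` and `RelyingParty` classes, the `"auth:"` prefix and the sample holder names are assumptions made for the example.

```python
"""Challenge-response authentication with a 2048-bit RSA key pair.

Added example, not from the article: a stand-in smartcard holds the
private key, a relying party holds the enrolled public key, and identity
is proven by signing a one-time nonce. Requires `pip install cryptography`.
"""
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-PSS with SHA-256; the same parameters are used on both sides.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)

# Domain separation (assumed convention): an authentication signature can
# never be replayed as a signature over some other kind of message.
AUTH_PREFIX = b"auth:"


class IdCard:
    """Stand-in for the card: the private key is generated and kept here."""

    def __init__(self, holder: str):
        self.holder = holder
        self._key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._key.public_key()  # what a certificate would carry

    def sign_challenge(self, nonce: bytes, pin_ok: bool) -> bytes:
        # Second factor: the card refuses to sign unless the PIN was entered.
        if not pin_ok:
            raise PermissionError("PIN required before signing")
        return self._key.sign(AUTH_PREFIX + nonce, PSS, hashes.SHA256())


class RelyingParty:
    """Server side: issues one-time nonces and verifies signatures."""

    def __init__(self):
        self.enrolled = {}     # holder -> public key, from enrollment
        self.outstanding = {}  # nonce -> holder it was issued to

    def enroll(self, holder: str, public_key) -> None:
        self.enrolled[holder] = public_key

    def challenge(self, holder: str) -> bytes:
        nonce = secrets.token_bytes(32)  # fresh, unpredictable, used once
        self.outstanding[nonce] = holder
        return nonce

    def verify(self, holder: str, nonce: bytes, signature: bytes) -> bool:
        # A nonce is consumed on first use: unknown, reused or
        # re-targeted nonces are rejected before any crypto happens.
        if self.outstanding.pop(nonce, None) != holder:
            return False
        key = self.enrolled.get(holder)
        if key is None:
            return False
        try:
            key.verify(signature, AUTH_PREFIX + nonce, PSS, hashes.SHA256())
        except InvalidSignature:
            return False
        return True


def demo() -> tuple:
    """Returns (genuine login ok, replay rejected, impersonation rejected)."""
    alice = IdCard("alice")                      # constructed sample holder
    rp = RelyingParty()
    rp.enroll("alice", alice.public_key)

    nonce = rp.challenge("alice")
    sig = alice.sign_challenge(nonce, pin_ok=True)
    genuine = rp.verify("alice", nonce, sig)    # True

    replayed = rp.verify("alice", nonce, sig)   # same nonce again -> False

    mallory = IdCard("mallory")                  # has a key, but not Alice's
    nonce2 = rp.challenge("alice")
    forged = mallory.sign_challenge(nonce2, pin_ok=True)
    impersonation = rp.verify("alice", nonce2, forged)  # False

    return genuine, replayed, impersonation


if __name__ == "__main__":
    print(demo())
```

The nonce bookkeeping is doing as much work as the signature: without consuming it on first use, a captured signed challenge could be replayed, and without binding it to the holder it was issued for, a nonce issued to one account could be answered for another.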

Government Cybersec Leaders: Just Patch Your System, Do Strong Passwords


(Washington, DC)  Despite vulnerabilities such as Heartbleed grabbing headlines, the best methods for ensuring adequate system security are often the most basic forms of cyber hygiene, such as patching systems and ensuring strong passwords, a group of government cybersecurity experts agreed today. Speaking at the GovSec conference here, Ron Layton, Deputy Chief Information Officer, U.S. Secret Service said "what's the best investment for our resource dollar?  Patch your system.  The vast majority of successful breaches use very low-level techniques."

"We are still at the precipice of one of the most disruptive forces in our society [b]ut just do a strong password and you're good," he added.

"You don't necessarily need to worry about the most recent APT [advanced persistent threat] if you have 20% of your computers that are unpatched that can be had by a hacker with no skill whatsoever," Patrick Morrissey, Former Director of Investigations and Protective Operations, Blackberry, and Former CISO, U.S. Secret Service, said. "That is where the bad guys are going to come in. The sophisticated hacker is not going to waste his technique on you.  Don't worry so much about being exploited by the latest and greatest.  Just stay up to date on your patches."

The best method for ensuring adequate cybersecurity within the federal government is information sharing and collaboration, something that is bolstered by trust but hampered when no crisis is pressing on the nation. "Trust and relationships is what it’s all about," Dave Pekoske, Chairman of the FBI-private sector partnership InfraGard National, said.

However, "the agencies are not going to be giving up the keys to the kingdom" to other agencies, Morrissey said, particularly if a truly collaborative relationship is absent. "People are going to be reluctant to share information with those agencies if they don't believe the agencies are going to protect them as they should."

Information sharing among government agencies is problematic for a number of reasons, not the least of which are the varying definitions of security clearance and "need to know" statuses across agencies. But agencies do collaborate better in the midst of a crisis. "The government does work well in crises but the farther we get away from 9/11 it becomes a problem," Morrissey said.

Another perennial problem that hampers work across agencies is the lack of qualified cybersecurity personnel, who tend to steer clear of the government or bolt for the higher paid private sector after relatively short stints.  "It's a huge challenge for us right now," Eric Strom, Unit Chief, Cyber Initiative and Resource Fusion, NCFTA, FBI, said. "It's hard to take an investigator and teach them cyber skills."
