Recent Posts

NIST Privacy Workshop Aims at 'Wherever Privacy Risks Arise'

(Gaithersburg, MD)  The National Institute of Standards and Technology (NIST) hosted the first of a two-day privacy engineering workshop here today as a follow-on to the February release of its Framework for Improving Critical Infrastructure Cybersecurity.  Based on the first day's general sessions, the scope of NIST's privacy focus appears to be far broader than, and perhaps only slightly connected to, its origins in cybersecurity.

Although the penultimate version of the cybersecurity framework included an extensive privacy methodology appendix, the final version featured a more stripped-down privacy approach in response to the objections of critical infrastructure owners who perceived the original appendix as overly prescriptive. The privacy workshop is intended to help fill in the resulting privacy gaps in the framework, aiming to flesh out what NIST says is the paucity of identifiable "technical standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties." 

Despite its origins in the development of a cybersecurity framework, the workshop addresses a wide range of privacy issues, with the discussions encompassing privacy protections across a number of disciplines and industries. Specifically, the focus of the workshop is "privacy engineering," namely to "develop reusable tools and practices to facilitate the creation and maintenance of systems with strong privacy postures," Naomi Lefkovitz, Senior Privacy Policy Advisor, Information Technology Lab at NIST said.

When asked during Q&A whether NIST's approach extends beyond the privacy issues surrounding the cybersecurity framework, Lefkovitz said "we hope this is useful in many disciplines, wherever privacy risks arise." During the development of the framework, she said, "we lacked this whole foundational tool and vocabulary for privacy," so NIST "need[ed] to step back and do a little more foundational work first."

Although most of the privacy-oriented attendees (few of the attendees had attended the earlier NIST cybersecurity workshops, based on a show of hands) seemed pleased by the workshop's discussion topics, a few critical infrastructure privacy representatives again expressed concern about the wide-ranging technical scope of NIST's latest privacy effort, fearing that it might produce far more granular privacy recommendations than they've seen in other, more policy-oriented venues.  Following the workshop, NIST plans to produce a report that is the basis for a NIST Interagency or Internal Report (NISTIR), solicit comments on that document and host a further workshop to refine the draft NISTIR.  

Cybersecurity Stocks Slip in March; Still Beat the Nasdaq for the Month, Market for the Year

Cybersecurity-related stocks slipped at the end of March, after reaching a yearly high during the first week of the month, according to my cybersecurity stock index.  As of the close on March 28, the index dipped to 106.21, down 3% from the close of 109.01 on February 28.

The companies in the stock index (see the table below) still managed to beat the Nasdaq (COMP), which dropped 4% from February 28 to March 28.  (Eight of the thirteen companies in the index trade on the Nasdaq.)  But they were outperformed by the Dow Jones Industrial Average (DJIA) and the S&P 500 (SPX), both of which remained almost exactly flat for the month.

The top performers for the month were AVG Technologies NV (NYSE: AVG), which jumped 23% during the month, and KEYW Holding Corp. (NASDAQ: KEYW) and Palo Alto Networks Inc. (NYSE: PANW), both of which advanced by 21%. At the bottom were Barracuda Networks Inc. (NYSE: CUDA), which declined by 13% after a major climb in February, and Symantec Corp. (NASDAQ: SYMC), which dropped 14%.

Overall, though, cybersecurity stocks are still well ahead of the markets for the year, posting an index gain of 6%, compared to a 1% decline in the DJIA and a 1% uptick in both the SPX and COMP.

CrowdStrike CRO: NIST Framework, Vulnerability Mitigation Do Not Create Adequate Cybersecurity

On a day jam-packed with high-profile cybersecurity hearings and events in Washington, one expert witness strayed from the usual endorsements of government and corporate party lines to suggest that the cybersecurity strategies embraced by most organizations might actually harm security. Speaking at a hearing held today by the Senate Homeland Security and Government Affairs Committee, CrowdStrike Chief Risk Officer Steven Chabinsky (appearing in a personal capacity) said that the recent cybersecurity framework produced by the National Institute of Standards and Technology (NIST), while improving cybersecurity, "will not result in adequate security of our infrastructure and for our country."

Although praising the framework as a true public-private partnership, Chabinsky said that "improving our security posture requires that we reconsider our efforts rather than simply redouble them." Advocating that U.S. organizations align their cybersecurity efforts more with the strategies used in the physical world, Chabinsky said "we must ensure that our cybersecurity strategies focus on not preventing more intrusions but on more quickly detecting them and mitigating harm."

Specifically, Chabinsky, previously a long-time FBI cyber intelligence leader, advocated a shift away from a "vulnerability mitigation" mindset, which he likened to protecting a building by constructing a twenty-foot brick wall around it (only to have the intruder buy a 30-foot ladder as a consequence), to one that focuses on instant detection, attribution, threat response, and recovery while in parallel locating and penalizing bad actors. "We take reasonable precautions to lock our doors and windows, but we do not spend an endless amount of resources in hopes of becoming impervious to crime," he said.

The growing focus on vulnerability mitigation, Chabinsky argued, can lead to decreasing economic returns or, worse, negative returns. For example, using the analogy of the brick wall, stepped-up vulnerability mitigation might cause the intruder to use powerful explosives instead of buying a ladder. "Our current cyber strategy has had the unintended consequence of proliferating a greater quantity and quality of attack methods thereby escalating the problem and placing more of our infrastructure at greater risk," Chabinsky said.

Threat deterrence would improve, he argued, if blame fell on the offenders rather than on the victims for not having adequate vulnerability protection. "It is my hope for the future that the blame for, and the costs of, cybercrime will fall more squarely on the offenders than on the victims, that in doing so we will achieve greater threat deterrence, and that businesses and consumers will benefit from improved, sustained cybersecurity at lower costs," he concluded in his written testimony.

ACLU Technologist: Algorithm to Protect Phone Calls Has Long Been Broken

(Washington, DC)  The algorithm used to protect phone calls is broken and government officials refuse to acknowledge this vulnerability because law enforcement exploits it for their own purposes, ACLU’s Principal Technologist Christopher Soghoian said yesterday.  Speaking at a Carnegie Mellon University forum held here, Soghoian said “it’s been known that the algorithm used to protect our phone calls has been broken. We’re still using that algorithm today.”

“Everyone’s communication is going over the wire in unencrypted form or very weak encrypted form,” which makes anyone who purchases certain equipment (including foreign governments) capable of listening to private calls, Soghoian said. What makes the problem more urgent now is that the easily purchased equipment needed to eavesdrop on phone calls has plummeted in price over recent years, from over $100,000 ten years ago to as low as $1,200 today.

This vulnerability in the phone system has not been acknowledged by either phone companies or the federal government because law enforcement relies on this security hole to eavesdrop on targets. “We haven’t seen any government officials warn the public,” Soghoian said. “The reason for this is that law enforcement is actively exploiting this system.”

This situation is a classic example of where “the offense and defense conflict” in cybersecurity practices and policies in the U.S., according to Soghoian. “You cannot have a system that is easy to spy on that is secure.”

Cybercrime has become the single most pressing cybersecurity problem because of the difficulties in identifying and prosecuting cyber criminals across the globe, Jody Westby, CEO of Global Cyber Risk, said. “Cybercrime today has become the perfect crime” because criminals are seldom caught, arrested or jailed due to the lack of harmonized cybercrime laws around the world. “We have a situation where cybercrime has no borders but law enforcement does.”

Internet Security Alliance CEO Larry Clinton agreed.  “The attack team is getting better and better all the time.”

The rapid technological change that has moved the U.S. from a service economy to an information economy has fostered cyber insecurity for the time being, Matt Scholl, Deputy Chief of the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology (NIST), said. “We have not caught up with the consequences of this change in technology.”

The cybersecurity framework released by NIST last month could change the cybersecurity calculus, Earl Crane, Senior Principal of the Promontory Financial Group, said.  “We’re already seeing the impact of the framework where organizations are already adopting the framework and using it.”

A shortage of cybersecurity experts exists, David Brumley, engineering professor at Carnegie Mellon, said, but even with more experts, the U.S. will be outnumbered by countries such as China. “We need more cyber experts but more security experts are not enough. [W]e’re going to be outnumbered. What are you going to do when there are more of them than there are of you?”

Cybersecurity Stocks Climbed 9% During First Two Months of 2014

With the glaring spotlight placed on cybersecurity breaches during the second half of 2013, I started tracking cybersecurity-related stocks traded on the big exchanges with the assumption that the companies I chose to follow would have a very robust 2014.  So far my assumption has proven to be true.

Of the 13 (mostly pure-play) publicly traded cybersecurity companies I've followed (see table below), only three experienced declines during the first two months of the year, with most gaining double digit boosts between the close on January 3 and the close on February 28.  I created a cybersecurity stock index to see just how well this group of companies performed on the whole in comparison to the broader market.

Based on this index, the cybersecurity companies advanced 9% during the first two months of 2014, more than twice the growth in the Nasdaq Index, four times the performance of the S&P Index and almost ten times the rise in the Dow Jones Industrial Average.

And if this week is any indication, cybersecurity-related companies are poised for even bigger gains. Two of the newest cybersecurity players on Wall Street soared today: next-gen threat protection company FireEye (NASDAQ: FEYE) rose 8.44% to close at 95.63, while firewall provider Barracuda Networks jumped 9.29% to close at 38.48.

Stay tuned as I periodically update the trends.

Former Vice Admiral, NSA Director McConnell: 100% Certainty Cyber Attacks Will Occur

(Washington, DC)  Former Navy Vice Admiral, NSA Director and US Director of National Intelligence Mike McConnell said today that the probability of a destructive cyber attack is 100% and that without good information sharing between government and industry the loss of lives and damage to property could be high. "In my mind, there is 100% certainty that cyber attacks will occur," McConnell said at the EnergyBiz Forum on Securing Power here.

Repeating the growing mantra of current and former top government officials that Congress needs to pass a cybersecurity bill, McConnell said "we are a nation with a strategic vulnerability and we have the information to deal with the vulnerability and we must share information between the government and private sector.  [I]f we don't share [information] and share it frequently, we are going to have a major loss of life and damage of property.

"We need legislation that forces the government to provide classified information to the private sector," he stressed.  However, "it should be sanitized to make information of value available to you."

In terms of the most vulnerable critical infrastructure likely to experience a cyber attack, "I would probably choose banking or power and I would choose the hottest part of the summer or the coldest part of the winter," McConnell said. "Just imagine being in New York City in the middle of the summer with no power."

BPC Report: New Electric Sector Cybersecurity Organization Needed

The North American electric grid should establish a new organization to advance cybersecurity risk management practices across the industry, the Bipartisan Policy Center (BPC) recommended in a wide-ranging report released today. Against a backdrop of multiple government agencies and industry groups attempting to wrestle with the complex challenge of cybersecurity, BPC recommends that a unified group, which it calls for the purposes of discussion the Institute for Electric Grid Cybersecurity, be established "before a significant cybersecurity event occurs and requires a rapid response."

Using as its model the Institute of Nuclear Power Operations (INPO), founded in 1979 in the wake of the Three Mile Island incident to oversee risk in the nuclear power sector, BPC says the institute should develop standards and practices that complement those established by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC).  "A centralized, industry-governed institution may be in the best position to promote effective strategies for managing cyber threats that could have broader systemic impacts," the report states.

The standards and best practices developed by the institute should cover generation, transmission, and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives. The mandatory standards established by NERC apply only to the bulk power sector, a situation that BPC says should be maintained.

The institute would pull together the wider electric industry to develop performance criteria and cybersecurity evaluations, analyze systemic risks, conduct event analysis, provide technical assistance and conduct training and accreditation.  "We believe most utilities would see clear benefits to participating in a new cybersecurity organization. Such an organization could reduce pressure on Congress or FERC to extend more aggressive or widespread regulatory measures, offer helpful technical assistance and information, and give participants the opportunity to develop new norms for cost-recovery practices."

The report was co-chaired by security and energy leaders including former NSA and CIA Director Michael Hayden and steered by an advisory group consisting of experts from top energy trade associations and companies, technology suppliers and former federal and state government officials.  During an event to launch the report, one of the advisory group members disagreed with the report's recommendation to create a separate electric sector cybersecurity institute.

"We embrace the recommendations in this report," Scott Aaronson, Senior Director of National Security Policy, Edison Electric Institute, said. "I push back a little on a new organization" because there are already many such organizations in existence, including NERC and a group housed within NERC, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

One of the report's recommendations is to split off the ES-ISAC from NERC itself because of "industry’s reluctance to share data for fear of triggering regulatory non-compliance actions, violating privacy or antitrust protections, or potentially disclosing proprietary or confidential business information."

Among the report's many other recommendations, which cover a wide swath of cybersecurity-related issues including information sharing, incident response planning and regulatory cost recovery issues:

  • The federal government should provide backstop cybersecurity insurance until the private market develops more fully;
  • The electric power sector and the federal government should collaborate to establish a certification program that independently tests grid technologies and products to verify that a specified security standard has been met;
  • The National Institute of Standards and Technology (NIST) should include guidelines for related skills training and workforce development in its Cybersecurity Framework;
  • DHS should work with universities and colleges to develop engineering and computer science curricula built around industrial control system cybersecurity;
  • The U.S. Department of Energy (DOE) should assist states in providing funds so that regulatory staff can participate in academic programs, more intensive training institutes, and continuing education programs.
