
Cybersecurity Should Scale Faster than the Information Revolution, DARPA Head Says

Mary Jordan, Arati Prabhakar

(Washington, DC) In the face of cybersecurity threats that seem to breed like bacteria, a conceptual fix is to speed up cybersecurity development to outpace the rapid-fire evolution in technology, the head of the Defense Advanced Research Projects Agency (DARPA) said today. Speaking at a cybersecurity summit hosted by the Washington Post, Arati Prabhakar, Director of DARPA, said "we are trying to wrangle this problem while the information revolution is exploding. The moonshot for cybersecurity in my view is to find techniques that scale faster than this revolution."

One key problem is that the Internet was developed, under DARPA's auspices, at a time when the current kinds of security threats were unimaginable. If DARPA had a clean slate to rebuild the Internet to make it more secure, one concept would be to apply a biological model to network security, she suggested. "Under the hood there is a lot of diversity among individuals [s]o one attack cannot wipe out the human race," she said, drawing parallels between the efforts DARPA spearheads to help the public health community outpace infectious diseases and its simultaneous efforts to develop automated cyberdefense systems.

The scariest cybersecurity threat is a potential take-down of the power grid. But that's an unlikely prospect for the typical IT hacker, Andy Bochman, Senior Cyber and Energy Security Strategist at Idaho National Laboratory, said. "The communication protocols and the types of processors and the amount of memory is often wholly different" for the energy sector's industrial control systems. "For the standard hacker, it would be a strange place."

Still, to the extent that power companies are putting into place new technology, there is a "tremendous opportunity" to minimize risk. "The more that electric utilities and stakeholders include security requirements into their RFPs, [t]hat gives signals to the manufacturers that what wasn't important before is suddenly something they should pay attention to," Bochman said.

It's unlikely that Congress will step in with its own solution during the upcoming lame duck session, Rep. Mike Rogers (R-MI), retiring Chairman of the House Intelligence Committee, indicated. "We have a very small window to get this done [pass a cybersecurity bill]," he said. "The political challenges in the Senate make the odds pretty high," with Rogers blaming the failure to pass a bill on "political tantrums."

Only 15% of networks are owned by the U.S. government and thus benefit from the cybersecurity protection of the military and various federal agencies. "By doing nothing in Congress, we are telling these 85% of private networks 'you are on your own,'" Rogers said, pointing mainly to the difficulties in sharing information between public and private groups, a gap that most cybersecurity bills aimed to narrow.

Meanwhile, the federal government is doing what it can to help raise the level of cybersecurity practices around the globe. Federal agencies are increasingly coming together to work with other nations in securing the necessary infrastructure against the "less deterrable" threat actors, such as Iran and Korea as well as terrorist organizations. "The good thing is that more and more countries are taking this seriously," Christopher Painter, Coordinator, Cyber Issues at the State Department, said.

Around 60 countries are looking to build cyber command operations, Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security for the Defense Department, said. The U.S. government is helping some of those countries, particularly in Europe and Asia, build that capacity. "There are a small group of countries that we are advising. [W]e only do it with our very closest partners, mostly because we want to make sure it's being done right."

NIST Cybersecurity Framework is Good and Bad, Experts Say

Six months after its release, the cybersecurity framework issued by the National Institute of Standards and Technology (NIST) received mixed reviews from a group of cybersecurity specialists who've now had time to give the landmark system a closer look. Speaking at a webinar hosted yesterday by both the Industrial Control System Information Sharing and Analysis Center (ICS ISAC) and my own firm DCT Associates, the early assessment of the framework ranged from "pleased" to "failed," with a general sense that the framework doesn't replace the hard work of implementing adequate cybersecurity controls.

"I'm relatively pleased," Chris Blask, Chair of the ICS ISAC said. "What we want to achieve from all these sorts of things, rather than force people to comply with specific activities, is encourage all the relevant players to take steps that result in a more secure infrastructure."

"From an operator perspective, a document like this [the framework itself] is quite intimidating," Kevin Morley, Security and Preparedness Program Manager, American Water Works Association (AWWA), said. "This is a little bit abstract and we felt we needed a different approach," which is why the AWWA developed its own security guidance for the water sector. Nevertheless, AWWA mapped its separate guidance to the NIST framework and found that the two are 100% aligned, Morley said.

"You can look at the NIST CSF as a success and you could say it’s not a bad outcome.  I believe you could only say that if you have very low expectations," Perry Pederson, Co-Founder and Managing Principal at The Langner Group said. "Compliance with the NIST CSF only requires adopting the terminology.  If you speak in those terms and talk in those terms you can be compliant with the framework without changing anything you have to do. It’s really a business-friendly framework because it allows the business to decide based on its needs and resources to simply cherry pick what it wants."

Jaap Schekkerman, Director of Global Cyber Security at CGI Group, agreed with Pederson. The framework is "addressing all kinds of questions [b]ut it doesn't tell you how to do it," he said. "If you're not familiar with the standards [referenced in the framework], you don't know what to do."

The framework wasn't intended to provide a technical blueprint telling cybersecurity specialists what to do, Greg Witte, Program Manager, Security Standards Team, G2, countered. "It really is about communication and awareness," he said. "We should not be directing people and making it mandatory."

"The framework is a way to have a discussion about managing risk," Adam Sedgewick, who spearheads the framework initiative for NIST, said during an interview earlier in the week. Still, NIST welcomes criticism and hopes to solicit a wide range of opinions on the framework's effectiveness through a request for information issued today in preparation for a framework workshop NIST will host in October. "We really do want a healthy debate, we welcome criticism."

NIST's Cybersecurity Framework at the Six-Month Mark: Are We More Secure?


On February 12th the National Institute of Standards and Technology (NIST) released its comprehensive cybersecurity framework, the culmination of an intense 12-month drafting process ordered by President Obama in an effort to ward off what former Defense Secretary Leon Panetta feared would be an imminent "cyber Pearl Harbor." This framework of frameworks was intended to lay down some ground rules to improve the security and resilience of all industries, but particularly the critical ones upon which stable society depends, such as energy, communications, transportation and food and agriculture.

So, what's happened since the framework's release? Find out tomorrow when I will be moderating a webinar for the Industrial Control System Information Sharing and Analysis Center (ICS ISAC), one of the key groups assigned the all-important information-sharing task among industrial control system operators to ensure that cyber threats are identified and managed in a timely fashion.

Join ICS ISAC Chair Chris Blask and me to find out what top security specialists think about the framework six months in and the benefits and challenges they've experienced in putting the framework into place. Among the experts we've lined up are:
  • Kevin Morley, Security and Preparedness Program Manager, American Water Works Association
  • Perry Pederson, Co-Founder and Managing Principal at The Langner Group, LLC
  • Greg Witte, Program Manager, Security Standards Team, G2, Inc.
Based on my conversations with some of the speakers, this webinar promises to be a lively one, complete with frank assessments of both the good and not-so-good aspects of the framework. I'll check back in here later with a write-up of the key points, but register for the webinar today so you can hear first-hand what they have to say and ask your own questions.

Cybersecurity Information Overload: Is There a Solution?

For at least the past two years, I've been fascinated by the highly fractured nature of information in the cybersecurity world, which faces an overwhelming onslaught of constant developments, studies, reports, meetings, breaking news, standards developments and government activity. I've spent my entire career creating information products, conferences and advisory services focused on technology-related industries and corresponding complex policy topics (albeit in the comparatively easy-to-grasp media, communications, consumer electronics and, more recently, energy sectors).

But nothing beats cybersecurity as a tough topic, an issue that few people feel, deep down inside, they adequately grasp. This vague sense of not-knowing is true for both the technology professionals responsible for implementing cybersecurity within their organizations and, most emphatically, the non-technologists who run organizations, government agencies and corporations and who are increasingly held responsible for the cyber breaches that occur on their watches. Part of the problem is that there is just too much stuff bombarding all of us, and the information overload is accelerating.

Hundreds of good (and not so good) journalists crank out important cybersecurity news pieces every day across at least several dozen, if not hundreds, of bona fide publications (My slightly outdated must-read list is here).  Hundreds of consulting, engineering and law firms release reports, updates, advisories and white papers.  Endless meetings with thousands of participants are held across government and affiliated working groups, centers and labs of all stripes and sizes and all industry sectors. A day doesn't go by without at least a dozen important webinars, conferences or hearings on some important cybersecurity topic.

Trying to keep track of the day's developments is alone a herculean challenge.  A while back, I launched a Twitter feed and a corresponding nifty online Flipboard magazine (best seen on tablets and smartphones) that seeks to sift through the day's endless streams of information for only the most important, most interesting and most useful information.  Unlike some people who have brilliantly developed scripts to sift useful information from the repetitive, derivative and not-so-valuable gunk, I manually go through news feeds, emails, LinkedIn group reports and other sources and pick what to put in these curated resources. This process can consume many hours of my day if I don't watch it.

A few years back I interviewed over a dozen utility cybersecurity executives about the problems they faced. Information overload was consistently ranked among the top impediments to getting their jobs done. Typical of the responses I received was one from a top cybersecurity technologist. "A lot of stuff comes into our email inbox," he said. "There is a huge quantity of information out there saying 'we know what's best.' Quite honestly, for me it's fairly overwhelming to see that much information come in."

And the situation has only deteriorated in the three years since I conducted that project. So, what's the solution? Is there a solution, or is cybersecurity just too vast, so endemic to everything in the world now, that it's impossible to develop a comprehensive resource that hits the high points and pulls it all together as best as possible in a reasonable time frame?

These are the questions in the back of my mind as I work on a plan that proposes to do precisely that. Pull it all together and produce ongoing reports, data and analysis in a way that makes sense and reflects expertise and high-caliber thinking.

But if any of you have any answers to the question about information overload (is there a solution, and what is it?), or if there is a key piece of data or aggregated information that you wish you could see, drop me a line and share your thoughts.

Tanium Pushes 2014 Cybersecurity Venture Funding to $392M, Over Five Times 2013 Level


San Francisco-based cybersecurity-focused start-up Tanium announced yesterday a $90 mil. venture cash infusion from Andreessen Horowitz, a Silicon Valley powerhouse known for backing a long list of Internet and technology winners. The $90 mil. investment is the venture funding titan's second largest investment ever and continues a string of the firm's investments in cybersecurity companies, including Bluebox Security, Ciphercloud and Bromium.

Tanium, which describes itself as an "enterprise-scale real-time security and systems management company," has developed an approach to security management that it says collects and processes billions of metrics -- hardware configuration, software inventory, network usage, patch and update status and more -- across an organization's endpoints in real-time, providing instant visibility into operational issues to ward off security attacks.

Andreessen's big investment is the latest in a string of high-profile investment rounds across the growing ranks of cybersecurity technology start-ups.  According to our tally, thus far in 2014, cybersecurity firms have snagged $392 mil. in venture capital, over five times the level of the estimated $70 mil. in cybersecurity related venture deals in 2013.  (See table below).

At this point, total recent venture funding for cybersecurity tech providers is coming close to the $1 bil. mark. As the table below shows, since April 2012, venture funding for cybersecurity start-ups has totaled at least $818 mil.  At this rate, and with five months left in the year, that $1 bil. mark seems to be easily within reach.

Rep. Mike Rogers Raps FCC's Stance on Cybersecurity, Challenges Funding Request


Rep. Mike Rogers (R-MI), Chairman of the House Intelligence Committee, yesterday issued a red flag against last week's move by Federal Communications Commission (FCC) Chairman Tom Wheeler to broaden the agency's involvement in communications companies' cybersecurity practices. In a letter signed by fellow Republican panel member Mike Pompeo (R-KS), Rogers expressed concern that Wheeler's approach, while relying primarily on the market to manage cybersecurity issues, verges too close to increased regulation.

The letter states that a speech Wheeler gave last week, in which he outlined a "new paradigm" for cybersecurity, as well as statements by Commission staff, "lead us to be concerned that the Commission may be preparing to implement a new regulatory scheme that would significantly impact Internet service providers and other web service providers."  In his speech, Wheeler said that if the new paradigm doesn't work, "we must be ready" with "alternatives if it doesn't."

The letter also raised objections to little-noticed cybersecurity-related budget additions in the FCC's FY 2015 budget.  "We also question why the FCC's Fiscal 2015 budget requested a substantial funding increase for cybersecurity activities, including funding for 'Big Data Cybersecurity Analytics and a Cybersecurity Metrics' program. While we support efforts to ensure that the Commission's internal systems are secure from cyber-attack, these initiatives appear to be outward, or industry, facing."

The FCC's FY 2015 budget asks for $700,000 for a big data cybersecurity analytics program. In the budget the Commission states that "Big Data Cybersecurity Analytics will be a disruptive technology in the Cybersecurity arena, as traditional analysis and forensics techniques will be superseded by automation conveniences that reduce the burden of work on the analyst." The $700,000 is aimed at helping the FCC conduct root cause analysis, such as reverse engineering of malware on computer networks.

The FY 2015 budget also asks for $575,000 for the metrics program referenced in the letter.  The budget states that "FCC has initiated planning efforts to collect and analyze monthly metrics related to the cybersecurity threats addressed using data obtained from commercial sources," with the metrics to be provided to the Commission's newly formed Cybersecurity and Communications Reliability Division for analysis and baseline tracking.

Once that's done, the metrics program will be used to create a "Cybersecurity Dashboard" to "help the FCC track the ongoing progress of cybersecurity initiatives."

The appearance of the letter from Rogers and Pompeo indicates some level of concern among certain affected communications providers over Wheeler's new paradigm.  Following last week's speech by Wheeler, some telco industry representatives expressed unhappiness over some statements in the speech, presumably those that indicated the FCC would need to see "demonstrably effective" results and metrics under the new paradigm, perceived to be code for quasi-official monitoring and a possible precursor to regulatory action.

However, cable companies seemed warmer to the idea of the new cybersecurity paradigm. Comcast issued a statement supporting Wheeler's new approach. "Comcast will continue working with the Chairman, his fellow Commissioners, and the dedicated staff at the FCC to help achieve these important goals," Myrna Soto, senior VP and chief information and infrastructure security officer for Comcast Cable, said.

FCC Chairman Unveils New Paradigm for Cybersecurity; Must Be "Demonstrably Effective"


(Washington, DC)  The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today unveiled a new program for communications cybersecurity that relies on industry-driven initiatives for "proactive, accountable cyber risk management for the communications sector" in lieu of a "prescriptive, regulatory approach."  Nonetheless, the "new paradigm," as he called it, needs to be more "demonstrably effective than blindly trusting the market" to provide adequate cybersecurity risk management.

The goal is to spur greater cybersecurity activity by communications companies while stopping short of implementing official FCC rules or policies. Many communications companies have feared regulatory action by the FCC as a means of mandating the voluntary cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February, or in the wake of a high-profile cyber incident.

Speaking at an event hosted here by the American Enterprise Institute, Wheeler laid out some central pillars of the approach. The first pillar is for the FCC and communications companies to promote greater "privacy-protective" information sharing of cyber threats and attacks, along the lines of the best-in-class information sharing that the financial sector has demonstrated in its ISAC (Information Sharing and Analysis Center). The communications sector already has its own ISAC in the National Coordinating Center for Telecommunications (NCC) under the Department of Homeland Security.

The second pillar is for the FCC to measure best cybersecurity practices already developed under the Commission's auspices and to tailor risk management processes to NIST's framework. The FCC's industry-led Communications Security, Reliability and Interoperability Council (CSRIC) has already formed a working group for this task, "working group 4," which met last week to begin tailoring the NIST framework. CSRIC will host its fourth meeting on June 18, while working group 4 is expected to meet again in late July.

Wheeler has asked the Commission’s Technological Advisory Council (TAC) to explore specific opportunities where R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry, an effort that forms the third pillar.

It's crucial that communications companies conduct some internal reviews of their cyber risk exposure, assess how they are managing their risks and develop better metrics, Wheeler said. "Companies must have the capacity to assure themselves, their shareholders and boards – and their nation – of the sufficiency of their own cyber risk management practices."

Some companies could take time adjusting to the "demonstrably effective" aspect of the new paradigm, Wheeler noted, because it "will require a level of transparency that may take some time to get used to, but the bottom line is that this new paradigm can't be happy talk about good ideas – it has to work in the real world. We need market accountability on cybersecurity that doesn't exist today, so that appropriately predictive and proactive investment is made to improve cyber readiness."

Another potential issue is the level of commitment to the FCC's program, one key communications company representative said.  "There needs to be true commitment to this new paradigm.  When we actively hit bumps in the road, there has to be commitment," he said, adding that the commitment has to be on the part of not only the communications companies, but also the FCC itself.  "Providing there is a true will to make it work, it will work."

Communications companies aren't completely out of the regulatory woods yet. "We are not Pollyannas," Wheeler said. "We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken."
