Recent Posts

Cybersecurity Information Overload: Is There a Solution?

Sign Up for the Cybersecurity Magazine 
For at least the past two years, I've been fascinated by the highly fractured nature of information in the cybersecurity world, which is in a state of overwhelming onslaught of constant developments, studies, reports, meetings, breaking news, standards developments and government activity.  I've spent my entire career creating information products, conferences and advisory services focused on technology-related industries and corresponding complex policy topics (albeit in the comparatively easy-to-grasp media, communications, consumer electronics and, more recently, energy sectors).

But nothing beats cybersecurity as a tough topic, an issue that few people feel, deep down inside, they adequately grasp.  This vague sense of not-knowing is true for both the technology professionals responsible for implementing cybersecurity within their organizations and, most emphatically, the non-technologists who run organizations, government agencies and corporations and who are increasingly held responsible for the cyber breaches that occur on their watches.  Part of the problem is that there is just too much stuff  bombarding all of us and the information overload is accelerating.

Hundreds of good (and not so good) journalists crank out important cybersecurity news pieces every day across at least several dozen, if not hundreds, of bona fide publications (My slightly outdated must-read list is here).  Hundreds of consulting, engineering and law firms release reports, updates, advisories and white papers.  Endless meetings with thousands of participants are held across government and affiliated working groups, centers and labs of all stripes and sizes and all industry sectors. A day doesn't go by without at least a dozen important webinars, conferences or hearings on some important cybersecurity topic.

Trying to keep track of the day's developments is alone a herculean challenge.  A while back, I launched a Twitter feed and a corresponding nifty online Flipboard magazine (best seen on tablets and smartphones) that seeks to sift through the day's endless streams of information for only the most important, most interesting and most useful information.  Unlike some people who have brilliantly developed scripts to sift useful information from the repetitive, derivative and not-so-valuable gunk, I manually go through news feeds, emails, LinkedIn group reports and other sources and pick what to put in these curated resources. This process can consume many hours of my day if I don't watch it.

A few years back I interviewed over a dozen utility cybersecurity executives about the problems they faced. Information overload was consistently ranked among the top impediments to getting their jobs done. Typical of the responses I received was one top cybersecurity technologist. “A lot of stuff comes into our email inbox," he said. "There is a huge quantity of information out there saying 'we know what’s best.' Quite honestly, for me it’s fairly overwhelming to see that much information come in,”

And the situation has only deteriorated in the three years since I conducted that project. So, what's the solution? Is there a solution or is cybersecurity just too vast, just too endemic to everything in the world now that it's impossible to develop a comprehensive resource that hits the high-points and pulls it all together as best as possible in a reasonable time-frame?

These are the questions in the back of my mind as I work on a plan that proposes to do precisely that. Pull it all together and produce ongoing reports, data and analysis in a way that makes sense and reflects expertise and high-caliber thinking.

But if any of you have any answers to the question about information overload - is there a solution and what is it? -- or if there is a key piece of data or aggregated information that you wish you could see, drop me a line and share your thoughts.

Tanium Pushes 2014 Cybersecurity Venture Funding to $329M, Five Times 2013 Level


San Francisco-based cybersecurity-focused start-up Tanium announced yesterday a $90 mil. venture cash infusion from Andreessen Horowitz, a Silicon Valley powerhouse known for backing a long list of Internet and technology winners. The $90 mil. investment is the venture funding titan's second largest investment ever and continues a string of the firm's investments in cybersecurity companies, including Bluebox Security, Ciphercloud and Bromium.

Tanium, which describes itself as an "enterprise-scale real-time security and systems management company," has developed an approach to security management that it says collects and processes billions of metrics -- hardware configuration, software inventory, network usage, patch and update status and more -- across an organization's endpoints in real-time, providing instant visibility into operational issues to ward off security attacks.

Andreessen's big investment is the latest in a string of high-profile investment rounds across the growing ranks of cybersecurity technology start-ups.  According to our tally, thus far in 2014, cybersecurity firms have snagged $392 mil. in venture capital, over five times the level of the estimated $70 mil. in cybersecurity related venture deals in 2013.  (See table below).

At this point, total recent venture funding for cybersecurity tech providers is coming close to the $1 bil. mark. As the table below shows, since April 2012, venture funding for cybersecurity start-ups has totaled at least $818 mil.  At this rate, and with five months left in the year, that $1 bil. mark seems to be easily within reach.

Rep. Mike Rogers Raps FCC's Stance on Cybersecurity, Challenges Funding Request


Rep. Mike Rogers (R-MI), Chairman of the House Intelligence Committee, yesterday issued a red flag against last week's move by Federal Communications Commission Chairman (FCC) Tom Wheeler to broaden the agency's involvement in communications companies' cybersecurity practices.  In a letter signed by fellow Republican panel member Mike Pompeo (R-KS), Rogers expressed concern that Wheeler's approach, while relying primarily on the market to manage cybersecurity issues, verges too close to increased regulation.

The letter states that a speech Wheeler gave last week, in which he outlined a "new paradigm" for cybersecurity, as well as statements by Commission staff, "lead us to be concerned that the Commission may be preparing to implement a new regulatory scheme that would significantly impact Internet service providers and other web service providers."  In his speech, Wheeler said that if the new paradigm doesn't work, "we must be ready" with "alternatives if it doesn't."

The letter also raised objections to little-noticed cybersecurity-related budget additions in the FCC's FY 2015 budget.  "We also question why the FCC's Fiscal 2015 budget requested a substantial funding increase for cybersecurity activities, including funding for 'Big Data Cybersecurity Analytics and a Cybersecurity Metrics' program. While we support efforts to ensure that the Commission's internal systems are secure from cyber-attack, these initiatives appear to be outward, or industry, facing."

The FCC's FY 2015 budget asks for $700,000 for a big data cybersecurity analytics program.  In the budget the Commission states that "Big Data Cybersecurity Analytics will be a disruptive technology in the 
Cybersecurity arena, as traditional analysis and forensics techniques will be superseded by 
automation conveniences that reduce the burden of work on the analyst." The $700,000 is aimed at helping the FCC conduct root cause analysis, such as reverse engineering of malware on computer networks.

The FY 2015 budget also asks for $575,000 for the metrics program referenced in the letter.  The budget states that "FCC has initiated planning efforts to collect and analyze monthly metrics related to the cybersecurity threats addressed using data obtained from commercial sources," with the metrics to be provided to the Commission's newly formed Cybersecurity and Communications Reliability Division for analysis and baseline tracking.

Once that's done, the metrics program will be used to create a "Cybersecurity Dashboard" to "help the FCC track the ongoing progress of cybersecurity initiatives."

The appearance of the letter from Rogers and Pompeo indicates some level of concern among certain affected communications providers over Wheeler's new paradigm.  Following last week's speech by Wheeler, some telco industry representatives expressed unhappiness over some statements in the speech, presumably those that indicated the FCC would need to see "demonstrably effective" results and metrics under the new paradigm, perceived to be code for quasi-official monitoring and a possible precursor to regulatory action.

However, cable companies seemed warmer to the idea of the new cybersecurity paradigm.  Comcast issued a statement supporting Wheeler's new approach.  "Comcast will continue working with the Chairman, his fellow Commissioners, and the dedicated staff at the FCC to help achieve these important goals," Myrna Soto, senior VP and chief information and infrastructure security officer, for Comcast Cable, said.

FCC Chairman Unveils New Paradigm for Cybersecurity; Must Be "Demonstrably Effective"


(Washington, DC)  The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today unveiled a new program for communications cybersecurity that relies on industry-driven initiatives for "proactive, accountable cyber risk management for the communications sector" in lieu of a "prescriptive, regulatory approach."  Nonetheless, the "new paradigm," as he called it, needs to be more "demonstrably effective than blindly trusting the market" to provide adequate cybersecurity risk management.

The goal is to spur greater cybersecurity activity by communications companies while stopping short of implementing official FCC rules or policies. Many communications companies have feared regulatory action by the FCC as a means of mandating the voluntary cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February or in the wake of a high-profile cyber incident 

Speaking at an event hosted here by the American Enterprise Institute, Wheeler laid out some central pillars of the approach. The first pillar is for the FCC and communications companies to promote greater "privacy-protective" information sharing of cyber threats and attacks, along the lines of the best-in-class information sharing that the financial sector has demonstrated in its ISAC (Information Sharing and Analysis Center). The communications sector already has its own ISAC in the National Coordinating Center for Telecommunications (NCC) under the Department of Homeland Security.

The second pillar is for the FCC to measure best cybersecurity practices already developed under the Commission's auspices and to tailor risk management processes to NIST's framework. The FCC's industry-led Communications Security, Reliability and Interoperability Council (CSRIC) has already formed a working group for this task, "working group 4," which met last week to begin tailoring the NIST framework. CISRIC will host its fourth meeting on June 18, while the working group 4 is expected to meet again in late-July.

Wheeler has asked the Commission’s Technological Advisory Council (TAC) to explore specific opportunities where R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry, an effort that forms the third pillar.

It's crucial that communications companies conduct some internal reviews of their cyber risk exposure, assess how they are managing their risks and develop better metrics, Wheeler said. "Companies must have the capacity to assure themselves, their shareholders and boards – and their nation – of the sufficiency of their own cyber risk management practices."

Some companies could take time adjusting to the "demonstrably effective" aspect of the new paradigm, Wheeler noted, because it "will require a level of transparency that may make take some time to get used to, but the bottom line is that this new paradigm can’t be happy talk about good ideas – it has to work in the real world. We need market accountability on cybersecurity that doesn’t exist today, so that appropriately predictive and proactive investment is made to improve cyber readiness."

Another potential issue is the level of commitment to the FCC's program, one key communications company representative said.  "There needs to be true commitment to this new paradigm.  When we actively hit bumps in the road, there has to be commitment," he said, adding that the commitment has to be on the part of not only the communications companies, but also the FCC itself.  "Providing there is a true will to make it work, it will work."

Communications companies aren't completely out of the regulatory woods yet. "We are not Pollyannas" Wheeler said. "We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken."

NIST Framework Could Become a Useful Tool for Regulators (and Litigators), Cyber Lawyers Say


(Washington, DC)  The voluntary comprehensive cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February is already proving helpful to companies and could become a tool used by regulators. But it could also become a de facto requirement for organizations once it starts being cited by plaintiffs attorneys, a group of top cybersecurity law specialists said yesterday.

Speaking at a cybersecurity event hosted here by Bloomberg Government, Stewart Baker of Steptoe & Johnson said that the NIST framework could come into play with the impending wave of lawsuits surrounding cyber breaches.  "It’s a no-brainer for plaintiffs lawyers to say 'what do you mean you didn't even follow the government’s cybersecurity framework?'"

As expected (and feared by some industries) regulators could more heavily rely on the framework as a benchmark for good cybersecurity practices. "The other place we’re going to see the NIST framework used is as regulators [u]se the framework as a way of asking questions about what kind of security you have," Baker said, adding that it could become a kind of test as regulators implement various policies and rules.

"The thought of the SEC [Securities and Exchange Commission] becoming a regulator [in cybersecurity] is quite chilling," Donald Fagan of Covington & Burling said. It's probably more accurate to label it as a "precursor to a test," he said. "The framework can be used to determine whether we are acting reasonably," Ben Powell of WilmerHale said.

Right now few signals are coming out of government agencies that the NIST framework might morph from voluntary to mandatory. "The White House announced that they're happy with where the voluntary process is going…which surprised us a little bit," Jeff Greene, Senior Policy Counsel for Symantec said. "The framework at least for the foreseeable future will stay pretty much as voluntary as it can."

Symantec has already adopted the framework, albeit in a tailored fashion, Greene said. "We're actually using the NIST framework. We have found it useful internally."

Small businesses, though, have a difficult time adapting to the framework, according to Greene. "At the small business end [t]hey don’t have the in-house IT staff.  We have found that we have to talk to them in a one-pager document. We’re trying to distill it down in a way that we can talk to them about it."

Top Experts: C-Suite Execs Have 'Caught Religion' in Wake of Target Breach


(Washington, DC)  Given the high-profile ouster of Target's CEO in the wake of the retailer's massive data breach, cybersecurity has been--and should be--elevated to executive suites across corporate America, a string of top security experts said yesterday. Speaking at a day-long cybersecurity conference hosted by Bloomberg Government here, current and former top government and industry cyber specialists issued a wake-up call to business and critical infrastructure leaders that cybersecurity can no longer be relegated to the purely technical realm.

"Cybersecurity is foundational," Admiral Mike Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency said. "You must own this problem. This is just not your IT and computer people. You have to own this problem as a leader."

"This is becoming a CEO issue," Lou Von Thaer, President of the National Security Sector of Leidos, said. "We are being asked by directors all the time to be briefed," Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike said. "I hear all the time from the board members…they actually think the IT people are purposively speaking in gibberish so they cannot be subjected to oversight."

Although litigation and liabilities are the primary outcome of Target-like breaches, the challenge of handling a huge, complex crisis might be the bigger reason that executives are suddenly paying attention. "In some respects the greatest liability risk is not a legal one but a crisis management one," Donald Fagan of Covington and Burling said. "It is the Target issue…that has caught the attention of many businesses out there. They’ve caught religion"

Target may be the poster child for the massive damage that can ensue from a cybersecurity breach, but the company did most things right when it came to cybersecurity. Target would have received a high grade in terms of how well it followed the cybersecurity framework issued by the National Institute of Standards and Technology earlier this year, Stewart Baker of Steptoe & Johnson said.  "They just didn't respond to the overwhelming number of alerts they got."

"People have to understand how good a company Target is when it comes to cybersecurity," Michael Leiter, Senior Counselor to the CEO of Palantir Technologies said. "That means there really is no company that doesn't face this as a business risk."

Rep. Mike Rogers: Chinese Indictments Are 'Glitz and Glamour' But Legislation More Important


(Washington, DC)  House Intelligence Committee Chairman Mike Rogers (R-MI) said yesterday that the Justice Department's high-profile indictment of Chinese military officials for cyber theft of U.S. business secrets is "great for glitz and glamour" but it's more important that Congress act on cyber legislation by August if the government wants to ensure true cybersecurity. Speaking at an event hosted by the George Washington University Cybersecurity Initiative, Rogers said "I agree with the indictments and I agree with certain visa restrictions [b]ut it can't be done in isolation."

The Obama administration's largely symbolic move is "great for glitz and glamour but nothing followed," Rogers said. "It's the right idea but the wrong execution.  If only we could get the second piece of this, which allows the private sector to defend itself," Rogers said, referring to the Cyber Intelligence Sharing and Protection Act, which would facilitate the sharing of cybersecurity information between the private sector and the government.

Although the House has passed the bill, it's stalled in the Senate, a situation that Rogers thinks is improving and believes has to be resolved by August or else prospects for near-term cybersecurity legislation will die. "I think we've made tremendous progress in the last few months. I hate to say it but if we don't get something moving in August, it will get lost in the haze."

Rogers is cautiously optimistic that a bill could move in the next thirty days, with the contentious issues narrowed down to a "few short issues," particularly the question of how a portal for sharing information with the government gets structured. "We've narrowed down the issues on the portal," Rogers said.

Speaking at the same event, Toomas Hendrik Ilves, President of Estonia, a country widely considered to be home to the first true cyber warfare attack, said that new intellectual concepts are needed to successfully battle cyber threats given the radically novel dangers posed by the modern connected era. "We have major intellectual tasks ahead of us," he said. We are facing the modern equivalent of Thomas Hobbes' "war of all against all"  and "we need our Jeffersons, our Voltaires in this area."

Estonia is at the forefront of protecting individual online identities as a key strategy for ensuring security, with everyone using two-factor public key infrastructure using RSA 2048 encryption. "We have come to the conclusion that you cannot have any genuine security without a secure online identity," Hendrik said.  "That is the dilemma of all Internet relations.  You don't know who's who."

Twitter Delicious Facebook Digg Stumbleupon Favorites More