DigitalCrazyTown Stopped Publishing Years Ago - Please Visit or

Years ago, when I was gearing up to change careers, I launched DigitalCrazyTown as a place to keep my expertise and skills visible while I was exploring what to do. People I know in the communications and tech sector loved the name Digital Crazy Town, and in particular loved my email address, which ended (and still does) in So my email address is the one I've been using for years and the one most people use.

Since this blog was active, however, I launched a news destination for the cybersecurity industry,, and a new company, DCT Associates. I also write for CSO Online and other publications and do paid-speaking and consulting engagements.

So, if you happen to get an email from my email address, just know that even though the publication is now defunct,

Broadcasting as a Cyber Threat Vector: Ten Steps Broadcasters Need to Take Now

Cyber threats to financial institutions, electric utilities, broadband providers, government agencies, Hollywood studios and even emerging Web-connected household appliances get a lot of ink. But one major potential threat vector, television and radio broadcasting, doesn't conjure up the kind of concerns that these other avenues of cyber intrusion do.

That's changing, though, in the wake of a major cyber attack that took place last April when French broadcaster TV5Monde was hijacked, with eleven of its channels going dark and its social media outlets commandeered to display pro-ISIS messages. Although a group called the CyberCaliphate claimed credit for the damaging breach, the French government has lately cast some blame on Russian hackers who, the government suggests, were using the CyberCaliphate as a false flag.

Whatever the case may be, the TV5Monde attack was a wake-up call to the broadcasting sector that it too is vulnerable to the kinds of disruptive cyber intrusions and attacks that affect other critical aspects of society. That's why top broadcasting publication TVNewsCheck and I have joined hands to offer the first-of-its-kind webinar, "Cybersecurity for Broadcasters: Ten Steps You Need to Take Right Now," aimed at helping broadcasters come up to speed on how to protect their assets from unwanted and potentially damaging cyber intrusions and how to become more resilient in the face of what will undoubtedly be more cyber attacks in the future.

Slated for July 22 from 2 pm to 3:30, the webinar features a top line-up of experts (with more to come) including:
  • Rear Admiral (ret) David Simpson, Bureau Chief, FCC Public Safety and Homeland Security
  • Kelly Williams, Engineering & Technology Policy, Senior Director, National Association of Broadcasters
  • Ed Czarnecki, Strategy & Global Government Affairs, Senior Director, Monroe Electronics

For more background on the array of cybersecurity concerns that broadcasters face, check out the piece I wrote for TVNewsCheck that I hope lays it all out fairly well, and stay tuned for more information as we update the speaker line-up. If you have any thoughts or questions, drop me an email. (As a personal aside, it's been nice to bring my two areas of professional experience, communications media and cybersecurity, together in an interesting project, something I hope to continue to explore.)

And don't forget to check out, a continuously updated source of cybersecurity intelligence and news aimed at solving the info-overload that increasingly bedevils most infosec professionals.

Top Cybersecurity Writers, By the Numbers

Last week I posted an analysis of how often various publications appeared during the first six weeks or so of active tracking on Metacurity, our new continuously updated resource on cybersecurity news and information. (For more on Metacurity and how we're selecting which articles and blog posts make the cut, see this post).

Now we turn to the journalists, bloggers, pundits and others who actually write the posts. As the table below shows, 128 writers appeared more than once in approximately 1,220 posts from March 29 through mid-day on May 6 (links are to the writers' Twitter profiles, where they could be found).

Topping the list is Darren Pauli from The Register, not a surprise given that The Register also topped our list of publications, focused as it is on the nitty-gritty of IT technology. In fact, the vast majority of writers who top the list below are focused almost exclusively on matters related to information security -- again no surprise.

A word of caution though:  quantity does not necessarily equal quality. Many of the top writers working in the field appear lower down on the list presumably because they are not pressured to fill the hole each day and are given some latitude to spend time on bigger pieces or on related beats, such as privacy and national security.

In addition, some excellent writers are working for publications that put content behind paywalls and are not reflected here (Politico is the exception because some Politico pieces are available without paid subscriptions).

I was surprised at the amount of feedback I received on the first post detailing the publications by the numbers and welcome again feedback on this list.  As Metacurity evolves we will be adding additional publications, bloggers and sources and new features that make the site a more dynamic resource for cybersecurity news and information. Give us your feedback on the sources we rely upon and what additional information we should be incorporating into our system.

Metacurity Posts by Writer, 3/29/2015 to 5/6/2015
Writer | # Posts | Primary Publication
Darren Pauli | 32 | The Register
Waqas | 31 | Hack Read
Eduard Kovacs | 27 | Security Week
John Leyden | 24 | The Register
Maria Korolov | 21 | CSO Online
Dan Goodin | 20 | Ars Technica
Michael Mimoso | 19 | Threat Post
AFP | 17 | Security Week
Brian Prince | 17 | Security Week
Mike Lennon | 16 | Security Week
Zack Whittaker | 16 | ZDNet
Lorenzo Franceschi-Bicchierai | 15 | Motherboard
Adam Greenberg | 15 | SC Magazine
Brian Krebs | 15 | Krebs on Security
Ashley Carman | 12 | SC Magazine
Lucian Constantin | 12 | CSO Online
Dennis Fisher | 12 | Threat Post
Aliya Sternstein | 12 | NextGov
Thomas Fox-Brewster | 11 | Forbes
Andy Greenberg | 11 | Wired
Kelly Jackson Higgins | 11 | Dark Reading
Charlie Osborne | 11 | ZDNet
Sara Peters | 11 | Dark Reading
Cory Bennett | 10 | The Hill
Graham Cluley | 10 | Graham Cluley
Richard Chirgwin | 9 | The Register
Jeremy Kirk | 9 | CSO Online
Steven Ragan | 9 | CSO Online
Iain Thomson | 9 | The Register
Danielle Walker | 9 | SC Magazine
Kim Zetter | 9 | Wired
Dustin Volz | 8 | National Journal via Next Gov
Robert Abel | 7 | SC Magazine
Kyle Ellison | 7 | We Live Security
Julian Hattem | 7 | The Hill
Alexander Martin | 7 | The Register
Stewart Baker | 6 | Lawfare
Cyrus Farivar | 6 | Ars Technica
Grant Gross | 6 | Computer World
Shaun Nichols | 6 | The Register
Mohana Ravindranath | 6 | Next Gov
Bruce Schneier | 6 | Lawfare
Sara Sorcher | 6 | Passcode
Leon Spencer | 6 | ZDNet
Taylor Armerding | 5 | CSO Online
Chris Brook | 5 | Threat Post
Joseph Cox | 5 | Motherboard
Brian Donohue | 5 | Threat Post
Sean Gallagher | 5 | Ars Technica
Frank Konkel | 5 | NextGov
Dave Lewis | 5 | Forbes
Mario Trujillo | 5 | The Hill
Dan Froomkin | 4 | The Intercept
Hallie Golden | 4 | NextGov
Robert Graham | 4 | Errata Security
Swati Khandelwal | 4 | The Hacker News
Rachel King | 4 | ZDNet
Glyn Moody | 4 | Ars Technica
Jordan Pearson | 4 | Motherboard
Nicole Perlroth | 4 | New York Times
Elise Viebeck | 4 | The Hill
Wang Wei | 4 | Hacker News
Paul Farrell | 3 | The Guardian
Samuel Gibbs | 3 | The Guardian
Roger Grimes | 3 | Info World
Shane Harris | 3 | The Daily Beast
Michael Heller | 3 | TechTarget
Ben Kepes | 3 | Forbes
Jason Koebler | 3 | Motherboard
David Kravets | 3 | Ars Technica
Mohit Kumar | 3 | The Hacker News
Tony Morbin | 3 | SC Magazine
Paolo Passeri | 3 | Hackmageddon
Steve Ranger | 3 | ZDNet
Teri Robinson | 3 | SC Magazine
Jack Schofield | 3 | ZDNet
Evan Selinger | 3 | Passcode
Darlene Storm | 3 | Computer World
Lee Suster | 3 | SC Magazine
Kevin Tofel | 3 | ZDNet
Joe Uchill | 3 | Passcode
David Auerbach | 2 | Slate
Violet Blue | 2 | ZDNet
Tony Bradley | 2 | CSO Online
Steve Cobb | 2 | We Live Security
Kenneth Corbin | 2 | CSO Online
Chris Duckett | 2 | ZDNet
Kristen Eichensehr | 2 | Just Security
Lee Fang | 2 | The Intercept
Kelly Fiveash | 2 | The Register
John Fontana | 2 | ZDNet
Natalie Gagliordi | 2 | ZDNet
Megan Geuss | 2 | Ars Technica
Alexandra Gheorghe | 2 | Hot for Security
Stephen Glasskeys | 2 | Computer World
Jack Goldsmith | 2 | Lawfare
Matthew Goldstein | 2 | New York Times
Tim Greene | 2 | Computer World
Wendy Grossman | 2 | ZDNet
Robert Hackett | 2 | Fortune
Kat Hall | 2 | The Register
David Harley | 2 | WeLiveSecurity
Alex Hern | 2 | The Guardian
Michael Horowitz | 2 | ComputerWorld
Patrick Howell O'Neill | 2 | Daily Dot
Gregg Keizer | 2 | Computer World
Herb Lin | 2 | Lawfare
Rafal Los | 2 | Security Week
Alan Martin | 2 | We Live Security
Tony Martin-Vegue | 2 | CSO Online
Joseph Menn | 2 | Reuters
Jack Moore | 2 | Next Gov
Joe Mullin | 2 | Ars Technica
Ellen Nakashima | 2 | Washington Post
David Perera | 2 | Politico
Jason Polancich | 2 | Security Week
Fahmida Rashid | 2 | Security Week
Paul Roberts | 2 | Passcode
Paul Rosenzweig | 2 | Lawfare
Simon Sharwood | 2 | The Register
Marc Solomon | 2 | Security Week
Patrick Tucker | 2 | Defense One
Camille Tuutti | 2 | NextGov
Bob Violino | 2 | CSO Online
Martyn Williams | 2 | Computer World
Eileen Yu | 2 | ZDNet

Top Cybersecurity News and Information Sources, By The Numbers - UPDATE

(Update:  Astute reader and topic maps (semantic integration) maven Patrick Durusau pointed out to me that I had the New York Times listed twice in an earlier version of this list, once as The New York Times and once as simply New York Times. The new list corrects this glitch.  Not only that but he also pointed out that National Journal and NextGov are different publications, which they indeed are.  But because NextGov publishes so many National Journal pieces, I'm not 100% certain from the data alone which came from which, so I merged the two.  He also kindly went out of his way to put hyperlinks to the relevant publications in my table!)

Starting on March 29, I began to systematically sift through voluminous news articles, blog posts and other sources to pick the most relevant, timely and knowledgeable items on cybersecurity matters to post on (See previous post for an introduction to Metacurity and an explanation of the criteria used for selection.) From that date through mid-day on May 6, Metacurity featured 1,220 posts from across well over 100 different publications, mostly traditional consumer interest and trade publications, as well as specialized blogs.

To improve the selection and publication process, we’re currently analyzing the data to develop better filters and formulas. One slice of interesting information is the frequency with which various publications appear across the still-nascent data set; obviously, over time the data will change as the database gets bigger, more sources are added and newsworthy developments shift.

Articles Posted in Metacurity, 3/29/2015 to 5/6/2015
Source | # Posts | % Total
The Register | 100 | 8.2%
SC Magazine | 59 | 4.8%
Ars Technica | 48 | 3.9%
NextGov and National Journal | 41 | 3.4%
Hack Read | 32 | 2.6%
The Hill | 32 | 2.6%
The Guardian | 19 | 1.6%
New York Times | 17 | 1.4%
Krebs on Security | 15 | 1.2%
The Hackers News | 11 | 0.9%
Hot for Security | 10 | 0.8%
Lawfare Blog | 10 | 0.8%
The Intercept | 9 | 0.7%
Wall Street Journal | 9 | 0.7%
IT World | 7 | 0.6%
Just Security | 5 | 0.4%
Schneier on Security | 5 | 0.4%
BBC News | 4 | 0.3%
Errata Security | 4 | 0.3%
Network World | 4 | 0.3%
The Daily Beast | 4 | 0.3%
The Diplomat | 4 | 0.3%
Washington Post | 4 | 0.3%
Business Insider | 3 | 0.2%
Google Security** | 3 | 0.2%
International Business Times | 3 | 0.2%
USA Today | 3 | 0.2%
Financial Times | 2 | 0.2%
Freedom to Tinker | 2 | 0.2%
Harvard Business Review | 2 | 0.2%
Info World | 2 | 0.2%
MIT Technology Review | 2 | 0.2%
The Security Ledger | 2 | 0.2%
Associated Press | 2 | 0.2%
*Technically a corporate blog by Kaspersky but features many newsworthy, journalistic-type posts.
**Technically a corporate blog by Google but important because of the nature of the posts.
***Recent resource added.

Of the sources published, 57 or 58 publications (I merged National Journal and NextGov) received two or more posts, excluding posts from vendor blogs. Of these 57 or 58 sources, The Register grabbed more of the screen time than any other publication, no surprise given its focus on the nitty-gritty reality of IT technology. Likewise, all but one of the other top ten resources have as their main focus information security, IT technology or other specialized subjects where cybersecurity is a main concern.

The appearance of inside-politics publications such as the National Journal (which cross-publishes with NextGov) and The Hill is likewise no surprise given the ascendancy of cybersecurity in Washington and the pendency of cybersecurity legislation. A good deal of excellent coverage of Washington-related cybersecurity matters appears in paid-access-only publications such as Politico, which launched last year its own cybersecurity publication and makes some articles available outside its paywall. Paid-access publications don’t appear on Metacurity because, well, that would be too frustrating for casual visitors.  This may change over time.

For now, this list is interesting but definitely subject to change as time moves on, as more publications beef up their cybersecurity beats and as we refine our methods for pinpointing the best sources and items of information.

Stay tuned and please talk to us. Tell us what resources we're missing that you rely on and what additional types of information you'd like to see in the mix.

Introducing Metacurity – An Answer to Cybersecurity Information Overload

It’s been a long time since I blogged here – about a half a year actually.  In that time I’ve been working on various projects that pushed blogging to the back seat.  One of those projects was to redesign this blog into a more professional look and integrate the blog into a redesigned corporate website, with a common look-and-feel.

Along the way, I decided to incorporate into the new integrated sites a “news feed” that addresses a problem plaguing the digital and network security sector:  information overload. Fairly soon, that redesign project took a back seat to figuring out how to sift through the escalating number of news stories, journal articles and other sources of cybersecurity information and present it in a way that is the most helpful to overworked cybersecurity practitioners and other professionals interested in the subject.

For at least the past five months I’ve increasingly focused on that challenge to the point that it’s almost become a more than full-time job. The result of that work is a stand-alone website, Metacurity. Relying on over fifty (and growing) standard sources of cybersecurity news, plus dozens of other sources, Metacurity is an evolving site that presents sifted, breaking and other news in a clean, easy-to-scan format.

I’ve worked out a system for selecting the most timely, useful and relevant articles, blog posts, and other sources and publishing them in summary form, with links directly back to the sources themselves. Although still wholly subjective and imperfect, I use a rough set of criteria for what gets published. These criteria generally are:
  1. Timeliness: Although articles that break news aren’t necessarily always the most informative or best, being first does matter, if for no other reason than it shapes the conversation.
  2. Level of Skill: Well-written articles and posts that do justice to the subject catch more attention. Articles that are nothing more than a couple of paragraphs, gloss over or fail to point out important distinctions or are extremely late to the game don’t appear that frequently.
  3. Originality: A related criterion is originality. Items that are typically rewrites of press releases or rewrites of major news stories with very little additional reporting or analysis are low on the priority list.
  4. Pure-Play: The topic of cybersecurity overlaps with so many other topics – privacy, cloud computing, national security, criminal justice, diplomacy and other major concerns. It’s difficult to parse out articles, reports, blog posts and studies that are solely focused on how to maintain secure reliable networks. But, those articles that do deal mostly or exclusively with cybersecurity get higher priority.
  5. Impact:  Some “scoops” have major impact on discussions surrounding cybersecurity. Some headline-breaking articles in the cybersecurity arena do not necessarily hold up under further analysis but nonetheless create a stir. Although rare, these kinds of reports are higher on the priority list.

In the middle of the site, or further down the screen on mobile devices, appear blog posts produced by cybersecurity vendors labeled as “Corporate Posts.” These items are useful and often news-making posts produced by the dozens of vendors in the IT and information security arena. (Although the Corporate Posts are selected based on editorial judgment, we are offering vendors the opportunity to spotlight their posts at the top of this section via sponsorships. We are also offering companies the ability to promote their employment opportunities and conference organizers to promote their events via highlighted entries in our events section.)

Metacurity also features a table that encapsulates cybersecurity events around the globe and a handy box for employers to promote their cybersecurity openings to the tiny pool of available and qualified cybersecurity professionals.

Ultimately Metacurity will become much more efficient at picking out what’s important based on data analysis.  As Metacurity evolves, we’ll add more and different types of information. I want feedback on how to make the site better and more informative. Please contact us and share your thoughts.  Happy reading!

And yeah…I’m finally getting around to the redesign of this blog.  Stay tuned.

Four Key Take-Aways from the Sixth NIST Cybersecurity Framework Workshop

Last week, the National Institute of Standards and Technology (NIST) held its sixth workshop in Tampa, FL on the landmark critical infrastructure cybersecurity framework mandated by President Obama in February 2013 and issued by NIST in February 2014. As was true of the five previous workshops NIST held prior to the framework's release, hundreds of cybersecurity specialists gathered for two days to listen to government and industry experts and to hash out the framework's details across multiple, specialized working sessions.

While the event covered a lot of ground, tackling a range of technical and detailed topics from relatively specialized matters such as authentication issues in industrial control security to broader overviews of how various sectors are dealing with the framework, a few themes emerged from the sessions and conversations with the attendees. Here are the top four take-aways from the latest workshop:

1. Everyone Likes the Framework: Almost everyone said the framework is a good thing, although, as noted below, there are some issues that specialists still have with the framework's ongoing development. Not surprisingly, representatives from industry, UK and EU governments invited to speak on the plenary session panels offered almost uniformly positive views of the framework. "We began using the framework essentially the day it came out," Tim Casey, a senior information risk analyst at Intel said. "It gave us purpose and direction that we didn't have previously," Jefferson England, an executive at small telco Silverstar Communications, said.

Conversations with attendees yielded more of the same. "This is a good force multiplier. It's a common unified framework for managing security risks," Robert Brown, Manager of Assurance at PWC, said. "People have seemed to really embrace it," according to Phil Agcaoili, VP and Chief CISO at Evalon. "There are all sorts of ways this could have gone wrong and it didn't," Chris Blask, Chair at Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), said.

Much of the good vibes flowed from the sense of collegial community that has cropped up over the course of the multiple workshops among the many hundreds of cybersecurity specialists. (Frequent jokes were made about the T-shirts given to people who had attended every workshop). The framework process has really "put trust across the sectors," Jack Whitsitt, Senior Analyst of cybersecurity consortium EnergySec, said, highlighting the fact that cyber specialists in different industries now share information outside their sectors because of the relationships forged during the NIST framework process.

2. The Framework's Primary Value To Date Seems to Be as a Communications Tool:  The jury's out in terms of whether the framework has actually achieved its intended goal of reducing cybersecurity risks, but it's clear that the subject matter experts who were at the workshop think it's a good device for trying to communicate the arcane subject of cybersecurity to managers, regulators, vendors, partners and other audiences. "One of the largest benefits of the framework is that it provided a framework of discussion, as much as anything else," Silverstar's England said.

"We're using it as an engagement tool for our regulators," Karl Schimmeck of the Securities Industry and Financial Markets Association, said. "We're hoping that it becomes the common language when you're talking to suppliers, vendors, joint ventures," a senior oil and gas industry representative said. "I'm using it to inform my board and executives," Evalon's Agcaoili said.

3. Otherwise the Framework Is Still Kind of Difficult to Use:  Despite being built on the notion of simplicity, the NIST framework is a 41-page document that features core sets of activities, multiple tiers and intricate mapping to hundreds of detailed cybersecurity standards developed by a welter of standards-setting bodies. Most of the practitioners in attendance at the workshop said that the framework, despite its communication value, can at times be quite a challenge to use. "These frameworks are alphabet soup," PWC's Brown said.

"The mapping process is nuts," Dorian Cougia, Compliance Scientist at Unified Compliance said. Part of the problem is that the intricate standards that are mapped to the framework can run dozens and even hundreds of pages long and it's not always clear which parts of the standards apply to what. "There were times when we did not exactly understand what the framework meant," one top energy cybersecurity specialist said.

"The content of the framework really doesn't matter," EnergySec's Whitsitt said. "Organizations that don’t know how to do security already will have a hard time with it."

The difficulty in using the framework can be greater for smaller and mid-sized organizations that don't have cybersecurity experts on staff, a topic much discussed during the framework's development. "The big guys do this already," one communications industry representative said. "They wouldn't be in business if they weren't protecting their networks for financial reasons." The smaller guys, however, are struggling to come up to speed with what the framework demands, she noted, because they may have at most only one IT person on staff assigned to implement security measures.

The right way to view the challenge of using the framework isn't big versus small, according to Adam Sedgewick, who spearheads the project for NIST, clarifying that it's more about how serious the company is about cybersecurity, regardless of size. "I think it's a mistake to think that small and medium companies do not have good cybersecurity practice as a rule.  I think it's more appropriate to say companies that do not have robust cybersecurity programs" face greater challenges.

4. There Won't Be a Framework 2.0 Any Time Soon:  Two mantras emerged from the government and NIST speakers at the workshop.  The first is that "it's still early days" for the framework and too soon to gauge its effectiveness.  The second, related concept is that no basic changes to the framework are in the offing anytime soon.

"We want to make sure that people understand we don't expect changes to the framework in the future," Ari Schwartz of the National Security Council said. "We are in no rush to make changes without knowing or understanding what effect those changes might have," Matt Scholl, Deputy Division Chief at NIST said.

Cybersecurity is already shaped by endless organizations, government agencies, schemas, frameworks and evolving standards, NIST's Sedgewick said. "We have to be careful when we think about the next phase of this effort to reduce that complexity and not increase it."

That view was embraced by most of the workshop attendees. However, some of the industry specialists who are implementing the framework think changes are needed sooner rather than later. "It is useful but it still needs more work," one big electric utility representative said. "If something is missing, they don't know something is missing.  They should not wait too long to update the core."

Cybersecurity Should Scale Faster than the Information Revolution, DARPA Head Says

Mary Jordan, Arati Prabhakar

(Washington, DC) In the face of cybersecurity threats that seem to breed like bacteria, a conceptual fix is to speed up cybersecurity development to outpace the rapid-fire evolution in technology, the head of the Defense Advanced Research Projects Agency (DARPA) said today. Speaking at a cybersecurity summit hosted by the Washington Post, Arati Prabhakar, Director of DARPA, said "we are trying to wrangle this problem while the information revolution is exploding. The moonshot for cybersecurity in my view is to find techniques that scale faster than this revolution."

One key problem is that the Internet was developed, under DARPA's auspices, at a time when the current kinds of security threats were unimaginable. If DARPA had a clean slate to rebuild the Internet to make it more secure, one concept would be to apply a biological model to network security, she said. "Under the hood there is a lot of diversity among individuals [s]o one attack cannot wipe out the human race," Prabhakar said, drawing parallels between the efforts DARPA spearheads to help the public health community outpace infectious diseases and its simultaneous efforts to develop automated cyberdefense systems.

The scariest cybersecurity threat is a potential take-down of the power grid. But that's an unlikely prospect for the typical IT hacker, Andy Bochman, Senior Cyber and Energy Security Strategist at Idaho National Laboratory, said. "The communication protocols and the types of processors and the amount of memory is often wholly different" for the energy sector's industrial control systems. "For the standard hacker, it would be a strange place."

Still, to the extent that power companies are putting into place new technology, there is a "tremendous opportunity" to minimize risk. "The more that electric utilities and stakeholders include security requirements into their RFPs, [t]hat gives signals to the manufacturers that what wasn't important before is suddenly something they should pay attention to," Bochman said.

It's unlikely that Congress will step in with its own solution during the upcoming lame duck session, Rep. Mike Rogers (R-MI), retiring Chairman of the House Intelligence Committee, indicated. "We have a very small window to get this done [pass a cybersecurity bill]," he said. "The political challenges in the Senate make the odds pretty high," with Rogers blaming the failure to pass a bill on "political tantrums."

Only 15% of networks are owned by the U.S. government and thus benefit from the cybersecurity protection of the military and various federal agencies. "By doing nothing in Congress, we are telling these 85% of private networks 'you are on your own,'" mainly due to the difficulties in sharing information between public and private groups, a knowledge gap that most cybersecurity bills aimed to minimize.

Meanwhile, the federal government is doing what it can to help raise the level of cybersecurity practices around the globe. Federal agencies are increasingly coming together to work with other nations in securing the necessary infrastructure against the "less deterrable" threat actors, such as Iran and Korea as well as terrorist organizations. "The good thing is that more and more countries are taking this seriously," Christopher Painter, Coordinator, Cyber Issues at the State Department, said.

Around 60 countries are looking to build cyber command operations, Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security for the Defense Department, said. The U.S. government is helping some of those countries, particularly in Europe and Asia, build that capacity. "There are a small group of countries that we are advising. [W]e only do it with our very closest partners, mostly because we want to make sure it's being done right."
