Recent Posts

Some Violent Entertainment Causes No Harm. Guns on the Other Hand...

In the wake of the NRA's bizarre press conference today, the news media will no doubt look into the gun group's accusations that entertainment media, with its propensity to violence, causes gun violence, if for no other reason than to debunk the NRA's bitter-toned deflection of blame.  So I'm hesitant to even address the issue lest I give credence to that misdirection.

But there can be no question that the causal link between entertainment violence (whether in the form of video games or TV programming or even web content) and gun violence (or any other violent act for that matter) is complex and subtle, while the existence of guns and gun violence are 100% causally linked. It is a tautological truism that guns cause gun violence.  And often lost in the debate over entertainment violence is research that clearly concludes that some kinds of entertainment violence are not harmful.

According to the bona fide top researchers in the field of video violence and its effects on viewers, particularly children,  the context or way in which violence is depicted dictates whether the violence might lead to pro-social benefits or anti-social risks.  In short, when it comes to entertainment violence, the kinds of messages portrayed by the violence determine its impact.

For example, "violence that is undeserved or purely malicious decreases the risk of imitation or learning of aggression" while "portrayals of punished violence can  decrease the chances that viewers will learn aggression."  Perhaps most importantly in documenting the non-harmful effects of entertainment violence, studies indicate that "showing the serious harm and pain  that occurs from violence can discourage viewers from imitating or learning aggression."

Still, no one in the academic community seriously doubts that there is too much violence in entertainment or that depicted violence can cause fear and aggression.  Many of those same researchers cited above spearheaded the largest television violence study conducted to date, which examined over 10,000 hours of television over a three-year period involving 300 people across four universities. (Full disclosure:  I was involved in the launch and first year of this study on behalf of the cable industry).

Although the goal of that study was not to assess the impact of video entertainment violence, but rather to look at the frequency and types of violence shown, among other goals, it nonetheless started with the foundation that television violence contributes to harmful effects on viewers.  So there's no question that society should continue to monitor and even limit the violent messages we embrace.

It's murky territory when it comes to tying violent entertainment to violent behavior.  It's not at all murky that the sole purpose of guns is to cause violence or at least the threat of violent, bodily harm.  The two things, violent entertainment and the existence of so many guns, should not therefore be conflated.

Are You a Key Energy or Telecom Cybersecurity Professional? Let Us Know

DCT Associates will soon publish its first public product, an Energy and Telecom Cybersecurity databook, which we hope will serve as a useful reference tool for technical, operational and policy professionals working in the energy and telecom cybersecurity arenas.  It's a big task, but our goal is to help everyone navigate the complex cybersecurity arena by focusing first on the two most important critical infrastructure sectors, energy and telecom.

The book will feature concise snapshots of the technical, policy and organizational challenges and opportunities in the hideously complex cybersecurity world.  We'll start off providing an overview of who does what, where and why, (which may be a fool's errand when it comes to the arcane and complex world of cybersecurity, but that makes the work all the more fun).

As part of the project we've developed a directory of nearly 400 individuals that we've loosely categorized as key technical, legal, policy, government and operational experts on cybersecurity in the energy and telecom realms - but we don't want to overlook anyone.    We're including all kinds of organizations in our list, including technology supply, academic, trade, government, consulting and industry organizations, along with key contacts at energy and telecom companies.  If you believe you or a colleague should be featured as a key contact, please fill out a form we've set up to collect the relevant pieces of information we seek.

Although we encourage as many suggestions as possible, we're not making any commitments to including all submissions in the directory; we reserve editorial judgment to make the list as useful and targeted as possible.  Drop me an email at if you have any questions or comments.

Image Courtesy of Photoxpress.

Mike Rogers: We've Still Got Two Weeks to Pass a Cybersecurity Bill

In the probable wishful thinking category, Rep. Mike Rogers (R-MI), Chairman of the House Permanent Select Committee on Intelligence, said today that despite the political high drama surrounding the so-called fiscal cliff and defense sequestration issues crippling the Congress, there is still time to pass a critical infrastructure cybersecurity bill before Congress recesses later this month.  "I haven’t given up yet – we still have a couple of weeks," he said during an event hosted by the George Washington University Cybersecurity Initiative.

However, most of the high-powered panelists believe that with or without legislation, the Obama White House will still make good on its vow to pass an executive order on cybersecurity because the stakes are too high. "We are probably going to get an executive order out of the White House," Howard Schmidt,  former White House cybersecurity coordinator said.

When the new Congress arrives in January, it will work in a bi-partisan way to revisit any outstanding cybersecurity issues, Rep. Michael McCaul (R-TX), incoming House Homeland Security Committee Chairman predicted.  "I think this is an area where we'll have bipartisanship and do it in a bicameral way," he said.

Business lobbyists are putting the nation's security at risk by continually derailing any meaningful cybersecurity legislation, Mort Zuckerman, co-chair of the Bipartisan Policy Center’s (BPC) Cyber Security Task Force, said.  "The conclusions are so unbelievably obvious.  You reel back in shock that you can’t get something so obvious like this through Congress."

The long-time newsman advocated mounting a grassroots public information campaign that bypasses powerful business groups, such as the U.S. Chamber of Commerce, which has lobbied hard against all but the weakest cybersecurity measures.  We need to "have some series of national programs that just indicate what would happen and find some way to get this on television networks or in newspapers" so that citizens will pressure Congress into taking action over the objections of industry interests,  Zuckerman said.  "The country is at risk on levels that we have never experienced." 

New Cybersecurity Executive Order is Business-Friendly, Far Less Regulatory

On Friday, the White House circulated a revised draft cybersecurity executive order to the press and various interested parties.  The new order, dated November 21, 2012, is a significant departure from the previous publicly available draft executive order, ostensibly dated September 28, 2012, because the latest version strips out the more stringent requirements on critical infrastructure owners, enhancing the voluntary nature of the order, and significantly weakens the regulatory roles of the sector-specific government agencies.  (I’ve pasted at the end of this post for easy reference an excel table with the new order in its entirety, with some of the more salient new sections and language highlighted in red).

In addition, the new draft order is far more business friendly, granting greater flexibility to critical infrastructure owners and relevant technology suppliers to 
  • inject industry expertise and input into how cyber threat information sharing occurs by having their experts more easily attain security clearances as well as gain temporary government employment for the purposes of aiding the cybersecurity program, 
  • explain how business policies may “align” with the new cybersecurity regime, 
  • avoid having their commercial information technology products identified by name,
  • opt-out of being classified as critical infrastructure,
  • provide feedback on any burdens that may flow from the new regime and 
  • receive cyberthreat information from the government rather than merely serve as sources that feed cyberthreat incident information to the federal authorities.
The White House thus apparently heeded the criticism of Congressional Republicans and business lobbying groups, who earlier this fall decried the Obama Administration’s lack of consultation with key interested parties while drafting the order.  In responding to press calls regarding the latest draft, a White House spokesperson issued the same statement to all inquiries:  "The National Security Staff has held over 30 meetings with industry, think tanks, and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people."

Quick and Dirty Comparison of the Two Orders

Although it’s difficult to produce a clean comparison between the two draft orders, it’s clear that in almost every major component, the latest order weakens the regulatory authority of the sector specific agencies, specifically as it relates to information sharing, while incorporating the expertise of critical infrastructure owners into the process.  Moreover, the latest order features a looser definition of what constitutes critical infrastructure and builds in a more market-based approach to the creation of the overarching framework that would be the cornerstone of the program

Weaker regulatory authority of sector specific agencies, particularly regarding information sharing

The November 21 draft order replaces the earlier draft’s detailed directives to the sector specific government agencies, which are currently responsible for some oversight or regulation of each of the 20 critical infrastructure sectors (energy, telecommunications, chemical, critical manufacturing and so forth).  Those earlier directives in the ostensible Septmber 28 draft order, which were largely originating from or coordinated through DHS, mandated that the agencies:
  • Develop reports detailing the legal authorities under which they can regulate the cybersecurity of critical infrastructure.
  • Follow a set of actions developed by DHS and OMB to mitigate cybersecurity risks.
  • Propose regulations of critical infrastructure owners to mitigate cybersecurity risks.
  • Receive reports from critical infrastructure owners of cybersecurity risks.
  • Follow implementation guidance from DHS to encourage a comprehensive and integrated cybersecurity approach across all sectors.
That earlier system, which does not appear in the new order in any form, is now replaced by a more voluntary approach:
  • The sector specific agencies will now engage in a consultative process with DHS, OMB and the National Security Staff to review a preliminary cybersecurity framework developed by NIST  to determine  if current cybersecurity regulatory requirements are sufficient given current and projected risks.
  • Within 90 days of publication of the preliminary NIST framework, the agencies will submit to the President a report that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, any additional authority required, and the extent to which existing requirements overlap, conflict, or could be harmonized.
  • If the agencies deem current regulatory requirements insufficient, they can propose actions within 60 days of the publication of the final NIST requirements.
  • Within two years after publication of the final NIST Framework, agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to duplicative, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
  • The DHS will now establish “procedures” that allow critical infrastructure owners to participate in the information sharing system on a voluntary basis.  (The earlier version specified that DHS shall request owners and operators of critical infrastructure to report promptly to the Secretary or other appropriate agency cybersecurity incidents and threats.)
  • DHS will expedite security clearances of critical infrastructure personnel, presumably to enable their greater participation in the whole program.
  • DHS will expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
Looser Definition of Critical Infrastructure

The earlier version of the draft cybersecurity order required that the Department of Homeland Security (DHS) would rely upon a prioritized critical infrastructure security list required under the Homeland Security Act.  This list resulted in the creation of a controversial database that identified hundreds of thousands critical infrastructure assets. 

The latest draft order relies instead on a looser consultative process as well as the expertise of the sector-specific agencies to identify critical infrastructure, using what it says is a risk-based approach.  The new order also prohibits identifying any commercial information technology products (presumably this means no specific vendor’s products can be named) and provides for the creation of a process under which identified critical infrastructure owners can be removed from the list.

More Market-Based Approach to the Baseline Cybersecurity Framework

Both the earlier and the latest orders direct the National Institute of Standards and Technology (NIST) to develop a framework to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.  The new draft order, however, gives NIST more time to develop the initial framework – 240 days as opposed to 180 days.

The new draft order also incorporates more business-friendly language.  For example, the new draft order states that “the Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

It also states that:
“the Framework will also identify potential gaps that should be addressed through collaboration with particular sectors and industry-led standards organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide cybersecurity guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.”
It further provides for business confidentiality protection by stating that “the Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality.”

Finally, while the earlier order said the the Framework shall “include metrics for measuring the performance of an entity in implementing the Cybersecurity Framework,” the new draft merely calls for “guidance” in measuring the performance of an entity.

I’ve pasted below a table that includes the new draft order in its entirety, with the key new sections and language highlighted in red.

Twitter Delicious Facebook Digg Stumbleupon Favorites More