Recent Posts

Four Key Take-Aways from the Sixth NIST Cybersecurity Framework Workshop


Last week, the National Institute of Standards and Technology (NIST) held in Tampa, FL its sixth workshop on the landmark critical infrastructure cybersecurity framework mandated by President Obama in February 2013 and issued by NIST in February 2014. As was true of the five previous workshops NIST held prior to the framework's release, hundreds of cybersecurity specialists gathered for two days to listen to government and industry experts and to hash out the framework's details across multiple, specialized working sessions.

While the event covered a lot of ground, tackling a range of technical and detailed topics from relatively specialized matters such as authentication issues in industrial control security to broader overviews of how various sectors are dealing with the framework, a few themes emerged from the sessions and conversations with the attendees. Here are the top four take-aways from the latest workshop:

1. Everyone Likes the Framework: Almost everyone said the framework is a good thing, although, as noted below, there are some issues that specialists still have with the framework's ongoing development. Not surprisingly, representatives from industry, UK and EU governments invited to speak on the plenary session panels offered almost uniformly positive views of the framework. "We began using the framework essentially the day it came out," Tim Casey, a senior information risk analyst at Intel said. "It gave us purpose and direction that we didn't have previously," Jefferson England, an executive at small telco Silverstar Communications, said.

Conversations with attendees yielded more of the same. "This is a good force multiplier. It's a common unified framework for managing security risks," Robert Brown, Manager of Assurance at PWC, said. "People have seemed to really embrace it," according to Phil Agcaoili, VP and Chief CISO at Evalon. "There are all sorts of ways this could have gone wrong and it didn't," Chris Blask, ‎Chair at Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), said.

Much of the good vibes flowed from the sense of collegial community that has cropped up over the course of the multiple workshops among the many hundreds of cybersecurity specialists. (Frequent jokes were made about the T-shirts given to people who had attended every workshop). The framework process has really "put trust across the sectors," Jack Whitsitt, Senior Analyst of cybersecurity consortium EnergySec, said, highlighting the fact that cyber specialists in different industries now share information outside their sectors because of the relationships forged during the NIST framework process.

2. The Framework's Primary Value To Date Seems to Be as a Communications Tool:  The jury's out in terms of whether the framework has actually achieved its intended goal of reducing cybersecurity risks, but it's clear that the subject matter experts who were at the workshop think it's a good device for trying to communicate the arcane subject of cybersecurity to managers, regulators, vendors, partners and other audiences. "One of the largest benefits of the framework is that it provided a framework of discussion, as much as anything else," Silverstar's England said.

"We're using it as an engagement tool for our regulators," Karl Schimmeck of the Securities Industry and Financial Markets Association, said. "We're hoping that it becomes the common language when you're talking to suppliers, vendors, joint ventures," a senior oil and gas industry representative said. "I'm using it to inform my board and executives," Evalon's  Agcaoili said.

3. Otherwise the Framework Is Still Kind of Difficult to Use:  Despite being built on the notion of simplicity, the NIST framework is a 41-page document that features core sets of activities, multiple tiers and intricate mapping to hundreds of detailed cybersecurity standards developed by a welter of standards-setting bodies. Most of the practitioners in attendance at the workshop said that the framework, despite its communication value, can at times be quite a challenge to use. "These frameworks are alphabet soup," PWC's Brown said.

"The mapping process is nuts," Dorian Cougia, Compliance Scientist at Unified Compliance said. Part of the problem is that the intricate standards that are mapped to the framework can run dozens and even hundreds of pages long and it's not always clear which parts of the standards apply to what. "There were times when we did not exactly understand what the framework meant," one top energy cybersecurity specialist said.

"The content of the framework really doesn't matter," EnergySec's Whitsitt said. "Organizations that don’t know how to do security already will have a hard time with it."

The difficulty in using the framework can be greater for smaller and mid-sized organizations that don't have cybersecurity experts on staff, a topic much discussed during the framework's development. "The big guys do this already," one communications industry representative said. "They wouldn't be in business if they weren't protecting their networks for financial reasons." The smaller guys, however, are struggling to come up to speed with what the framework demands, she noted, because they may have at most only one IT person on staff assigned to implement security measures.

The right way to view the challenge of using the framework isn't big versus small, according to Adam Sedgewick, who spearheads the project for NIST, clarifying that it's more about how serious the company is about cybersecurity, regardless of size. "I think it's a mistake to think that small and medium companies do not have good cybersecurity practice as a rule.  I think it's more appropriate to say companies that do not have robust cybersecurity programs" face greater challenges.

4. There Won't Be a Framework 2.0 Any Time Soon:  Two mantras emerged from the government and NIST speakers at the workshop.  The first is that "it's still early days" for the framework and too soon to gauge its effectiveness.  The second, related concept is that no basic changes to the framework are in the offing anytime soon.

"We want to make sure that people understand we don't expect changes to the framework in the future," Ari Schwartz of the National Security Council said. "We are in no rush to make changes without knowing or understanding what effect those changes might have," Matt Scholl, Deputy Division Chief at NIST said.

Cybersecurity is already shaped by endless organizations, government agencies, schemas, frameworks and evolving standards, NIST's Sedgewick said. "We have to be careful when we think about the next phase of this effort to reduce that complexity and not increase it."

That view was embraced by most of the workshop attendees. However, some of the industry specialists who are implementing the framework think changes are needed sooner rather than later. "It is useful but it still needs more work," one big electric utility representative said. "If something is missing, they don't know something is missing.  They should not wait too long to update the core."

Cybersecurity Should Scale Faster than the Information Revolution, DARPA Head Says

Mary Jordan, Arati Prabhakar

(Washington, DC) In the face of cybersecurity threats that seem to breed like bacteria, a conceptual fix is to speed up cybersecurity development to outpace the rapid-fire evolution in technology, the head of the Defense Advanced Research Projects Agency (DARPA) said today. Speaking at a cybersecurity summit hosted by the Washington Post, Arati Prabhakar, Director of DARPA, said "we are trying to wrangle this problem while the information revolution is exploding. The moonshot for cybersecurity in my view is to find techniques that scale faster than this revolution."

One key problem is that the Internet was developed--under DARPA's auspices-- at a time when the current kinds of security threats were unimaginable. If DARPA had a clean slate to rebuild the Internet to make it more secure, one concept would be to apply a biological model to network security, she said. "Under the hood there is a lot of diversity among individuals [s]o one attack cannot wipe out the human race," drawing parallels between the efforts DARPA spearheads to help the public health community outpace infectious diseases and its simultaneous efforts to develop automated cyberdefense systems.

The scariest cybersecurity threat is a potential take-down of the power grid. But that's an unlikely prospect for the typical IT hacker, Andy Bochman, Senior Cyber and Energy Security Strategist at Idaho National Laboratory, said. "The communication protocols and the types of processors and the amount of memory is often wholly different" for the energy sector's industrial control systems. "For the standard hacker, it would be a strange place."

Still, to the extent that power companies are putting into place new technology, there is a "tremendous opportunity" to minimize risk. "The more that electric utilities and stakeholders include security requirements into their RFPs, [t]hat gives signals to the manufacturers that what wasn't important before is suddenly something they should pay attention to," Bochman said.

It's unlikely that Congress will step in with its own solution during the upcoming lame duck session, Rep. Mike Rogers (R-MI), retiring Chairman of the House Intelligence Committee, indicated. "We have a very small window to get this done [pass a cybersecurity bill]," he said. "The political challenges in the Senate make the odds pretty high," with Rogers blaming the failure to pass a bill on "political tantrums."

Only 15% of networks are owned by the U.S. government and thus benefit from the cybersecurity protection of the military and various federal agencies. "By doing nothing in Congress, we are telling these 85% of private networks 'you are on your own,'" mainly due to the difficulties in sharing information between public and private groups, a knowledge gap that most cybersecurity bills aimed to minimize.

Meanwhile, the federal government is doing what it can to help raise the level of cybersecurity practices around the globe. Federal agencies are increasingly coming together to work with other nations in securing the necessary infrastructure against the "less deterrable" threat actors, such as Iran and Korea as well as terrorist organizations. "The good thing is that more and more countries are taking this seriously," Christopher Painter, Coordinator, Cyber Issues at the State Department, said.

Around 60 countries are looking to build cyber command operations, Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security for the Defense Department, said. The U.S. government is helping some of those countries, particularly in Europe and Asia, build that capacity. "There are a small group of countries that we are advising. [W]e only do it with our very closest partners, mostly because we want to make sure it's being done right."

NIST Cybersecurity Framework is Good and Bad, Experts Say

Source:  AWWA.
Six months after its release, the cybersecurity framework issued by the National Institute of Standards and Technology (NIST) received mixed reviews from a group of cybersecurity specialists who've now had time to give the landmark system a closer look. Speaking at a webinar hosted yesterday by both the Industrial Control System Information Sharing and Analysis Center (ISC ISAC) and my own firm DCT Associates, the early assessment of the framework ranged from "pleased" to "failed," with a general sense that the framework doesn't replace the hard work of implementing adequate cybersecurity controls.

"I'm relatively pleased," Chris Blask, Chair of the ICS ISAC said. "What we want to achieve from all these sorts of things, rather than force people to comply with specific activities, is encourage all the relevant players to take steps that result in a more secure infrastructure."

"From an operator perspective, a document like this [the framework itself] is quite intimidating," Kevin Morley, Security and Preparedness Program Manager, American Water Works Association (AWWA), said. "This is a little bit abstract and we felt we needed a different approach," which is why the AWWA developed it's own security guidance for the water sector. Nevertheless, AWWA mapped its separate guidance to the NIST framework and found that the two are 100% aligned, Morley said.

"You can look at the NIST CSF as a success and you could say it’s not a bad outcome.  I believe you could only say that if you have very low expectations," Perry Pederson, Co-Founder and Managing Principal at The Langner Group said. "Compliance with the NIST CSF only requires adopting the terminology.  If you speak in those terms and talk in those terms you can be compliant with the framework without changing anything you have to do. It’s really a business-friendly framework because it allows the business to decide based on its needs and resources to simply cherry pick what it wants."

Japp Schekkerman, Director of Global Cyber Security at CGI Group, agreed with Pederson. The framework is "addressing all kinds of questions [b]ut it doesn’t tell you how to do it," he said. "If you’re not familiar with the standards [referenced in the framework], you don’t know what to do."

The framework wasn't intended to provide a technical blueprint telling cybersecurity specialists what to do, Greg Witte, Program Manager, Security Standards Team, G2, countered. "It really is about communication and awareness," he said. "We should not be directing people and making it mandatory."

"The framework is a way to have a discussion about managing risk," Adam Sedgewick, who spearheads the framework initiative for NIST, said during an interview earlier in the week. Still, NIST welcomes criticism and hopes to solicit a wide range of opinions on the framework's effectiveness through a request for information issued today in preparation for a framework workshop NIST will host in October. "We really do want a healthy debate, we welcome criticism."

NIST's Cybersecurity Framework at the Six-Month Mark: Are We More Secure?


On February 12th the National Institute of Standards and Technology (NIST) released its comprehensive cybersecurity framework, the culmination of an intense 12-month drafting process ordered by President Obama in an effort to ward off what former Defense Secretary Leon Panetta feared would be an imminent "cyber Pearl Harbor." This framework of frameworks was intended to lay down some ground rules to improve the security and resilience of all industries, but particularly the critical ones upon which stable society depends, such as energy, communications, transportation and food and agriculture.

So, what's happened since the framework's release? Find out tomorrow when I will be moderating a webinar for the Industrial Control Information System Sharing and Analysis Center (ICS ISAC), one of the key groups assigned the all-important information-sharing task among industrial system control operators to ensure that cyber threats are identified and managed in a timely fashion.

Join ICS ISAC Chair Chris Blask and me to find out what top security specialists think about the framework six-months in and the benefits and challenges they've experienced in putting the framework into place. Among the experts we've lined up are:
  • Kevin Morley, Security and Preparedness Program Manager, American Water Works Association
  • Perry Pederson, Co-Founder and Managing Principal at The Langner Group, LLC
  • Greg Witte, Program Manager, Security Standards Team, G2, Inc.
Based on my conversations with some of the speakers, this webinar promises to be a lively one, complete with frank assessments of both the good and not-so-good aspects of the framework. I'll check back in here later with a write-up of the key points, but register for the webinar today so you can hear first-hand what they have to say and ask your own questions.

Cybersecurity Information Overload: Is There a Solution?

Sign Up for the Cybersecurity Magazine 
For at least the past two years, I've been fascinated by the highly fractured nature of information in the cybersecurity world, which is in a state of overwhelming onslaught of constant developments, studies, reports, meetings, breaking news, standards developments and government activity.  I've spent my entire career creating information products, conferences and advisory services focused on technology-related industries and corresponding complex policy topics (albeit in the comparatively easy-to-grasp media, communications, consumer electronics and, more recently, energy sectors).

But nothing beats cybersecurity as a tough topic, an issue that few people feel, deep down inside, they adequately grasp.  This vague sense of not-knowing is true for both the technology professionals responsible for implementing cybersecurity within their organizations and, most emphatically, the non-technologists who run organizations, government agencies and corporations and who are increasingly held responsible for the cyber breaches that occur on their watches.  Part of the problem is that there is just too much stuff  bombarding all of us and the information overload is accelerating.

Hundreds of good (and not so good) journalists crank out important cybersecurity news pieces every day across at least several dozen, if not hundreds, of bona fide publications (My slightly outdated must-read list is here).  Hundreds of consulting, engineering and law firms release reports, updates, advisories and white papers.  Endless meetings with thousands of participants are held across government and affiliated working groups, centers and labs of all stripes and sizes and all industry sectors. A day doesn't go by without at least a dozen important webinars, conferences or hearings on some important cybersecurity topic.

Trying to keep track of the day's developments is alone a herculean challenge.  A while back, I launched a Twitter feed and a corresponding nifty online Flipboard magazine (best seen on tablets and smartphones) that seeks to sift through the day's endless streams of information for only the most important, most interesting and most useful information.  Unlike some people who have brilliantly developed scripts to sift useful information from the repetitive, derivative and not-so-valuable gunk, I manually go through news feeds, emails, LinkedIn group reports and other sources and pick what to put in these curated resources. This process can consume many hours of my day if I don't watch it.

A few years back I interviewed over a dozen utility cybersecurity executives about the problems they faced. Information overload was consistently ranked among the top impediments to getting their jobs done. Typical of the responses I received was one top cybersecurity technologist. “A lot of stuff comes into our email inbox," he said. "There is a huge quantity of information out there saying 'we know what’s best.' Quite honestly, for me it’s fairly overwhelming to see that much information come in,”

And the situation has only deteriorated in the three years since I conducted that project. So, what's the solution? Is there a solution or is cybersecurity just too vast, just too endemic to everything in the world now that it's impossible to develop a comprehensive resource that hits the high-points and pulls it all together as best as possible in a reasonable time-frame?

These are the questions in the back of my mind as I work on a plan that proposes to do precisely that. Pull it all together and produce ongoing reports, data and analysis in a way that makes sense and reflects expertise and high-caliber thinking.

But if any of you have any answers to the question about information overload - is there a solution and what is it? -- or if there is a key piece of data or aggregated information that you wish you could see, drop me a line and share your thoughts.

Tanium Pushes 2014 Cybersecurity Venture Funding to $329M, Five Times 2013 Level


San Francisco-based cybersecurity-focused start-up Tanium announced yesterday a $90 mil. venture cash infusion from Andreessen Horowitz, a Silicon Valley powerhouse known for backing a long list of Internet and technology winners. The $90 mil. investment is the venture funding titan's second largest investment ever and continues a string of the firm's investments in cybersecurity companies, including Bluebox Security, Ciphercloud and Bromium.

Tanium, which describes itself as an "enterprise-scale real-time security and systems management company," has developed an approach to security management that it says collects and processes billions of metrics -- hardware configuration, software inventory, network usage, patch and update status and more -- across an organization's endpoints in real-time, providing instant visibility into operational issues to ward off security attacks.

Andreessen's big investment is the latest in a string of high-profile investment rounds across the growing ranks of cybersecurity technology start-ups.  According to our tally, thus far in 2014, cybersecurity firms have snagged $392 mil. in venture capital, over five times the level of the estimated $70 mil. in cybersecurity related venture deals in 2013.  (See table below).

At this point, total recent venture funding for cybersecurity tech providers is coming close to the $1 bil. mark. As the table below shows, since April 2012, venture funding for cybersecurity start-ups has totaled at least $818 mil.  At this rate, and with five months left in the year, that $1 bil. mark seems to be easily within reach.

Rep. Mike Rogers Raps FCC's Stance on Cybersecurity, Challenges Funding Request


Rep. Mike Rogers (R-MI), Chairman of the House Intelligence Committee, yesterday issued a red flag against last week's move by Federal Communications Commission Chairman (FCC) Tom Wheeler to broaden the agency's involvement in communications companies' cybersecurity practices.  In a letter signed by fellow Republican panel member Mike Pompeo (R-KS), Rogers expressed concern that Wheeler's approach, while relying primarily on the market to manage cybersecurity issues, verges too close to increased regulation.

The letter states that a speech Wheeler gave last week, in which he outlined a "new paradigm" for cybersecurity, as well as statements by Commission staff, "lead us to be concerned that the Commission may be preparing to implement a new regulatory scheme that would significantly impact Internet service providers and other web service providers."  In his speech, Wheeler said that if the new paradigm doesn't work, "we must be ready" with "alternatives if it doesn't."

The letter also raised objections to little-noticed cybersecurity-related budget additions in the FCC's FY 2015 budget.  "We also question why the FCC's Fiscal 2015 budget requested a substantial funding increase for cybersecurity activities, including funding for 'Big Data Cybersecurity Analytics and a Cybersecurity Metrics' program. While we support efforts to ensure that the Commission's internal systems are secure from cyber-attack, these initiatives appear to be outward, or industry, facing."

The FCC's FY 2015 budget asks for $700,000 for a big data cybersecurity analytics program.  In the budget the Commission states that "Big Data Cybersecurity Analytics will be a disruptive technology in the 
Cybersecurity arena, as traditional analysis and forensics techniques will be superseded by 
automation conveniences that reduce the burden of work on the analyst." The $700,000 is aimed at helping the FCC conduct root cause analysis, such as reverse engineering of malware on computer networks.

The FY 2015 budget also asks for $575,000 for the metrics program referenced in the letter.  The budget states that "FCC has initiated planning efforts to collect and analyze monthly metrics related to the cybersecurity threats addressed using data obtained from commercial sources," with the metrics to be provided to the Commission's newly formed Cybersecurity and Communications Reliability Division for analysis and baseline tracking.

Once that's done, the metrics program will be used to create a "Cybersecurity Dashboard" to "help the FCC track the ongoing progress of cybersecurity initiatives."

The appearance of the letter from Rogers and Pompeo indicates some level of concern among certain affected communications providers over Wheeler's new paradigm.  Following last week's speech by Wheeler, some telco industry representatives expressed unhappiness over some statements in the speech, presumably those that indicated the FCC would need to see "demonstrably effective" results and metrics under the new paradigm, perceived to be code for quasi-official monitoring and a possible precursor to regulatory action.

However, cable companies seemed warmer to the idea of the new cybersecurity paradigm.  Comcast issued a statement supporting Wheeler's new approach.  "Comcast will continue working with the Chairman, his fellow Commissioners, and the dedicated staff at the FCC to help achieve these important goals," Myrna Soto, senior VP and chief information and infrastructure security officer, for Comcast Cable, said.

FCC Chairman Unveils New Paradigm for Cybersecurity; Must Be "Demonstrably Effective"


(Washington, DC)  The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today unveiled a new program for communications cybersecurity that relies on industry-driven initiatives for "proactive, accountable cyber risk management for the communications sector" in lieu of a "prescriptive, regulatory approach."  Nonetheless, the "new paradigm," as he called it, needs to be more "demonstrably effective than blindly trusting the market" to provide adequate cybersecurity risk management.

The goal is to spur greater cybersecurity activity by communications companies while stopping short of implementing official FCC rules or policies. Many communications companies have feared regulatory action by the FCC as a means of mandating the voluntary cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February or in the wake of a high-profile cyber incident 

Speaking at an event hosted here by the American Enterprise Institute, Wheeler laid out some central pillars of the approach. The first pillar is for the FCC and communications companies to promote greater "privacy-protective" information sharing of cyber threats and attacks, along the lines of the best-in-class information sharing that the financial sector has demonstrated in its ISAC (Information Sharing and Analysis Center). The communications sector already has its own ISAC in the National Coordinating Center for Telecommunications (NCC) under the Department of Homeland Security.

The second pillar is for the FCC to measure best cybersecurity practices already developed under the Commission's auspices and to tailor risk management processes to NIST's framework. The FCC's industry-led Communications Security, Reliability and Interoperability Council (CSRIC) has already formed a working group for this task, "working group 4," which met last week to begin tailoring the NIST framework. CISRIC will host its fourth meeting on June 18, while the working group 4 is expected to meet again in late-July.

Wheeler has asked the Commission’s Technological Advisory Council (TAC) to explore specific opportunities where R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry, an effort that forms the third pillar.

It's crucial that communications companies conduct some internal reviews of their cyber risk exposure, assess how they are managing their risks and develop better metrics, Wheeler said. "Companies must have the capacity to assure themselves, their shareholders and boards – and their nation – of the sufficiency of their own cyber risk management practices."

Some companies could take time adjusting to the "demonstrably effective" aspect of the new paradigm, Wheeler noted, because it "will require a level of transparency that may make take some time to get used to, but the bottom line is that this new paradigm can’t be happy talk about good ideas – it has to work in the real world. We need market accountability on cybersecurity that doesn’t exist today, so that appropriately predictive and proactive investment is made to improve cyber readiness."

Another potential issue is the level of commitment to the FCC's program, one key communications company representative said.  "There needs to be true commitment to this new paradigm.  When we actively hit bumps in the road, there has to be commitment," he said, adding that the commitment has to be on the part of not only the communications companies, but also the FCC itself.  "Providing there is a true will to make it work, it will work."

Communications companies aren't completely out of the regulatory woods yet. "We are not Pollyannas" Wheeler said. "We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken."

NIST Framework Could Become a Useful Tool for Regulators (and Litigators), Cyber Lawyers Say


(Washington, DC)  The voluntary comprehensive cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February is already proving helpful to companies and could become a tool used by regulators. But it could also become a de facto requirement for organizations once it starts being cited by plaintiffs attorneys, a group of top cybersecurity law specialists said yesterday.

Speaking at a cybersecurity event hosted here by Bloomberg Government, Stewart Baker of Steptoe & Johnson said that the NIST framework could come into play with the impending wave of lawsuits surrounding cyber breaches.  "It’s a no-brainer for plaintiffs lawyers to say 'what do you mean you didn't even follow the government’s cybersecurity framework?'"

As expected (and feared by some industries) regulators could more heavily rely on the framework as a benchmark for good cybersecurity practices. "The other place we’re going to see the NIST framework used is as regulators [u]se the framework as a way of asking questions about what kind of security you have," Baker said, adding that it could become a kind of test as regulators implement various policies and rules.

"The thought of the SEC [Securities and Exchange Commission] becoming a regulator [in cybersecurity] is quite chilling," Donald Fagan of Covington & Burling said. It's probably more accurate to label it as a "precursor to a test," he said. "The framework can be used to determine whether we are acting reasonably," Ben Powell of WilmerHale said.

Right now few signals are coming out of government agencies that the NIST framework might morph from voluntary to mandatory. "The White House announced that they're happy with where the voluntary process is going…which surprised us a little bit," Jeff Greene, Senior Policy Counsel for Symantec said. "The framework at least for the foreseeable future will stay pretty much as voluntary as it can."

Symantec has already adopted the framework, albeit in a tailored fashion, Greene said. "We're actually using the NIST framework. We have found it useful internally."

Small businesses, though, have a difficult time adapting to the framework, according to Greene. "At the small business end [t]hey don’t have the in-house IT staff.  We have found that we have to talk to them in a one-pager document. We’re trying to distill it down in a way that we can talk to them about it."

Top Experts: C-Suite Execs Have 'Caught Religion' in Wake of Target Breach


(Washington, DC)  Given the high-profile ouster of Target's CEO in the wake of the retailer's massive data breach, cybersecurity has been--and should be--elevated to executive suites across corporate America, a string of top security experts said yesterday. Speaking at a day-long cybersecurity conference hosted by Bloomberg Government here, current and former top government and industry cyber specialists issued a wake-up call to business and critical infrastructure leaders that cybersecurity can no longer be relegated to the purely technical realm.

"Cybersecurity is foundational," Admiral Mike Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency said. "You must own this problem. This is just not your IT and computer people. You have to own this problem as a leader."

"This is becoming a CEO issue," Lou Von Thaer, President of the National Security Sector of Leidos, said. "We are being asked by directors all the time to be briefed," Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike said. "I hear all the time from the board members…they actually think the IT people are purposively speaking in gibberish so they cannot be subjected to oversight."

Although litigation and liabilities are the primary outcome of Target-like breaches, the challenge of handling a huge, complex crisis might be the bigger reason that executives are suddenly paying attention. "In some respects the greatest liability risk is not a legal one but a crisis management one," Donald Fagan of Covington and Burling said. "It is the Target issue…that has caught the attention of many businesses out there. They’ve caught religion"

Target may be the poster child for the massive damage that can ensue from a cybersecurity breach, but the company did most things right when it came to cybersecurity. Target would have received a high grade in terms of how well it followed the cybersecurity framework issued by the National Institute of Standards and Technology earlier this year, Stewart Baker of Steptoe & Johnson said.  "They just didn't respond to the overwhelming number of alerts they got."

"People have to understand how good a company Target is when it comes to cybersecurity," Michael Leiter, Senior Counselor to the CEO of Palantir Technologies said. "That means there really is no company that doesn't face this as a business risk."

Rep. Mike Rogers: Chinese Indictments Are 'Glitz and Glamour' But Legislation More Important


(Washington, DC)  House Intelligence Committee Chairman Mike Rogers (R-MI) said yesterday that the Justice Department's high-profile indictment of Chinese military officials for cyber theft of U.S. business secrets is "great for glitz and glamour" but it's more important that Congress act on cyber legislation by August if the government wants to ensure true cybersecurity. Speaking at an event hosted by the George Washington University Cybersecurity Initiative, Rogers said "I agree with the indictments and I agree with certain visa restrictions [b]ut it can't be done in isolation."

The Obama administration's largely symbolic move is "great for glitz and glamour but nothing followed," Rogers said. "It's the right idea but the wrong execution.  If only we could get the second piece of this, which allows the private sector to defend itself," Rogers said, referring to the Cyber Intelligence Sharing and Protection Act, which would facilitate the sharing of cybersecurity information between the private sector and the government.

Although the House has passed the bill, it's stalled in the Senate, a situation that Rogers thinks is improving and believes has to be resolved by August or else prospects for near-term cybersecurity legislation will die. "I think we've made tremendous progress in the last few months. I hate to say it but if we don't get something moving in August, it will get lost in the haze."

Rogers is cautiously optimistic that a bill could move in the next thirty days, with the contentious issues narrowed down to a "few short issues," particularly the question of how a portal for sharing information with the government gets structured. "We've narrowed down the issues on the portal," Rogers said.

Speaking at the same event, Toomas Hendrik Ilves, President of Estonia, a country widely considered to be home to the first true cyber warfare attack, said that new intellectual concepts are needed to successfully battle cyber threats given the radically novel dangers posed by the modern connected era. "We have major intellectual tasks ahead of us," he said. We are facing the modern equivalent of Thomas Hobbes' "war of all against all"  and "we need our Jeffersons, our Voltaires in this area."

Estonia is at the forefront of protecting individual online identities as a key strategy for ensuring security, with everyone using two-factor public key infrastructure using RSA 2048 encryption. "We have come to the conclusion that you cannot have any genuine security without a secure online identity," Hendrik said.  "That is the dilemma of all Internet relations.  You don't know who's who."

Government Cybersec Leaders: Just Patch Your System, Do Strong Passwords


(Washington, DC)  Despite vulnerabilities such as Heartbleed grabbing headlines, the best methods for ensuring adequate system security are often the most basic forms of cyber hygiene, such as patching systems and ensuring strong passwords, a group of government cybersecurity experts agreed today. Speaking at the GovSec conference here, Ron Layton, Deputy Chief Information Officer, U.S. Secret Service said "what's the best investment for our resource dollar?  Patch your system.  The vast majority of successful breaches use very low-level techniques."

"We are still at the precipice of one of the most disruptive forces in our society [b]ut just do a strong password and you're good," he added.

"You don't necessarily need to worry about the most recent APT [advanced persistent threat] if you have 20% of your computers that are unpatched that can be had by a hacker with no skill whatsoever," Patrick Morrissey, Former Director of Investigations and Protective Operations, Blackberry, and Former CISO, U.S. Secret Service, said. "That is where the bad guys are going to come in. The sophisticated hacker is not going to waste his technique on you.  Don't worry so much about being exploited by the latest and greatest.  Just stay up to date on your patches."

The best method for ensuring adequate cybersecurity within the federal government is information sharing and collaboration, something that is bolstered by trust but hampered when no crisis is pressing on the nation. "Trust and relationships is what it’s all about," Dave Pekoske, Chairman of the FBI-private sector partnership InfraGard National, said.

However, "the agencies are not going to be giving up the keys to the kingdom" to other agencies, Morrissey said, particularly if a truly collaborative relationship is absent. "People are going to be reluctant to share information with those agencies if they don't believe the agencies are going to protect them as they should."

Information sharing among government agencies is problematic for a number of reasons, not the least of which are the varying definitions of  security clearance and "need to know" statuses across agencies.  But agencies do collaborate better in the midst of a crisis.  "The government does work well in crises but the farther we get away from 9/11 it becomes a problem," Morrissey said.

Another perennial problem that hampers work across agencies is the lack of qualified cybersecurity personnel, who tend to steer clear of the government or bolt for the higher paid private sector after relatively short stints.  "It's a huge challenge for us right now," Eric Strom, Unit Chief, Cyber Initiative and Resource Fusion, NCFTA, FBI, said. "It's hard to take an investigator and teach them cyber skills."

GE Acquires Wurldtech as Cybersecurity Acquisition Deals Hum Along


GE announced today a deal to buy privately-held Vancouver-based cybersecurity firm Wurldtech, underscoring the increasingly hot market for cybersecurity tech firm acquisitions.  Wurldtech specializes in cybersecurity technologies for critical infrastructure industries and big industrial concerns including power plants, oil refineries and other key providers.

This deal follows FireEye's $70 mil. announced acuqisition of nPulse technologies earlier this week and caps a string of at least 26 cybersecurity acquisition deals over the past year.  (See table below.)  Clearly it's a good time to be a cybersecurity tech start-up or well-respected small solutions supplier.


FTC to Snapchat: If You Promise Security, You'd Better Deliver It


(Washington, DC)  In a move that could have wide-ranging effects on how Internet and mobile application providers approach both privacy and data security, the Federal Trade Commission (FTC) today entered into a consent order with mobile messaging app provider Snapchat, subjecting the company to a series of requirements aimed at ensuring that Snapchat maintains and protects the privacy, security and confidentiality of any consumer information.  The action, which officials labeled as a "significant" move by the agency, follows a complaint issued by the FTC that despite Snapchat's claims, images and videos transmitted via the application did not completely self-destruct and that adequate security of the service was not in place.

In announcing the consent order here at a Media Institute luncheon, FTC Chairwoman Edith Ramirez stressed not only the deceptive claims regarding content self-destruction (recipients could use tools outside of the application to save both photo and video messages), but also the need to maintain strict security practices, particularly when those practices are promoted as part of a product's appeal.  "The Snapchat case vividly illustrates that there is no data privacy without data security," she said.

Pointing to the high-profile data breaches over the past year, Ramirez said "despite the threats posed by data breaches, I am concerned that many companies continue to underinvest in data security and make fundamental mistakes when it comes to protecting sensitive consumer information."  Hinting at increased action by the FTC when promoted security fails to materialize, Ramirez noted that "the FTC’s enforcement work in this area has shown that some companies fail to take even the most basic security precautions, such  as failing to update antivirus software or to require network administrators to use strong passwords."

In making its original complaint against Snapchat, the FTC alleged that despite its claims of implementing adequate security measures, SnapChat "did not employ reasonable security measures to protect personal information from misuse and unauthorized disclosure." It alleged that Snapchat failed to implement proper identity verification upon sign-up, allowing users to send personal images to complete strangers who had registered with false phone numbers.  Moreover, the complaint alleges, Snapchat failed to secure its "Find Friends" feature, which resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

In discussing the order with reporters following its release, Chris Olsen, Assistant Director, Division of Privacy and Identity Protection at the FTC said the case is a "new statement in our body of cases" because it tackles "a major player on many platforms with many users" and because Snapchat made "unequivocal express claims about the privacy of its service."

Although the FTC has brought a number of cases against individual apps for deceptive privacy practices and last year sued HTC America for negligently injecting security vulnerabilities in its devices that put sensitive consumer information at risk, the Snapchat case appears to reflect a new direction by the agency in holding companies responsible for failing to meet promised security protections.  "If you are making promises about security, privacy or anonymity, you have to keep those promises," Olsen said.

In its complaint, the FTC pointed to specific security promises that it contends Snapchat did not uphold, including "boilerplate" statements in its privacy policy.  For example, in its policy Snapchat said "[Parent company] Toyopa Group, LLC is dedicated to securing customer data and, to that end, employs the best security practices to keep your data protected" and "We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction."

Under the order, which will be put out for 30 days for public comment before it becomes final, Snapchat will have to cease any misrepresentation, establish, implement and maintain a comprehensive privacy program and conduct initial and biennial assessments of and reports on that program from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.  Those assessments and reports will continue for twenty years. Any violation of the order will cost Snapchat $16,000 per day per new violation or $16,000 per day for a continuing violation.

FCC Chairman: Implement NIST Cybersecurity Framework So That We Don't Have To


(Los Angeles, CA) The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today urged the cable industry to get moving on the implementation of the cybersecurity framework released by the National Institute of Standards and Technology (NIST) earlier this year.  Speaking at the National Cable and Telecommunications Association (NCTA) annual conference here, Wheeler said that broadband networks are at a critical cybersecurity juncture and that the "more we learn about the challenges of cybersecurity and the costs of failure, the more apparent the importance of addressing it with best efforts, including yours."

Pointing to the work of the Communications, Security, Reliability and Interoperability Council (CSRIC) of the FCC, Wheeler said that the outcome of the industry-led CISRIC should be done "in such a way that those charged with oversight across the regulatory tapestry, recognize and understand the accepted cyber risk."

CISRIC is leveraging the NIST framework for its work and "over the course of the year we will need to see this translate into actual implementation," he said.  "We’re intending this to be a new regulatory paradigm, and we’re giving you the opportunity to write it. I urge you to step up, so we don’t have to."

Although both the telecom and cable industries have embraced the NIST framework, many communications sector representatives have expressed fear that the voluntary nature of the framework could become mandatory at the Commission over time.  The FCC offered no further information on Wheeler's speech to the cable attendees, instead pointing to archived video of the last CISRIC meeting for more context.

The big news out of Wheeler's speech was his further clarification on where he is headed with the FCC's upcoming net neutrality rulemaking.  Leaked outlines of the controversial regulatory action have stirred public interest advocates and Silicon Valley companies to decry what they perceive to be forthcoming FCC-sanctioned creation of pay-for-play "fast lanes" on the Internet, whereby broadband providers (with cable companies serving as the "principal" broadband providers in the U.S.) can charge content and application providers more for quicker delivery to end Internet users.

In impassioned tones, Wheeler rejected the idea that the FCC would effectively kill net neutrality by sanctioning the creation of Internet fast lanes.  "Any new rule will assure an open pathway that is sufficiently robust to enable consumers to access the content, services and applications they demand and innovators and edge providers the ability to offer new products and services," he said.

Wheeler, who headed the NCTA himself thirty years ago, rebutted charges that as a former cable lobbyist he is predisposed to do the industry a favor in the net neutrality debate.  "Now, as Chairman of the FCC, I do not intend to allow innovation to be strangled by the manipulation of the most important network of our time, the Internet."

Cybersecurity Venture Funding Heats Up; Tally Tops At Least $630 Mil.


With the NSA, retail payment system breaches, Heartbleed vulnerabilities and other kinds of damaging digital security developments creating a vortex of never-ending headlines, it's little surprise that venture capitalists seem to be pouring money into cybersecurity start-ups at an accelerating pace.  In the past two days, Synack, a crowd-source vulnerability testing start-up founded by two former NSA analysts, and automated malware detection start-up Sentinel Labs announced they snagged a combined $18 mil. in capital from blue-chip Silicon Valley funders.

Synack got $7.5 mil. from Google Ventures and Kleiner Perkins, while Sentinel Labs got $12 mil. from a groupd of investors that includes Accel Partners and Granite Hill Capital Partners.  They join an impressive list of cybersecurity tech start-ups that have been catching the attention of tech's biggest money men since the beginning of 2012.

According to my list, which reflects only the funding announcements that have come across my radar screen, total cybersecurity-related tech start-up funding since over the past two years tops at least $630 mil.  This year alone, around $143 mil. in venture capital has flowed to cybersecurity companies and the pace seems to be picking up.

The tally below doesn't include the venture capital flowing into adjacent sectors, such as big data players, where a good deal of cybersecurity tech development occurs.  In all probability, the amount of venture capital flowing to new cybersecurity tech creation probably over the past two years probably nears the $1 bil. mark, if not higher.


Verizon Data Breach Report: Nine Patterns Cover 92% of Cybersecurity Incidents


Verizon issued this morning its 2014 Data Breach Investigations Report (DBIR) that covers over 63,000 security incidents in 2013 from 50 global participating organizations spanning 95 countries. The top-line finding is that 92% of all security incidents in the past ten years fit into nine categories:  POS Intrusion, Web App Attack, Insider Misuse, Theft/Loss, Misc. Error, Crimeware, Payment Card Skimmer, Denial of Service, Cyber Espionage and Everything Else.  

Based on the 2013 data, public institutions dominate the list of breach or security incidents with nearly 47,500 security incidents, far dominating any other industry, mostly due to the nature of U.S. public agency reporting requirements (see table below, which I created and sorted in Excel).


But filtering out for only those incidents that involved confirmed data loss, the picture looks quite different (again, a sorted table I created in Excel).


Financial institutions rate number one in terms of incidents that feature data loss, with 465 such incidents, followed then by public institutions (175), retail (148), accommodation (137), unknown (126) and utilities (80).


The table above, straight from the report, lists the frequency of type of incidents per victim industry and shows what the graphic at the top of this post more succinctly illustrates - namely that the biggest threats vary from industry to industry.  For 2013, 69% of the threats faced by utilities came in the form of web app attacks or crimeware.  Over half of the attacks (54%) for manufacturing came from cyber-espionage or DOS. Nearly half of the security incidents for healthcare (46%) came from one category:  theft or loss.

In reviewing the past year, Verizon notes a shift in cyber incidents that occurred in 2013, with a well-publicized trend emerging toward attacks on payment systems and away from geopolitical incidents.  "2013 may be remembered as the 'year of the retailer breach,' but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.'

SEC Issues NIST-Inspired Cybersecurity Blueprint But Apparently Should Follow One Itself


On April 15, the Securities and Exchange Commission issued an unprecedented blueprint for assessing cybersecurity preparedness in the securities industry, a document that the regulator will use for examining the cybersecurity status of more than 50 broker-dealers and investment advisors.  The SEC issued a detailed but high-level series of questions that will form the basis for the examinations, a document which follows in part the cybersecurity framework issued by the National Institute of Standards and Technology in February, .

The goal is to "help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats." While this effort is aimed at registered financial entities, the SEC has stepped up its interest in cybersecurity matters more broadly over the past few years, starting with guidance issued to publicly traded companies on how they should discuss cyber risks in their required financial filings.

Moreover, some experts who follow the SEC's interest in cybersecurity say that the agency's Division of Corporation Finance has been quietly stepping up its scrutiny of SEC filings to ensure that companies adequately disclose cyber risks, frequently requesting that companies supply additional information about existing or potential cyber risks.  And late last month the SEC held a cybersecurity round table during which several of the agency's Commissioners raised the prospect of  imposing minimum cybersecurity disclosure requirements beyond those contained in the existing guidance.

Aside from indicating increased interest in cybersecurity, the blueprint is notable because it represents one of the earliest efforts by a regulator to incorporate the NIST framework into a quasi-official action or endeavor. "It's one of the first endeavors that a regulatory body has made to actually begin leveraging the framework in an implementation," Patrick Miller, Partner and Managing Principal of cybersecurity consulting firm The Anfield Group, said.

Although the NIST framework is considered to be a voluntary scheme for improving cybersecurity across critical infrastructure industries, many of the participants in the framework's development, particularly Washington representatives of critical infrastructure asset owners, repeatedly asserted concerns about any language in the framework that might hint at possible regulatory requirements.

Most cybersecurity specialists, however, say that there is little to fear in the SEC's partial reliance on the NIST framework. "The SEC has done a good job of developing a broad set of guidelines for a certain set of companies," Jack Whitsitt, Principal Analyst for energy industry cybersecurity consortium EnergySec, said.  "I think you're looking at baseline cybersecurity stuff" that any decent-sized firm should be prepared to handle, he added.

Miller thinks this reliance on the framework by a government agency could help cybersecurity measures by signaling to regulators in other industries that the NIST framework is a previously absent but much-needed template to help cut through the clutter of conflicting cybersecurity schemes.  "The path will open up…now it will go from a dirt road to a paved road to a two-lane highway," he said, referring to the fact that the SEC's move may give other government agencies more freedom to start leveraging the framework.

The SEC itself might do well to follow its own blueprint.  Yesterday the General Accounting Office (GAO) issued a report that found key weaknesses in the security controls in the SEC's own network, servers, applications, and databases.  Specifically the GAO found weaknesses in the following areas:

  • Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets. 
  • Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
  • Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers. 
  • Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server. 
The primary cause of the SEC's failing grade was the agency's failure to adequately oversee the work of a contractor during the migration of a key financial system to a new location.



NIST Privacy Workshop Aims at 'Wherever Privacy Risks Arise'


(Gaithersburg, MD)  The National Institute of Standards and Technology (NIST) hosted the first of a two-day privacy engineering workshop here today as a follow-on to the February release of its Framework for Improving Critical Infrastructure Cybersecurity.  Based on the first day's general sessions, the scope of NIST's privacy focus appears to be far broader than, and perhaps only slightly connected to, its origins in cybersecurity.

Although the penultimate version of the cybersecurity framework included an extensive privacy methodology appendix, the final version featured a more stripped-down privacy approach in response to the objections of critical infrastructure owners who perceived the original appendix as overly prescriptive. The privacy workshop is intended to help fill in the resulting privacy gaps in the framework, aiming to flesh out what NIST says is the paucity of identifiable "technical standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties." 

Despite its origins in the development of a cybersecurity framework, the workshop addresses a wide range of privacy issues, with the discussions encompassing privacy protections across a number of disciplines and industries. Specifically, the focus of the workshop is "privacy engineering," namely to "develop reusable tools and practices to facilitate the creation and maintenance of systems with strong privacy postures," Naomi Lefkovitz, Senior Privacy Policy Advisor, Information Technology Lab at NIST said.

When asked during Q and A whether NIST's approach extends beyond the privacy issues surrounding the cybersecurity framework, Lefkowitz said "we hope this is useful in many disciplines, wherever privacy risks arise".  During the development of the framework, she said "we lacked this whole foundational tool and vocabulary for privacy," NIST "need to step back a do a little more foundational work first."

Although most of the privacy-oriented attendees (few of the attendees had attended the earlier NIST cybersecurity workshops, based on a show of hands) seemed pleased by the workshop's discussion topics, a few critical infrastructure privacy representatives again expressed concern about the wide-ranging technical scope of NIST's latest privacy effort, fearing that it might produce far more granular privacy recommendations than they've seen in other, more policy-oriented venues.  Following the workshop, NIST plans to produce a report that is the basis for a NIST Interagency or Internal Report (NISTIR), solicit comments on that document and host a further workshop to refine the draft NISTIR.  

Cybersecurity Stocks Slip in March; Still Beat the Nasdaq for the Month, Market for the Year


Cybersecurity-related stocks slipped at the end of March, after reaching a yearly high during the first week of the month, according to my cybersecurity stock index.  As of the close on March 28, the index dipped to 106.21, down 3% from the close of 109.01 on February 28.

The companies in the stock index (see the table below) still managed to beat the Nasdaq (COMP), which dropped 4% from February 28 to March 28.  (Eight of the thirteen companies in the index trade on the Nasdaq.)  But they were outperformed by the Dow Jones Industrial Average (DJIA) and the S&P 500 (SPX), both of which remained almost exactly flat for the month.

The top performers for the month were AVG Technologies NV(NYSE:AVG), which jumped 23% during the month, and KEYW Holding Corp. (NASDAQ: KEYW) and Palo Alto Networks Inc. (NYSE: PANW), both of which advanced by 21%.  At the bottom were Barracuda Networks Inc. (NYSE: CUDA), which declined by 13% after a major climb in February, and Symantec Corp. (NASDAQ: SYMC), which dropped 14%.

Overall, though, cybersecurity stocks are still well ahead of the markets for the year, posting an index gain of 6%, compared to a 1% decline in the DJIA and a 1% uptick in both the SPX and COMP.



CrowdStrike CRO: NIST Framework, Vulnerability Mitigation Do Not Create Adequate Cybersecurity


On a day jam-packed with high-profile cybersecurity hearings and events in Washington, one expert witness strayed from the usual endorsements of government and corporate party lines to suggest that the cybersecurity strategies embraced by most organizations might actually harm security. Speaking at a hearing held today by the Senate Homeland Security and Government Affairs Committee, CrowdStrike Chief Risk Officer Steven Chabinsky (appearing in a personal capacity) said that the recent cybersecurity framework produced by the National Institute of Standards and Technology (NIST), while improving cybersecurity, "will not result in adequate security of our infrastructure and for our country."

Although praising the framework as a true public-private partnership, Chabinsky said that "improving our security posture requires that we reconsider our efforts rather than simply redouble them." Advocating that U.S. organizations align their cybersecurity efforts more with the strategies used in the physical world, Chabinsky said "we must ensure that our cybersecurity strategies focus on not preventing more intrusions but on more quickly detecting them and mitigating harm."

Specifically Chabinsky, previously a long-time FBI cyber intelligence leader, advocated a shift away from a "vulnerability mitigation" mindset, which he likened to protecting a building by constructing a twenty-foot brick wall around it (only to have the intruder buy a 30-foot ladder as a consequence), to one that focuses on instant detection, attribution, threat response, and recovery while in parallel locating and penalizing bad actors.  "We take reasonable precautions to lock our doors and windows, but we do not spend an endless amount of resources in hopes of becoming impervious to crime."

The growing focus on vulnerability mitigation can lead to decreasing economic returns, or worse, negative returns.  For example, using the analogy of the brick wall, stepped-up vulnerability mitigation might cause the intruder to use powerful explosives instead of buying a ladder. "Our current cyber strategy has had the unintended consequence of proliferating a greater quantity and quality of attack methods thereby escalating the problem and placing more of our infrastructure at greater risk," Chabinsky said.

Threat deterrence would improve if we blame the offenders rather than the victims for not having adequate vulnerability protection.  "It is my hope for the future that the blame for, and the costs of, cybercrime will fall more squarely on the offenders than on the victims, that in doing so we will achieve greater threat deterrence, and that businesses and consumers will benefit from improved, sustained cybersecurity at lower costs," he concluded in his written testimony.

ACLU Technologist: Algorithm to Protect Phone Calls Has Long Been Broken


(Washington, DC)  The algorithm used to protect phone calls is broken and government officials refuse to acknowledge this vulnerability because law enforcement exploits it for their own purposes, ACLU’s Principal Technologist Christopher Soghoian said yesterday.  Speaking at a Carnegie Mellon University forum held here, Soghoian said “it’s been known that the algorithm used to protect our phone calls has been broken. We’re still using that algorithm today.”

“Everyone’s communication is going over the wire in unencrypted form or very weak encrypted form,” which makes anyone who purchases certain equipment –including foreign governments--capable of listening to private calls, Soghoian said. What makes the problem more urgent now is that the easily-purchased equipment needed to eavesdrop on phone calls has plummeted in price over recent years from over $100,000 ten years ago to as low as $1,200 today.

This vulnerability in the phone system has not been acknowledged by either phone companies or the federal government because law enforcement relies on this security hole to eavesdrop on targets. “We haven’t seen any government officials warn the public,” Soghoian said. “The reason for this is that law enforcement is actively exploiting this system.”

This situation is a classic example of where “the offense and defense conflict” in cybersecurity practices and policies in the U.S. according to Soghoian. “You cannot have a system that is easy to spy on that is secure.”

Cybercrime has become the single most pressing cybersecurity problem because of the difficulties in identifying and prosecuting cyber criminals across the globe, Jody Westby, CEO of Global Cyber Risk said. “Cybercrime today has become the perfect crime” because criminals are seldom caught, arrested or jailed due to the lack of harmonized cybercrime laws around the world. “We have a situation where cybercrime has no borders but law enforcement does.”

Internet Security Alliance CEO Larry Clinton agreed.  “The attack team is getting better and better all the time.”

The rapid technological change that has moved the U.S. from a service economy to an information economy has fostered cyber insecurity for the time being, Matt Scholl, Deputy Chief of the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology (NIST) said. “We have not caught up with the consequences of this change in technology.”

The cybersecurity framework released by NIST last month could change the cybersecurity calculus, Earl Crane, Senior Principal of the Promontory Financial Group, said.  “We’re already seeing the impact of the framework where organizations are already adopting the framework and using it.”

A shortage of cybersecurity experts exist, David Brumley, engineering professor at Carnegie Mellon, said, but even with more experts, the U.S. will be outnumbered by countries such as China.  “We need more cyber experts but more security experts are not enough.[W]e’re going to be outnumbered. What are you going to do when there are more of them than there are of you?”

Cybersecurity Stocks Climbed 9% During First Two Months of 2014


With the glaring spotlight placed on cybersecurity breaches during the second half of 2013, I started tracking cybersecurity-related stocks traded on the big exchanges with the assumption that the companies I chose to follow would have a very robust 2014.  So far my assumption has proven to be true.

Of the 13 (mostly pure-play) publicly traded cybersecurity companies I've followed (see table below), only three experienced declines during the first two months of the year, with most gaining double digit boosts between the close on January 3 and the close on February 28.  I created a cybersecurity stock index to see just how well this group of companies performed on the whole in comparison to the broader market.

Based on this index, the cybersecurity companies advanced 9% during the first two months of 2014, more than twice the growth in the Nasdaq Index, four times the performance of S&P Index and almost ten times the rise in the Dow Jones Industrial Average.

And if this week is any indication, cybersecurity-related companies are poised for even bigger gains - two of the newest cybersecurity players on Wall Street soared today - next-gen threat protection company Fireye (NASDAQ: FEYE) soared 8.44% today to close at 95.63 while firewall provider Barracuda Networks jumped 9.29% to close at 38.48.

Stay tuned as I periodically update the trends.

Former Vice Admiral, NSA Director McConnell: 100% Certainty Cyber Attacks Will Occur



(Washington, DC)  Former Navy Vice Admiral, NSA Director and US Director of National Intelligence Mike McConnell said today that the probability of a destructive cyber attack is 100% and that without good information sharing between government and industry the loss of lives and damage to property could be high. "In my mind, there is 100% certainty that cyber attacks will occur," McConnell said at the EnergyBiz Forum on Securing Power here.

Repeating the growing mantra of current and former top government officials that Congress needs to pass a cybersecurity bill, McConnell said "we are a nation with a strategic vulnerability and we have the information to deal with the vulnerability and we must share information between the government and private sector.  [I]f we don't share [information] and share it frequently, we are going to have a major loss of life and damage of property.

"We need legislation that forces the government to provide classified information to the private sector," he stressed.  However, "it should be sanitized to make information of value available to you."

In terms of the most vulnerable critical infrastructure likely to experience a cyber attack, "I would probably choose banking or power and I would choose the hottest part of the summer or the coldest part of the winter," McConnell said. "Just imagine being in New York City in the middle of the summer with no power."

BPC Report: New Electric Sector Cybersecurity Organization Needed


The North American electric grid should establish a new, organization to advance cybersecurity risk management practices across the industry, the Bipartisan Policy Center (BPC) recommended in a wide-ranging report released today.  Against a backdrop of multiple government agencies and industry groups attempting to wrestle with the complex challenge of cybersecurity, BPC recommends that a unified group, which it calls for the purposes of discussion the Institute for Electric Grid Cybersecurity, be established "before a significant cybersecurity event occurs and requires a rapid response."

Using as its model the Institute of Nuclear Power Operations (INPO), founded in 1979 in the wake of the Three Mile Island incident to oversee risk in the nuclear power sector, BPC says the institute should develop standards and practices that complement those established by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC).  "A centralized, industry-governed institution may be in the best position to promote effective strategies for managing cyber threats that could have broader systemic impacts," the report states.

The standards and best practices developed by the institute should cover generation, transmission,
and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives.  The mandatory standards established by NERC apply only to the bulk power sector, a situation that BPC says should be maintained.

The institute would pull together the wider electric industry to develop performance criteria and cybersecurity evaluations, analyze systemic risks, conduct event analysis, provide technical assistance and conduct training and accreditation.  "We believe most utilities would see clear benefits to participating in a new cybersecurity organization. Such an organization could reduce pressure on Congress or FERC to extend more aggressive or widespread regulatory measures, offer helpful technical assistance and information, and give participants the opportunity to develop new norms for cost-recovery practices."

The report was co-chaired by security and energy leaders including former NSA and CIA Director Michael Hayden and steered by an advisory group consisting of experts from top energy trade associations and companies, technology suppliers and former federal and state government officials.  During an event to launch the report, one of the advisory group members disagreed with the report's recommendation to create a separate electric sector cybersecurity institute.

"We embrace the recommendations in this report," Scott Aaronson, Senior Director of National Security Policy, Edison Electric Institute, said.  "I push back a little on a new organization" because there are already many such organizations in existence, including NERC and a group housed within NERC,  the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

One of the report's recommendations is to split off the ES-ISAC from NERC itself because of "industry’s reluctance to share data for fear of triggering regulatory non-compliance actions, violating privacy or antitrust protections, or potentially disclosing proprietary or confidential business information."

Among the report's many other recommendations, which cover a wide swath of cybersecurity-related issues including information sharing, incident response planning and regulatory cost recovery issues:

  • The federal government should provide backstop cybersecurity insurance until the private market develops more fully;
  • The electric power sector and the federal government should collaborate to establish a certification program that independently tests grid technologies and products to verify that a specified security standard has been met;
  • The National Institute of Standards and Technology (NIST) should include guidelines for related skills training and workforce development in its Cybersecurity Framework;
  • DHS should work with universities and colleges to develop engineering and computer science curricula built around industrial control system cybersecurity;
  • The U.S. Department of Energy (DOE) should assist states in providing funds so that regulatory staff can participate in academic programs, more intensive training institutes, and continuing education programs

NIST Official: B2B Use of Cybersecurity Framework is the ‘Moonshot’



The real benefit of the cybersecurity framework released last week by the National Institute of Standards and Technology (NIST) will come when businesses and organizations use it with their partners and suppliers, Adam Sedgewick, principal organizer of the framework effort at NIST said yesterday. Speaking at our webinar (replay available) on the NIST framework, held jointly with the  Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), Sedgewick said “ I think people have realized more and more that this is a pretty broad ecosystem.”

“What I hope we will see is that it will be used in business to business conversations.  That’s where this approach can really scale, where it is not tied to one or two government agencies.  That’s kind of the moonshot here and what we’re really hoping for.”

Even though the water sector has developed its own cybersecurity guidance, the NIST framework should prove to be a useful “anchor” on key cybersecurity issues, Kevin Morley, Security & Preparedness Program Manager, American Water Works Association said.  “We believe that it provides a very useful anchor on some principles” even if at “an applied level it may be a little abstract.”

The electric sector, which has its own mandatory cybersecurity standards in the form of NERC-CIP (National Electricity Reliability Corporation Critical Infrastructure Protection) requirements, was pleased to see that NIST made efforts to map the framework to those requirements during the development process, Laura Brown, Manager of CIP Policy and Coordination for NERC said.  “We’re happy…that the White House and NIST acknowledge that we have these standards.”

Involving top management in use of the framework is critical to its success, Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs, said.  “It’s not something you want to do with a bunch of techies off to the side.”

Getting a realistic grip on the level of the organization’s cybersecurity maturity is likewise crucial to the framework’s success.  “Honest evaluation is critical,” Landfield said.  “You need to be accurate with where you stand today.  If you’re a one [in terms of the framework’s implementation tiers], put it as a one.  If you are not using the tool correctly, you’re not getting the most out of it.”

The implementation tiers in the framework, which “rate” an organization on how highly evolved its cybersecurity protection schemes are, could prove to be a disincentive to smaller organizations, Morley said. “We have concerns a little bit with the tiering structure.  From our perspective this may be a disincentive for action” because people are afraid their organizations will look bad if they rate lower on the scale.

From an industrial control sector perspective, the framework “is good for a number of reasons because it furthers the motion of the machinery in the U.S. public sector,” Chris Blask, chair of the ICS-ISAC said.
“For our purposes it’s helping our membership and by extension the people they are in contact with.”

Twitter Delicious Facebook Digg Stumbleupon Favorites More