FCC Chairman: Implement NIST Cybersecurity Framework So That We Don't Have To


(Los Angeles, CA) The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today urged the cable industry to get moving on the implementation of the cybersecurity framework released by the National Institute of Standards and Technology (NIST) earlier this year.  Speaking at the National Cable and Telecommunications Association (NCTA) annual conference here, Wheeler said that broadband networks are at a critical cybersecurity juncture and that the "more we learn about the challenges of cybersecurity and the costs of failure, the more apparent the importance of addressing it with best efforts, including yours."

Pointing to the work of the Communications, Security, Reliability and Interoperability Council (CSRIC) of the FCC, Wheeler said that the outcome of the industry-led CISRIC should be done "in such a way that those charged with oversight across the regulatory tapestry, recognize and understand the accepted cyber risk."

CISRIC is leveraging the NIST framework for its work and "over the course of the year we will need to see this translate into actual implementation," he said.  "We’re intending this to be a new regulatory paradigm, and we’re giving you the opportunity to write it. I urge you to step up, so we don’t have to."

Although both the telecom and cable industries have embraced the NIST framework, many communications sector representatives have expressed fear that the voluntary nature of the framework could become mandatory at the Commission over time.  The FCC offered no further information on Wheeler's speech to the cable attendees, instead pointing to archived video of the last CISRIC meeting for more context.

The big news out of Wheeler's speech was his further clarification on where he is headed with the FCC's upcoming net neutrality rulemaking.  Leaked outlines of the controversial regulatory action have stirred public interest advocates and Silicon Valley companies to decry what they perceive to be forthcoming FCC-sanctioned creation of pay-for-play "fast lanes" on the Internet, whereby broadband providers (with cable companies serving as the "principal" broadband providers in the U.S.) can charge content and application providers more for quicker delivery to end Internet users.

In impassioned tones, Wheeler rejected the idea that the FCC would effectively kill net neutrality by sanctioning the creation of Internet fast lanes.  "Any new rule will assure an open pathway that is sufficiently robust to enable consumers to access the content, services and applications they demand and innovators and edge providers the ability to offer new products and services," he said.

Wheeler, who headed the NCTA himself thirty years ago, rebutted charges that as a former cable lobbyist he is predisposed to do the industry a favor in the net neutrality debate.  "Now, as Chairman of the FCC, I do not intend to allow innovation to be strangled by the manipulation of the most important network of our time, the Internet."

Cybersecurity Venture Funding Heats Up; Tally Tops At Least $630 Mil.


With the NSA, retail payment system breaches, Heartbleed vulnerabilities and other kinds of damaging digital security developments creating a vortex of never-ending headlines, it's little surprise that venture capitalists seem to be pouring money into cybersecurity start-ups at an accelerating pace.  In the past two days, Synack, a crowd-source vulnerability testing start-up founded by two former NSA analysts, and automated malware detection start-up Sentinel Labs announced they snagged a combined $18 mil. in capital from blue-chip Silicon Valley funders.

Synack got $7.5 mil. from Google Ventures and Kleiner Perkins, while Sentinel Labs got $12 mil. from a groupd of investors that includes Accel Partners and Granite Hill Capital Partners.  They join an impressive list of cybersecurity tech start-ups that have been catching the attention of tech's biggest money men since the beginning of 2012.

According to my list, which reflects only the funding announcements that have come across my radar screen, total cybersecurity-related tech start-up funding since over the past two years tops at least $630 mil.  This year alone, around $143 mil. in venture capital has flowed to cybersecurity companies and the pace seems to be picking up.

The tally below doesn't include the venture capital flowing into adjacent sectors, such as big data players, where a good deal of cybersecurity tech development occurs.  In all probability, the amount of venture capital flowing to new cybersecurity tech creation probably over the past two years probably nears the $1 bil. mark, if not higher.


Verizon Data Breach Report: Nine Patterns Cover 92% of Cybersecurity Incidents


Verizon issued this morning its 2014 Data Breach Investigations Report (DBIR) that covers over 63,000 security incidents in 2013 from 50 global participating organizations spanning 95 countries. The top-line finding is that 92% of all security incidents in the past ten years fit into nine categories:  POS Intrusion, Web App Attack, Insider Misuse, Theft/Loss, Misc. Error, Crimeware, Payment Card Skimmer, Denial of Service, Cyber Espionage and Everything Else.  

Based on the 2013 data, public institutions dominate the list of breach or security incidents with nearly 47,500 security incidents, far dominating any other industry, mostly due to the nature of U.S. public agency reporting requirements (see table below, which I created and sorted in Excel).


But filtering out for only those incidents that involved confirmed data loss, the picture looks quite different (again, a sorted table I created in Excel).


Financial institutions rate number one in terms of incidents that feature data loss, with 465 such incidents, followed then by public institutions (175), retail (148), accommodation (137), unknown (126) and utilities (80).


The table above, straight from the report, lists the frequency of type of incidents per victim industry and shows what the graphic at the top of this post more succinctly illustrates - namely that the biggest threats vary from industry to industry.  For 2013, 69% of the threats faced by utilities came in the form of web app attacks or crimeware.  Over half of the attacks (54%) for manufacturing came from cyber-espionage or DOS. Nearly half of the security incidents for healthcare (46%) came from one category:  theft or loss.

In reviewing the past year, Verizon notes a shift in cyber incidents that occurred in 2013, with a well-publicized trend emerging toward attacks on payment systems and away from geopolitical incidents.  "2013 may be remembered as the 'year of the retailer breach,' but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.'

SEC Issues NIST-Inspired Cybersecurity Blueprint But Apparently Should Follow One Itself


On April 15, the Securities and Exchange Commission issued an unprecedented blueprint for assessing cybersecurity preparedness in the securities industry, a document that the regulator will use for examining the cybersecurity status of more than 50 broker-dealers and investment advisors.  The SEC issued a detailed but high-level series of questions that will form the basis for the examinations, a document which follows in part the cybersecurity framework issued by the National Institute of Standards and Technology in February, .

The goal is to "help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats." While this effort is aimed at registered financial entities, the SEC has stepped up its interest in cybersecurity matters more broadly over the past few years, starting with guidance issued to publicly traded companies on how they should discuss cyber risks in their required financial filings.

Moreover, some experts who follow the SEC's interest in cybersecurity say that the agency's Division of Corporation Finance has been quietly stepping up its scrutiny of SEC filings to ensure that companies adequately disclose cyber risks, frequently requesting that companies supply additional information about existing or potential cyber risks.  And late last month the SEC held a cybersecurity round table during which several of the agency's Commissioners raised the prospect of  imposing minimum cybersecurity disclosure requirements beyond those contained in the existing guidance.

Aside from indicating increased interest in cybersecurity, the blueprint is notable because it represents one of the earliest efforts by a regulator to incorporate the NIST framework into a quasi-official action or endeavor. "It's one of the first endeavors that a regulatory body has made to actually begin leveraging the framework in an implementation," Patrick Miller, Partner and Managing Principal of cybersecurity consulting firm The Anfield Group, said.

Although the NIST framework is considered to be a voluntary scheme for improving cybersecurity across critical infrastructure industries, many of the participants in the framework's development, particularly Washington representatives of critical infrastructure asset owners, repeatedly asserted concerns about any language in the framework that might hint at possible regulatory requirements.

Most cybersecurity specialists, however, say that there is little to fear in the SEC's partial reliance on the NIST framework. "The SEC has done a good job of developing a broad set of guidelines for a certain set of companies," Jack Whitsitt, Principal Analyst for energy industry cybersecurity consortium EnergySec, said.  "I think you're looking at baseline cybersecurity stuff" that any decent-sized firm should be prepared to handle, he added.

Miller thinks this reliance on the framework by a government agency could help cybersecurity measures by signaling to regulators in other industries that the NIST framework is a previously absent but much-needed template to help cut through the clutter of conflicting cybersecurity schemes.  "The path will open up…now it will go from a dirt road to a paved road to a two-lane highway," he said, referring to the fact that the SEC's move may give other government agencies more freedom to start leveraging the framework.

The SEC itself might do well to follow its own blueprint.  Yesterday the General Accounting Office (GAO) issued a report that found key weaknesses in the security controls in the SEC's own network, servers, applications, and databases.  Specifically the GAO found weaknesses in the following areas:

  • Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets. 
  • Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
  • Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers. 
  • Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server. 
The primary cause of the SEC's failing grade was the agency's failure to adequately oversee the work of a contractor during the migration of a key financial system to a new location.



NIST Privacy Workshop Aims at 'Wherever Privacy Risks Arise'


(Gaithersburg, MD)  The National Institute of Standards and Technology (NIST) hosted the first of a two-day privacy engineering workshop here today as a follow-on to the February release of its Framework for Improving Critical Infrastructure Cybersecurity.  Based on the first day's general sessions, the scope of NIST's privacy focus appears to be far broader than, and perhaps only slightly connected to, its origins in cybersecurity.

Although the penultimate version of the cybersecurity framework included an extensive privacy methodology appendix, the final version featured a more stripped-down privacy approach in response to the objections of critical infrastructure owners who perceived the original appendix as overly prescriptive. The privacy workshop is intended to help fill in the resulting privacy gaps in the framework, aiming to flesh out what NIST says is the paucity of identifiable "technical standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties." 

Despite its origins in the development of a cybersecurity framework, the workshop addresses a wide range of privacy issues, with the discussions encompassing privacy protections across a number of disciplines and industries. Specifically, the focus of the workshop is "privacy engineering," namely to "develop reusable tools and practices to facilitate the creation and maintenance of systems with strong privacy postures," Naomi Lefkovitz, Senior Privacy Policy Advisor, Information Technology Lab at NIST said.

When asked during Q and A whether NIST's approach extends beyond the privacy issues surrounding the cybersecurity framework, Lefkowitz said "we hope this is useful in many disciplines, wherever privacy risks arise".  During the development of the framework, she said "we lacked this whole foundational tool and vocabulary for privacy," NIST "need to step back a do a little more foundational work first."

Although most of the privacy-oriented attendees (few of the attendees had attended the earlier NIST cybersecurity workshops, based on a show of hands) seemed pleased by the workshop's discussion topics, a few critical infrastructure privacy representatives again expressed concern about the wide-ranging technical scope of NIST's latest privacy effort, fearing that it might produce far more granular privacy recommendations than they've seen in other, more policy-oriented venues.  Following the workshop, NIST plans to produce a report that is the basis for a NIST Interagency or Internal Report (NISTIR), solicit comments on that document and host a further workshop to refine the draft NISTIR.  

Cybersecurity Stocks Slip in March; Still Beat the Nasdaq for the Month, Market for the Year


Cybersecurity-related stocks slipped at the end of March, after reaching a yearly high during the first week of the month, according to my cybersecurity stock index.  As of the close on March 28, the index dipped to 106.21, down 3% from the close of 109.01 on February 28.

The companies in the stock index (see the table below) still managed to beat the Nasdaq (COMP), which dropped 4% from February 28 to March 28.  (Eight of the thirteen companies in the index trade on the Nasdaq.)  But they were outperformed by the Dow Jones Industrial Average (DJIA) and the S&P 500 (SPX), both of which remained almost exactly flat for the month.

The top performers for the month were AVG Technologies NV(NYSE:AVG), which jumped 23% during the month, and KEYW Holding Corp. (NASDAQ: KEYW) and Palo Alto Networks Inc. (NYSE: PANW), both of which advanced by 21%.  At the bottom were Barracuda Networks Inc. (NYSE: CUDA), which declined by 13% after a major climb in February, and Symantec Corp. (NASDAQ: SYMC), which dropped 14%.

Overall, though, cybersecurity stocks are still well ahead of the markets for the year, posting an index gain of 6%, compared to a 1% decline in the DJIA and a 1% uptick in both the SPX and COMP.



Twitter Delicious Facebook Digg Stumbleupon Favorites More