Top Experts: C-Suite Execs Have 'Caught Religion' in Wake of Target Breach


(Washington, DC)  Given the high-profile ouster of Target's CEO in the wake of the retailer's massive data breach, cybersecurity has been--and should be--elevated to executive suites across corporate America, a string of top security experts said yesterday. Speaking at a day-long cybersecurity conference hosted by Bloomberg Government here, current and former top government and industry cyber specialists issued a wake-up call to business and critical infrastructure leaders that cybersecurity can no longer be relegated to the purely technical realm.

"Cybersecurity is foundational," Admiral Mike Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency said. "You must own this problem. This is just not your IT and computer people. You have to own this problem as a leader."

"This is becoming a CEO issue," Lou Von Thaer, President of the National Security Sector of Leidos, said. "We are being asked by directors all the time to be briefed," Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike said. "I hear all the time from the board members…they actually think the IT people are purposively speaking in gibberish so they cannot be subjected to oversight."

Although litigation and liabilities are the most visible outcome of Target-like breaches, the challenge of handling a huge, complex crisis may be the bigger reason that executives are suddenly paying attention. "In some respects the greatest liability risk is not a legal one but a crisis management one," Donald Fagan of Covington and Burling said. "It is the Target issue…that has caught the attention of many businesses out there. They've caught religion."

Target may be the poster child for the massive damage that can ensue from a cybersecurity breach, but the company did most things right when it came to cybersecurity. Target would have received a high grade in terms of how well it followed the cybersecurity framework issued by the National Institute of Standards and Technology earlier this year, Stewart Baker of Steptoe & Johnson said. "They just didn't respond to the overwhelming number of alerts they got."

"People have to understand how good a company Target is when it comes to cybersecurity," Michael Leiter, Senior Counselor to the CEO of Palantir Technologies said. "That means there really is no company that doesn't face this as a business risk."

Rep. Mike Rogers: Chinese Indictments Are 'Glitz and Glamour' But Legislation More Important


(Washington, DC)  House Intelligence Committee Chairman Mike Rogers (R-MI) said yesterday that the Justice Department's high-profile indictment of Chinese military officials for cyber theft of U.S. business secrets is "great for glitz and glamour" but it's more important that Congress act on cyber legislation by August if the government wants to ensure true cybersecurity. Speaking at an event hosted by the George Washington University Cybersecurity Initiative, Rogers said "I agree with the indictments and I agree with certain visa restrictions [b]ut it can't be done in isolation."

The Obama administration's largely symbolic move is "great for glitz and glamour but nothing followed," Rogers said. "It's the right idea but the wrong execution.  If only we could get the second piece of this, which allows the private sector to defend itself," Rogers said, referring to the Cyber Intelligence Sharing and Protection Act, which would facilitate the sharing of cybersecurity information between the private sector and the government.

Although the House has passed the bill, it's stalled in the Senate, a situation that Rogers thinks is improving and believes has to be resolved by August or else prospects for near-term cybersecurity legislation will die. "I think we've made tremendous progress in the last few months. I hate to say it but if we don't get something moving in August, it will get lost in the haze."

Rogers is cautiously optimistic that a bill could move in the next thirty days, with the contentious issues narrowed down to a "few short issues," particularly the question of how a portal for sharing information with the government gets structured. "We've narrowed down the issues on the portal," Rogers said.

Speaking at the same event, Toomas Hendrik Ilves, President of Estonia, a country widely considered to be home to the first true cyber warfare attack, said that new intellectual concepts are needed to successfully battle cyber threats given the radically novel dangers posed by the modern connected era. "We have major intellectual tasks ahead of us," he said. We are facing the modern equivalent of Thomas Hobbes' "war of all against all," and "we need our Jeffersons, our Voltaires in this area."

Estonia is at the forefront of protecting individual online identities as a key strategy for ensuring security: every citizen holds an electronic ID card whose private key, unlocked with a PIN, authenticates its holder online, a two-factor public key infrastructure built on 2048-bit RSA keys. "We have come to the conclusion that you cannot have any genuine security without a secure online identity," Ilves said. "That is the dilemma of all Internet relations. You don't know who's who."
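Challenge-response login with a PIN-unlocked RSA-2048 key, as an added example of the two-factor PKI identity model described above (illustrative Go code written for this page, not Estonia's eID protocol and not code from the original article): the card proves possession of its private key by signing a server-issued nonce, and it will only sign after the holder has entered the correct PIN. The holder name, PIN, and the Card/Server API are constructed for the example; a real card keeps the key on the chip and the relying party validates the card's certificate chain, which is omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card models a holder's electronic ID card: a 2048-bit RSA key pair that must
// be unlocked with a PIN before it signs anything. On a real card the private
// key never leaves the chip; this in-memory version only illustrates the flow.
type Card struct {
	Holder   string
	priv     *rsa.PrivateKey
	pinHash  [32]byte
	unlocked bool
}

// NewCard issues a card for holder with the given PIN (hypothetical issuance API).
func NewCard(holder, pin string) (*Card, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{Holder: holder, priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Public returns the key a relying party enrols (in practice, the card's certificate).
func (c *Card) Public() *rsa.PublicKey { return &c.priv.PublicKey }

// Unlock is the knowledge factor: without the right PIN the card will not sign.
func (c *Card) Unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	c.unlocked = subtle.ConstantTimeCompare(h[:], c.pinHash[:]) == 1
	return c.unlocked
}

// Sign answers a server challenge with an RSA-PSS signature over its SHA-256
// digest, proving possession of the card (first factor) after PIN unlock (second).
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required")
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, digest[:], nil)
}

// Server is a relying party: enrolled public keys plus outstanding challenges.
type Server struct {
	enrolled map[string]*rsa.PublicKey
	pending  map[string][]byte
}

func NewServer() *Server {
	return &Server{enrolled: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key for holder.
func (s *Server) Enroll(holder string, pub *rsa.PublicKey) { s.enrolled[holder] = pub }

// Challenge issues a fresh 32-byte nonce so a captured signature cannot be replayed.
func (s *Server) Challenge(holder string) ([]byte, error) {
	if _, ok := s.enrolled[holder]; !ok {
		return nil, fmt.Errorf("unknown holder %q", holder)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[holder] = nonce
	return nonce, nil
}

// Verify checks the signature against the outstanding nonce and consumes it,
// so each challenge can authenticate at most once.
func (s *Server) Verify(holder string, sig []byte) error {
	nonce, ok := s.pending[holder]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, holder)
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(s.enrolled[holder], crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("signature invalid for %q: %w", holder, err)
	}
	return nil
}

func main() {
	card, _ := NewCard("alice", "1234") // constructed sample holder and PIN
	srv := NewServer()
	srv.Enroll("alice", card.Public())
	nonce, _ := srv.Challenge("alice")
	if _, err := card.Sign(nonce); err == nil {
		panic("locked card must not sign")
	}
	card.Unlock("1234")
	sig, _ := card.Sign(nonce)
	fmt.Println("login:", srv.Verify("alice", sig))  // login: <nil>
	fmt.Println("replay:", srv.Verify("alice", sig)) // replay: no outstanding challenge
}
```

The two factors are separable in the code: stealing the card file without the PIN leaves `Sign` refusing, and knowing the PIN without the key gives nothing to sign with. The nonce is consumed on first verification, which is what stops a recorded login from being replayed.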

Government Cybersec Leaders: Just Patch Your System, Do Strong Passwords


(Washington, DC)  Despite vulnerabilities such as Heartbleed grabbing headlines, the best methods for ensuring adequate system security are often the most basic forms of cyber hygiene, such as patching systems and ensuring strong passwords, a group of government cybersecurity experts agreed today. Speaking at the GovSec conference here, Ron Layton, Deputy Chief Information Officer, U.S. Secret Service said "what's the best investment for our resource dollar?  Patch your system.  The vast majority of successful breaches use very low-level techniques."

"We are still at the precipice of one of the most disruptive forces in our society [b]ut just do a strong password and you're good," he added.

"You don't necessarily need to worry about the most recent APT [advanced persistent threat] if you have 20% of your computers that are unpatched that can be had by a hacker with no skill whatsoever," Patrick Morrissey, Former Director of Investigations and Protective Operations, Blackberry, and Former CISO, U.S. Secret Service, said. "That is where the bad guys are going to come in. The sophisticated hacker is not going to waste his technique on you.  Don't worry so much about being exploited by the latest and greatest.  Just stay up to date on your patches."

The best method for ensuring adequate cybersecurity within the federal government is information sharing and collaboration, something that is bolstered by trust but hampered when no crisis is pressing on the nation. "Trust and relationships is what it’s all about," Dave Pekoske, Chairman of the FBI-private sector partnership InfraGard National, said.

However, "the agencies are not going to be giving up the keys to the kingdom" to other agencies, Morrissey said, particularly if a truly collaborative relationship is absent. "People are going to be reluctant to share information with those agencies if they don't believe the agencies are going to protect them as they should."

Information sharing among government agencies is problematic for a number of reasons, not the least of which are the varying definitions of security clearance and "need to know" statuses across agencies.  But agencies do collaborate better in the midst of a crisis.  "The government does work well in crises but the farther we get away from 9/11 it becomes a problem," Morrissey said.

Another perennial problem that hampers work across agencies is the lack of qualified cybersecurity personnel, who tend to steer clear of the government or bolt for the higher paid private sector after relatively short stints.  "It's a huge challenge for us right now," Eric Strom, Unit Chief, Cyber Initiative and Resource Fusion, NCFTA, FBI, said. "It's hard to take an investigator and teach them cyber skills."

GE Acquires Wurldtech as Cybersecurity Acquisition Deals Hum Along


GE announced today a deal to buy privately-held Vancouver-based cybersecurity firm Wurldtech, underscoring the increasingly hot market for cybersecurity tech firm acquisitions.  Wurldtech specializes in cybersecurity technologies for critical infrastructure industries and big industrial concerns including power plants, oil refineries and other key providers.

This deal follows FireEye's $70 mil. announced acquisition of nPulse Technologies earlier this week and caps a string of at least 26 cybersecurity acquisition deals over the past year.  (See table below.)  Clearly it's a good time to be a cybersecurity tech start-up or well-respected small solutions supplier.


FTC to Snapchat: If You Promise Security, You'd Better Deliver It


(Washington, DC)  In a move that could have wide-ranging effects on how Internet and mobile application providers approach both privacy and data security, the Federal Trade Commission (FTC) today entered into a consent order with mobile messaging app provider Snapchat, subjecting the company to a series of requirements aimed at ensuring that Snapchat maintains and protects the privacy, security and confidentiality of any consumer information.  The action, which officials labeled as a "significant" move by the agency, follows a complaint issued by the FTC that despite Snapchat's claims, images and videos transmitted via the application did not completely self-destruct and that adequate security of the service was not in place.

In announcing the consent order here at a Media Institute luncheon, FTC Chairwoman Edith Ramirez stressed not only the deceptive claims regarding content self-destruction (recipients could use tools outside of the application to save both photo and video messages), but also the need to maintain strict security practices, particularly when those practices are promoted as part of a product's appeal.  "The Snapchat case vividly illustrates that there is no data privacy without data security," she said.

Pointing to the high-profile data breaches over the past year, Ramirez said "despite the threats posed by data breaches, I am concerned that many companies continue to underinvest in data security and make fundamental mistakes when it comes to protecting sensitive consumer information."  Hinting at increased action by the FTC when promoted security fails to materialize, Ramirez noted that "the FTC's enforcement work in this area has shown that some companies fail to take even the most basic security precautions, such as failing to update antivirus software or to require network administrators to use strong passwords."

In making its original complaint against Snapchat, the FTC alleged that despite its claims of implementing adequate security measures, Snapchat "did not employ reasonable security measures to protect personal information from misuse and unauthorized disclosure." It alleged that Snapchat failed to verify phone numbers at sign-up, so that users could be sent personal images by complete strangers who had registered with someone else's phone number.  Moreover, the complaint alleges, Snapchat failed to secure its "Find Friends" feature, which resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

In discussing the order with reporters following its release, Chris Olsen, Assistant Director, Division of Privacy and Identity Protection at the FTC said the case is a "new statement in our body of cases" because it tackles "a major player on many platforms with many users" and because Snapchat made "unequivocal express claims about the privacy of its service."

Although the FTC has brought a number of cases against individual apps for deceptive privacy practices and last year sued HTC America for negligently injecting security vulnerabilities in its devices that put sensitive consumer information at risk, the Snapchat case appears to reflect a new direction by the agency in holding companies responsible for failing to meet promised security protections.  "If you are making promises about security, privacy or anonymity, you have to keep those promises," Olsen said.

In its complaint, the FTC pointed to specific security promises that it contends Snapchat did not uphold, including "boilerplate" statements in its privacy policy.  For example, in its policy Snapchat said "[Parent company] Toyopa Group, LLC is dedicated to securing customer data and, to that end, employs the best security practices to keep your data protected" and "We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction."

Under the order, which will be put out for 30 days for public comment before it becomes final, Snapchat will have to cease any misrepresentation, establish, implement and maintain a comprehensive privacy program and conduct initial and biennial assessments of and reports on that program from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.  Those assessments and reports will continue for twenty years. Any violation of the order will cost Snapchat $16,000 per day per new violation or $16,000 per day for a continuing violation.

FCC Chairman: Implement NIST Cybersecurity Framework So That We Don't Have To


(Los Angeles, CA) The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today urged the cable industry to get moving on the implementation of the cybersecurity framework released by the National Institute of Standards and Technology (NIST) earlier this year.  Speaking at the National Cable and Telecommunications Association (NCTA) annual conference here, Wheeler said that broadband networks are at a critical cybersecurity juncture and that the "more we learn about the challenges of cybersecurity and the costs of failure, the more apparent the importance of addressing it with best efforts, including yours."

Pointing to the work of the FCC's Communications Security, Reliability and Interoperability Council (CSRIC), Wheeler said that the outcome of the industry-led CSRIC should be done "in such a way that those charged with oversight across the regulatory tapestry, recognize and understand the accepted cyber risk."

CSRIC is leveraging the NIST framework for its work and "over the course of the year we will need to see this translate into actual implementation," he said.  "We're intending this to be a new regulatory paradigm, and we're giving you the opportunity to write it. I urge you to step up, so we don't have to."

Although both the telecom and cable industries have embraced the NIST framework, many communications sector representatives have expressed fear that the voluntary framework could become mandatory at the Commission over time.  The FCC offered no further information on Wheeler's speech to the cable attendees, instead pointing to archived video of the last CSRIC meeting for more context.

The big news out of Wheeler's speech was his further clarification on where he is headed with the FCC's upcoming net neutrality rulemaking.  Leaked outlines of the controversial regulatory action have stirred public interest advocates and Silicon Valley companies to decry what they perceive to be forthcoming FCC-sanctioned creation of pay-for-play "fast lanes" on the Internet, whereby broadband providers (with cable companies serving as the "principal" broadband providers in the U.S.) can charge content and application providers more for quicker delivery to end Internet users.

In impassioned tones, Wheeler rejected the idea that the FCC would effectively kill net neutrality by sanctioning the creation of Internet fast lanes.  "Any new rule will assure an open pathway that is sufficiently robust to enable consumers to access the content, services and applications they demand and innovators and edge providers the ability to offer new products and services," he said.

Wheeler, who headed the NCTA himself thirty years ago, rebutted charges that as a former cable lobbyist he is predisposed to do the industry a favor in the net neutrality debate.  "Now, as Chairman of the FCC, I do not intend to allow innovation to be strangled by the manipulation of the most important network of our time, the Internet."

Cybersecurity Venture Funding Heats Up; Tally Tops At Least $630 Mil.


With the NSA, retail payment system breaches, Heartbleed vulnerabilities and other kinds of damaging digital security developments creating a vortex of never-ending headlines, it's little surprise that venture capitalists seem to be pouring money into cybersecurity start-ups at an accelerating pace.  In the past two days, Synack, a crowd-source vulnerability testing start-up founded by two former NSA analysts, and automated malware detection start-up Sentinel Labs announced they snagged a combined $18 mil. in capital from blue-chip Silicon Valley funders.

Synack got $7.5 mil. from Google Ventures and Kleiner Perkins, while Sentinel Labs got $12 mil. from a group of investors that includes Accel Partners and Granite Hill Capital Partners.  They join an impressive list of cybersecurity tech start-ups that have been catching the attention of tech's biggest money men since the beginning of 2012.

According to my list, which reflects only the funding announcements that have come across my radar screen, total cybersecurity-related tech start-up funding over the past two years tops at least $630 mil.  This year alone, around $143 mil. in venture capital has flowed to cybersecurity companies, and the pace seems to be picking up.

The tally below doesn't include the venture capital flowing into adjacent sectors, such as big data players, where a good deal of cybersecurity tech development occurs.  Counting those, the venture capital flowing to new cybersecurity tech creation over the past two years probably nears the $1 bil. mark, if not higher.
