Author Archive for Kathy Stershic

17 Jun 15

Are Processors Getting Close to Actually Thinking?!

Back after a long hiatus from a cross-country move, and where do I start? Unbelievable amount of disruptive technologically-based change, and the stakes are getting higher. I’ve hit multiple events around town of late, and am hearing some things that I find, well, a tad head-spinning.

The applications and implications of ‘Internet of Things’ and Big Data are accelerating. There is some GREAT stuff going on. Like the National Institutes of Health are offering a new portal enabling researchers to collaborate on highly specialized data related to patients with Alzheimer’s disease. Cool! And a winery in California that is using connected sensors to maximize irrigation practices and vineyard yield. Yay! There are new apps for everything from monitoring weather patterns to traffic management. Things are coming on fast. But along with the benefits, the risks are of course growing.

Cyber security threats are getting worse (is that possible?). Aside from the massive data hack on 4M government workers, last week, I learned that China claims to have ‘graduated’ 2 million Cyber Warriors – looks like they were testing out their offensive via the government hack. Of course hackers are a worldwide breed. But as cyber crime increases, the authorities are not necessarily trained to detect or respond. How would a police officer investigating an auto accident be able to tell if that accident resulted from a hack of a car’s braking system? Yikes.

I learned that IBM has created a chip with 256 million synapses modeled on human cognition. Something called neuro-morphic data. Hmmm. I wonder where that could go. I learned that massive amounts of data are growing at the ‘edge’, and that in 2 short years, the collective computing and storage capacity of smartphones will surpass all servers – worldwide. I heard a highly placed person at Microsoft say IoT can’t be all about money – it has to be about improving people’s lives. Nice! I heard a Cisco exec say the ghost in the machine can easily become the menace in the machine. Not so nice. I heard a representative from the FAA say that they’re staying away from the privacy aspects of drones because their charter is on safety in the air. Isn’t privacy directly linked to safety? And I learned that the black market price of a stolen health record now exceeds the price of a stolen credit card record by 20:1. And when someone else uses your health identity for themselves, your digital health profile can be changed, and the consequences (wrong meds, wrong injections) can be deadly.

Expert opinions on the role of government still vary. We may see some cyber policy this year, but data privacy policy at the Congressional level seems still far off. Some believe that “Where business leads, policy follows.” Then it’s time for business to start getting more privacy-responsible. Right now, that doesn’t seem to be the case.

24 Mar 15

Cyber Bill Getting Close…?

Enjoyed a fascinating and very educational trip to Capitol Hill last week, calling on various Representatives and Senators to lobby for Silicon Valley interests. The trip was sponsored by Silicon Valley Leadership Group – I really admire their mission to interact directly with Congress on issues that affect our broad sector – not any one company. While there are many trade associations in DC, the fact that a large group traveled across the country to voice a unified opinion seemed to impress. Our delegation included leaders from large corporations to start-ups, all grappling with the same challenges – immigration, patents, trade issues, and especially high on the list – cyber security.

In light of accelerating attacks, punctuated by the very recent and massive Anthem and Blue Cross/Blue Shield breaches, the word among those we met with was that a bill, a real bill with a real chance of passing, was close. In fact, due to come out of committee within a couple of weeks and go to the House. Senators seem to also understand this is urgent. I felt optimistic that collectively they might actually get something done.

Privacy has been the chief concern about past bills proposed, and why none have made it through to date. We received assurances that the soon-to-be-released reincarnation of CISPA was significantly different and would address many of the previous privacy concerns (why couldn’t they have done that in the first place?).

It was noted that while Government has lots of resources to help defend, Industry must be willing to turn over data needed to enable that defense – 80-85% of malicious code is believed to be in the private sector. Expect the new bill to have safe harbor provisions to protect Service Providers and others who hold our data. We were told that there will be no sharing with the NSA (good they’ve figured that one out) or the DoD – there must be civilian oversight, and all indications were Dept of Homeland Security would be on point.

While it was great to hear optimism among Congress people and their staff who joined the discussions, education of the broader Congressional membership is still a big gap. Hopefully the recent high profile health data breaches, which apparently touched as many as one in four Americans, have been enough to get the attention this issue so critically needs so we could see something fair yet helpful passed this year. Fingers crossed.

On a lighter note, Senator McCain was most gracious to pose with those of us who met with him.

23 Nov 14

The Uber Problem Isn’t a Culture Issue, It’s a Policy Issue

The recent comments of Uber’s SVP Emil Michael were certainly the scandal of the week. Mr. Michael’s demonstrated level of arrogance is not unique to Uber, although he has been one of the more cavalier about verbalizing it. Even the choice of company name implies arrogance – in German, “uber” means “over” and “above”. What this has to do with ride-sharing I’ve never understood.

Over several days I’ve seen a few articles referring to this blunder as a culture problem. I’m sure there is one there as there are in many hot companies. But this far exceeds culture. The bigger issue is that all manner of corporate entities now own large and growing amounts of data about their users, and the discretion about how to use or not use that data and who within a company can access it should not be left to culture.

In the case of the kind of information Uber collects, this can come down to issues of personal safety – where someone lives, where they travel, how late they party, how vulnerable they might be when calling for a midnight ride. There is plenty wrong with the taxi system (I take them fairly often and cringe at the high prices and often surly service) but the reason I have not opted for Uber or other such services is that taxis are regulated for a reason.

Use of personal data should be as well. Until the government might get its act together on protecting citizens’ right to some measure of privacy, corporations would do well, and perhaps garner some favorable points with customers, to establish and enforce very strict data collection and usage policies, and be very transparent about those policies with their users.

03 Oct 14

One Congresswoman’s Perspective on Why We Don’t Have National Cybersecurity or Privacy Policies

I was able to attend an interesting discussion yesterday hosting Congresswoman Betty McCollum, a Democrat from Michigan who journeyed all the way to Santa Clara, CA in the interest of furthering dialog and understanding between herself as a Representative on the powerful Appropriations Committee and the high tech community. Kudos to her for the sincere outreach, and to the Silicon Valley Leadership Group for putting the event on.

During the event, I was able to ask for her opinion on where Congress stood with passing any cyber security or data privacy legislation in the foreseeable future. While her response was candid, I must admit it was a bit of a surprise – she said she didn’t think I’d want them passing any legislation because they don’t understand the issues, and that most Congresspeople are inept when it comes to technology – even using it. Well there, at least somebody called it out.

She went on to sound the alarm (as was also heard from Senator Saxby Chambliss at last August’s Silicon Valley Cyber Security Summit) that Congress needs a wake-up call, that they’re failing the American people on this issue, that we need to get our act together, and and and… Representative McCollum went on to bemoan the volume of issues and work to keep up on, the lack of staff capacity due to budget cuts, Congressional discord, the Tea Party, etc. etc. etc. It was sadly the kind of dodge from an uncomfortable question that seems an auto-response from those in elected office. Lots of ‘we need to’s’ and ‘we shoulds’ but no action. At this point I could only see an abrogation of duty, but what else is new? These threats are real and core to national defense and well being. I wonder how many in the Congress might think they should actually learn about technology – goes to show the effects of having minions take care of all of that pesky stuff for you.

Given the pace at which cyber attacks and malware are accelerating; given the unprecedented collection of data from everywhere about everyone; and if the Gentlewoman from Minnesota’s position is correct – and I fear it is, we’ll likely be in for an uninformed, ill-advised Congressional knee jerk reaction when some big time dookie hits. Whoever has their ear about the correct course of action at such time is likely to influence policy that will last for many years. As the Patriot Act shows, once they do something, they don’t un-do it, no matter how much it might need undoing.

Keep changing your passwords folks.

22 Aug 14

Final Lessons from the Silicon Valley Cyber Security Summit – Dealing with Data Privacy?

The third and final Cyber Summit panel brought the growing privacy issue to the fore. The esteemed panelists from DC all noted Washington’s keen awareness of damage done from the NSA debacle, which has created a big rift in public trust of the government [not that it was so great before]. There is now timidity around addressing the cyber threat through aggressive legislation that will be seen as too invasive of personal privacy, especially until NSA surveillance practices get cleared up. Senator Chambliss had claimed substantial compromise to that end in the proposed Cybersecurity Information Sharing Act over previous legislative attempts.

I just can’t help but think that in the immediate aftermath of a potentially significant attack, we’ll see a Patriot Act-level response out of Congress – the consequences of which would most likely be irreversible. It would be far better for proactive and more balanced legislation to be passed in the very near term, before such an attack could happen. The bottom line is that when people don’t trust their government, they won’t share information the government will need to protect them.

Consumer privacy is a whole other issue. Many websites pay lip service to privacy by including obscure links in minuscule font that can take visitors through a maze of pages to an ultimate opt-out page. Facebook changes its policies so often that no one can keep up. The great majority of internet users simply don’t see or use these links. Sanford Reback, Senior Technology Analyst at Bloomberg Government, spoke of the need for corporations to exercise what is known in legal terms as ‘responsible use’ of personal data – and that Washington knows legislation will be needed to enforce this.

He noted that ‘policy must catch up with capability and capacity.’ At a Federal level, how long that will take and what it might look like are unknowns, but 47 states and the District of Columbia have already enacted their own information notification legislation. A Federal act would need to establish notification standards but without weakening state laws already in place, and without making it so complicated that businesses won’t be able to comply. I figure if they’ve been able to get there with Gramm Leach Bliley and HIPAA, we can get there with digital privacy requirements too.

There were other great insights and little pearls dropped across the Summit, but a blog post can get too long. A key takeaway for me was that while corporations will always be competitive, the seriousness and urgency of this issue create an unusual “we’re in this together” dynamic that I found hopeful. While government and business can, should and will help, the bad guys and gals are out there, looking for new ways to get at what we’ve got – and that includes YOUR data. The best defense for now is to be active about guarding what you can and help spread the word to your friends and fam. Vaya Con Dios!

21 Aug 14

Tales from the Silicon Valley Cyber Security Summit – Part Deux

While the policy panel discussion at last week’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.

The good news – cyber presents a great career opportunity! As in, we need lots of help. Now. The not as good news, 40% of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance which will help automate intervention, but there is still a need for people to skillfully apply them, and for others to come up with them in the first place in the face of a never-ending game of new threats. One speaker gave a statistic that only a couple of years ago, a new malware was detected every 15 seconds. Now two new malwares are detected every one second! The speakers expected that pace to accelerate exponentially.

There are a growing number of formal university programs in this area – Mo Qayoumi, President of San Jose State, noted that they are launching new certificate programs in cyber security and big data analysis starting in the Spring 2015 semester, and I found many others online. I was very surprised to hear that only 12% of computer science majors are female, and that population has been steadily shrinking for 2 decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not even thinking about the problem. Hmmm.

Of course not all software learning is in the classroom and talented hackers do emerge. That is why General Keith Alexander [former head of US CyberCommand] went calling at last year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Cyber Maryland and Virginia’s Mach37, and the many Silicon Valley start-ups trying to make a go.

Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so delegate off to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11]. Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100M IT budget, 5-15% should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate Boards, there is uncertainty about what to actually do to prepare.

This is obviously a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting national treasures, your home and quality of life, our critical infrastructure and our national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized it thus: ‘the technology that empowers us also imperils us.’ Hoping more of us come to understand that and step up.

18 Aug 14

What I Learned at the Silicon Valley Cyber Security Summit – Part 1

I was fortunate to attend last week’s Silicon Valley Cyber Security Summit, where I spent 4 hours indulging my obsession with this subject while unfortunately increasing my level of paranoia. The panel discussions were excellent, bringing perspectives from security technology providers, pundits, the Dept of Homeland Security, two Congressmen, two Senators and execs from the outstanding Silicon Valley Leadership Group [#SVLG].

The first discussion centered around progress to date with Obama’s Executive Order (EO) issued in early 2013, and the potential for more formal cyber policy or regulation coming from the Congress. The cybersecurity problem offers a rare opportunity for the public sector to lead in a critical technology domain, but all of the day’s speakers emphasized the requirement for public-private partnership in addressing the challenge. There has actually been some good news around the Cybersecurity Framework, an outcome of the EO being driven by NIST, in which participation is voluntary but to which apparently 3000 private sector representatives have actually contributed. While governments actively push such information to the citizenry, companies need to share a lot more about what’s happening to them, what they’re learning and how they’re defending themselves – competitive concerns are keeping this constrained to date. Still, some progress is being made.

One of the biggest eye openers was the claim by several speakers that the public is just not engaged in this issue and therefore practices poor digital ‘hygiene’. I found this surprising and uncanny in the aftermath of the Target and Neiman’s attacks last Fall, and the August 5 revelation that a Russian crime ring had stolen 1.2 billion user name and password combinations and more than 500 million email addresses. WAKE UP PEOPLE – this is serious stuff!

Senator Saxby Chambliss (R-GA) extolled the virtues of his and DiFi’s Cybersecurity Information Sharing Act bill, which made it through the Intelligence Committee but still faces stiff opposition from privacy advocates. While speaking at length about the urgency of the issue, Sen. Chambliss then went on to say that Congress would only be working a whopping 3 weeks between now and the November Election!!!!!  Two weeks for the Senate, one for the House. Wish I could get paid with great benefits for not working. Post-election will be a lame duck December, then the Freshman class must be educated on the issue. And then of course there were the references to don’t overregulate, etc. that will expose the usual partisan split. Bottom line, passage of a bill is unlikely anytime soon.

Everyone agreed that what would spur Congressional action would be a real crisis – a big attack that causes some real national pain. Let’s hope we don’t have to endure that to get something meaningful. It is also possible for Fed agencies like HHS, DHS, the SEC and others to impose cyber regulations within their domains – some are already doing so. And States are stepping up too, with a plethora of unique policies that will be nigh impossible to follow if you happen to do business nationally. Beyond the US, each country will have its own policies as well.

For me, the core issue behind all of the discussion was TRUST – people don’t trust the government, businesses don’t trust each other OR the government, the government doesn’t trust other governments … One speaker even joked that in the Silicon Valley, the NSA is seen as an ‘advanced persistent threat.’  Everyone is waiting for something BIG to happen, which it will sooner or later. Let’s hope later.

My next post will take up the 2nd worry point – the lack of a talent pool to address this mess!



