Posts Tagged ‘cyber security’


Cyber Bill Getting Close…?

Enjoyed a fascinating and very educational trip to Capitol Hill last week, calling on various Representatives and Senators to lobby for Silicon Valley interests. The trip was sponsored by Silicon Valley Leadership Group – I really admire their mission to interact directly with Congress on issues that affect our broad sector – not any one company. While there are many trade associations in DC, the fact that a large group traveled across the country to voice a unified opinion seemed to impress. Our delegation included leaders from large corporations to start-ups, all grappling with the same challenges – immigration, patents, trade issues, and especially high on the list – cyber security.

In light of accelerating attacks, punctuated by the very recent and massive Anthem and Blue Cross/Blue Shield breaches, the word among those we met with was that a bill, a real bill with a real chance of passing, was close. In fact, it was due to come out of committee within a couple of weeks and go to the House. Senators seem to also understand this is urgent. I felt optimistic that collectively they might actually get something done.

Privacy has been the chief concern about past bills proposed, and why none have made it through to date. We received assurances that the soon-to-be-released reincarnation of CISPA was significantly different and would address many of the previous privacy concerns (why couldn’t they have done that in the first place?).

It was noted that while Government has lots of resources to help defend, Industry must be willing to turn over data needed to enable that defense – 80-85% of malicious code is believed to be in the private sector. Expect the new bill to have safe harbor provisions to protect Service Providers and others who hold our data. We were told that there will be no sharing with the NSA (good they’ve figured that one out) or the DoD – there must be civilian oversight, and all indications were Dept of Homeland Security would be on point.

While it was great to hear optimism among Congress people and their staff who joined the discussions, education of the broader Congressional membership is still a big gap. Hopefully the recent high profile health data breaches, which apparently touched as many as one in four Americans, have been enough to get the attention this issue so critically needs so we could see something fair yet helpful passed this year. Fingers crossed.

On a lighter note, Senator McCain was most gracious to pose with those of us who met with him.


Final Lessons from the Silicon Valley Cyber Security Summit – Dealing with Data Privacy?

The third and final Cyber Summit panel brought the growing privacy issue to the fore. The esteemed panelists from DC all noted Washington’s keen awareness of damage done from the NSA debacle, which has created a big rift in public trust of the government [not that it was so great before]. There is now timidity around addressing the cyber threat through aggressive legislation that will be seen as too invasive of personal privacy, especially until NSA surveillance practices get cleared up. Senator Chambliss had claimed that the proposed Cybersecurity Information Sharing Act represented a substantial compromise to that end, compared with previous legislative attempts.


I just can’t help but think that in the immediate aftermath of a potentially significant attack, we’ll see a Patriot Act-level response out of Congress – the consequences of which would most likely be irreversible. It would be far better for proactive and more balanced legislation to be passed in the very near term, before such an attack could happen. The bottom line is that when people don’t trust their government, they won’t share information the government will need to protect them.

Consumer privacy is a whole other issue. Many websites pay lip service to privacy by including obscure links in minuscule font that can take visitors through a maze of pages to an ultimate opt-out page. Facebook changes its policies so often that no one can keep up. The great majority of internet users simply don’t see or use these links. Sanford Reback, Senior Technology Analyst at Bloomberg Government, spoke of the need for corporations to exercise what is known in legal terms as ‘responsible use’ of personal data – and that Washington knows legislation will be needed to enforce this.

He noted that ‘policy must catch up with capability and capacity.’ At a Federal level, how long that will take and what it might look like are unknowns, but 47 states and the District of Columbia have already enacted their own information notification legislation. A Federal act would need to establish notification standards without weakening state laws already in place, and without making it so complicated that businesses won’t be able to comply. I figure if they’ve been able to get there with Gramm-Leach-Bliley and HIPAA, we can get there with digital privacy requirements too.

There were other great insights and little pearls dropped across the Summit, but a blog post can get too long. A key takeaway for me was that while corporations will always be competitive, the seriousness and urgency of this issue create an unusual “we’re in this together” dynamic that I found hopeful. While government and business can, should and will help, the bad guys and gals are out there, looking for new ways to get at what we’ve got – and that includes YOUR data. The best defense for now is to be active about guarding what you can and help spread the word to your friends and fam. Vaya Con Dios!


Tales from the Silicon Valley Cyber Security Summit – Part Deux

While the policy panel discussion at last week’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.

The good news – cyber presents a great career opportunity! As in, we need lots of help. Now. The not-as-good news: 40% of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance, which will help automate intervention, but there is still a need for people to skillfully apply them, and for others to come up with them in the first place in the face of a never-ending game of new threats. One speaker gave a statistic that only a couple of years ago, a new piece of malware was detected every 15 seconds. Now two new pieces of malware are detected every second! The speakers expected that pace to accelerate exponentially.

There are a growing number of formal university programs in this area – Mo Qayoumi, President of San Jose State, noted that they are launching new certificate programs in cyber security and big data analysis starting in the Spring 2015 semester, and I found many others online. I was very surprised to hear that only 12% of computer science majors are female, and that population has been steadily shrinking for two decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not even thinking about the problem. Hmmm.

Of course not all software learning is in the classroom, and talented hackers do emerge. That is why General Keith Alexander [former head of US Cyber Command] went calling at last year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Cyber Maryland and Virginia’s Mach37, and the many Silicon Valley start-ups trying to make a go of it.

Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so they delegate it to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11.] Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100M IT budget, 5-15% should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate Boards, there is uncertainty about what to actually do to prepare.

This is obviously a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting national treasures, your home and quality of life, our critical infrastructure and our national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized it thus: ‘the technology that empowers us also imperils us.’ Hoping more of us come to understand that and step up.




Cyber Movement

In time for the SOTU, the Obama Administration late yesterday finally issued the much anticipated Executive Order to strengthen cybersecurity protection. It had been in the works since last October.

Some key provisions:

  • Within 120 days, DHS, the Office of the Director of Nat’l Intelligence and Dept of Justice will issue instructions to ensure the timely production and dissemination of unclassified cyber threat reports that can be more broadly shared than they can be today
  • Security clearances for critical infrastructure employees will be expedited
  • The Enhanced Cybersecurity Services program will be expanded – this program allows sharing of classified cyber threat information by and with defense contractors and other cleared personnel. It will now be open to a wider array of critical infrastructure companies
  • The National Institute of Standards and Technology will work with other government agencies and private industry in developing the Cybersecurity Framework – a new risk framework and best practices – due out within a year; DHS will oversee voluntary adoption

However, since EOs aren’t the law, the cyber EO can’t require threat reporting to the government or eliminate possible privacy-related and antitrust liability for sharing information with the government or other companies. It still will rely on voluntary cooperation, until such time as Congress may act.

The White House intends for the EO to motivate Congressional action. Unfortunately, all we’ve seen so far this year is the re-introduction of last year’s CISPA bill (Cyber Intelligence Sharing and Protection Act), which failed due to privacy concerns, coming back in identical form. Since the new Executive Order offers greater privacy protection (from the Administration’s point of view, at least), we obviously have a ways to go in getting to middle ground – if that will be at all possible with this Congress. Given the critical nature of this situation (witness the recent spate of attacks on US banks), we at least now have a starting place.


Cyber Security – Who Will Be Minding Your Business?

I don’t think anyone would argue that cyber security is a BIG problem. Not just hackers trying to get at your hard drive through sneaky emails. There are bad guys out there who might want to do things like take down the power grid. Or knock out entire networks. Or bring transportation systems to their knees. The threats are real and many. There is a definite and proper role for strong, coordinated government initiatives to protect the country from cyber attacks – such action is, in my opinion, overdue. But who in the government is given that responsibility – and substantial accompanying authority – is up for grabs, and a power play is unfolding. I suspect most Americans have no idea of the changes that could happen fairly soon.

There is a Senate cyber security bill sponsored by John McCain [called SECURE IT] that would authorize internet service providers and other private sector companies to monitor communications and share information – potentially YOUR communications – with the National Security Agency (NSA) – the secret spy guys – or other Federal agencies. The bill contains very loose language defining ‘cyber threat indicators’ that would give the NSA a lot of leeway to track pretty much whatever they want – in effect imposing military authority over civilian activities. Information sharing would be “notwithstanding any law.” That means any other existing law would be subordinate to it. And with the NSA being a secretive agency by its nature, any misuses or over-reach would be hard to get at.

A probably more suitable agency to take on cyber security management is the Department of Homeland Security. It is non-military and more appropriate to oversee private sector concerns. Even then, we still need a line between private sector networks and government entities – not everything should be the government’s for the taking. The implications for individual citizens and American corporations are staggering.

There are other bills under consideration in the House and the Senate that would be less threatening to civil rights and personal privacy – I won’t claim to understand the detailed legalese – but McCain’s bill seems to have some momentum that should not be ignored. Our government needs to do something, very soon, but I don’t think we need a Patriot Act for the internet. A reasonable balance between security and privacy must be maintained.

Average people need to understand that there will soon likely be significant albeit unseen changes in the open and free internet we’ve grown up with. While Google’s recent lack of ‘privacy policy’ made big news, I wonder how many people actually changed their online habits to protect their own data. If the NSA is next to have at our digital information, I think we’ve really moved One Giant Step closer to Orwell’s Big Brother. For those who find this possibility troubling, you might need to do something – like write your Senator and tell them so.

More information on the SECURE IT and other cyber security bills is available on the Center for Democracy and Technology’s web site.


Another View on Vulnerability (I Still Want to Go Back to the Bubble)

OK, I seem to be in a cyber security phase. If the defense guys and wonks are rabid about the lack of policies to address this issue, the lawyers are grappling with a different angle. At today’s Nebraska U Law conference, four big brains debated the slippery slope of domestic vs. international law, crime vs. espionage, kinetic vs. ‘soft’ attack, information sharing vs. security concerns, and the constant challenge of balancing diplomatic restraint and policy trade-offs in the face of known attacks from sovereign state actors (like China and Russia).

One of the panelists quoted a third party who said “we’re the walking dead and don’t know it yet.” This echoed something I heard at last week’s seminar – “They could shut us down any time they want to; they just don’t want to.” Who is ‘they?’ I pondered with some concern. The exposure of our electrical grid has become a common topic of conversation. Apparently there is a rumor that China has put something called logic bombs in it, which have the sole purpose of destroying the system. BUT, China is our biggest creditor – so can we really press this suspicion? Does this seem like an urgent problem to anyone but me???

Civil, criminal, conflict (war), and espionage attacks fall under the jurisdiction of different governmental authorities – perhaps at the federal or international level, but possibly at the state or even more local level. (And we all know how well these agencies share with each other.) This imposes different protective and prosecutorial statutes, but also creates an enormous grey area over terminology, definitions and boundaries around what constitutes what kind of cyber ‘activity’ (apparently even the word ‘attack’ is loaded and has a strict context). The complexity of digital technologies makes cyber aggression difficult to trace and even more difficult to prosecute. Short of a clear instance of physical harm, building a legal case that will stand up with the appropriate adjudicating authority seems quite challenging.

Best to prevent such incidents in the first place, right? I come back again to the defense issue. The list of vulnerable apps was long – mobile, cloud, IPv6, medical devices, smart grid, supply chain reliability, and behavioral advertising…doesn’t that cover just about EVERYTHING that makes the modern world run? As at last week’s Potomac conference, I saw an enormous disconnect between Silicon Valley and Washington. Today’s legal experts also described Silicon Valley as just overwhelmingly concerned with making as much money as possible, with security and data privacy as afterthoughts. Well, it would seem to me there is enormous financial opportunity (and a fair bit of glory) for the innovator that figures out real protection for the digital infrastructure that runs today’s world. The point of view of today’s panelists certainly reinforces the growing urgency for policy makers and high tech innovators to somehow come together – fast – in figuring this out.


Vulnerability (or… can I go back to my bubble now please?)

And until now I was only worried about hackers trying to get into my bank account. I learned yesterday that there are 6 categories of cyber threat perpetrators – at least according to one expert at the Potomac Institute, a policy think tank that studies cyber security, among other things technological. Select nation states (read that China, Russia, Iran?), organized terrorist groups, cyber-social ‘malefactors’ (such as the group Anonymous), hooligans, hacktivists, and just plain old criminals all pose cyber threats, each with different motivations, capabilities and resources. Kind of makes me miss the good old days of the Mob, which at least was predictable and bounded.

The august panel at today’s Cyber Symposium was decidedly hawkish, but while I didn’t agree with a lot of their politics, I absolutely respect their grasp of the issues and their passion around dealing with the threat. By the time it was over, my world view was somewhat changed. Risks are everywhere – from the technology supply chain to the memory stick in someone’s pocket to our unsecured energy grid. Life as we depend on it could come to a screeching halt in less than a second, if the right malware is released into the system. As with other forms of terrorism, you can’t let this stop you from living your life, but more aggressive approaches to this situation are indeed warranted.

While I listened to this group of Washington-insider defense experts debate what policy action is required from which branches of government, I was struck by an over-riding thought: this is not a traditional defense situation, and Washington is NOT going to solve this problem. Industry might. It is the ICT industry that innovates, that develops the technology in the first place (albeit often from publicly funded basic research), and that has the unencumbered agility to try different things. Besides, the private sector is concerned with its own security, so it is already working on these issues.

Yes, industry will expect and deserve to be paid, but heads of U.S. corporations are also Americans, and I’m just not that cynical yet to think they wouldn’t be willing to collaborate on helping protect the country and the national infrastructure – which by the way affects their customers too.

Yesterday, the digital divide was so glaringly apparent to me – the one between Washington and Silicon Valley. Government and industry are going to have to get together in a hands-on practical way about this issue. Or not… Stay alert, people. And keep your Norton up to date.
