Cyber Bill Getting Close…?

Enjoyed a fascinating and very educational trip to Capital Hill last week, calling on various Representatives and Senators to lobby for Silicon Valley interests. The trip was sponsored by Silicon Valley Leadership Group –  I really admire their mission to interact directly with Congress on issues that affect our broad sector – not any one company. While their our many trade associations in DC, the fact that a large group traveled across the country to voice a unified opinion seemed to impress. Our delegation included leaders from large corporations to start-ups, all grappling with the same challenges – immigration, patents, trade issues, and especially high on the list – cyber security.

In light of accelerating attacks, punctuated by the very recent and massive Anthem and Blue Cross/Blue Shield breaches, the word among those we met with was that a bill, a real bill with a real chance of passing, was close. In fact, due to come out of committee within a couple of weeks and go to the House. Senators seem to also understand this is urgent. I felt optimistic that collectively they might actually get something done.

Privacy has been the chief concern about past bills proposed, and why none have made it through to date. We received assurances that the soon-to-be-released reincarnation of CISPA was significantly different and would address many of the previous privacy concerns (why couldn’t they have done that in the first place?).

It was noted that while Government has lots of resources to help defend, Industry must be willing to turn over data needed to enable that defense – 80-85% of malicious code is believed to be in the private sector. Expect the new bill to have safe harbor provisions to protect Service Providers and others who hold our data. We were told that there will be no sharing with the NSA (good they’ve figured that one out) or the DoD – there must be civilian oversight, and all indications were Dept of Homeland Security would be on point.

While it was great to hear optimism among Congress people and their staff who joined the discussions, education of the broader Congressional membership is still a big gap. Hopefully the recent high profile health data breaches, which apparently touched as many as one in four Americans, have been enough to get the attention this issue so critically needs so we could see something fair yet helpful passed this year. Fingers crossed.

 

 

 

 

On a lighter note, Senator McCain was most gracious to pose with those of us who met with him.

One Congresswoman’s Perspective on Why We Don’t Have National Cybersecurity or Privacy Policies

I was able to attend an interesting discussion yesterday hosting Congresswoman Betty McCollum, a Democrat from Michigan who  journeyed all the way to Santa Clara, CA in the interest of furtherig dialog and understanding between herself as a Representative on the powerful Appropriations Committee and the high tech community. Kudos to her for the sincere outreach, and to the Silicon Valley Leadership Group for putting the event on.

During the event, I was able to ask for her opinion on where Congress stood with passing any cyber security or data privacy legislation in the foreseeable future. While her response was candid, I must admit it was a bit of a surprise – she said she didn’t think I’d want them passing any legislation because they don’t understand the issues, and that most Congresspeople are inept when it comes to technology – even using it. Well there, at least somebody called it out.

She went on to sound the alarm (as was also heard from Senator Saxby Chambliss at last August’s Silicon Valley Cyber Security Summit) that Congress needs a wake-up call, that they’re failing the American people on this issue, that we need to get our act together, and and and…   Representative McCollum went on to bemoan the volume of issues and work to keep up on, the lack of staff capacity due to budget cuts, Congressional discord, the Tea Party, etc. etc. etc. It was sadly the kind of dodge from an uncomfortable question that seems an auto-response from those in elected office. Lot’s of ‘we need to’s’ and ‘we shoulds’ but no action. At this point I could only see an abrogation of duty, but what else is new? These threats are real and core to national defense and well being. I wonder how many in the Congress might think they should actually learn about technology – goes to show the effects of having minions take care of all of that pesky stuff for you.

Given the pace at which cyber attacks and malware are accelerating; given the unprecedented collection of data from everywhere about everyone; and if the Gentlewoman from Minnesota’s position is correct – and I fear it is, we’ll likely be in for an uninformed, ill-advised Congressional knee jerk reaction when some big time dookie hits. Whomever has their ear about the correct course of action at such time is likely to influence policy that will last for many years. As the Patriot Act shows, once they do something, they don’t un-do it, no matter how much it might need undoing.

Keep changing your passwords folks.

Final Lessons from the Silicon Valley Cyber Security Summit – Dealing with Data Privacy?

The third and final Cyber Summit panel brought the growing privacy issue to the fore. The esteemed panelists from DC all noted Washington’s keen awareness of damage done from the NSA debacle, which has created a big rift in public trust of the government [not that it was so great before]. There is now timidity around addressing the cyber threat through aggressive legislation that will be seen as too invasive of personal privacy, especially until NSA surveillance practices get cleared up. Senator Chambliss had claimed substantial compromise to that end in the proposed Cybersecurity Information Sharing Act over previous legislative attempts.

 

I just can’t help but think that in the immediate aftermath of a potentially significant attack, we’ll see a Patriot Act-level response out of Congress – the consequences of which would most likely be irreversible. It would be far better for proactive and more balanced legislation to be passed in the very near term, before such an attack could happen. The bottom line is that when people don’t trust their government, they won’t share information the government will need to protect them.

 
Consumer privacy is a whole other issue. Many websites pay lip service to privacy by including obscure links in miniscule font that can take visitors through a maze of pages to an ultimate opt-out page. Facebook changes its policies so often that no one can keep up. The great majority of internet users simply don’t see or use these links. Sanford Reback, Senior Technology Analyst at Bloomberg Government, spoke of the need for corporations to exercise what is known in legal terms as ‘responsible use’ of personal data – and that Washington knows legislation will be needed to enforce this.

 
He noted that ‘policy must catch up with capability and capacity.’ At a Federal level, how long that will take and what it might look like are unknowns, but 47 states and the District of Columbia have already enacted their own information notification legislation. A Federal act would need to establish notification standards but without weakening state laws already in place, and without making it so complicated that businesses wont’ be able to comply. I figure if they’ve been able to get there with Gramm Leach Bliley and HIPAA, we can get there with digital privacy requirements too.

 
There were other great insights and little pearls dropped across the Summit, but a blog post can get too long. A key takeaway for me was that while corporations will always be competitive, the seriousness and urgency of this issue create an unusual “we’re in this together” dynamic that I found hopeful. While government and business can, should and will help, the bad guys and gals are out there, looking for new ways to get at what we’ve got – and that includes YOUR data. The best defense for now is to be active about guarding what you can and help spread the word to your friends and fam. Vaya Con Dios!

Tales from the Silicon Valley Cyber Security Summit – Part Deux

While the policy panel discussion at last week’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.

The good news – cyber presents a great career opportunity! As in, we need lots of help. Now. The not as good news, 40% of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance which will help automate intervention, but there is still a need for people to skillfully apply them, and for others to come up with them in the first place in the face of a never-ending game of new threats. One speaker gave a statistic that only a couple of years ago, a new malware was detected every 15 seconds. Now two new malwares are detected every one second! The speakers expected that pace to accelerate exponentially.

There are a growing number of formal university programs in this area – Mo Qayoumi, President of San Jose State, noted that they are launching new certificate programs in cyber security and big data analysis starting in the Spring 2015 semester, and I found many others online. I was very surprised to hear that only 12% of computer science majors are female, and that population has been steadily shrinking for 2 decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not even thinking about the problem. Hmmm.

Of course not all software learning is in the classroom and talented hackers do emerge. That is why General Keith Alexandar [former head of US CyberCommand] went calling at least year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Cyber Maryland and Virginia’s Mach37, and the many Silicon Valley start-ups trying to make a go.

Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so delegate off to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11]. Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100M IT budget, 5-15% should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate Boards, there is uncertainty about what to actually do to prepare.

This is obviously a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting national treasures, your home and quality of life, our critical infrastructure and our national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized it thus: ‘the technology that empowers us also imperils us.” Hoping more of us come to understand that and step up.

 

 

What I Learned at the Silicon Valley Cyber Security Summit – Part 1

I was fortunate to attend last week’s Silicon Valley Cyber Security Summit, where I spent 4 hours indulging my obsession with this subject while unfortunately increasing my level of paranoia. The panel discussions were excellent, bringing perspectives from security technology providers, pundits, the Dept of Homeland Security, two Congressmen, two Senators and execs from the outstanding Silicon Valley Leadership Group [#SVLG].

The first discussion centered around progress to date with Obama’s Executive Order (EO) issued in early 2013, and the potential for more formal cyber policy or regulation coming from the Congress.The cybersecurity problem offers a rare opportunity for the public sector to lead in a critical technology domain, but all of the day’s speakers emphasized the requirement for public-private partnership in addressing the challenge. There has actually been some good news around the Cybersecurity Framework, an outcome of the EO being driven by NIST, in which participation is voluntary but to which apparently 3000 private sector representatives have actually contributed. While governments actively push such information to the citizenry, companies need to share a lot more about what’s happening to them, what they’re learning and how they’re defending themselves – competitive concerns are keeping this constrained to date. Still, some progress is being made.

One of the biggest eye openers was the claim by several speakers that the public is just not engaged in this issue and therefore practices poor digital ‘hygiene’. I found this surprising and uncanny in the aftermath of the Target and Nieman’s attacks last Fall, and the August 5 revelation that a Russian crime ring had stolen including 1.2 billion user name and password combinations and more than 500 million email addresses. WAKE UP PEOPLE – this is serious stuff!

Senator Saxby Chambliss (R-GA) extolled the virtues of his and DiFi’s Cybersecurity Information Sharing Act bill, which made it through the Intelligence Committee but still faces stiff opposition from privacy advocates. While speaking at length about the urgency of the issue, Sen. Chambliss then went on to say that Congress would only be working a whopping 3 weeks between now and the November Election!!!!!  Two weeks for the Senate, one for the House. Wish I could get paid with great benefits for not working. Post-election will be a lame duck December, then the Freshman class must be educated on the issue. And then of course there were the references to don’t overregulate, etc. that will expose the usual partisan split. Bottom line, passage of a bill is unlikely anytime soon.

Everyone agreed that what would spur Congressional action would be a real crisis – a big attack that causes some real national pain. Let’s hope we don’t have to endure that to get something meaningful . It is also possible for Fed agencies like HHS, DHS, the SEC and others to impose cyber regulations within their domains – some are already doing so. And States are stepping up too, with a plethora of unique policies that will be nigh impossible to follow if you happen to do business nationally. Beyond the US, each country will have its own policies as well.

For me, the core issue behind all of the discussion was TRUST – people don’t trust the government, businesses don’t trust each other OR the government, the government doesn’t trust other governments … One speaker even joked that in the Silicon Valley, the NSA is seen as an ‘advanced persistent threat.’  Everyone is waiting for something BIG to happen, which it will sooner or later. Let’s hope later.

My next post will take up the 2nd worry point – the lack of a talent pool to address this mess!

Unconventional Wisdom for Entrepreneurs

At today’s Destination Innovation event sponsored by #NVTC Northern Virginia Technology Council, entrepreneurship and technology innovation in the Northern Virginia / DC Metro area was rightfully celebrated – there is a lot going on here! The event offered mini-pitches from local innovators well beyond government-focused solutions that tend to be associated with this area. Congratulations to award winners @LynxFit, @homesnap, @LMI_org, and especially @KeyCyberSec who is serving a high value social purpose that also has great growth potential!

There were two keynotes. Carly Fiorina gave a sporting mom-and-apple-pie speech that surprisingly, at least to me, centered around policy.  Despite her failed California Senate bid, she clearly still has political ambitions and was positioning accordingly. The second keynote was from local tech hero @Michael Chasen, founder of Blackboard, who nurtured his higher ed start-up service from a garage to a $1.7B selling price. He is now on to a new venture @SocialRadar.  His remarks were resonant for the aspirational attendees, many of whom were start-ups dreaming of making it big. His very personalized speech focused on 5 unconventional wisdoms learned from his journey with Blackboard. While I’m not sure how many of them were truly ‘unconventional’ they were spot-on for what it takes to make it in today’s market.

1) Be passionate about what you’re undertaking [and be an expert in your field]

2) Focus on the business – not the office. In other words, don’t worry about the ‘stuff’ – he showed a picture of his original, ergonomically awful desk chair that he claimed to still use

3) Share the vision – and sell the execution

4) Constantly seek advice [and pay attention to it]

5) Realize that disruption changes everything – and then changes everything again

Whether you are a tech company or any other innovative venture, these were great insights, born from direct experience, by which to run your business. Very proud to have had a small hand in this event, and truly impressed with the level of entrepreneurship to be found in this region. Silicon Valley, take note!

So Tomorrow is “The Day We Fight Back”?

February 11 is supposed to be a day of mass protest against NSA surveillance. Named ‘The Day We Fight Back’ it is reportedly the brainchild of a 34 year old former Congressman from Rhode Island, David Segal, and supported by “hundreds” of internet companies and various other political, civil and digital rights groups – both conservative and liberal.

The intent seems to be to evoke the same kind of digital ground swell that emerged 2 years ago around the Stop Online Privacy Act (SOPA) and Protect Intellectual Property Act (PIPA), in which the Congress was so caught off guard by the power of major websites going dark or posting protest messages for a single day that the proposed legislation was immediately killed. [See my post from Jan 26, 2012]

Tomorrow’s event, from what I can find online as of today, has some fairly significant differences from the Stop SOPA/PIPA movement.

For one, I don’t see the NSA bending to public will like Congress did – votes are not at stake, the intelligence community moves in a totally different (and mysterious) way, and the White House has already outlined its plan for NSA reform.

Tomorrow’s action also has mixed goals – along with people just generally stating that they think NSA surveillance is evil and unAmerican (which is rather vague), apparently some of the protesting organizations will also “ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act [how many Americans even know what those are?] and also use the event as an opportunity to commemorate Aaron Swartz, a controversial figure. While Swartz was a leader in the anti-SOPA/PIPA effort, his later prosecution for computer fraud and abuse, and subsequent suicide left a conflicted reputation.

Further, this is supposed to be an international event for others around the globe to express their outrage with the NSA reaching into their borders. I’m feeling like the message is mixed. Without a single firm goal, this effort could go the way of the Occupy movement.

But I’m curious. None of us likes the idea of the NSA or any other government entity collecting information on us. The privacy issue has been building steam for a long while, and Snowden pushed it out into the open. Tomorrow is the first real organized effort, and maybe something will come out of it.  I find it interesting that the more radical Electronic Frontier Foundation is a main sponsor of the event, yet DC’s Center for Democracy and Technology, perhaps more practiced in the ways to get things done on The Hill, is not even connected with it.

I’ve been predicting [hoping for?] some sort of privacy legislation for the past couple of years. The issue is gathering steam, but change doesn’t come without the people’s voice. How many will actually feel outraged enough to call or email their Congressperson tomorrow? How many are more interested in the Olympics? Should be an interesting day.

First Steps Toward Privacy Policy?

Regardless of how one feels about Edward Snowden, he certainly has brought the privacy issue to the forefront. While the NSA has been in the eye of the media storm, private industry’s collection of personal data is on the coat tails. In President Obama’s speech last week, he alluded to directing one of his advisers to “lead a comprehensive review of big data and privacy.” That most likely will be targeted at the incredibly sophisticated Marketing practices now conducted by many corporations – and “Big Data” is just getting started.

People are becoming more aware of how much information about them is being tracked. If you compound the NSA  debacle with the impact of the 2013 holiday season Target data breach (I personally had to replace my debit card), the privacy issue is becoming a lot more real for average citizens. Government moves slow – but it looks like it is starting to move on this issue – and that most likely will mean some changes for the companies (big and small) who have gotten quite used to collecting, using, selling information about us as a core business model.

I invite visitors to revisit my white paper from last Spring where I shared some thoughts on what potential policy changes around Big Data and privacy could mean for marketers and communicators.  It included a useful piece of advice from Tim Keller, a law partner with Lindquist and Vennum’s IT, Internet and eCommerce practice (in Minneapolis), and author of the blog Big Data and The Law: “To prepare for radical shifts in data management policy, have as much knowledge about your data as you can, so when a legislator says you can’t have it, you throw away as little as possible.” It might be time to start thinking a little harder about that.

BYOD: Where’s the Line Between Your Job and Your Life?

I recently read a very interesting article* on the growing BYOD [Bring Your Own Device] trend. The article touted a Gartner [market research] prediction that by 2017, one half of employers worldwide will stop providing digital devices and require employees to bring their own to work. Wow.

Even if it’s only one quarter of employers by then, the implications of such a change are profound for both parties. Wouldn’t we all love the convenience of one PC for all of our stuff?  Wouldn’t life be simpler if we had a single smartphone instead of one for work and one for personal? Wouldn’t companies like to save all that money by having workers pay for the assets needed to perform their jobs?

Maybe not so much. There are some significant considerations on both sides that will require technological as well as legal solutions before this could work.

Security is most obvious. Employers will rightfully want to and in most cases legally have to protect their systems and their data. Device-based security is found wanting in the age of ultra-sophisticated hacking. But what legal right would an employer have to force an employee to install security technologies on their personal device?

PCs have long been vulnerable, but today’s mobile devices are ever more subject to attack – especially smartphones and tablets where people download all kinds of apps. Employees often use insecure public networks, and goodness knows what their kids might do on devices left around the house. Legitimate users with unknowingly compromised devices could introduce havoc to the corporate network.

Leveraging the Cloud could help, but there are still many security concerns there as well. We can certainly expect cloud security to be greatly improved by 2017, but hackers will never rest. And once corporate data is downloaded to an employee’s personal asset, the employer has lost control.

Privacy is another big issue. How would one confidently partition personal data from employer data? Will your employer be able to see what web sites you visit? What apps you use? As with NSA tracking of private citizens, how would you know where and when you might be compromised? Conversely, what about employees’ family members who go on a little snooping expedition on the company network?

There are also productivity concerns. Certain software could restrict what employees can do with their devices, negatively impacting productivity. And what about the right to work? Will qualified workers be legally denied jobs because they don’t personally own the latest and greatest technology that companies define as mandatory work tools? Perhaps iPads will become the digital equivalent of the uniform. What about when employment ends – what happens to the downloaded data, the company software, the network access?

This is a really complex issue that requires much more thought and vetting before BYOD can be successfully implemented on a broad scale. How comfortable would you be integrating your personal devices into your job?

*Thanks to IEEE’s Computer magazine, November 2013 issue

Clowns to the Left of Me, Drones to the Right…?

Interesting time as always at last night’s gala Media Predicts: 2014 (#MP14) – where Silicon Valley PR folk hobnob with tech media elite. Always fun to hear next year’s predictions, catch a little gossip, and look back at what predictions were way off base last year! Shout out to PRSA Silicon Valley for putting on this event – it’s a lot of work and always well done.

One of the hot discussion topics was Amazon’s drone delivery vision – while Bezos went on 60 Minutes last Sunday to describe what he sees as feasible by 2015, a Monday faux news story had floated that such delivery was imminent – it got yuks for the best PR stunt of the week. Still, the visionary Bezos sees this as in the realm of the possible in the not too distant future. Who knows if it will be, but the very idea of it begs policy consideration on multiple levels, and fast.

Seriously, commercially owned flying objects buzzing around my house – or my head? Will have to start carrying a baseball bat! Someone at last night’s event joked about would people have the right to shoot down aircraft that invaded their property without permission. Would the FAA have to regulate? Will we have sky ‘roads’ when competing vendors start sending their little buzzies at the same time? What happens to my UPS guy? I like him!

Futuristic silliness, probably – or is it? As we all know, technology changes quickly and DC has a very hard time keeping up. Consider this advanced warning.