Posts Tagged ‘information technology policy’

24 Mar 15

Cyber Bill Getting Close…?

Enjoyed a fascinating and very educational trip to Capitol Hill last week, calling on various Representatives and Senators to lobby for Silicon Valley interests. The trip was sponsored by Silicon Valley Leadership Group – I really admire their mission to interact directly with Congress on issues that affect our broad sector – not any one company. While there are many trade associations in DC, the fact that a large group traveled across the country to voice a unified opinion seemed to impress. Our delegation included leaders from large corporations to start-ups, all grappling with the same challenges – immigration, patents, trade issues, and especially high on the list – cyber security.

In light of accelerating attacks, punctuated by the very recent and massive Anthem and Blue Cross/Blue Shield breaches, the word among those we met with was that a bill, a real bill with a real chance of passing, was close. In fact, due to come out of committee within a couple of weeks and go to the House. Senators seem to also understand this is urgent. I felt optimistic that collectively they might actually get something done.

Privacy has been the chief concern about past bills proposed, and why none have made it through to date. We received assurances that the soon-to-be-released reincarnation of CISPA was significantly different and would address many of the previous privacy concerns (why couldn’t they have done that in the first place?).

It was noted that while Government has lots of resources to help defend, Industry must be willing to turn over data needed to enable that defense – 80-85% of malicious code is believed to be in the private sector. Expect the new bill to have safe harbor provisions to protect Service Providers and others who hold our data. We were told that there will be no sharing with the NSA (good they’ve figured that one out) or the DoD – there must be civilian oversight, and all indications were Dept of Homeland Security would be on point.

While it was great to hear optimism among Congress people and their staff who joined the discussions, education of the broader Congressional membership is still a big gap. Hopefully the recent high profile health data breaches, which apparently touched as many as one in four Americans, have been enough to get the attention this issue so critically needs so we could see something fair yet helpful passed this year. Fingers crossed.

On a lighter note, Senator McCain was most gracious to pose with those of us who met with him.

22 Aug 14

Final Lessons from the Silicon Valley Cyber Security Summit – Dealing with Data Privacy?

The third and final Cyber Summit panel brought the growing privacy issue to the fore. The esteemed panelists from DC all noted Washington’s keen awareness of damage done from the NSA debacle, which has created a big rift in public trust of the government [not that it was so great before]. There is now timidity around addressing the cyber threat through aggressive legislation that will be seen as too invasive of personal privacy, especially until NSA surveillance practices get cleared up. Senator Chambliss had claimed substantial compromise to that end in the proposed Cybersecurity Information Sharing Act over previous legislative attempts.

I just can’t help but think that in the immediate aftermath of a potentially significant attack, we’ll see a Patriot Act-level response out of Congress – the consequences of which would most likely be irreversible. It would be far better for proactive and more balanced legislation to be passed in the very near term, before such an attack could happen. The bottom line is that when people don’t trust their government, they won’t share information the government will need to protect them.

Consumer privacy is a whole other issue. Many websites pay lip service to privacy by including obscure links in miniscule font that can take visitors through a maze of pages to an ultimate opt-out page. Facebook changes its policies so often that no one can keep up. The great majority of internet users simply don’t see or use these links. Sanford Reback, Senior Technology Analyst at Bloomberg Government, spoke of the need for corporations to exercise what is known in legal terms as ‘responsible use’ of personal data – and that Washington knows legislation will be needed to enforce this.

He noted that ‘policy must catch up with capability and capacity.’ At a Federal level, how long that will take and what it might look like are unknowns, but 47 states and the District of Columbia have already enacted their own information notification legislation. A Federal act would need to establish notification standards but without weakening state laws already in place, and without making it so complicated that businesses won’t be able to comply. I figure if they’ve been able to get there with Gramm Leach Bliley and HIPAA, we can get there with digital privacy requirements too.

There were other great insights and little pearls dropped across the Summit, but a blog post can get too long. A key takeaway for me was that while corporations will always be competitive, the seriousness and urgency of this issue create an unusual “we’re in this together” dynamic that I found hopeful. While government and business can, should and will help, the bad guys and gals are out there, looking for new ways to get at what we’ve got – and that includes YOUR data. The best defense for now is to be active about guarding what you can and help spread the word to your friends and fam. Vaya Con Dios!

21 Aug 14

Tales from the Silicon Valley Cyber Security Summit – Part Deux

While the policy panel discussion at last week’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.

The good news – cyber presents a great career opportunity! As in, we need lots of help. Now. The not-so-good news: 40% of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance, which will help automate intervention, but there is still a need for people to skillfully apply them, and for others to come up with them in the first place in the face of a never-ending game of new threats. One speaker gave a statistic that only a couple of years ago, a new malware sample was detected every 15 seconds. Now two new malware samples are detected every second! The speakers expected that pace to accelerate exponentially.

There are a growing number of formal university programs in this area – Mo Qayoumi, President of San Jose State, noted that they are launching new certificate programs in cyber security and big data analysis starting in the Spring 2015 semester, and I found many others online. I was very surprised to hear that only 12% of computer science majors are female, and that population has been steadily shrinking for 2 decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not even thinking about the problem. Hmmm.

Of course not all software learning is in the classroom and talented hackers do emerge. That is why General Keith Alexander [former head of US Cyber Command] went calling at last year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Cyber Maryland and Virginia’s Mach37, and the many Silicon Valley start-ups trying to make a go.

Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so they delegate it to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11]. Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100M IT budget, 5-15% should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate Boards, there is uncertainty about what to actually do to prepare.

This is obviously a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting national treasures, your home and quality of life, our critical infrastructure and our national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized it thus: ‘the technology that empowers us also imperils us.’ Hoping more of us come to understand that and step up.

18 Aug 14

What I Learned at the Silicon Valley Cyber Security Summit – Part 1

I was fortunate to attend last week’s Silicon Valley Cyber Security Summit, where I spent 4 hours indulging my obsession with this subject while unfortunately increasing my level of paranoia. The panel discussions were excellent, bringing perspectives from security technology providers, pundits, the Dept of Homeland Security, two Congressmen, two Senators and execs from the outstanding Silicon Valley Leadership Group [#SVLG].

The first discussion centered around progress to date with Obama’s Executive Order (EO) issued in early 2013, and the potential for more formal cyber policy or regulation coming from the Congress. The cybersecurity problem offers a rare opportunity for the public sector to lead in a critical technology domain, but all of the day’s speakers emphasized the requirement for public-private partnership in addressing the challenge. There has actually been some good news around the Cybersecurity Framework, an outcome of the EO being driven by NIST, in which participation is voluntary but to which apparently 3000 private sector representatives have actually contributed. While governments actively push such information to the citizenry, companies need to share a lot more about what’s happening to them, what they’re learning and how they’re defending themselves – competitive concerns are keeping this constrained to date. Still, some progress is being made.

One of the biggest eye openers was the claim by several speakers that the public is just not engaged in this issue and therefore practices poor digital ‘hygiene’. I found this surprising and uncanny in the aftermath of the Target and Neiman’s attacks last Fall, and the August 5 revelation that a Russian crime ring had stolen 1.2 billion user name and password combinations and more than 500 million email addresses. WAKE UP PEOPLE – this is serious stuff!

Senator Saxby Chambliss (R-GA) extolled the virtues of his and DiFi’s Cybersecurity Information Sharing Act bill, which made it through the Intelligence Committee but still faces stiff opposition from privacy advocates. While speaking at length about the urgency of the issue, Sen. Chambliss then went on to say that Congress would only be working a whopping 3 weeks between now and the November Election!!!!! Two weeks for the Senate, one for the House. Wish I could get paid with great benefits for not working. Post-election will be a lame duck December, then the Freshman class must be educated on the issue. And then of course there were the references to don’t overregulate, etc. that will expose the usual partisan split. Bottom line, passage of a bill is unlikely anytime soon.

Everyone agreed that what would spur Congressional action would be a real crisis – a big attack that causes some real national pain. Let’s hope we don’t have to endure that to get something meaningful. It is also possible for Fed agencies like HHS, DHS, the SEC and others to impose cyber regulations within their domains – some are already doing so. And States are stepping up too, with a plethora of unique policies that will be nigh impossible to follow if you happen to do business nationally. Beyond the US, each country will have its own policies as well.

For me, the core issue behind all of the discussion was TRUST – people don’t trust the government, businesses don’t trust each other OR the government, the government doesn’t trust other governments … One speaker even joked that in the Silicon Valley, the NSA is seen as an ‘advanced persistent threat.’ Everyone is waiting for something BIG to happen, which it will sooner or later. Let’s hope later.

My next post will take up the 2nd worry point – the lack of a talent pool to address this mess!

14 Jul 14

Net Neutrality Comment Period Winding Down

July 15 is the deadline for public comment on the FCC’s proposed changes to net neutrality regulations. In this 60 day period, the FCC is reporting they have received close to 675,000 comments so far – that’s a BIG number. Perhaps one of the more influential statements came today from The Internet Association, a consortium of Silicon Valley heavy hitters who banded together (at least in this forum) a year and a half ago to lobby on behalf of the industry’s interest. In an email issued this morning, they strongly advocated for retaining an open internet, espousing three tenets:

1. Internet Users Should Get What They Want, When They Want It
The Internet should be free from censorship, discrimination and anticompetitive behavior, protected by simple and enforceable rules that ensure a consumer’s equal access to the content they want.
2. Internet Users Should Get What They Pay For
Broadband subscribers should get the bandwidth they are paying for – content should be treated equally, without degradations in speed or quality. No artificial slow lanes.
3. All Networks Should Have Equal Protection
No matter how users choose to connect to the Internet, net neutrality rules should apply universally on both wireless and wireline networks.

It remains to be seen how much influence the ‘voice’ of innovation may have – many big companies are included in this group and they stand to gain from less competition, but still see the value in fostering the new.

Should be an interesting week…

10 Feb 14

So Tomorrow is “The Day We Fight Back”?

February 11 is supposed to be a day of mass protest against NSA surveillance. Named ‘The Day We Fight Back’, it is reportedly the brainchild of a 34-year-old former Congressman from Rhode Island, David Segal, and supported by “hundreds” of internet companies and various other political, civil and digital rights groups – both conservative and liberal.

The intent seems to be to evoke the same kind of digital ground swell that emerged 2 years ago around the Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA), in which the Congress was so caught off guard by the power of major websites going dark or posting protest messages for a single day that the proposed legislation was immediately killed. [See my post from Jan 26, 2012]

Tomorrow’s event, from what I can find online as of today, has some fairly significant differences from the Stop SOPA/PIPA movement.

For one, I don’t see the NSA bending to public will like Congress did – votes are not at stake, the intelligence community moves in a totally different (and mysterious) way, and the White House has already outlined its plan for NSA reform.

Tomorrow’s action also has mixed goals – along with people just generally stating that they think NSA surveillance is evil and un-American (which is rather vague), apparently some of the protesting organizations will also “ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act [how many Americans even know what those are?] and also use the event as an opportunity to commemorate Aaron Swartz”, a controversial figure. While Swartz was a leader in the anti-SOPA/PIPA effort, his later prosecution for computer fraud and abuse, and subsequent suicide left a conflicted reputation.

Further, this is supposed to be an international event for others around the globe to express their outrage with the NSA reaching into their borders. I’m feeling like the message is mixed. Without a single firm goal, this effort could go the way of the Occupy movement.

But I’m curious. None of us likes the idea of the NSA or any other government entity collecting information on us. The privacy issue has been building steam for a long while, and Snowden pushed it out into the open. Tomorrow is the first real organized effort, and maybe something will come out of it. I find it interesting that the more radical Electronic Frontier Foundation is a main sponsor of the event, yet DC’s Center for Democracy and Technology, perhaps more practiced in the ways to get things done on The Hill, is not even connected with it.

I’ve been predicting [hoping for?] some sort of privacy legislation for the past couple of years. The issue is gathering steam, but change doesn’t come without the people’s voice. How many will actually feel outraged enough to call or email their Congressperson tomorrow? How many are more interested in the Olympics? Should be an interesting day.

02 Jan 14

BYOD: Where’s the Line Between Your Job and Your Life?

I recently read a very interesting article* on the growing BYOD [Bring Your Own Device] trend. The article touted a Gartner [market research] prediction that by 2017, one half of employers worldwide will stop providing digital devices and require employees to bring their own to work. Wow.

Even if it’s only one quarter of employers by then, the implications of such a change are profound for both parties. Wouldn’t we all love the convenience of one PC for all of our stuff? Wouldn’t life be simpler if we had a single smartphone instead of one for work and one for personal? Wouldn’t companies like to save all that money by having workers pay for the assets needed to perform their jobs?

Maybe not so much. There are some significant considerations on both sides that will require technological as well as legal solutions before this could work.

Security is most obvious. Employers will rightfully want to and in most cases legally have to protect their systems and their data. Device-based security is found wanting in the age of ultra-sophisticated hacking. But what legal right would an employer have to force an employee to install security technologies on their personal device?

PCs have long been vulnerable, but today’s mobile devices are ever more subject to attack – especially smartphones and tablets where people download all kinds of apps. Employees often use insecure public networks, and goodness knows what their kids might do on devices left around the house. Legitimate users with unknowingly compromised devices could introduce havoc to the corporate network.

Leveraging the Cloud could help, but there are still many security concerns there as well. We can certainly expect cloud security to be greatly improved by 2017, but hackers will never rest. And once corporate data is downloaded to an employee’s personal asset, the employer has lost control.

Privacy is another big issue. How would one confidently partition personal data from employer data? Will your employer be able to see what web sites you visit? What apps you use? As with NSA tracking of private citizens, how would you know where and when you might be compromised? Conversely, what about employees’ family members who go on a little snooping expedition on the company network?

There are also productivity concerns. Certain software could restrict what employees can do with their devices, negatively impacting productivity. And what about the right to work? Will qualified workers be legally denied jobs because they don’t personally own the latest and greatest technology that companies define as mandatory work tools? Perhaps iPads will become the digital equivalent of the uniform. What about when employment ends – what happens to the downloaded data, the company software, the network access?

This is a really complex issue that requires much more thought and vetting before BYOD can be successfully implemented on a broad scale. How comfortable would you be integrating your personal devices into your job?

*Thanks to IEEE’s Computer magazine, November 2013 issue
