Archives for December 2016

Oh the Cyber Memories of 2016

Memory is the diary that we all carry about with us
(Yes, but it usually chronicles the things that have never happened, and couldn’t possibly have happened.)
Oscar Wilde

Dear Diary,

As 2016 draws to an end, time slows, as though the world becomes reluctant to let go of this year in favor of the next. The steadily dwindling moments offer opportunity for reflection, a chance to look back at the way 2016 unfolded. At #cyberTuesday, January began with an Oscar Wilde quote, and an admonition to go forth and sin no more.

In February, we looked at cyber crime through the eyes of William Francis “Slick Willie” Sutton. Continuing the theme of sin and crime, the anniversary of the Lindbergh kidnapping provoked a look at the growing use of ransomware as March arrived.

In April, we revisited computer/psychopath Hal (acronym for Heuristically programmed ALgorithmic Computer) from the blockbuster film 2001: A Space Odyssey to examine the promise and threat of artificial intelligence. We followed that in May by using the Eric Burdon song Spill the Wine to discuss how much we may be inadvertently revealing of ourselves as our personally identifiable information (PII) is accessed and used.

In June, we took advantage of the good weather to visit Belleville Wisconsin, to offer a taste of cheese curds and a look at how an old computer server used to operate a family business could be infiltrated by Chinese hackers and deployed to attack targets around the world. Naturally that led to us continuing the food theme in July by reporting on litigation arising out of fast food restaurant chain Wendy’s announcement that it had misrepresented the magnitude of a breach it had suffered that apparently affected 1,025 of its restaurants.

The dog days of August allowed us to turn to American baseball to look at the role insider negligence plays in cyber breaches. (Hint—it’s huge). Then, in September, we reviewed a proposal that requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure safety within New York’s financial services industry. Interestingly, the proposed cyber regulations contain a requirement that either the board of directors or a senior officer certify that the company is in compliance with the regulations.

As we entered October we used the origin of the term sabre rattling to look at how the Obama administration was contemplating a potential cyber attack on Russia in retaliation for alleged meddling in the U.S. presidential election, a story that continues to have legs. We followed in November by looking at the disconnect between what we say about cyber crime, and what we actually do to protect ourselves. Finally, in December, we used the marvelous Christmas movie Miracle on 34th Street to look at Yahoo’s ongoing travails stemming from being the victim of the two largest breaches in internet history.

Yes Virginia, 2016 did happen, and not having to rely on our memories allows us to chronicle the year relatively faithfully.  We hope 2017 provides wonderful memories for all of you. Happy New Year!

By Tom Davis, SDI Cyber Risk Practice
December 27, 2016

SDI’s Top Moments of 2016!

As 2016 came to a close, we’ve reflected on some of our favorite moments and on just a few of the tremendous achievements our clients have accomplished. SDI is honored to be on their team.

Army Historical Foundation

On September 14, as part of our ongoing public relations work for the Army Historical Foundation, SDI produced the official groundbreaking of the National Museum of the United States Army at Ft. Belvoir, Virginia. Scheduled for completion in 2019, the Museum will showcase the U.S. Army’s never-before-seen artifacts, documents, and images. “This Museum is going to offer everyone—all Americans, free of charge—an experience that you cannot find in the pages of a history book or on Google,” said General Mark Milley, Army Chief of Staff at the ceremonial groundbreaking.

Sergeant Major of the Army Daniel Dailey, GEN Mark A. Milley, AHF’s General Gordon Sullivan, Secretary of the Army Eric Fanning, Assistant Secretary of the Army (IE&E) Katherine Hammack, and AHF’s General William Hartzog break ground for the National Museum of the United States Army. Photo Credit: Army Historical Foundation

In 2016, the Army Historical Foundation’s Facebook audience increased by over 150% and AHF almost doubled its number of Twitter followers (@NatlArmyMuseum).

Dublin Airport Authority

SDI worked with our Irish client Cork Airport and the Dublin Airport Authority to gain U.S. approval for a license permitting Norwegian Air to fly a Cork-Boston route. The license was finally granted after an unprecedented three-year delay by the U.S. Department of Transportation. The first ever transatlantic flights from Cork to the U.S. will launch in July at 65 euros one way, benefiting tourists and business travelers on both sides of the Atlantic.

Elizabeth Dole Foundation

On September 27, we were pleased to work with Senator Elizabeth Dole and the Elizabeth Dole Foundation to launch the Hidden Heroes Campaign with Campaign Chair Tom Hanks and special guest Tom Brokaw in Washington, D.C. The campaign will create national awareness and support for the 5.5 million loved ones providing care to a wounded, ill or injured service member or veteran.

Campaign Chair Tom Hanks joined Senator Elizabeth Dole for the official launch of the Hidden Heroes Campaign. Photo Credit: Lisa Nipp

In July, we helped launch the Hidden Heroes Cities campaign, inviting every U.S. city to join the Foundation and its national partners to create a support network for their local military and veteran caregivers. Mirroring the national resolution adopted by the U.S. Conference of Mayors, the Foundation urged every city to adopt their own resolution as the first step in their efforts to become a Hidden Heroes City. SDI continues to work with mayors’ offices across the nation and by year’s end, 65 cities have pledged their support.

Mayor Carolyn Goodman and Dole Fellow Heidi Woodring make it official. Las Vegas is a Hidden Heroes City!

Family and Employer Programs and Policy (FEPP)

SDI was delighted to return to a favorite client from the past, again providing media and public affairs support for the outstanding and much needed National Guard and Reserve programs under FEPP – Yellow Ribbon Reintegration Program (YRRP), Employer Support of the Guard and Reserve (ESGR), and Service Member and Family Readiness (SMFR). We are also proud to once again be assisting with the Secretary of Defense Employer Support Freedom Award event recognizing the nation’s employers most supportive of their Guard and Reserve employees.

Giant Food

Giant stepped up to sponsor the National Capital Barbecue Battle, one of the largest and most unique food and music festivals in the nation. We didn’t join the contest, but we did join world champion competitive eater, Joey Chestnut, before he broke the world record at the event, eating 73 hot dogs in 10 minutes at DC’s first ever Nathan’s Famous Hot Dog Eating Contest!

Giant National Capital Barbeque Battle celebrates the art of cooking and the joy of eating. Photo Credit: Giant Food

We also helped Giant launch its trailblazing partnership with the Capital Area Food Bank to increase the amount of high quality, nutritious food for those in need through greater corporate donations of produce and protein.

Gordon Reid, President of Giant Food of Landover, Md. presents check to Nancy Roman, President and CEO of the Capital Area Food Bank. Photo Credit: Giant Food

Institute of Museum and Library Services (IMLS)

This year marked First Lady Michelle Obama’s final presentation of the National Medal for Museum and Library Service, recognizing 15 museums and libraries making a significant difference in their communities. We’ve been privileged to publicize this event for the last five years as the First Lady powerfully encouraged museums and libraries to keep up their important work.

First Lady Michelle Obama presents National Medal to Brooklyn Public Library. Photo Credit: Institute of Museum and Library Services

LUNGevity Foundation

Sadly, LUNGevity lost its dynamic Board Vice Chairman Jerry Sorkin on October 26 after a valiant nine-year battle with lung cancer. We were honored to join with and support almost 2,000 of Jerry’s friends on the National Mall November 6 for the annual Breathe Deep DC 5k walk, which Jerry founded. More than $350,000 was raised for critical research into the early detection and treatment of lung cancer.

Photo Credit: Peter Jacobstein

LUNGevity, the nation’s leading nonprofit focused on lung cancer, ended the year with the release of exciting new research that dispels assumptions about patients’ willingness to undergo additional biopsies and launched the LUNGevity Lung Cancer Navigator mobile app. The app was created for lung cancer patients, family caregivers, and support team members to manage life following a lung cancer diagnosis.

The Marine Corps Heritage Foundation (MCHF)

2016 marked the 10th anniversary of the National Museum of the Marine Corps as it enters its Final Phase to create new galleries telling stories from Vietnam to today and a state-of-the-art big screen theater, all scheduled to open in Spring 2017. SDI continues to engage the media and public to inform them of the Museum’s award-winning architecture, galleries, and exhibits, celebrating the history and traditions of the U.S. Marine Corps.

Photo Credit: Marine Corps Heritage Foundation

Mary Furlong and Associates

From the “What’s Next Boomer Summit” in Washington DC to the “Silicon Valley Boomer Venture Summit”, SDI worked with Mary Furlong and Associates to co-produce two cutting edge conferences, offering nuanced insight into smart aging technology, products and services targeted to the over 50 audience. We also co-hosted a wonderful holiday party at the National Press Club for influencers on aging issues in Washington DC. On the spur of the moment, Bob Blancato, Chairman of the Commonwealth Council on Aging in Virginia and an AARP Board member, and Susan Davis, Vice Chair of the Irish Smart Ageing Exchange, launched their new Democratic-Republican prognostications on how the incoming Trump Administration will view and respond to the many issues surrounding the aging population from Medicare to Social Security to the faster adoption of devices and technologies to improve the length and quality of our lives!

Photo Credit: Mary Furlong and Associates

Joint Women’s Leadership Symposium

For the sixth year, SDI worked with the Sea Service Leadership Association to produce and publicize the 29th annual Joint Women’s Leadership (JWLS) Symposium in June. And in December, JWLS, the largest gathering of military women in uniform, won “Event of the Year” at the Stevie Awards for Women in Business in New York City!

SSLA President, LCDR Rosie Goscinski, USN and Rear Admiral June Ryan recognize the Republic of Korea Navy at JWLS awards luncheon. Photo credit: Mike B. Photography

WWI Centennial Commission

As we head into 2017, we are hard at work putting plans in place for the upcoming U.S. commemoration in Kansas City, Mo., marking the U.S. entry into World War I.

Chairman Susan Davis with WWI Centennial Commission’s Executive Director Dan Dayton.

Congratulations to our exceptional clients! We are proud to stand by your side and look forward to a great 2017 for all!

Austin Courtney, Associate Account Executive
January 3, 2017

May Need a Miracle on First Avenue

One of the tests of a true lover of Christmas films is whether one can quickly identify the actress who played the wondrous Maureen O’Hara’s daughter in Miracle on 34th Street. The answer is…Natalie Wood. If you are of a certain age you’ll be amused to be reminded that Miracle on 34th Street received a ‘B’ rating (morally objectionable in part) from the Legion of Decency because Maureen O’Hara played a divorcée. I take it as a sign of moral progress that the Legion of Decency had the decency to disband, possibly after determining that its ratings actually were spurring people to see “salacious” films. As for Miracle on 34th Street, it overcame the harsh censure of the Legion of Decency to become a holiday treasure, a true gift that keeps on giving.  Another gift that keeps on giving, in the cyber world, is the ongoing travails of Yahoo.

You’ll recall that in September of this year, Yahoo announced it was the victim of what was then the largest breach in internet history, with 500 million accounts compromised. In its subsequent quarterly filing with the SEC, Yahoo noted the damage done by the breach, particularly the impact on Yahoo’s pending acquisition by Verizon.  Yahoo reported, “There is no assurance that the Sale transaction will be consummated in a timely manner or at all. In addition, the anticipated benefits of the Sale transaction may not be realized. Potential risks and uncertainties related to the Sale transaction include, among others:

  • the existence or occurrence of any event, change or other circumstance that could give rise to the termination of the Stock Purchase Agreement, which, in addition to other adverse consequences, could result in the Company incurring substantial fees, including, in certain circumstances, the payment of a termination fee to Verizon under the Stock Purchase Agreement;
  • risks that Verizon may assert, or threaten to assert, rights or claims with respect to the Stock Purchase Agreement as a result of facts relating to the Security Incident and may seek to terminate the Stock Purchase Agreement or renegotiate the terms of the Sale transaction on that basis;….”

Yahoo also alertly forecast “Breaches of our security measures, such as the Security Incident, or perceived breaches, have caused and may in the future cause, the market perception of the effectiveness of our security measures to be harmed and cause us to lose users and customers.” In this regard the company was prescient. In the records are made to be broken department, last week Yahoo announced it had discovered another breach, this one affecting one billion accounts. Yahoo’s stock price quickly dropped six percent, and it became both the object of customer fury and subject of ridicule around the world. Ominously, many experts jumped in to advise Yahoo customers to close their accounts, and offered detailed instructions about so doing.  Germany’s cybersecurity authority criticized Yahoo for failing to adopt adequate encryption techniques and suggested German consumers should switch to other email providers.

The implications of the latest breach for Yahoo’s acquisition by Verizon are profound. Presumably, Verizon is keenly interested in Yahoo’s reach, which may be diminishing with each passing day. We can expect that some announcement about the future of the acquisition will be forthcoming shortly. In the meantime, senior executives at Yahoo may be feeling like they are living in Whoville while the Grinch steals Christmas. (Dr. Seuss for the uninitiated)

We wish each of you a Merry Christmas and a wonderful holiday season.

By Tom Davis, SDI Cyber Risk Practice
December 20, 2016

How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?

This week’s post will introduce you to George Platsis, the newest member of SDI’s cyber team. George has an interesting educational background, with graduate degrees in Business Administration, Disaster and Emergency Management, Law, and Cybersecurity. He describes himself as a “practitioner-educator,” and his work focuses on what he terms “the people side” challenges of cyber and information security. What follows is excerpted from a series of pieces he posted on cybersecurity.

This week’s Episode will focus on one specific area of cyber security decision making: How do you spend your money? Or more accurately: Are you spending your money wisely? Let’s start with the obvious: cyber security is big business and will only continue to get bigger. We spent close to $75 billion USD in 2015 with projections showing that by 2020 we will be investing $170 billion USD in the field.

Similarly, the insurance industry (always looking to insure something) is predicting the “cyber insurance market” to grow from $2.5 billion USD in 2015 to $7.5 billion USD by 2020. (Personally, I think one big breach, followed by one nasty and huge class action payout, will make the “cyber insurance market” grow much more than what has been predicted.)

In 2014, in the U.S. alone, $25 billion USD and 1.2 billion hours were spent trying to deal with cybercrime, one in five small-to-medium businesses were affected, and some projections indicate that the cybercrime will cost core business over $2 trillion USD by 2019.

In other words, a lot of money is being spent, lost, sunk, or has drifted away into the ether.

Where the money is being spent is interesting though. According to IDC, an IT analyst firm, the hot areas for growth are security analytics / SIEM (10%); threat intelligence (10% +); mobile security (18%); and cloud security (50%).

My bias is already well known and declared: where is the investment in people?

A metaphor may be useful here.

Does a safe car make a safe driver? No. Reality is, in over 90% of car accidents, human error is the primary factor.

Does a secure network make a user act securely and safely in cyberspace? No. Reality is, in over 95% of cyber incidents, human error is the primary factor.

In the car accident scenario, did we go into some mass hysteria and start spending billions and billions of dollars into creating safer cars? No. The strategy was mixed. We continue to try to get bad drivers off the road, we invest in creating safer cars, and we focus a considerable amount of our efforts in driver safety awareness.

But the same cannot be said for cyber security.

As indicated above, in 2015, we spent about $75 billion USD on cyber security solutions. Of that, estimates show that only $1 billion USD was spent on educational security awareness solutions.

Let’s do some quick math: we spend 13% ($1 billion of $75 billion) of our total cyber security solution expenditure on an issue that is responsible for 95% of our problems.

Not sure if that makes for good business.

Read the rest of George’s post here.



Internet of Things – Risk and Opportunity

It’s difficult to work in business today without coming across the terms “Big data” and “Internet of Things.” Five years ago McKinsey & Company called big data the next frontier for innovation. The next year, the New York Times upped the ante by declaring this the Age of Big Data. Indeed, we interact today in a system of commerce that is increasingly shaped by big data, and while the rise in this data can be attributed to many sources, perhaps the most profound of these is what has become known as the Internet of Things.

For the uninitiated, big data describes large, complex data sets that are collected from the multitude of technologies we use every day. Typically, the rise in big data is traced to the overall increase in internet usage through computers or smart phones. Every time we visit a website, make an online order, or send an email, that activity is recorded and organized into these large data sets. In recent years the number of internet-connected devices has diversified. Now, everything from household appliances to televisions to our vehicles is network connected through what has broadly been called an Internet of Things, or IOT.

If big data once primarily originated through our interactions with intangible websites, it’s now increasingly coming from our interactions with tangible objects. For consumers, this data can be packaged and presented in a multitude of ways that profess to add value. For example, pacemakers  that wirelessly connect to online monitoring systems can reduce doctor’s visits and provide faster feedback when problems arise. Egg trays that send a text when you’re running low on eggs add efficiencies to grocery shopping. The span of industries that make up these “smart devices” is truly limitless.

For businesses, the IOT is game-changing. Just as big data helps consumers make more educated decisions, it can also give producers a better understanding of trends in usage. The days of focus groups telling producers what they want are passé. Now, companies can uncover that on their own through this 24/7 system of feedback. Industries aren’t just working more efficiently with the IOT, they are completely transforming.

Take the car insurance industry, which has long used indirect measurements such as general trends within the population to create a risk profile and corresponding policy price for customers. The system is inherently inefficient as these are, at best, educated guesses as to how a person drives. The advent of insurance telematics, which allows insurers to personalize a rate based on the direct measurement of big data that is taken from a customer’s car, promises to change that. Not only would this benefit good drivers who have been paying too much, but it would make the whole industry more efficient.

Just as the IOT has presented businesses with the opportunity to understand consumers in new ways, it also gives communications firms the opportunity to more precisely tailor their messages to consumers.

This big data revolution in communications is occurring in several ways. One is the increase in sophistication of Customer Relationship Management (CRM) systems. When these systems are coupled with programs trained to mine through the mounds of big data that companies are able to compile, companies can approximate individualized messages. Just as insurers no longer have to guess about how to price their rates, communications professionals working with big data no longer have to guess about which message will resonate the most with a general audience because they are capable of giving each consumer their own message.

The technology behind the IOT continues to develop at breakneck speeds, and it’s crucial that communications professionals understand this growing trend. IOT-connected products are already a big industry, with the world’s largest businesses investing heavily in developing them, and consumers increasingly expecting the added features of these smart devices. It’s crucial that clients know and understand this opportunity. As their products and services develop around this trend, communications professionals must also tailor messages that will resonate with the hungry investors and expectant consumers alike.

Of course, along with new opportunities come new concerns. In this case, those concerns center around privacy. Big data gives companies and communications professionals unparalleled access to consumers’ lives. Naturally, consumers will be leery of such access, and legislation and industry standards will continue to evolve to address their privacy issues. Businesses would do well to develop and consistently revise privacy policies cognizant of these standards. Savvy communications professionals will prioritize privacy concerns in their messages to consumers. The fallout from high-profile cyber attacks against Target, LinkedIn, and Yahoo, among others, proves that consumers take internet privacy extremely seriously. Any developments in IOT will by necessity be taken with an abundance of caution.

These concerns aside, the development of the IOT most certainly signals a wealth of opportunities for the communications industry. If harnessed correctly and responsibly, it can be used as a powerful tool to connect businesses and consumers in ways never before imagined.

By Jake Thornburgh

An Avalanche Comes Tumbling Down

An avalanche is a force of incredible destruction. The deadliest avalanche in history took place on May 31, 1970, in Peru. Known as the Huascaran Avalanche, it was triggered by the Ancash earthquake. The epicenter of the earthquake was located 21 miles off the coast of Peru in the Pacific Ocean. A massive avalanche rolled through the towns of Yungay and Ranrahirca when the earthquake sent snow, ice, water, mud, and rock tumbling down from the northern walls of Mount Huascarán. The avalanche was moving upwards of 335 kilometers per hour when it buried Yungay and Ranrahirca. Twenty thousand people died.

A very different Avalanche has been wreaking havoc around the world, but it seems to now have lost its fury.  Last week, after more than four years of investigation, authorities in Germany, the Hague, the U.S., and the U.K. announced they had dismantled an international criminal infrastructure platform known as ‘Avalanche’. The European Union’s law enforcement agency, Europol, described the network as follows: “The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.”

The U.K.’s National Crime Agency issued a statement that said in part, “In a single day of coordinated action, more than 830,000 malicious web domains were taken down, breaking the channel between criminals and the computers they controlled. In addition, five individuals were arrested, 37 premises were searched and 39 servers were seized, while 221 servers were put offline through abuse notifications sent to the hosting providers. Victims of malware were identified in over 180 countries. Avalanche, which was set up in 2009, comprised up to 600 servers worldwide and was used to host as many as 800,000 web domains at a time. Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data….At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.”

Avalanche basically was a platform for cyber criminals.  They could order malware from a menu, and use it to conduct malware campaigns around the world. In a stark reminder of the ease of access to cyber criminals, the network was advertised through postings—similar to advertisements—on underground online criminal forums.

Were you affected by Avalanche? The malware affects Microsoft Windows systems. The U.S. Computer Emergency Readiness Team offers links to several anti-malware programs you can use to check. Europol offers a similar resource here.

By Tom Davis, SDI Cyber Risk Practice
December 6, 2016