Archives for March 2017

Exploring the Cybersphere – March 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

March 28 is historically noteworthy for many reasons. One that stands out: In 1979, the worst accident in the history of the U.S. nuclear power industry began to unfold on March 28th when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. People living around Harrisburg, Pennsylvania fled, as did people living in the nation’s capital. If the accident didn’t cause full-out panic, it certainly induced a general uneasiness (and set the nuclear power industry back for generations). Although no one’s leaving for the exits yet, today a less drastic yet verifiable sense of uneasiness exists in another power industry… the cybersphere.

Around the cyber world we go…

Exposure of CIA hacking tools renews debate over Americans’ cybersecurity vs. national security

Washington Post

WikiLeaks’ release on Tuesday of a massive cache of data describing CIA hacking tools has renewed a debate over how well the U.S. government balances the protection of Americans’ cybersecurity against the need to protect national security. Some of the tools, the anti-secrecy group said, are based on “zero-day” flaws — or previously unknown software bugs — for targeting iPhone and Android devices. “At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.” He added, “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

Why America’s current approach to cybersecurity is so dangerous

It’s almost impossible these days to avoid media coverage of Russia’s role in hacking the 2016 election. So it was in 2015, when news broke that Chinese hackers had breached the U.S. Office of Personnel Management. Likewise for the big cyberattacks of 2014 (Sony Pictures, Home Depot) and the year before that (Target). For the public, it’s usually these kinds of incidents that come to mind when they hear the term “cybersecurity.” They are complex and costly, and cast doubt on the trustworthiness of our major institutions—from government to banks to the electric grid. Yet multiple surveys show that Americans tend to ignore even the most basic security measures with their own digital devices. How to account for our public interest but our personal … well … meh? We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended.

Russian security officers charged in Yahoo hack

The Justice Department announced charges Wednesday against four suspects in the massive 2014 Yahoo data breach, including two Russian security service officers. According to DOJ allegations, the hackers targeted high-profile government and military officials as well as commercial entities such as investment banks. A grand jury indicted the four men “for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts,” a Justice Department press release says. A DOJ official noted that the activity continued through 2016, but declined to comment on whether the suspects had any relation to the 2013 hack. Officials also noted that they had no reason to believe the hack was connected to the cyber attack on the Democratic National Convention allegedly carried out by Russians.

How China is preparing for cyberwar

The US and China have significant differences on the legitimate uses and preferred shape of cyberspace. The 2011 White House International Strategy for Cyberspace, for example, states that the US will work toward an “open, interoperable, secure, and reliable information and communications infrastructure.” In contrast, Beijing has argued for a norm of cybersovereignty, the idea that states have the right to control their own cyberspace much like they do any other domain or territory. While China has become increasingly vocal and assertive about how cyberspace should be governed, it has yet to offer any justification of how and why a state may conduct computer network attacks or espionage. Still, even in the absence of any official Chinese policies, it is possible to identify the motivations of state-backed hackers. Chinese leaders view cyberspace as essential to fostering economic growth, protecting and preserving the rule of the Chinese Communist Party, and maintaining domestic stability and national security.

Which leads to…

Companies increasingly face nation-state cyber attacks

Addressing an exploding number of nation-state cyberattacks is sapping the resources of companies, cybersecurity professionals say. Nation-state attacks on corporate assets used to be infrequent, but now companies sometimes feel like they are on the front lines of a cyberwar, panelists at the Global Cyberspace Cooperation Summit at the University of California, Berkeley said.

A preview of coming attractions…

Consumer Reports to Grade Products on Cybersecurity

Dark Reading

The non-profit consumer ratings group Consumer Reports plans to evaluate cybersecurity and privacy when ranking products, Reuters says. It is currently working with organizations to create methodologies for doing this. An early draft of standards is available here. This decision was made following a recent increase in cyberattacks on IoT devices, many of which contain vulnerabilities easily exploited by hackers. Researchers believe these attacks are unlikely to cease because manufacturers do not want to spend on securing connected products.

The Insecurity of IoT Devices Presents New and Unique Cybersecurity Challenges

Security experts point to the growing cybersecurity threats from the proliferation of smart, connected devices known as the Internet of Things. For example, last year’s Dyn attacks, initiated by about 100,000 endpoints using IoT devices, were viewed as the largest DDoS attack to date and interrupted service to a number of large websites. “We must wake up to the cyber risks posed by the billions of IoT devices,” said Thomas K. Billington, Chairman and Founder of Billington CyberSecurity, the host of the conference. “The Internet of Things therefore will be a key topic at our International summit.” “The rate at which these connected devices are proliferating is staggering, eluding attempts to harness or tame them within appropriate security protocols. We’ve long accepted the fact that no institution in the cyber age is any stronger than its weakest connected link, and the number of those weak links just got exponentially greater,” pointed out John McClurg, Vice President and Ambassador-At-Large, Cylance.

And a caveat – protect yourself…

Cybersecurity in seven minutes

Knowing about cybersecurity risks isn’t the same as protecting against them. For instance, a recent survey from the Pew Research Center found that just 12 percent of Americans use a password manager, and only 3 percent use it regularly – even though that’s how security pros recommend everyone keep track of passwords. It takes time and effort to stay on top of best security practices, so all too often, people cut corners. That’s why we’ve put together a short guide to cybersecurity essentials. It will walk you through some of the most common risks, and the specific ways to protect yourself when it comes to three critical areas: Privacy: How someone else can see what you’re doing online or on your device. Security: How someone can intercept data. Control: How someone can take over your smartphone or computer. These scenarios illustrate the kinds of risks to watch out for, and how to protect yourself.

We Scored High on This Cybersecurity Quiz. How About You?

How much do you know about keeping your data and information safe? A new study from Pew Research Center finds that even amid high profile hacks on businesses and institutions that affect millions, many Americans don’t have a comprehensive understanding about what precautions need to be taken to prevent cybersecurity breaches. And perhaps it is unsurprising, but Pew says that “those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly.”

By Tom Davis, SDI Cyber Risk Practice

March 28, 2017

Always Ready, Always There… (and there too?)

Here’s a little piece of obscure history: the longest-serving component of the United States armed forces is the Army National Guard. That’s right, the first militia regiments were organized by the General Court of the Massachusetts Bay Colony in 1636. Beginning with the Pequot War in 1637, the Army National Guard has participated in every war or conflict this nation has fought. Now, two members of Congress are advocating a unique Guard role in cyber warfare.

Congressmen Will Hurd, a Texas Republican, and Ruben Gallego, an Arizona Democrat, are suggesting the U.S. create a Cyber National Guard to access talent that might otherwise not participate in national defense. Congressman Hurd explains his idea thusly, “The federal government could forgive the student loan debt of STEM graduates who agreed to work for a specified number of years in the federal government in cybersecurity jobs at places like SSA or Department of Interior. Furthermore, when those individuals moved on to private sector jobs they would commit one weekend a month and two weeks a year to continued federal service. This would help ensure a cross-pollination of experience between the private and public sectors.”

Israel, which has mandatory military service, offers some insight into the approach. Cyber technology is a key part of the Israeli economy, and the nation has become a global leader in cybersecurity, in part by drawing on expertise and experience gleaned from the country’s elite military intelligence forces. Much of the innovation in cybersecurity in Israel comes from people who complete their mandatory military service and then turn their cyber warfare expertise to the commercial sector.

The two members of Congress presented their ideas at the South by Southwest (SXSW) festival, a rollicking mix of music, film, and interactive media. Not everyone was favorably impressed, but the notion of a cyber national guard has touched off a lively debate. Pros and cons are set forth in this article on csoonline.com.

By Tom Davis, SDI Cyber Risk Practice

March 21, 2017

Hey, Smalls

In 1973, a book by British economist E.F. Schumacher took the world by storm, challenging conventional western economic theory and championing the notion that appropriate scale was critical to long-term sustainability. The book, “Small Is Beautiful: A Study of Economics as If People Mattered,” was hugely influential, as it mixed philosophy with economics to paint the picture of a far better world where small size could be embraced as a virtue. His message could be summed up in the phrase, “production by the masses, rather than mass production.” It remains the case today that small can be beautiful, but recent guidance from the U.S. House of Representatives Small Business Committee reminds us that in the cyber world, small also can be quite perilous.

The congressional committee posted advice on how small businesses should prepare for cyber breaches and protect data. What was particularly notable was this chilling reminder, “nearly 60 percent of small companies go out of business following a hack and 71 percent of all cyber assaults occur at businesses with under 100 workers.”

The committee’s findings are consistent with information available from the National Cyber Security Alliance, as reported by David Wither of Tech.Co: “In another cyber security survey of 1,000 small business owners, 85 percent admitted that they believed large enterprises were more targeted than they were. This finding explains why small enterprises continue to pay little attention to Cyber Security. In reality, however, cyber criminals do not discriminate and have no priority targets. They attack any weak security system, whether it is a small business or a large one.”

The Small Business Committee’s advice for small businesses can be found here. For additional information, see these tips from the U.S. Small Business Administration.

To Mr. Schumacher’s estimable phrase, “Small Is Beautiful,” we add the caveat that from a cyber criminal’s perspective, beauty is in the eye of the beholder. One does not wish to be too beautiful a target.

By Tom Davis, SDI Cyber Risk Practice

March 14, 2017

What If “Cyber” Is The Wrong Word?

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human-factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas. Here he raises an interesting question.

Often, how you characterize a problem will determine your plan of attack to solve the problem. To illustrate, I often use this example with both clients and friends.

If I were to ask you: “How long can you and your business survive without your computer?” your answer would likely be something along the lines of “I need my computer to do everything!” While I suspect this is most likely true, such a response does very little for your resilience. Should such a case ever arise in your life, you would be left scrambling to find some sort of solution to keep your business operations going.

But what if I were to ask you: “You don’t have your computer for three days, a week, or even two weeks…what do you do?” By asking the question in this manner, you are undoubtedly forced to look at the problem in a very different way. In fact, you have to look at the problem in a very different way because your survival depends on it.

The word “cyber” means different things to different people. In virtually every training session I put on, one of my first actions is to go around the room and ask people what “cyber” means to them. If I am lucky, perhaps two or three people will have a similar answer, but in most cases, the definitions vary, even when people share similar job titles and roles.

I trust that you see there is a big problem here. “Cyber” is arguably the greatest challenge we face today, yet we cannot come to a consensus as to what “cyber” is.

Let me try to unpack the “cyber” issue a different way, one that I have found to be extremely helpful and have been using recently to help people tackle their challenges. In its current state, I see the “cyber” issue actually being two separate problems, forming one overarching issue.

The first problem is network. I believe “network” as a definition is fairly self-explanatory. I also believe we can all agree that protecting the network is primarily a technical issue that requires specialized skills. Based on industry trends, the argument could also be made that the majority of “cyber solutions” are network-based. But I could also make the case that a network-centric strategy may not be in your best interests.

The second problem is information. I also believe that “information” as a definition is fairly self-explanatory, but I would argue that we do a very poor job protecting information. Protecting information could range from training your staff, to internal policies, to utilizing industry standards, to practices on how to handle sensitive documents, and physical security (though this specific issue can jointly fall into the network category as well).

When you put these two pieces together, I characterize this as a data security issue.

I do not see many “cyber solutions” that properly address the “information side” of this problem. The key to solving any problem is asking the right questions. I am confident that unpacking the problem into two distinct problems, network and information, will lead you to the best solution for your needs.

March 7, 2017

See George’s previous post, How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?