North Korea Again? WannaCry?

“Round up the usual suspects,” a phrase memorably used by Captain Louis Renault, the French prefect of police, to exonerate Rick Blaine of the killing of Nazi Major Strasser in the classic film Casablanca, has been culturally accepted as a way of saying “let’s start with those who most can agree are likely to have been involved in x.” Thus it should come as little surprise that a number of cybersecurity experts are now suggesting that hackers connected to North Korea unleashed the “WannaCry” malware virus that crippled computers around the world over the past weekend.

Of late, North Korea has been most in the news for its penchant for firing off missiles with varying degrees of success, while threatening to do very bad things to whatever country is near or at the top of its current enemies list. But just a couple of years ago, U.S. intelligence officials alleged North Korea was behind the cyber attack on Sony Pictures. Admittedly, the fact that the hackers demanded Sony not release a comedy that centered on the assassination of North Korean leader Kim Jong-Un raised suspicions about North Korean involvement, but the more substantial evidence included the use of tools and techniques known to have been used by North Korean hackers in previous attacks on South Korea.

The WannaCry virus locked up over 200,000 computers and spread to more than 150 countries. The estimated losses to those affected run into the billions, largely due to the disruption. Companies in Europe, Russia, and China were particularly affected. Interestingly, at last count the “ransomware” had yielded a relatively paltry $50,000 to the perpetrators, which taken at face value suggests not many people paid the ransom.

The New York Times has a fascinating story about why China seems to have been disproportionately affected by the virus.

China has long been known as a haven for pirated software, and the fact that major Chinese companies, government agencies and universities were disrupted speaks volumes about how widespread the use of pirated software is there. It might also call into question just how carefully the unleashing of the WannaCry virus was planned. Although the relationship between China and North Korea seems to be a bit testy at the moment, one wonders whether North Korea really would like to be seen as behind an attack doing serious injury to Chinese interests. We’ll need a little more time to determine whether, in rounding up the usual suspects, we’ve gotten to the bottom of the planning behind the WannaCry virus.

By Tom Davis, SDI Cyber Risk Practice

May 16, 2017

It’s a Guy Thing

Hey guys! This is a normal salutation, with a most unusual history. It turns out that American usage of the term “guy” traces back to the ill-fated Guido Fawkes. Guido was none other than Guy Fawkes, who now is best remembered as the face that adorns the masks worn by generations of anarchists and dissidents, including, of course, the noteworthy hacktivist group, Anonymous.

Guy Fawkes made his mark about 400 years ago when he participated in a plot to murder King James I. The basic idea was to blow the King to smithereens by touching off barrels of gunpowder stored beneath the House of Lords. Unfortunately for Mr. Fawkes, both he and the gunpowder were discovered in the early hours of November 5, 1605. In relatively short order, after a bit of torture to get at the truth, Guy Fawkes and seven of his co-conspirators were given a taste of English justice. Having been found guilty of attempting to assassinate the King, the following was prescribed: “each of the condemned would be drawn backwards to his death, by a horse, his head near the ground. They were to be ‘put to death halfway between heaven and earth as unworthy of both.’ Their genitals would be cut off and burnt before their eyes, and their bowels and hearts removed. They would then be decapitated, and the dismembered parts of their bodies displayed so that they might become ‘prey for the fowls of the air.’”

That rather ignominious end might have been the last we heard of Guy Fawkes were it not for the fact that an Act of Parliament proclaimed each succeeding November 5th as a day of thanksgiving for the deliverance of the King, and the English chose to celebrate “Guy Fawkes night” by lighting bonfires and tossing effigies of Guy Fawkes into them. In the strange way the world works, the English began referring to the effigies, and other strangely dressed folks, as “guys,” and Americans adopted the term and use it far more generally. The use of the bonfires offers another twist of irony, for English wits have long toasted Guy Fawkes as “the last man to enter parliament with honest intentions.”

Our Guy Fawkes mask-wearing friends at Anonymous have just released a video warning us to prepare for World War III. Anonymous has a pretty good track record in predicting the impact of DDoS attacks it carries out, but its ability to accurately predict the apocalypse is open to question. However, their allegiance to the wearing of the Guy Fawkes masks is testament to the truth of at least part of their traditional sign off: “prepare for what comes next. We are Anonymous. We are legion. We do not forgive. We do not forget.”

By Tom Davis, SDI Cyber Risk Practice

May 9, 2017

The Shadow May Have Got it Wrong

In 1937, an American radio series named “The Shadow” made its debut. Its dramatic opening line, “Who knows what evil lurks in the hearts of men? The Shadow knows!”, captured the imagination of the nation and lives on to this day. Lost in the shrouds of time is the line uttered at the close of each episode: “The weed of crime bears bitter fruit. Crime does not pay…The Shadow knows!” It turns out The Shadow was not particularly prescient when it comes to today’s cyber criminals. It’s a fair bet The Shadow would see the world differently after running into the Shadow Brokers, a group which announced its presence with a series of messages like…

“!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT+ LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

If you are following this at home, the Equation Group is allegedly tied to the National Security Agency, and is considered highly sophisticated in its hacking capabilities, presumed responsible for, among other things, the Stuxnet virus that crippled Iran’s nuclear program. So, the Shadow Brokers, acting on information from Kaspersky, itself accused of ties to Russian intelligence, offered to sell tools pilfered from an entity believed to have ties to American intelligence. This would make a grand movie plot, but the outcome here has significant real life implications.

The tools being sold and released by the Shadow Brokers are opening up vast new opportunities for cyber criminals. After the latest release by the group, security expert Matthew Hickey said “It is by far the most powerful cache of exploits ever released. It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.”

Forbes just ran a piece that looked at how the Shadow Brokers’ leaks have led to real world attacks, and what may be in the offing. The article closed with a timely reminder from security guru Bruce Schneier: “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.”

Who knows what evil lurks in the hearts of men? We are, once again, about to find out.

By Tom Davis, SDI Cyber Risk Practice

May 2, 2017

Exploring the Cybersphere – April 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

There is an adage, old, like all adages, that goes, “April showers bring May flowers.” One might add that a more particular benefit for those suffering from allergies is they wash the pollen from the air, offering sweet respite for at least short periods. In furtherance of this line of thought, the April cybersecurity news might fall under the heading “Into each life some rain must fall.”

New frontiers in cyber security: locomotives without wheels, moats, deep learning at the edge

Industry analyst Bob Sorensen recently told us something most IT managers already know deep in their apprehensive hearts: cyber security is in a sorry state (see “Be More Afraid,” Enterprise Tech, Nov. 18, 2016). Security at many companies is somewhat marginalized, an unfavored area that lies outside core IT operations and procedures, a focal point at many companies of ineffectuality and denial that can be characterized as: Don’t just do something, sit there! Part of the problem: cyber security is purely defensive in nature. We don’t want it until we need(ed) it. It doesn’t add to the bottom line, it’s a cost center seen as hindering optimal operations. Corporate boards tell senior managers that, yes, of course cyber security is important, but don’t let it interfere with daily business. Yet everyone grasps the bottom line and reputation risks of poor security…. Instead of further bemoaning this state of affairs, let’s look at the bright spots, the best-in-class cyber security practices some companies have adopted and the emerging technologies that leverage big data analytics, machine learning and quantum computing.

Cybersecurity remains an elusive business priority

I’ve been remiss by not blogging earlier this year about ESG’s annual IT spending intentions research. The year 2017 continues to follow a pattern: Cybersecurity is a high business and IT priority for most organizations… Allow me to provide a bit of analysis to this data (after all, I am an industry analyst): 1. There is growing demand for cybersecurity technologies, so 2017 should be another banner year for vendor revenue, VC investment, M&A activity and IPOs. 2. Boards are getting more involved in cybersecurity, which is driving more demand for data and metrics. In other words, executives are willing to spend on cybersecurity, but they want to better understand what they get for their money. Executive reporting tools for cybersecurity will grow precipitously….

Why we should let our walls down when it comes to cybersecurity

With digital threats growing more rampant across the country and from around the world, the idea of building “walls” for cyber defense and protection can seem appealing. But even in this age of hackers relentlessly penetrating our networks, in the information technology security industry, we know that walls don’t work. The truth is that surrounding yourself with impenetrable barricades is akin to sticking your head in the sand. Walls by themselves fail to tackle the root cause of threats, meaning any sense of safety created is artificial. Organizations need to have a holistic security posture that spans their internal network and devices. More importantly, they must anticipate malicious external threats. For protection, traditional IT security systems have for a long time relied on perimeter defenses, such as firewalls, intrusion detection systems and intrusion prevention systems. But that paradigm has changed, as cybercriminals have evolved and cyberattacks have increased in volume and sophistication. In 2015, there were 430 million unique pieces of malware, up 36 percent from the prior year. It’s a number only continuing to explode. Singular perimeter defenses are no longer enough.

IT Getting Defensive

Preventing cyber attacks – this time it’s personal

Security professionals are putting pressure on themselves to secure their organization’s systems according to the findings of a new report. The 2017 Security Pressures Report from managed security specialist Trustwave surveyed over 1,600 security decision makers around the world and finds that while 53 percent of respondents report increased pressure in trying to secure their organization, that pressure is becoming more personal as 24 percent say they put the most pressure on themselves, up from 13 percent last year. The findings also show that pressure from the boardroom and from c-level executives has decreased significantly as it’s shifted to IT professionals themselves. The most feared repercussion of a cyber attack or breach is reputation damage to themselves or their company, ahead of financial damage to the company and termination of employment.

Former White House CIO calls for a cybersecurity reset

The IT community needs a total reset in the way they think about cybersecurity, according to former White House CIO Theresa Payton. “I think back ten years and I realize that we actually haven’t made a single one of your security problems go away, and you need to hold us accountable for that,” Payton said. “Name one. We have reduced risks in the security industry, name a problem we actually made go away for you,” she said. “But I’m really excited because I think we are at a turning point where we’ll have that opportunity.” Payton, who spoke at the Forcepoint Cybersecurity Leadership Forum on Tuesday, described how the government has characterized bringing breach detection times down from over 400 days to a little more than 200 as a win in cybersecurity. “I’ve got to tell you, this does not feel like winning to me,” Payton said.

I’m From the Government and I’m Here to Help

FTC takes over as top cybersecurity enforcer

The Federal Communications Commission’s role as a driver of national cybersecurity policy, promoted by former Chairman Thomas Wheeler, was effectively scrapped last week when Congress passed a measure killing the commission’s 2016 cybersecurity and privacy rules. The move was strongly welcomed by the telecom industry and leaves another alphabet-soup agency — the Federal Trade Commission — as “the cop on the beat” when it comes to cyber. That’s a role the trade commission has long embraced, but it will take a different and perhaps more reactive approach to cybersecurity in comparison with Wheeler’s communications commission. Many telecom industry groups prefer the FTC’s enforcement approach, which is based on guiding principles for cyber best practices, to what they saw as prescriptive rules on cyber spelled out by the recently departed Wheeler team at the FCC.

Congress returns, but the real cybersecurity action is taking place off the Hill

Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology’s campus in suburban Maryland.

By Tom Davis, SDI Cyber Risk Practice

April 25, 2017

And the Answer Is…

The solution to the unending challenge of marshalling sufficient cybersecurity defense measures in any organization lies in (pick one)

  1. Artificial intelligence
  2. Cyber intelligence
  3. Employee education
  4. Endpoint security

The astute reader will disregard the “pick one” instruction and argue that each of these measures is helpful, assuming this reader is familiar with what each category entails. The first three categories are at least somewhat self-explanatory; the last, perhaps a bit less so. Endpoint security is rapidly gaining favor as a method of protecting networks from access through remote devices such as laptops, smart phones or other mobile devices. Each of those devices is considered an endpoint, and each is a potential entry point for a cyber threat. As work habits have changed and organizations have permitted employees to use personal devices to connect to enterprise networks, the threat has grown.

CNBC just reported on a UK based firm using artificial intelligence to swiftly respond to cyber attacks. In the story, they note “Australian cybersecurity company Nuix put out a report where they surveyed about 70 professional hackers and penetration testers at last year’s Defcon — the global hacking and security conference — to understand their perspective on cybersecurity. In the report, about 88 percent of the respondents said they could break through cybersecurity defenses and into the systems they target within 12 hours, while another 81 percent said they could identify and take valuable data within the same time frame even when the breach may not be detected for nearly 100 days on average.

The respondents said traditional countermeasures such as firewalls and antiviruses very rarely slowed them down, but having endpoint security technologies were more effective in stopping the attacks.”

Employee education, creating a culture of security sensitivity and best practices, arguably offers the best bang for the buck. Cyber intelligence, the committed act of learning about the actual threat universe surrounding an organization can offer an excellent return on investment. But if you accept the word of professional hackers and pen testers, endpoint security is well worth a look.

By Tom Davis, SDI Cyber Risk Practice

April 18, 2017

My House Is My Castle, and It’s About to Get Stormed

Does cybersecurity begin at home? It appears the answer is yes, at least for high net worth individuals, as seen by insurance giant AIG. AIG just announced that it is offering cyber insurance to its high net worth personal lines insurance clients. The insurance product will be offered to policyholders of AIG’s Private Client Group who are victims of threats including cyber extortion and cyber bullying.

What will AIG’s clients get under this insurance? Well, according to an article in Insurance Journal, the insurance will cover expenses related to data restoration, and crisis and reputation management, among other claims. In addition, “AIG’s Private Client Group clients receive supplemental risk mitigation services, including a holistic assessment of devices, home networks, wireless access points and secure online accounts; training services for family members; online monitoring that assesses and tracks the availability of personal information; and a set of cyber assistance tools and resources including assistance from experienced fraud experts, provided by the identity and data defense specialist, CyberScout.”

It would seem that effectively evaluating the risk posed to high net worth individuals would be a bit daunting, but other insurance providers, including Chubb and HSB, are already in the home market, and we can expect that market to grow as smart, connected homes become ever more prevalent. We are introducing risk, and becoming both more attractive as targets and potentially more vulnerable, with each new device we add.

So, should you be looking at cyber insurance for your home? Here are some suggestions courtesy of the Wall Street Journal.

Does a service offer protection beyond what I’m already getting? Individuals who keep most of their money in bank checking or savings accounts and use credit cards generally are at less risk…because banks and credit-card issuers typically offer protection against liability for fraud. People with investment accounts should ask advisers and brokerages whether they offer written guarantees that clients will be made whole after a breach. Just 15% of broker-dealers and 9% of advisers have such written policies, a Securities and Exchange Commission survey found.

How much do I have to lose? For people with several million dollars’ worth of liquid and investible assets, the cost of extra security would be negligible…. But even for those with less money, any loss might feel painful, so people should make sure their funds are protected either by the Federal Deposit Insurance Corp., which protects deposits in checking, savings and money-market accounts, or a written policy from the investment firm.

Do I handle valuable financial data or intellectual property? A company executive or the founder of a startup who accesses financial or other sensitive information on a personal device or home computer may be a target. The concern is that hackers may target these types of individuals for their intellectual property or company details, and then make away with personal information while worming through their networks.

Not unlike insurance offerings aimed at the business market, in the end the best value of the home market offerings might lie in the way they offer the ability to strengthen home security defenses and educate people about cybersecurity realities and best practices. Risk reduction is the name of the game.

By Tom Davis, SDI Cyber Risk Practice

April 11, 2017

Dangerous Things?

While a student at Yale, Cole Porter wrote over 300 songs, including the famous Yale fight song Bulldog! Bulldog!, which Yalies young and old bark out whenever the Yale football team scores. Legend has it Cole Porter wrote the song to commemorate Handsome Dan, the first Yale bulldog mascot. It is the world’s good fortune that Porter’s musical contributions did not peak with Bulldog! Bulldog!. During his illustrious career he authored such hit songs as Night and Day, Anything Goes, I Get a Kick Out of You, In the Still of the Night, and, of course, I’ve Got You Under My Skin.

I’m reminded of this last song by an article I just read (Cyborgs at work: Employees getting implanted with microchips) that looks at a Swedish company that offers to implant its workers with microchips the size of grains of rice that “function as swipe cards to open doors, operate printers, or buy smoothies with a wave of the hand.” How does it work? The microchips use Near Field Communication (NFC) technology, the same technology used in contactless credit cards or mobile payments. When activated by a reader a few inches away, a small amount of data flows between the two devices via electromagnetic waves, opening the door (literally as well as figuratively) to a number of possibilities.

It turns out these microchip implants have been around for a couple of decades, and for the moment, serve modest purposes. The way most people have come into contact with the concept is through the microchips that have been implanted in pets. But the spillover to humans is gathering steam. A company called Dangerous Things sells the microchips and an injection kit. As if to help support the company’s brand concept, the chips are not injected in doctors’ offices, but rather in tattoo parlors and piercing shops.

Early adopters of the insertable microchip see the risks as minimal, particularly because of the limited transmission range, and many think the future of the technology is rife with possibility. Of course, those possibilities could include privacy loss and identity theft, and perhaps far more nefarious cyber crimes. This generation of microchips will yield to the next gen, and where the process stops, well, as Porter lyricized, “I’ve got you deep in the heart of me. So deep in my heart that you’re really a part of me.”

By Tom Davis, SDI Cyber Risk Practice

April 4, 2017

Exploring the Cybersphere – March 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

March 28 is historically noteworthy for many reasons. One that stands out: In 1979, the worst accident in the history of the U.S. nuclear power industry began to unfold on March 28th when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. People living around Harrisburg, Pennsylvania fled, as did people living in the nation’s capital. If the accident didn’t cause full out panic, it certainly induced a general uneasiness (and set the nuclear power industry back for generations). Although no one’s leaving for the exits yet, today a less drastic yet verifiable sense of uneasiness exists in another power industry… the cybersphere.

Around the cyber world we go…

Exposure of CIA hacking tools renews debate over Americans’ cybersecurity vs. national security

Washington Post

WikiLeaks’ release on Tuesday of a massive cache of data describing CIA hacking tools has renewed a debate over how well the U.S. government balances the protection of Americans’ cybersecurity against the need to protect national security. Some of the tools, the anti-secrecy group said, are based on “zero-day” flaws — or previously unknown software bugs — for targeting iPhone and Android devices. “At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.” He added, “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

Why America’s current approach to cybersecurity is so dangerous

It’s almost impossible these days to avoid media coverage of Russia’s role in hacking the 2016 election. So it was in 2015, when news broke that Chinese hackers had breached the U.S. Office of Personnel Management. Likewise for the big cyberattacks of the year before, in 2014 (Sony Pictures, Home Depot), and the year before that (Target). For the public, it’s usually these kinds of incidents that come to mind when they hear the term “cybersecurity.” They are complex and costly, and cast doubt on the trustworthiness of our major institutions—from government to banks to the electric grid. Yet multiple surveys show that Americans tend to ignore even the most basic security measures with their own digital devices. How to account for our public interest but our personal … well … meh? We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended.

Russian security officers charged in Yahoo hack

The Justice Department announced charges Wednesday against four suspects in the massive 2014 Yahoo data breach, including two Russian security service officers. According to DOJ allegations, the hackers targeted high-profile government and military officials as well as commercial entities such as investment banks. A grand jury indicted the four men “for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts,” a Justice Department press release says. A DOJ official noted that the activity continued through 2016, but declined to comment on whether the suspects had any relation to the 2013 hack. Officials also noted that they had no reason to believe the hack was connected to the cyber attack on the Democratic National Convention allegedly carried out by Russians.

How China is preparing for cyberwar

The US and China have significant differences on the legitimate uses and preferred shape of cyberspace. The 2011 White House International Strategy for Cyberspace, for example, states that the US will work toward an “open, interoperable, secure, and reliable information and communications infrastructure.” In contrast, Beijing has argued for a norm of cybersovereignty, the idea that states have the right to control their own cyberspace much like they do any other domain or territory. While China has become increasingly more vocal and assertive about how cyberspace should be governed, it has yet to offer any justifications on how and why a state may conduct computer network attacks or espionage. Still, even in the absence of any official Chinese policies, it is possible to identify the motivations of state-backed hackers. Chinese leaders view cyberspace as essential to fostering economic growth, protecting and preserving the rule of the Chinese Communist Party, and maintaining domestic stability and national security.

Which leads to…

Companies increasingly face nation-state cyber attacks

Addressing an exploding number of nation-state cyberattacks is sapping the resources of companies, cybersecurity professionals say. Nation-state attacks on corporate assets used to be infrequent, but now companies sometimes feel like they are on the front lines of a cyberwar, panelists at the Global Cyberspace Cooperation Summit at the University of California, Berkeley said.

A preview of coming attractions…

Consumer Reports to Grade Products on Cybersecurity

Dark Reading

The non-profit consumer ratings group Consumer Reports plans to evaluate cybersecurity and privacy when ranking products, Reuters says. It is currently working with organizations to create methodologies for doing this. An early draft of standards is available here. This decision was made following a recent increase in cyberattacks on IoT devices, many of which contain vulnerabilities easily exploited by hackers. Researchers believe these attacks are unlikely to cease because manufacturers do not want to spend on securing connected products.

The Insecurity of IoT Devices Presents New and Unique Cybersecurity Challenges

Security experts point to the growing cybersecurity threats from the proliferation of smart, connected devices known as the Internet of Things. For example, last year’s Dyn attacks, initiated by about 100,000 endpoints using IoT devices, were viewed as the largest DDoS attack to date and interrupted service to a number of large websites. “We must wake up to the cyber risks posed by the billions of IoT devices,” said Thomas K. Billington, Chairman and Founder of Billington CyberSecurity, the host of the conference. “The Internet of Things therefore will be a key topic at our International summit.” “The rate at which these connected devices are proliferating is staggering, eluding attempts to harness or tame them within appropriate security protocols. We’ve long accepted the fact that no institution in the cyber age is any stronger than its weakest connected link, and the number of those weak links just got exponentially greater,” pointed out John McClurg, Vice President and Ambassador-At-Large, Cylance.

And a caveat – protect yourself…

Cybersecurity in seven minutes

Knowing about cybersecurity risks isn’t the same as protecting against them. For instance, a recent survey from the Pew Research Center found that just 12 percent of Americans use a password manager, and only 3 percent use it regularly – even though that’s how security pros recommend everyone keep track of passwords. It takes time and effort to stay on top of best security practices, so all too often, people cut corners. That’s why we’ve put together a short guide to cybersecurity essentials. It will walk you through some of the most common risks, and the specific ways to protect yourself when it comes to three critical areas:

  1. Privacy: How someone else can see what you’re doing online or on your device.
  2. Security: How someone can intercept data.
  3. Control: How someone can take over your smartphone or computer.

These scenarios illustrate the kinds of risks to watch out for, and how to protect yourself.

We Scored High on This Cybersecurity Quiz. How About You?

How much do you know about keeping your data and information safe? A new study from Pew Research Center finds that even amid high-profile hacks on businesses and institutions that affect millions, many Americans don’t have a comprehensive understanding of what precautions need to be taken to prevent cybersecurity breaches. And perhaps it is unsurprising, but Pew says that “those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly.”

By Tom Davis, SDI Cyber Risk Practice

March 28, 2017

Always Ready, Always There… (and there too?)

Here’s a little piece of obscure history: the longest-serving component of the United States armed forces is the Army National Guard. That’s right, the first militia regiments were organized by the General Court of the Massachusetts Bay Colony in 1636. Beginning with the Pequot War in 1637, the Army National Guard has participated in every war or conflict this nation has fought. Now, two members of Congress are advocating a unique Guard role in cyber warfare.

Congressmen Will Hurd, a Texas Republican, and Ruben Gallego, an Arizona Democrat, are suggesting the U.S. create a Cyber National Guard to access talent that might otherwise not participate in national defense. Congressman Hurd explains his idea thusly, “The federal government could forgive the student loan debt of STEM graduates who agreed to work for a specified number of years in the federal government in cybersecurity jobs at places like SSA or Department of Interior. Furthermore, when those individuals moved on to private sector jobs they would commit one weekend a month and two weeks a year to continued federal service. This would help ensure a cross-pollination of experience between the private and public sectors.”

Israel, which has mandatory military service, offers some insight into the approach. Cyber technology is a key part of the Israeli economy, and the nation has become a global leader in cybersecurity, in part by drawing on expertise and experience gleaned from the country’s elite military intelligence forces. Much of the innovation in cybersecurity in Israel comes from people who complete their mandatory military service and then turn their cyber warfare expertise to the commercial sector.

The two members of Congress presented their ideas at the South by Southwest (SXSW) festival, a rollicking mix of music, film, and interactive media. Not everyone was favorably impressed, but the notion of a cyber national guard has touched off a lively debate. Pros and cons are set forth in this article on csoonline.com.

By Tom Davis, SDI Cyber Risk Practice

March 21, 2017

Hey, Smalls

In 1973, a book by British economist E.F. Schumacher took the world by storm, challenging conventional Western economic theory and championing the notion that appropriate scale was critical to long-term sustainability. The book, “Small Is Beautiful: A Study of Economics as If People Mattered,” was hugely influential, as it mixed philosophy with economics to paint the picture of a far better world where small size could be embraced as a virtue. His message could be summed up in the phrase, “production by the masses, rather than mass production.” It remains the case today that small can be beautiful, but recent guidance from the U.S. House of Representatives Small Business Committee reminds us that in the cyber world, small also can be quite perilous.

The congressional committee posted advice on how small businesses should prepare for cyber breaches and protect data. What was particularly notable was this chilling reminder: “nearly 60 percent of small companies go out of business following a hack and 71 percent of all cyber assaults occur at businesses with under 100 workers.”

The committee’s findings are consistent with information available from the National Cyber Security Alliance, as reported by David Wither of Tech.Co: “In another cyber security survey of 1,000 small business owners, 85 percent admitted that they believed large enterprises were more targeted than they were. This finding explains why small enterprises continue to pay little attention to Cyber Security. In reality, however, cyber criminals do not discriminate and have no priority targets. They attack any weak security system, whether it is a small business or a large one.”

The Small Business Committee’s advice for small businesses can be found here. For additional information, see these tips from the U.S. Small Business Administration.

To Mr. Schumacher’s estimable phrase, “Small Is Beautiful,” we add the caveat that from a cyber criminal’s perspective, beauty is in the eye of the beholder. One does not wish to be too beautiful a target.

By Tom Davis, SDI Cyber Risk Practice

March 14, 2017