Exploring the Cybersphere - March 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Many takeaways this month from articles that further our understanding of cybersecurity concerns and issues starting with:

Working on the inside game

The Most Dangerous Insider Cybersecurity Threat – And Five Steps to Conquer It
CSM
If you haven’t dealt with the threat of malicious insiders, you really haven’t figured out how to deal with internal threats to your cybersecurity program. Here’s what I mean. There are three faces of cybersecurity threats from within one’s own organization. Read more: Five steps to develop a successful insider threat program

No Place for TOR in the Secured Workplace
DarkReading
When it comes to corporate security, anonymity does not necessarily ensure protection of one’s private information – nor that of your employer. When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems. Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

This just in…protecting critical infrastructure is, well, critical

Protecting Critical Electric Infrastructure from Today’s Cyber Threats
CSM
A day doesn’t go by without headlines in the press about new cyber threats facing our nation or our allies overseas. It is no secret that the focus of many of these threats is critical infrastructure such as our electric grid, which is essential to the life, health, safety, and economic security of all Americans. The men and women of the electric utility industry take their charge to protect the electric grid from all evolving threats very seriously. Every day they are working to improve the security, reliability, and resiliency of the grid. Yet, the work that is happening behind the scenes is often overlooked. Protecting our critical infrastructure in today’s threat environment is no easy task, since sophisticated cyber threats are constantly adapting and evolving.

DHS: No Evidence of Ukraine Power Grid Hack in US
The Hill
The Department of Homeland Security said the U.S. power grid is not under threat from the historic cyberattack that recently took out a portion of Ukraine’s power grid. The December digital assault, widely believed to be the first example of hackers causing a widespread power outage, put energy companies around the world on edge as U.S. officials flew in to assist with the investigation. The attack “should be, and must be, a wake-up call for those who haven’t already been awakened by this problem and this risk,” Homeland Security Secretary Jeh Johnson said Tuesday at a Senate hearing about his agency’s budget. The DHS concluded the malicious software that downed the grid in Ukraine has not extended to the U.S. for the time being.

Emerging Challenges in Electric Grid Cybersecurity
The Hill
For years, policymakers have been concerned about a catastrophic cyberattack that could disrupt the electric grid, causing widespread power outages and impacting national security, the economy and public safety. As electric utilities and the government grapple with the myriad of cybersecurity challenges affecting critical electric infrastructure, a new challenge has emerged: cyber risk to the thousands of different businesses, vendors and suppliers that make up the electric sector supply chain. Corporations and government agencies alike are increasingly focused on cyber risk to the supply chain because data breaches affecting critical vendors, contractors and other business associates can cause direct harm to the first-party organization. These third-party incidents represent a growing attack trend.

Infrastructure Cyberattacks
The Washington Times
The commander of the U.S. Cyber Command warned last week that he expects a major cyberattack on critical infrastructure in the United States in the future. “It is only a matter of the ‘when,’ not the ‘if’ we’re going to see a nation-state, group or actor engage in destructive behavior against critical infrastructure in the United States,” Adm. Mike Rogers, Cyber Command chief and director of the National Security Agency, warned in a speech March 2. Adm. Rogers’ comments, made during a security conference in San Francisco, came seven weeks after a sophisticated cyberattack on the Ukrainian electrical power grid that disrupted large segments of the country’s power network. The incident was a “very well-crafted attack,” Adm. Rogers noted, and was focused on disrupting electrical power.

Finally, here are some interesting things DOD is doing

After Major Hack, Pentagon Taps Private Sector for Cybersecurity
NBC News
The U.S. Defense Department plans to hire private contractors to develop a $600-million-plus computer system for a new background check agency being set up after a security breach last year exposed the personal data of nearly 22 million people, a top official told Reuters. The Pentagon plans to meet interested companies and request proposals before Sept. 30, the end of fiscal year 2016, after finalizing requirements for a more flexible and adaptive replacement, said Richard Hale, the Pentagon’s deputy chief information officer for cybersecurity. In an interview with Reuters given late last week, he said the Pentagon hoped to build the new system as quickly as possible, but its progress would be measured by testing and events rather than preset dates.

Cyber Experts Invited to ‘Hack the Pentagon’
The Hill
The Defense Department is inviting “vetted hackers” to test its cybersecurity in a new pilot program called “Hack the Pentagon.” “This innovative project is a demonstration of [Secretary of Defense Ash] Carter’s continued commitment to drive the Pentagon to identify new ways to improve the department’s security measures as our interests in cyberspace evolve,” the Pentagon said in a statement Wednesday announcing the initiative. It’s the first “cyber bug bounty program in the history of the federal government,” and is modeled after similar competitions held by the nation’s biggest companies, the Pentagon said. Hackers are required to register and submit to a background check to participate in the program. It’s not clear if the vetted hackers have to be U.S. citizens.

DoD Issues Cybersecurity Discipline Guidance
Federal Times
The Defense Department recently issued a military-wide cybersecurity discipline implementation plan, a document that aims to hold leaders accountable for cybersecurity up and down the chain of command and report progress and setbacks. The plan was originally issued in October but updated in February and made public on the DoD CIO site in early March. It shares some similarities with the Pentagon’s other large-scale cyber assessment tool, the department’s strategic cybersecurity scorecard that reports service-level compliance directly to the Defense secretary. The difference between the two is that the discipline implementation plan targets tactical-level compliance, and each has different reporting mechanisms – the discipline plan routes users to the Defense Readiness Reporting System to report their status with the requirements.

But apparently not everyone is enlisting in DOD’s efforts

US Tech Firms Bypassing Pentagon to Protect Deals with China, Strategist Says
The Guardian
Silicon Valley companies are shying away from selling cyberwarfare services to the Pentagon to avoid jeopardising their relationship with the Chinese market, a leading geopolitical strategist has suggested. Peter Singer, an author and senior fellow at the New America Foundation thinktank, said the United States and China are engaged in a new cold war – being fought partly in cyberspace – that “could turn hot.” Known tactics in this new cold war include Chinese cyber-spies stealing secrets relating to the US military’s F-35 stealth jet to build a clone warplane. Meanwhile, China has complained that the US takes advantage of its power to “unscrupulously monitor other countries” under the pretense of fighting terrorism.

And, here’s something DOD probably won’t do

JOHN McAFEE: The US Should Subcontract its Cybersecurity to China
Business Insider
Steve Rogers, the eloquent and polished FBI spokesman whom I had the pleasure of debating on CNN two weeks ago, has been on national TV again – this time alerting the American public that terrorist events equivalent to what just happened in Brussels are soon coming to America. Let’s put aside, for the moment, the obvious implications regarding new demands for access into all of our lives for “security reasons”, and let’s look realistically at the true tragedy of this statement.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

March 29, 2016