By Phil Reitinger
I spent Monday and Tuesday last week in Den Haag and Brussels, signing a Memorandum of Understanding with Europol and then meeting with European Commission officials and operators. It was a great visit from start to finish, and I saw a particularly interesting thing the second day. Half of the EC-connected people we met with on cyber security were women. I wonder if that would have been true even a few years ago.
The involvement of women in cyber security isn’t new. In my own experience, the very first executive with whom I worked on cyber security was then Attorney General Janet Reno, and while she wasn’t a techie, she had a strong interest in technology and helped U.S. law enforcement to be as prepared as possible for the coming changes. I worked for a number of other accomplished women over the following years – a Cabinet Secretary, Deputy Secretary, and corporate executive.
At GCA, a good chunk of the executive team, and the whole team, are women. So is one of our Board members (Yurie Ito of CyberGreen). But as a community, we still have a ways to go, especially when you get to the pure technical positions. There are great women there, including some notable hackers (in the good sense); but a report last year from CREST studied the underrepresentation of women in cyber security, referring to an (ISC)2 workforce study that indicated only 10% of the global cyber security workforce are women. If only 10% of the GCA workforce were women, we wouldn’t be able to run the organization, operate effectively in Europe, or communicate.
Changing this dynamic requires action on many levels, from the technical to the executive. For example, the UK’s National Cyber Security Centre along with GCHQ has launched a cyber security technical competition for teenage girls “to find the best and brightest candidates to protect the nation from future cyber attacks.” There are lots of words for that, but they are all synonyms of “awesome.”
You too can play a part. Ensure women cyber security executives have access to the mentors and networks they (like any other executive) need – at GCA in the US, we use the Executive Women’s Forum. Make sure professional development is available at all levels.
That’s all. No magic wand, just hard work over the years to improve our industry. Kind of like cyber security itself.
By Phil Reitinger
Businesses may be sighing in relief that the new U.S. administration is opposed to additional regulation and has imposed a “regulatory moratorium.” This will almost certainly slow the pace of additional federal regulation on cybersecurity and privacy in the United States. But it doesn’t mean the end of regulation. Indeed, a combination of factors will often lead to the same result – imposition of additional mandates – but in a less efficient and more burdensome way. Mandates will be imposed but from a greater diversity of sources, with less clarity on what the actual requirements are. If you recall the Saturday Night Live skit about the Olympia Restaurant, the “Cheeseburger” skit, and if cyber regulation is “Coke,” what you are going to get is “No Coke, Pepsi.” You can still have a carbonated, sweet beverage but with a slightly different taste and maybe not what you wanted.
Cybersecurity and privacy regulation will arise from at least three sources:
First, the lack of new mandates from the U.S. government doesn’t mean less regulation from non-U.S. entities. The most significant of these may be the European Commission’s General Data Protection Regulation (GDPR), which will have significant effects for most international businesses and allows fines of up to 4% of “global annual turnover.” That’s a significant amount. Also of import is the Commission’s Directive on the Security of Network and Information Systems (the “NIS Directive”). China – an important market – is adopting cybersecurity regulation too. Keep in mind that there are about 200 countries, along with additional international bodies with significant authority, such as the International Telecommunications Union.
Second, U.S. states may charge in where the federal government fears to tread. New York State is proceeding down this path with additional regulatory mandates for financial institutions. Many of you will also be familiar with the plethora of state breach disclosure regulation that developed when California first adopted SB 1386. The diversity of those breach disclosure requirements has led to repeated calls from industry for imposition of a harmonized U.S. federal breach disclosure requirement, because federal regulation would be less burdensome.
Third, the lack of clear requirements will lead quasi-regulators, including the Federal Trade Commission in the U.S. and others (e.g., privacy commissioners) around the world to impose prospective entity-specific requirements and after-the-fact fines, resulting in de facto regulation. In the case of the FTC, an allegation that a company was negligent in failing to take “reasonable” practices, and therefore engaged in unfair trade practices, may lead to imposition of a 20-year consent decree (which is entity-specific regulation) with regular reporting to the FTC.
It’s hard to say if this mélange will result in stronger, or weaker, mandates. Some privacy advocates have opposed a single U.S. federal law because a mix of state laws likely results in companies having to comply with the maximum set of requirements. There is one certain result, however: cybersecurity spending for consultants and lawyers will increase.
And regardless of your view of additional regulation, I hope most of you will agree with the need for clarity, transparency, and technology neutrality in any set of mandates. If governments want companies to do more to protect themselves – which they both should want and actually do want – then it is incumbent upon government to make clear what that is and how it can be determined if a mandate is to be imposed.
Enjoy your beverage. I hope you like Pepsi.
Sole Non-Profit Sponsor for RSA Conference 2017
As cybersecurity’s best and brightest minds prepare for RSA Conference 2017 next month in San Francisco, the Global Cyber Alliance (GCA) is proud to lend our support as the non-profit sponsor of this premier event.
RSA’s mission is to connect cybersecurity vendors, professionals, and government officials. The conference’s focus on empowering the cybersecurity industry to stay ahead of threats is a perfect complement to GCA’s focus on eradicating systemic cyber risks.
Over the course of the conference, which runs from February 13-17, GCA President and CEO, Philip Reitinger, will be an active voice, lending his extensive cyber security expertise in both the public and private sectors on two panels.
Panel 1 (February 15)
Law enforcement is playing a game of cybersecurity catchup. Global law enforcement coordination is still challenging, officers are undertrained and prosecutors are frustrated. The threat-by-threat, finger-in-the-dike approach isn’t working. By applying principles of predictive analysis to reduce risk in cybersecurity, as in other types of crime prevention, is it possible to stem the tide?
Additional panelists include:
Commander Christopher Greany – National Coordinator for Economic Crime, City of London Police
Scott S. Smith – Assistant Director, Federal Bureau of Investigation
Cyrus Vance, Jr. – District Attorney, New York County District Attorney’s Office
Panel 2 (February 17)
Predictive analysis is used by many professions to determine risk, shape prevention strategies and inform governance decisions. Continuous defense is exhausting, inefficient and leaves blind spots. Decisions are difficult to make, resources wasted, and systems and data left exposed because every day is tactical versus strategic. Can we create a risk dashboard to move from defense to offense?
Additional panelists include:
Graeme Newman – Chief Innovation Officer, CFC Underwriting
Troels Oerting – Group Chief Security Officer (CSO) and Group Chief Information Security Officer (CISO), Barclays
Jacob Olcott – Vice President, BitSight Technologies
If you are interested in attending RSA 2017 and have not signed up, please visit the official conference website and do so today. If you are a partner of the Global Cyber Alliance be sure to enter code 1U7GCAFD to receive our special discounted rate of $100 off a Full Conference Pass.
By Phil Reitinger
In Monty Python’s Holy Grail, after a massacre of wedding guests by Sir Lancelot, the King of Swamp Castle says, “This is supposed to be a happy occasion. Let’s not bicker and argue about who killed who.” As cyber security goes these days, sometimes I feel like the King of Swamp Castle, and sometimes like the wedding guest who yells about Lancelot, “He’s killed the best man!”
Ironically, the King of “Swamp” Castle is right. The core issue in cyber security these days is that offense beats defense. If someone devotes enough resources to compromise your network over enough time, the odds are significantly in his or her favor. Thus, you often hear stated “there are only two types of companies: those that have been hacked and those that will be.” Until we can change this basic equation in favor of the defense – by building a cyber ecosystem that can defend itself, by devoting more resources to prevention especially of systemic risks, and by much broader use of resilient technologies like trustworthy secure systems (see NIST Sp. Pub. 800-160) – worrying about “who killed who (sic)” may be a waste of time.
But while placing blame on the cyber murderer may be a waste of time, it is not always so, and looking for the murderer has value. Even if offense beats defense, we need to avoid resignation, and must guard against:
- Know-Nothingism – U.S. President-elect Trump is correct that “hacking is a very hard thing to prove.” That doesn’t mean we shouldn’t try to prove it or attribute the hack where possible. Even if, for example, general deterrence of hackers by criminal prosecution is not effective because the risk of getting caught is low, specific deterrence of particular persons, entities, or countries is possible. And knowing sources of threats – threat intelligence – can be critical in mounting an effective defense.
- Silence – When we have information on threats and hacking, we need to share it. Attribution, even if far short of certainty, can be invaluable in determining the motivation behind an attack and its likely target. Knowledge about attacks and compromises, even if attribution is completely unknown, can improve the defenses of others. Last, speaking openly about attacks and their effects helps prevent characterization of malicious hacking and cyber risk as normal, acceptable, and immutable.
- Fatalism – Sometimes folks want to throw up their hands. “Stop hacking? Fuhgeddaboutit!” Again, U.S. President-elect Trump is substantially correct that “no computer is safe,” but that doesn’t mean that no computer should be safe, or that it is not possible to do a much better job of making computers safe. The new U.S. Administration will have some challenges here, with its preferences against regulation and expending additional resources.
In other words, the wedding guest is right too. If Lancelot killed the best man, or even likely killed the best man (because Lancelot has a bloody sword and the best man a stab wound), then that is worth knowing, saying, and acting upon even if a better suit of armor for the best man would have stopped the attack.
By Phil Reitinger
The United Kingdom published its new National Cyber Security Strategy on 1 November. “Piffle,” you say, “not another cyber security strategy.” In this case, you’d be wrong.
Cyber security is a critical topic, with significant breaches in the UK and elsewhere, election-related hacking in the United States, and record-setting denial-of-service attacks globally. Our nations have been doing “cyber security” for decades, but every year the problem has become worse, not better. It’s easy to collapse into cynicism. Regardless, the UK strategy is a step in the right direction.
First, it is important in these interesting times to be clear and compelling. The UK strategy puts forward a simple but evocative description of the approach – “Defend. Deter. Develop.” – that can help galvanize government and national action. Like the 2010 UK Counterterrorism strategy, “Pursue Prevent Protect Prepare,” the taxonomy allows people to understand the strategy and their own role in furthering it.
Second, the UK strategy gets into details, focusing on concrete steps rather than policy blather. The UK strategy calls for, among other things, implementing Domain Name System (DNS) blocking/filtering, and deploying an email verification system (meaning DMARC) – two projects in which the Global Cyber Alliance has a special interest. Generally absent are phrases like “encourage to consider” (with some exceptions, like the box on encryption on p. 52) found in the occasional other strategy.
Third, the UK strategy bites off the issue of direct government action and regulation, where necessary. “The Government will … invest to maximise the potential of a truly innovative UK cyber sector … identify and bring on talent … [and] will also make use of all available levers … to drive up standards of cyber security across the economy, including, if required, through regulation.” The UK strategy draws a middle line between the pure “partnership” strategy in the US and what seems to be a heavier regulatory focus elsewhere.
No strategy is perfect, but focusing on clarity, action, and accountability will take you a long way.