By Renée McLaughlin
Our President and CEO, Phil Reitinger, had the opportunity to sit down with Tom Field, Vice President of Editorial at ISMG Network News, while here at RSAC 2017. He circles back to his interview with Tom last year, in which he described how we formed the “coalition of the angry” in the form of the Global Cyber Alliance. Now, as we move through the first quarter of 2017, we have transitioned to a coalition of action. The conversation covers everything from the new administration’s draft cyber Executive Order, to our new GCA solutions, to our plans to keep making an impact by implementing solutions. You can watch the full interview here.
“We’re mad as hell, and we’re not gonna take it anymore.”
Expansion of DMARC Critical to Reducing Spread of Malicious Emails
SAN FRANCISCO, February 14, 2017 – There is a fix that can prevent a great many email-borne attacks on consumers and businesses. Unfortunately, the vast majority of public and private organizations globally, including leading cyber security companies, have not deployed DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent spammers and phishers from using an organization’s name to conduct cyber attacks, according to new research from the Global Cyber Alliance (GCA).
DMARC provides insight into any attempts to spam, phish or spear-phish using an organization’s brand or name. DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 2.5 billion email inboxes worldwide. However, DMARC adoption rates among enterprises and governments remain low.
The UK Government’s guidance for government agencies directs them to implement DMARC[i] but as of December 2016 only five percent of UK public sector domains[ii] had done so. A mere 16 percent of the healthcare sector has adopted DMARC.
The latest research from GCA, an international cross-sector organization dedicated to confronting systemic cyber risk, finds that adoption remains low in the cyber security industry as well.
Only 15 percent of the 587 email domains scanned for companies exhibiting at the RSA Conference — one of the world’s largest gatherings of cyber security experts — use DMARC. Of the 90 RSA exhibiting organizations that do use DMARC, more than 66 percent publish a DMARC policy of “none,” which asks receiving mail servers to take no action on messages that fail authentication and only to send reports back to the domain owner, greatly reducing the effectiveness of DMARC.
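The distinction the survey draws between a policy of “none” and an enforcing policy is visible in the DMARC TXT record itself. The following Python is an added illustration, not GCA’s code or its scanning tool: it parses DMARC records, classifies each as absent, invalid, monitor-only, partially enforcing or fully enforcing, and flags the weaknesses a practitioner checks for (no reporting address, a pct below 100, a subdomain policy weaker than the organizational policy). The sample records and the .example domain names are constructed for this example and belong to no RSA exhibitor.

```python
"""Parse DMARC TXT records and classify what each one actually asks
mail receivers to do. Added example, not GCA code; the sample records
below are constructed and the .example names belong to nobody."""

# Enforcement ladder used by RFC 7489 ('none' < 'quarantine' < 'reject').
POLICIES = ("none", "quarantine", "reject")

# Constructed sample: the kind of mix the survey above describes.
SAMPLE_RECORDS = {
    "vendor-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@vendor-a.example",
    "vendor-b.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@vendor-b.example",
    "vendor-c.example": "v=DMARC1; p=quarantine; pct=10",
    "vendor-d.example": "",                                   # no _dmarc record at all
    "vendor-e.example": "v=spf1 include:_spf.vendor-e.example -all",  # SPF published at _dmarc
    "vendor-f.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-f.example",
    "vendor-g.example": "v=DMARC1; rua=mailto:dmarc@vendor-g.example",  # 'p' missing
}


def parse_dmarc(txt):
    """Split a record into its tag=value pairs (RFC 7489 section 6.3).

    Returns {} for anything a receiver would discard: the 'v' tag must be
    present, first, and exactly 'DMARC1' (the RFC says it must match
    precisely), and every non-empty part must be a tag=value pair.
    """
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}
        key, value = (s.strip() for s in part.split("=", 1))
        if key not in tags:          # duplicate tags: keep the first
            tags[key] = value
            order.append(key)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return {}
    return tags


def classify(txt):
    """Return {'level': ..., 'weaknesses': [...]} for one record.

    level: absent | invalid | monitor | partial | enforcing
      monitor   = p=none: receivers take no action, only reports are sent
      partial   = quarantine/reject applied to pct<100 of failing mail
      enforcing = quarantine/reject applied to all failing mail
    """
    tags = parse_dmarc(txt)
    if not tags:
        return {"level": "absent" if not txt.strip() else "invalid", "weaknesses": []}
    policy = tags.get("p")
    has_rua = "rua" in tags
    if policy is None:
        # RFC 7489 section 6.6.3: no usable 'p' but a 'rua' is processed as
        # p=none; with neither, the record is ignored.
        if not has_rua:
            return {"level": "invalid", "weaknesses": ["no p tag"]}
        policy = "none"
    if policy not in POLICIES:
        return {"level": "invalid", "weaknesses": [f"unknown p={policy}"]}
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return {"level": "invalid", "weaknesses": [f"bad pct={pct}"]}
    pct = int(pct)
    sub = tags.get("sp", policy)            # 'sp' defaults to 'p'
    if sub not in POLICIES:                 # assumption: a malformed sp is ignored
        sub = policy

    weaknesses = []
    if policy == "none":
        level = "monitor"
        if not has_rua:
            weaknesses.append("p=none without rua: no enforcement and no reports")
    elif pct < 100:
        level = "partial"
        # Receivers apply the next weaker policy to the unselected share
        # (reject -> quarantine, quarantine -> none), RFC 7489 section 6.6.4.
        weaknesses.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    else:
        level = "enforcing"
    if POLICIES.index(sub) < POLICIES.index(policy):
        weaknesses.append(f"sp={sub} weaker than p={policy}: subdomains remain spoofable")
    return {"level": level, "p": policy, "sp": sub, "pct": pct, "rua": has_rua,
            "weaknesses": weaknesses}


def summarize(records):
    """Count records per level, the headline number in the survey above."""
    counts = {}
    for txt in records.values():
        level = classify(txt)["level"]
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        result = classify(txt)
        print(f"{name:18} {result['level']:10} {'; '.join(result['weaknesses'])}")
    print(summarize(SAMPLE_RECORDS))
```

To run this against real domains, fetch the TXT record at `_dmarc.<domain>` with a DNS library and pass the text to `classify`; the parser is deliberately strict about the `v` tag because receivers discard a record that does not match `DMARC1` exactly, so a typo there is equivalent to publishing nothing.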
It is time for the cyber security industry to lead the charge and push for DMARC use across the globe. GCA strongly advocates that organizations implement DMARC and has developed a free DMARC Setup Guide to make DMARC implementation easier (https://dmarc.globalcyberalliance.org/).
The value of correctly implementing DMARC is clear: studies[iii] have shown that organizations that use DMARC correctly receive just 23 percent of the email threats received by those that do not use DMARC.
“As world leaders in cybersecurity, we can do better. DMARC protects brands and preserves consumer confidence. While no security effort is cost-free, clear guidance and tools, such as the GCA DMARC Setup Guide, make DMARC implementation practical, and the benefits are considerable. DMARC is one of the cyber security protocols that can broadly reduce risk, and the more it is implemented, the more protection it offers for everyone,” said Philip Reitinger, President and CEO of GCA. “I’m placing a stake in the ground and calling on the cyber security industry to lead the adoption of DMARC, with a goal that 50 percent of the companies that exhibit at the 2018 RSA Conference implement DMARC prior to the conference, and that 90 percent implement prior to the 2019 RSA Conference. Working together the cyber security industry can be a role model and make a difference.”
About The Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. While most efforts at addressing cyber risk have been industry, sector, or geographically specific, GCA partners across borders and sectors. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.
GCA, a 501(c)(3), was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.
By Renée McLaughlin
Day Two at the RSA Conference has not disappointed. The GCA team has been tag-teaming the interviews, meetings, panels, catching up with partners and former colleagues…but sometimes in the excitement, we tend to forget about the importance of the basics.
Our President and CEO, Phil Reitinger, had the pleasure this morning to have a lengthy discussion with Adam Sedgewick at NIST. We’re looking forward to that video interview being published, but in the meantime, we thought it important to share some of the good work from NIST around the Cybersecurity Framework. Watch, learn, and enjoy!
By Phil Reitinger
As I sit on a plane full of cyber security professionals winging our way toward RSA, I feel a surge of enthusiasm. I’m ready to transition back from cyber security Cassandra to Pollyanna – the future is bright! The reason? It seems to me that both the Trump Administration and the Obama Administration have come to the very same conclusion about cyber security. They were and are ready to admit that we have been powerless over Information Technology (not just cyber security), and that our lives have therefore become unmanageable. We have consensus that it is time to join “IT Anonymous.” Moreover, the proposal from the Trump Administration to address our problem, at least as included in the draft cyber security executive order, makes considerable sense.
You may not recall the Obama Administration’s Cybersecurity National Action Plan, published just a few days over one year ago, which directed:
[Government] agencies will increase the availability of government-wide shared services for IT and cybersecurity, with the goal of taking each individual agency out of the business of building, owning, and operating their own IT when more efficient, effective, and secure options are available[.]
Yep, it was time to get most government agencies not only out of the cyber security business but out of the IT business entirely. Governments’ IT-life had become unmanageable.
The draft executive order from the Trump Administration reaches the same conclusion, with even greater explanation, justification, and direction. It says:
The executive branch has for too long accepted antiquated and difficult to defend IT and information systems.
and directs the Assistant to the President for Intragovernmental and Technology Initiatives to prepare a report on
The technical feasibility and cost effectiveness, with timelines and milestones, of transitioning all agencies to one or more consolidated network architectures … [and] to shared IT services, including email, cloud services, and cybersecurity services, and any legal, policy, or budgetary considerations to implementing that transition.
Hallelujah! (Yes, I mean that.) Perhaps the greatest problem in cyber security is security at scale, and transitioning the federal government to a more efficient model, with security embedded in shared-IT services that can be supplied by a common agency or outsourced to the private sector (with oversight) will increase the capability, effectiveness and agility of government IT and cyber security.
While we are on the Trump Administration draft executive order, I’m impressed. The order gets the key issues and puts each on a path for action. It implicitly identifies communications and electricity as infrastructures with the greatest potential for catastrophic and immediate damage. Just as important, it identifies market transparency of risk management by critical infrastructure entities as a key approach for enhancing their security – that is, make sure the market knows what critical infrastructure is doing, so at least publicly traded companies can be rewarded (or not) for their efforts. The approach isn’t that different from the Obama Administration’s May 2011 legislative proposal, “Our proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.” More agreement.
Some have called the draft EO “bloatware” because it calls for 9 reports – I disagree. I’m not a big fan of reports, and that is a lot of reports, but if each is a necessary preliminary step to build bureaucratic and political consensus for a new administration, prior to defining an action plan, I’m all in.
Sole Non-Profit Sponsor for RSA Conference 2017
As cybersecurity’s best and brightest minds prepare for RSA Conference 2017 next month in San Francisco, the Global Cyber Alliance (GCA) is proud to lend our support as the non-profit sponsor of this premier event.
RSA’s mission is to connect cybersecurity vendors, professionals, and government officials. The conference’s focus on empowering the cybersecurity industry to stay ahead of threats is a perfect complement to GCA’s focus on eradicating systemic cyber risks.
Over the course of the conference, which runs from February 13-17, GCA President and CEO, Philip Reitinger, will be an active voice, lending his extensive cyber security expertise in both the public and private sectors on two panels.
Panel 1 (February 15)
Law enforcement is playing a game of cybersecurity catch-up. Global law enforcement coordination is still challenging, officers are undertrained and prosecutors are frustrated. The threat-by-threat, finger-in-the-dike approach isn’t working. Can applying the principles of predictive analysis to reduce risk in cybersecurity, as in other types of crime prevention, stem the tide?
Additional panelists include:
Commander Christopher Greany, National Coordinator for Economic Crime, City of London Police
Scott S. Smith, Assistant Director, Federal Bureau of Investigation
Cyrus Vance, Jr., District Attorney, New York County District Attorney’s Office
Panel 2 (February 17)
Predictive analysis is used by many professions to determine risk, shape prevention strategies and inform governance decisions. Continuous defense is exhausting, inefficient and leaves blind spots. Decisions are difficult to make, resources wasted, and systems and data left exposed because every day is tactical versus strategic. Can we create a risk dashboard to move from defense to offense?
Additional panelists include:
Graeme Newman, Chief Innovation Officer, CFC Underwriting
Troels Oerting, Group Chief Security Officer (CSO) and Group Chief Information Security Officer (CISO), Barclays
Jacob Olcott, Vice President, BitSight Technologies
If you are interested in attending RSA 2017 and have not signed up, please visit the official conference website and do so today. If you are a partner of the Global Cyber Alliance be sure to enter code 1U7GCAFD to receive our special discounted rate of $100 off a Full Conference Pass.