In an increasingly interconnected world, the field of cybersecurity has grown and so has the need to populate it with professionals from multiple backgrounds and disciplines. In 2013, the Atlantic Council first hosted a competition that requires students to engage in crisis management exercises in order to learn new skills and new ways to navigate the world of cybersecurity. Klara Jordan, GCA’s Executive Director, EU and Africa, has been involved since the competition’s first year. Read more here about her experience with Cyber 9/12 and why supporting this cause has become so important.
What a year it’s been for GCA!
Our last newsletter of 2019 is now available!
Craig Newmark is concerned about cyber attacks on the upcoming 2020 election. Newmark fears that history will repeat itself, which is why he partnered with the Global Cyber Alliance earlier this year. He donated $1 million to the nonprofit to support their creation of multiple toolkits for election officials, journalists, and community organizations.
“I’ve seen that our election and its integrity are being attacked by foreign adversaries and their domestic allies,” states the craigslist founder. “I feel that I should tell people who are smarter than me: Defend the election, and thereby defend the country.”
Additionally, Newmark will be donating another $750,000 via Craig Newmark Philanthropies in an effort to push GCA’s mission further.
Megan Stifel, GCA’s Executive Director for the Americas, recently participated in the United Nations’ Open-ended Working Group (OEWG) on issues in Information and Communications Technology (ICT) and cyber. Read more here from Megan about the role civil society plays in broader efforts to reduce cyber risk.
By Megan Stifel
During the United Nations’ discussions on Information and Communication Technology (ICT) and cybersecurity issues recently, stakeholders discussed the critical and irreplaceable role civil society plays in operationalizing the emerging cybersecurity normative framework that fosters trust and stability in the ICT ecosystem. To be most effective, these organizations need strong support from governments and the private sector.
Civil society’s engagement on cybersecurity can take many forms, and the work done by the Global Cyber Alliance (GCA) provides many examples of this. GCA supports the Cybersecurity Tech Accord, the Paris Call, and the Cyber Peace Institute, which are just a few of the mechanisms through which stakeholders are amplifying and implementing best cybersecurity practices. Many of these best practices themselves were developed by civil society through multistakeholder processes. For example, the Center for Internet Security (CIS) Controls are recognized globally as best practices that can reduce risk by as much as 85%. Operationalizing these best practices through multistakeholder mechanisms reduces cyber risk and thereby contributes to the evolution of the normative framework recognized in the 2015 Group of Governmental Experts (GGE). Using multistakeholder processes, states can support civil society engagement on many other aspects of cyber risk reduction, including in discussions on norms, consideration of regulatory practices, procurement, and other incentive structures that foster support for collective action on cybersecurity.
To be most effective, however, civil society organizations need both remit and resources. States can support civil society and normative development by supporting organizations like GCA. GCA was established by CIS, itself a civil society organization, along with two law enforcement entities to help vulnerable populations reduce their cyber risk. These organizations established GCA in recognition of the broader impact such targeted engagement can have on the Internet ecosystem as a whole. It also acknowledges that civil society organizations like GCA can move with agility and inclusiveness that far exceeds that which is available to intergovernmental organizations.
GCA executes its mission by identifying, through stakeholder engagement, cyber risks for which there is insufficient attention but for which consistent engagement can result in scalable implementation of known or identifiable solutions that respect individual privacy while advancing security. Greatest progress is made when governments, the private sector, and civil society all work jointly to achieve objectives.
For example, the risk of Business Email Compromise (BEC) and phishing can be reduced significantly by implementing the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol. GCA has played a significant role in the adoption of this capability by all types of organizations, including governments, for their own email systems. And the greatest progress has been made when governments and the private sector have specifically supported this work, as a number of nations and the Cybersecurity Tech Accord have done.
GCA’s engagement on DMARC is just one example in which a civil society organization has helped support governmental implementation of a standard developed by the technical community. And, consistent with our operating practices, we have measured the impact of this protocol. We studied more than 1,000 organizations and found that the use of this tool prevented at least $19M in losses in the global economy annually, calling attention to the broader impact of this hygiene tool.
Use of technical capabilities like DMARC also serves as an example of the importance of transparency and accountability in reducing digital risk. This hygiene capability supports just that; through open source tools anyone can determine whether an organization has implemented this proven best practice. Consider for a moment the implications that broad adoption of this email protocol can have for due diligence, accountability, and other recommendations identified in the recently released Global Commission on the Stability of Cyberspace (GCSC) report and in the work of the Global Forum on Cyber Expertise (GFCE).
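As an added illustration of the public check described above (this is not GCA's tooling or code from the original post), the following Python example classifies the TXT records published at `_dmarc.<domain>` using the RFC 7489 tag syntax. The function names, status labels, and sample domains are assumptions constructed for the example, and the DNS lookup itself is omitted so that it runs offline.

```python
# Added example: classify DMARC TXT records (RFC 7489 tag=value syntax).
# SAMPLES holds constructed records; in practice the strings come from a
# DNS TXT query for _dmarc.<domain>.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # ignore fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and be exactly "DMARC1".
    first_name, _, first_value = parts[0].partition("=")
    if first_name.strip().lower() != "v" or first_value.strip() != "DMARC1":
        return None
    return tags


def assess(txt_records):
    """Summarise the DMARC posture implied by a domain's _dmarc TXT records."""
    records = [r for r in (parse_dmarc(t) for t in txt_records) if r]
    # RFC 7489: zero or multiple DMARC records means no policy is applied.
    if len(records) != 1:
        return {"status": "no-policy", "records_found": len(records)}
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"status": "invalid", "records_found": 1}
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # unparsable pct: fall back to the default
    if policy == "none":
        status = "monitoring"   # reports only, mail is still delivered
    elif pct < 100:
        status = "partial"      # policy applied to a sample of failing mail
    else:
        status = "enforced"
    return {
        "status": status,
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),
        "pct": pct,
        "aggregate_reports": "rua" in tags,
    }


# Constructed sample data (not real domains or real records).
SAMPLES = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:d@monitor.example"],
    "rollout.example": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "missing.example": [],
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLES.items():
        print(domain, assess(txts))
```

A `monitoring` or `partial` result means a record exists but spoofed mail is not yet being rejected across the board, which is the distinction an adoption survey needs to make.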
Importantly, the actions of civil society groups can advance a culture of hygiene in places where governments and the private sector face challenges. For example, efforts such as ours to enhance the security of email through DMARC implementation, as well as the creation of our toolkits for small business, election offices, and the forthcoming toolkit for journalists, help create a culture and practice of cybersecurity by raising the level of these groups’ cyber hygiene, which collectively can reduce the impact of abuse and irresponsible behavior in the Internet ecosystem and thereby improve overall trust in ICTs.
Collectively, civil society organizations can have a measurable impact on operationalizing recognized norms of responsible behavior, but we need support from governments and the private sector to sustain our efforts. We all must recognize that such collective support is far less costly than the alternative, where trust in the Internet ecosystem and connected technologies continues to decline due in part to failure to take action on accepted best practices. Without intervention through enhanced cyber hygiene, this continuing decline in trust risks not only the social benefits of interconnected technologies but also the greater societal benefits, including achievement of the Sustainable Development Goals. Nation states, the private sector, and civil society can work together to reduce the cyber risks that threaten agreed upon global development goals, and they can begin now by supporting and using resources such as those developed by GCA to do so.
$750K in support from organization of craigslist founder to bolster cybersecurity efforts ahead of 2020 U.S. presidential election
NEW YORK, Dec. 18, 2019 – The Global Cyber Alliance (GCA) announces the launch of the Craig Newmark Trustworthy Internet and Democracy Program. In preparation for the 2020 U.S. presidential election, this initiative will provide news outlets, government functionaries, election officials, and community organizations with free toolkits and online forums to help protect them from cyber threats.
This effort is made possible through a $750,000 gift from Craig Newmark Philanthropies and builds on related work GCA conducted earlier in 2019 to create cybersecurity toolkits for election officials, voting rights nonprofits, and journalists. The organization of craigslist founder Craig Newmark donated more than one million dollars to support that initiative.
“This renewed support from Craig Newmark Philanthropies is integral to our core mission – enabling the Internet to reach its promise of benefitting citizens and societies,” said Philip Reitinger, President and CEO of the Global Cyber Alliance. “We are truly grateful for Craig’s dedication to our work and look forward to his continued counsel as we reach key stakeholders across the globe through this program.”
As part of the Craig Newmark Trustworthy Internet and Democracy Program, GCA will:
- Develop a cybersecurity toolkit for elected representatives and government functionaries, including Secretaries of State;
- Enhance the existing GCA cybersecurity toolkits for election offices and news;
- Establish community forums where toolkit users can provide one another with mutual support and receive guidance from GCA;
- Expand outreach efforts for all three toolkits across news, social media, and email; and
- Translate each toolkit into Arabic, Chinese, French, German, Japanese, and Spanish.
“We are living in a critical time, when our democratic systems and those who make them happen require strong cyber protections to maintain their integrity,” said Newmark. “The Global Cyber Alliance has a proven track record of helping both the private and public sectors solve some of the most vexing Internet security challenges, and I’m proud to continue to support their efforts.”
Megan Stifel, Executive Director of Americas at the Global Cyber Alliance, has been appointed to oversee the Craig Newmark Trustworthy Internet and Democracy Program. Stifel brings to this role a wealth of cybersecurity experience, having spent the majority of her career in government, including serving as the Director for International Cyber Policy at the National Security Council. Most recently, she was the Cybersecurity Policy Director at Public Knowledge.
“With the 2020 election fast approaching, we’re incredibly grateful to Craig Newmark Philanthropies for continuing to support our work to help secure journalists, election officials, government personnel, and voting rights nonprofits from cyber threats,” said Stifel. “I’m honored to oversee this new program and look forward to working with the dedicated individuals who will participate in it in the years to come.”
The gift from Craig Newmark Philanthropies will also establish the Craig Newmark Scholars Program, through which GCA will hire veterans, women, and reporters for one-year terms where they will help drive the organization’s mission. The initiative will offer these individuals an opportunity to enrich or start career paths in cybersecurity, providing an interdisciplinary experience and an immersion into the technical, partnership, fundraising, and policy aspects of cybersecurity work.
Those who are interested in applying to the scholars program should inquire at firstname.lastname@example.org.
About the Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect. Learn more at www.globalcyberalliance.org.
About Craig Newmark Philanthropies
Craig Newmark Philanthropies was created by craigslist founder Craig Newmark to support and connect people and drive broad civic engagement. It works to advance people and grassroots organizations that are getting stuff done in areas that include trustworthy journalism & the information ecosystem, voter protection, gender diversity in technology, and veterans & military families. For more information, please visit: CraigNewmarkPhilanthropies.org.
By Rick Tracy
Regardless of the size of your organization, there is no “easy button” for risk management. In order for the process to be effective and beneficial, you have to do the work.
Fortunately, the National Institute of Science and Technology (NIST) developed a risk framework that offers an easy-to-understand risk management methodology. Originally designed for the 16 critical infrastructure sectors in the United States, as defined by the Department of Homeland Security, the has become the framework of choice for many organizations beyond critical infrastructure, and is even being adopted around the world.
While the benefits of the NIST CSF can be realized by organizations of all sizes and missions, the reality is that small and medium-sized businesses (SMBs) have additional challenges when it comes to managing cyber risk. For instance, SMBs often don’t have the skilled people on staff to conduct self-assessments and manage risk over time. They also may not have the financial resources to outsource the function to a third party.
How the NIST CSF Can Help SMBs
The simplicity of the NIST CSF can really help resource-constrained organizations do what they can with what they have. Since it’s a framework, organizations can use as much or as little of the CSF as they like. It is possible to start small and scale big incrementally over time.
The NIST CSF allows you to select security objectives that are meaningful to your business. For example, if you sell products and services via your website, then your website is critical to your business. If the website goes down, you lose revenue, so you might choose to start your risk management program around your website. The CSF helps you identify critical security objectives needed to manage risk associated with your web-based business. These security objectives create what the NIST CSF refers to as a Target Profile (i.e., the security objectives that you want to meet).
The CSF also recommends a very logical gap assessment process that allows you to determine if the critical capabilities are in place for your website. This gap assessment process helps you identify critical weaknesses so that remediation plans can be developed to quickly address critical risks. An assessment of your status yields what the NIST CSF refers to as a Current Profile, which enables you to identify any security objectives you don’t satisfy. These shortcomings are called Gaps by the NIST CSF. These Gaps must be remediated in order to achieve an acceptable level of risk, as defined by the organization in the Target Profile.
Expand Your Scope When You Are Ready
Over time, you can expand the scope of your security risk management program by adding additional security objectives (the NIST CSF calls these Categories and Subcategories) to your Target Profile. For example, you might decide to expand the scope of your program to include more than just the website. To do this you simply select additional security objectives (i.e., more NIST Categories and Subcategories) for other aspects of the business, engage more detailed security controls (e.g., CIS, 800-53, and ISO) for more granular security definition, and/or add additional security objectives to your Target Profile.
The point is you decide when and how to expand your program based on risk tolerance and business need. The CSF allows you to scale your program when you like and how you like.
For companies that do business in the cloud, organizations like are aligning their cloud services (e.g., encryption, access control, audit logs, etc.) to CSF Categories and Subcategories. This further suggests that the CSF is becoming a universal standard for risk management. Such will make it even easier for organizations to use the CSF to assess and manage risk moving forward.
Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.
Members of the GCA team, including CEO, Philip Reitinger; Global Partnership Officer, Terry Wilson; Global Technical Officer, Adnan Baykal; Global Communications Officer, Aimée Larsen Kirkpatrick; and Executive Director, Americas, Megan Stifel, will provide updates and information about recent GCA accomplishments, the new partnership model, global strategy, and upcoming partner collaboration opportunities.
Please see the agenda for the webinar.
GCA’s November Newsletter is now available for your reading pleasure! Catch up on everything we’ve been up to this past month!
By Roger Francis
In our complex and connected digital age, cybercrime has become the fastest growing form of criminal activity. The scale of cyberattacks has grown to such an extent that it’s no longer a case of if an organisation will be compromised, but when.
Malware outbreaks such as WannaCry and NotPetya, which occurred in 2017, served as wake-up calls to many businesses as to the value cyber insurance can play in recovering from a cyber incident. However, uptake is still relatively low compared with other commercial insurance products.
In its early years cyber insurance was perhaps more of a hedge against possible litigation resulting from a cyber incident, but since then it has evolved to become an essential component of a mature organisational incident response plan. Providing access to additional technical incident response capability and capacity when needed most has become vital, as has utilising a whole host of proactive risk reduction tools that run the gamut from security training and education to templated Incident Response Plans and Dark Web monitoring.
As cyber insurance gains traction, so does the frequency of cyber claims. A recent report issued by an insurance broker, Marsh, stated that individual insurers reported a huge surge in claims in 2018. As one example, our team at CFC handled over 1,000 cyber claims in 2018, and we expect this to increase by another 5% this year.
The rise in claims is an indication that cyber policy wording is getting closer to the mark – though to be honest, when a business purchases a cyber insurance policy, they’re really buying the claims service behind it, not the paper it is written on. While this fact is true of any insurance policy, this is even more critical when it comes to cyber, where incident response, technical expertise, and real-world cyber claims handling experience can make the difference between a business suffering a catastrophic loss or getting back online quickly.
Despite the many security tools available to businesses to improve cyber maturity and the work of organisations like the Global Cyber Alliance, the inescapable truth is that the vast majority of cyber incidents involve some kind of human error or oversight.
This is in part because theft of funds, ransomware, extortion, and non-malicious data breaches usually involve the exploitation of the human element in any given business process, whether it be a victim falling for advanced social engineering and clicking on a phishing link, or failing to follow up on a wire transfer request with a phone call.
In each of these cases it would be easy to blame employees, touting a lapse in security awareness as the deficiency, but in reality, this is an oversimplification of the facts. By our very human nature we derive trust from our daily interactions, and in this digital age this interaction encompasses the computers and systems we use to carry out our daily activities.
Our natural instincts to trust can lead even the most well-informed and well-trained of us to click, download, install, open, and wire money to far flung parts of the world, without taking pause to consider the source of the request.
Cyber criminals prey upon this tacit trust and have become experts at digital manipulation, adapting traditional fraud techniques to be delivered at scale, using a range of techniques, from simple lures designed to convince victims to open a malicious document attachment, to more elaborate tactics, techniques, and procedures.
The good news is that cyber insurance continues to adapt in response to insureds’ needs and remains a critical component in tackling and remediating the impact of cybercrime.
Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance.
By Andy Bates
Neil Massa is the co-founder of SNH and one of the UK’s leading authorities on time management in the digital age. SNH is being used to improve productivity and wellbeing by organisations such as Salesforce, SAP, RSM, Clifford Chance, BT, Sage, DHL, and Sky. In most cases they expect to improve productivity by 10 to 15 percent within three months!
“I hear that there are one million vacancies in the cyber industry,” Neil said. “Every day we hear of AI and machine learning being used to make cyber experts more efficient. Yet there are a wide range of good practices that many people overlook which can make us more efficient.”
Since 2015, SNH has been running free courses for charities in the UK and now at each event they give a short pitch to all their charity contacts on the value of using GCA’s free services to improve cybersecurity.
“GCA is a charity and yet very few charities know about them,” Neil said. “Charities might think they have nothing to steal, yet we all know they have millions of data sets as well as donor money. The GCA is ideal for charities because GCA solutions are free at point of use but also help charities become more GDPR compliant.”
Andy Bates, GCA’s Executive Director in the UK, said he has worked with SNH in the past.
“I met SNH when I was at Verizon and deployed them successfully to help our sales force,” he said. “Part of their unique value proposition is they believe in using free solutions, so they were the perfect fit for GCA. It’s been great to work with SNH for the past two years, as we know that every month multiple charities are being impacted positively by GCA, but SNH weaves our message into their programme. It’s a true partnership.”
Look out for the SNH book which will be released soon. They claim it can save you three days a month and you can read it in just a few hours!
The author, Andy Bates, is the Executive Director of the United Kingdom, Middle East and India for the Global Cyber Alliance. You can follow him on Twitter @andycyberbates or connect with him on LinkedIn.