Category Archives: Op-Ed

It’s hard for campaigns to be transparent without aiding attackers

Posted on by

Everyone knows what happened to John Podesta in 2016. Hillary Clinton’s campaign manager clicked on a phishing email, and as far as we know, it was the first time a cyberattack shaped a presidential election. This time around, the campaigns are more focused on recognizing and stopping phishing attacks. That’s good, because phishing has become way more sophisticated over the last four years, including the painstaking research smart attackers run. So if we were to see a repeat of 2016, where would hackers conduct their homework? They could look no further than the Federal Election Commission, whose website illustrates how tough it is to balance transparency and security. The bad guys are looking, too Check out the FEC’s campaign finance data repository. It enables anyone to see where campaigns are spending their money: They’re required to list individuals, vendors, and others they are paying to support their operations. The site […]

The post It’s hard for campaigns to be transparent without aiding attackers appeared first on CyberScoop.

Continue reading It’s hard for campaigns to be transparent without aiding attackers

Building a resilient cyber future

Posted on by

During the early days of the Cold War, American planners wrestled with the emerging challenge of deterring a Soviet nuclear strike. Recognizing the destructive potential of nuclear weapons, the U.S. opted to focus its efforts on ensuring that adversaries clearly understood the U.S. capacity to retaliate and impose costs. Defense and resilience was a secondary priority. We did not, for example, build our subway systems hundreds of feet underground to double as fallout shelters, as the Soviets did. We relied heavily on the concept of mutually assured destruction to dissuade adversaries. With the Cyberspace Solarium Commission, we have assessed that a strong offense does not convey the same deterrent in cyberspace as it does in nuclear or conventional war. While the ability to impose costs is important, a U.S. strategy to secure ourselves in cyberspace must prioritize defense, denying adversaries the opportunity and benefits brought by attacking us in this […]

The post Building a resilient cyber future appeared first on CyberScoop.

Continue reading Building a resilient cyber future

It’s time to set behavior norms for responsible nations

Posted on by

Years ago, I held senior leadership positions in the U.S. military focused on cyber-operations, policy and strategy. What kept me up at night was the concern that a loosely controlled third-party actor or organization — operating with suspicious motivations or questionable skills at the behest of an adversary — might initiate a cyberattack that could escalate to a physical conflict. The warning signs are there. Consider the NotPetya attack, which was described by Wired Magazine as “an act of cyberwar… that was likely more explosive than even its creators intended.” This nation-sponsored attack demonstrated the dangers that could lead to conflict. While part of the challenge is technological, it also comes down to establishing and adhering to behaviorial norms. In cyberspace, there are no rules that describe and govern what type of behavior is and isn’t acceptable. There have been several efforts in this direction, notably the U.S.-China Cyber Agreement […]

The post It’s time to set behavior norms for responsible nations appeared first on CyberScoop.

Continue reading It’s time to set behavior norms for responsible nations

Why aren’t presidential candidates talking about cybercrime?

Posted on by

At the start of the last Democratic primary debate, the candidates were asked what makes them best prepared to be commander-in-chief. Sen. Elizabeth Warren, D-Mass., and former South Bend Indiana Mayor Pete Buttigieg highlighted tackling cyber threats. And that is where the extent of the subject ended. As of the last debate, all eight events have been held without any substantive discussion about a national security threat that arguably impacts more Americans than any other. If candidates want to connect with more voters about the issues that are actually affecting their daily lives, they should talk about their plans for grappling with cyber threats—particularly cybercrime. Cybercrime is hitting millions of Americans—no matter their location or political affiliation. A shocking one-in-four Americans now say that they or someone in their household has been a victim of cybercrime. The U.S. Conference of Mayors estimates 170 local and state governments have been hit […]

The post Why aren’t presidential candidates talking about cybercrime? appeared first on CyberScoop.

Continue reading Why aren’t presidential candidates talking about cybercrime?

Weak encryption means putting our military at risk

Posted on by

Last month, a brigade of U.S. soldiers deployed to the Middle East received instructions from their superiors to use two commercial encrypted messaging applications, Signal and Wickr, on their government issued cell phones. These leadership cues trickled down from the Department of Defense’s (DoD) position that strong encryption is critical to national security. While U.S. Attorney General William Barr continues to push for a broad mandate for backdoors for law enforcement, those on the front lines of protecting America have notably decided on a different approach. Simply put, weakening encryption means putting our military service members at risk. In a recent letter to Rep. Ro Khanna, D-Calif., DoD Chief Information Officer Dana Deasy made clear that the use of encryption to protect the mobile devices of our service members and their stored data is an “imperative.” Deasy makes clear that the use of commercial encryption and virtual private networks (VPNs) […]

The post Weak encryption means putting our military at risk appeared first on CyberScoop.

Continue reading Weak encryption means putting our military at risk

Cybersecurity’s warranty challenge

Posted on by

Making the best decision about risk sometimes means forgoing cybersecurity’s best practices. That can be the unfortunate reality for companies with equipment that is under warranty. Security leaders sometimes have to make the tough choice of forgoing a patch because in some cases, it would void the manufacturer warranty on the product if applied, and leave them on the hook for any potential costs if the equipment were to break. This dilemma highlights the complicated nature of security decision-making. Even in today’s world – where security threats cost businesses $45 billion in 2018 – making the right decision to manage a company’s risk can mean juggling competing priorities, like limiting the risk of a cyberattack with the financial risk of repairing costly equipment without a warranty. Patching is one of cybersecurity’s most commonly accepted best practices. By patching systems, companies are closing up known vulnerabilities in their infrastructure, devices or […]

The post Cybersecurity’s warranty challenge appeared first on CyberScoop.

Continue reading Cybersecurity’s warranty challenge

The Cyber speaks: What will actually happen in 2020

Posted on by

Editor’s Note: It seems like the entire cybersecurity sector has something to say about what the future holds for 2020. But what do the computers themselves think? Kelly Shortridge, VP of product security at Capsule8, forced a bot to read more than 1,000 cyber security predictions for 2020 and then asked it to write predictions of its own. Here is the result. The article is all generated through Markov chains and is only super lightly edited for clarity. Intro The year 2020 indicates more years. The year 2020 expects to showcase more budgets and detecting weird things and anomalies. 2020 will very likely bring a greater risk. There is a lot of skepticism that has existed for years, but in 2020 we will have to consider that top security conferences could lead to even disasters based on the activities of ‘undesirable’ individuals. Looking forward, 2020 promises to be the easiest […]

The post The Cyber speaks: What will actually happen in 2020 appeared first on CyberScoop.

Continue reading The Cyber speaks: What will actually happen in 2020

States are at a crossroads when it comes to cybersecurity

Posted on by

A few weeks ago, I participated in a cybersecurity panel at the National Association of State Technology Directors Annual Conference. The theme of the event, “The Crossroads of Technology,” was very fitting from my perspective because it was clear that state and local government organizations are, in fact, at a major crossroads when it comes to cybersecurity. These enterprises are clearly feeling the wear-and-tear of phishing, malware, and ransomware attacks that must feel like a daily occurrence. In fact, during the conference, news broke about the state of Texas being hit with a coordinated ransomware attack that disrupted systems of 22 local governments. Our panel – filled with cybersecurity leadership from South Carolina and Florida — Here is what I learned: Give Up or Fight Harder? When standing at a cybersecurity crossroads, which path do you take? Often, the unrelenting nature of cyberattacks makes people feel like throwing in the […]

The post States are at a crossroads when it comes to cybersecurity appeared first on CyberScoop.

Continue reading States are at a crossroads when it comes to cybersecurity

Windows 7 end-of-life is coming. How much should you worry?

Posted on by

Every few years, Microsoft causes some panic across industry sectors by announcing the end-of-life of one of its older Windows operating systems. In this case, Windows 7 is going “end of life” on Jan. 14, meaning Microsoft will no longer be regularly updating the system with fixes when a security vulnerability is found. The company is urging users – both consumer and enterprise – to update their systems to the latest operating system: Windows 10. As the weeks tick down until the deadline, the question becomes: how big of a security threat is this? We’ve seen the real-world attacks that can come from unpatched vulnerabilities in an out-of-date operating system. There are also valid reasons an organization could choose to hedge its bets and not upgrade. Ultimately, it is a conversation about risk, and more specifically, how much risk is an organization willing to assume in the face of a […]

The post Windows 7 end-of-life is coming. How much should you worry? appeared first on CyberScoop.

Continue reading Windows 7 end-of-life is coming. How much should you worry?

Your company should manage your cyber risk like any other risk

Posted on by

The best thing company boards can do is manage cybersecurity risk is to approach it like any other business risk. To be effective, there must be a working relationship between the boards and the CISO, where goals are aligned, strategy drives protection options, and the business plan gives leadership clear risk appetite choices. A CISO should center their protection goals around high-value business assets and initiatives aligned to the business’s strategic and operational objectives. This person should understand the business at a broad operational level, from the priorities of legal, finance, IT, HR, and R&D to revenue streams, regulatory requirements, and core operations and assets that drive competitive advantage and customer experience. All of those disparate parts of the company have threat exposure across many operational surfaces. As we’ve learned from breaches, attackers will leverage any operational exposure to get a foothold, including facilities, personnel, and a company’s supply chain. […]

The post Your company should manage your cyber risk like any other risk appeared first on CyberScoop.

Continue reading Your company should manage your cyber risk like any other risk