Building a resilient cyber future

During the early days of the Cold War, American planners wrestled with the emerging challenge of deterring a Soviet nuclear strike. Recognizing the destructive potential of nuclear weapons, the U.S. opted to focus its efforts on ensuring that adversaries clearly understood the U.S. capacity to retaliate and impose costs. Defense and resilience were a secondary priority. We did not, for example, build our subway systems hundreds of feet underground to double as fallout shelters, as the Soviets did. We relied heavily on the concept of mutually assured destruction to dissuade adversaries. With the Cyberspace Solarium Commission, we have assessed that a strong offense does not convey the same deterrent in cyberspace as it does in nuclear or conventional war. While the ability to impose costs is important, a U.S. strategy to secure ourselves in cyberspace must prioritize defense, denying adversaries the opportunity and benefits brought by attacking us in this […]

The post Building a resilient cyber future appeared first on CyberScoop.

It’s time to set behavior norms for responsible nations

Years ago, I held senior leadership positions in the U.S. military focused on cyber-operations, policy and strategy. What kept me up at night was the concern that a loosely controlled third-party actor or organization — operating with suspicious motivations or questionable skills at the behest of an adversary — might initiate a cyberattack that could escalate to a physical conflict. The warning signs are there. Consider the NotPetya attack, which was described by Wired Magazine as “an act of cyberwar… that was likely more explosive than even its creators intended.” This nation-sponsored attack demonstrated the dangers that could lead to conflict. While part of the challenge is technological, it also comes down to establishing and adhering to behavioral norms. In cyberspace, there are no rules that describe and govern what type of behavior is and isn’t acceptable. There have been several efforts in this direction, notably the U.S.-China Cyber Agreement […]

The post It’s time to set behavior norms for responsible nations appeared first on CyberScoop.

Why aren’t presidential candidates talking about cybercrime?

At the start of the last Democratic primary debate, the candidates were asked what makes them best prepared to be commander-in-chief. Sen. Elizabeth Warren, D-Mass., and former South Bend Indiana Mayor Pete Buttigieg highlighted tackling cyber threats. And that is where the extent of the subject ended. As of the last debate, all eight events have been held without any substantive discussion about a national security threat that arguably impacts more Americans than any other. If candidates want to connect with more voters about the issues that are actually affecting their daily lives, they should talk about their plans for grappling with cyber threats—particularly cybercrime. Cybercrime is hitting millions of Americans—no matter their location or political affiliation. A shocking one-in-four Americans now say that they or someone in their household has been a victim of cybercrime. The U.S. Conference of Mayors estimates 170 local and state governments have been hit […]

The post Why aren’t presidential candidates talking about cybercrime? appeared first on CyberScoop.

Weak encryption means putting our military at risk

Last month, a brigade of U.S. soldiers deployed to the Middle East received instructions from their superiors to use two commercial encrypted messaging applications, Signal and Wickr, on their government-issued cell phones. These leadership cues trickled down from the Department of Defense’s (DoD) position that strong encryption is critical to national security. While U.S. Attorney General William Barr continues to push for a broad mandate for backdoors for law enforcement, those on the front lines of protecting America have notably decided on a different approach. Simply put, weakening encryption means putting our military service members at risk. In a recent letter to Rep. Ro Khanna, D-Calif., DoD Chief Information Officer Dana Deasy made clear that the use of encryption to protect the mobile devices of our service members and their stored data is an “imperative.” Deasy makes clear that the use of commercial encryption and virtual private networks (VPNs) […]

The post Weak encryption means putting our military at risk appeared first on CyberScoop.

Cybersecurity’s warranty challenge

Making the best decision about risk sometimes means forgoing cybersecurity’s best practices. That can be the unfortunate reality for companies with equipment that is under warranty. Security leaders sometimes have to make the tough choice of forgoing a patch because in some cases, it would void the manufacturer warranty on the product if applied, and leave them on the hook for any potential costs if the equipment were to break. This dilemma highlights the complicated nature of security decision-making. Even in today’s world – where security threats cost businesses $45 billion in 2018 – making the right decision to manage a company’s risk can mean juggling competing priorities, like limiting the risk of a cyberattack with the financial risk of repairing costly equipment without a warranty. Patching is one of cybersecurity’s most commonly accepted best practices. By patching systems, companies are closing up known vulnerabilities in their infrastructure, devices or […]

The post Cybersecurity’s warranty challenge appeared first on CyberScoop.

The Cyber speaks: What will actually happen in 2020

Editor’s Note: It seems like the entire cybersecurity sector has something to say about what the future holds for 2020. But what do the computers themselves think? Kelly Shortridge, VP of product security at Capsule8, forced a bot to read more than 1,000 cyber security predictions for 2020 and then asked it to write predictions of its own. Here is the result. The article is all generated through Markov chains and is only super lightly edited for clarity. Intro The year 2020 indicates more years. The year 2020 expects to showcase more budgets and detecting weird things and anomalies. 2020 will very likely bring a greater risk. There is a lot of skepticism that has existed for years, but in 2020 we will have to consider that top security conferences could lead to even disasters based on the activities of ‘undesirable’ individuals. Looking forward, 2020 promises to be the easiest […]

The post The Cyber speaks: What will actually happen in 2020 appeared first on CyberScoop.

States are at a crossroads when it comes to cybersecurity

A few weeks ago, I participated in a cybersecurity panel at the National Association of State Technology Directors Annual Conference. The theme of the event, “The Crossroads of Technology,” was very fitting from my perspective because it was clear that state and local government organizations are, in fact, at a major crossroads when it comes to cybersecurity. These enterprises are clearly feeling the wear-and-tear of phishing, malware, and ransomware attacks that must feel like a daily occurrence. In fact, during the conference, news broke about the state of Texas being hit with a coordinated ransomware attack that disrupted systems of 22 local governments. Our panel – filled with cybersecurity leadership from South Carolina and Florida — Here is what I learned: Give Up or Fight Harder? When standing at a cybersecurity crossroads, which path do you take? Often, the unrelenting nature of cyberattacks makes people feel like throwing in the […]

The post States are at a crossroads when it comes to cybersecurity appeared first on CyberScoop.

Windows 7 end-of-life is coming. How much should you worry?

Every few years, Microsoft causes some panic across industry sectors by announcing the end-of-life of one of its older Windows operating systems. In this case, Windows 7 is going “end of life” on Jan. 14, meaning Microsoft will no longer be regularly updating the system with fixes when a security vulnerability is found. The company is urging users – both consumer and enterprise – to update their systems to the latest operating system: Windows 10. As the weeks tick down until the deadline, the question becomes: how big of a security threat is this? We’ve seen the real-world attacks that can come from unpatched vulnerabilities in an out-of-date operating system. There are also valid reasons an organization could choose to hedge its bets and not upgrade. Ultimately, it is a conversation about risk, and more specifically, how much risk is an organization willing to assume in the face of a […]

The post Windows 7 end-of-life is coming. How much should you worry? appeared first on CyberScoop.

Your company should manage your cyber risk like any other risk

The best thing company boards can do to manage cybersecurity risk is to approach it like any other business risk. To be effective, there must be a working relationship between the board and the CISO, where goals are aligned, strategy drives protection options, and the business plan gives leadership clear risk appetite choices. A CISO should center their protection goals around high-value business assets and initiatives aligned to the business’s strategic and operational objectives. This person should understand the business at a broad operational level, from the priorities of legal, finance, IT, HR, and R&D to revenue streams, regulatory requirements, and core operations and assets that drive competitive advantage and customer experience. All of those disparate parts of the company have threat exposure across many operational surfaces. As we’ve learned from breaches, attackers will leverage any operational exposure to get a foothold, including facilities, personnel, and a company’s supply chain. […]

The post Your company should manage your cyber risk like any other risk appeared first on CyberScoop.

When it comes to cybersecurity, the federal government is nowhere to be found

To no one’s surprise, lots of big challenges chronically plague the cybersecurity world. But the biggest headache of all may be the relative inaction of the federal government, which unlike some other advanced nations simply isn’t doing its part. For years, the U.S. has been periodically promulgating feckless mandates, including some issues from the White House, that accomplish virtually nothing. The half-hearted attempts at actionable measures contribute to weaknesses and help open the door to breaches. Consider, for example, just a few instances: Last month, tens of thousands of images of travelers and license plates stored by the Customs and Border Protection agency were stolen in a digital breach. A federal contractor had transferred copies of the images to its network in violation of the contract. Then the subcontractor’s network was hacked – likely by a foreign government interested in tracking Americans or in the agency’s procedures. Tensions between the […]

The post When it comes to cybersecurity, the federal government is nowhere to be found appeared first on CyberScoop.
