A New Administration and Cyber Security

The recent presidential election has brought the issue of cyber security to the front page of most news sites and newspapers. It appears that Russia hacked into the Democratic National Committee headquarters and that China hacked into federal employee records at the Office of Personnel Management. Foreign governments are looking at our nation’s private information. So what action should the US take? And what happens if we don’t do anything?

Cyber security is unlike most other forms of science. For example, medical research is very expensive and requires tremendous technology for progress. There aren’t too many teens in their parents’ basements pushing the boundaries of medical research. That’s untrue for cyber security. A sole individual with a good computer and a keen mind can make tremendous headway in creating or destroying security systems.
 
In short, cyber security in the US will progress – with or without assistance from the White House. 
 
There are some benefits of staying out of the way. Big institutions tend to add bureaucracy, slowing progress to a crawl. Left alone to evolve, programmers might generate insightful and innovative solutions that would have been crushed under the weight of over-management. Sadly, capturing those wild-west developments becomes incredibly difficult if not under the watchful eye of a federal program.
 
Generally, privately funded research will keep pace with the worldwide race of building and breaking security. But private companies might simply sell their secrets to the highest bidder.
 
The solution is difficult to define: allow progress in an organic, creative way while trapping the results and keeping solutions inside our borders. The players are even more difficult to wrangle: renegade programmers, educational institutions, private firms, and federal offices. They aren’t going to play well with others.
 
The good news is that cyber security may not necessarily need federal funds to progress. The bad news is that without those funds, progress might simply land in the hands of the foreign players who already have their hands in our private affairs. 

A New Generation Makes its Demands

In 2012, The Journal of Leadership, Accountability and Ethics (vol. 9(6) 2012) published an article about the working habits of Millennials. Three points stand out:

  1. “Many of this generation’s parents are affluent middle-agers who are now confronted with progenies who are drawn to the “softer” side of life: art, poetry, music, and the surreal world of games.”
  2. “While many of them excelled in high school and college, they don’t seem attracted to the current structured world of work out there.”
  3. “Many of them seem to explore their options, waiting for the right moment or opportunity to come along, and not in a hurry to proactively chase it.”

So, if you are building a company and hiring the younger generation of workers, how do you appeal to their sensibilities?

First, don’t focus on the traditional benefits that come with employment. Health insurance, stable income, and a promise of advancement mean very little to these 20-somethings. They’ve grown up in a world where Fortune 500 companies lay off thousands of people and Federal employees are sent home during systematic shut-downs. To them, no job is secure. Health insurance is available outside of the workplace. And there are endless freelance jobs to earn money from a living room couch or local coffee shop.

Second, don’t mention the 9-5 hours. In fact, you might completely rethink those hours anyway. Why? These Millennials, heavy with tech skills, will happily walk away from your company if you press them to work a traditional workday. They will work hard; but on their time. And if you don’t like it, find someone else. (And good luck with that.)

Finally, don’t expect them to work forever. You might spend endless hours seeking the right candidate, vetting all applicants, and providing company training only to find your Millennial opts to spend winter in Switzerland skiing. You spent three months hiring and only got two months of work out of your new tech employee.

It’s time to rethink some of the traditional constraints of employment. In fact, something as inconvenient as a long commute could dissuade your Millennial from staying at the job. Remote working (from home or an approved coworking space) could go a long way in keeping a good employee from disappearing at the first hint of snow. Or sun.

Millennials have been raised well, by overly protective parents. They don’t approach the world of work with much apprehension or fear. They are a confident bunch without much to lose. And the companies that learn how to adapt to their standards might find a competitive edge for future growth in all markets.

What Cyber Security Will Mean in 2017

First, let’s dispel the myth of hackers sitting on a couch or slamming espresso shots in a 24-hour café. At some point in the past, there may have been enough one-off hackers to comprise some measurable percentage of cyber threats. But those days are over. Hacking is big business. And these businesses are operating inside and outside of the US. They are looking at standard big-business issues like supply and demand, market competition, and industry trends. And yes, there will always be independent hackers. But the real threat now comes in the form of highly organized teams with strategic initiatives.

Ransoms are an increasingly popular tool for the black hat players. In some ways, the transactions are quick and easy. The ransom amounts are fairly easy to calculate: the cost of data recovery (hiring a tech specialist) plus the cost of recovering brand image. In short, your standard ransom demand isn’t going to be less than $25,000 (or so) going forward. And that’s just the floor. Plus a good black hat hacker will make sure he gets paid on both sides of the equation – wear the mask during the ransom and the white hat during the repair.

While breaching big companies is always a splashy way to make headlines (think: Yahoo, Target, and Yahoo again), the big companies have vast financial resources to stay ahead of the hacking curve. Thus the future of hacking is in the mid-level company. The perfect target: on-line grocery retail and delivery. They have enough money to pay big ransoms, but they aren’t invested enough in the tech industry to keep on top of client login and payment data.

The truly sophisticated hackers can’t be bothered with PII anymore. They want to play the markets. And by sneaking in the back door of major corporations, they can gain access to the kinds of corporate intelligence that an inside trader can only dream about. And not only can they play the market, they can manipulate the markets by releasing information to the media strategically.

The face of cyber security changes daily. The players are in every corner of the world, rolling the dice in a game against each other, major corporations, and every government on the planet.

The Human Factor

Cyber security isn’t all zeros and ones. In fact, the greatest threat to cyber security may be sitting under the mousepad at the reception desk. Or in an unlocked office. Or in your company’s training manuals.

The human factor is generally the weak link in any cyber security system. Humans simply don’t have the kind of built-in encryption system necessary to keep out intruders. Humans can be trusting and lazy. And those are the exact behaviors a good hacker will leverage to gain access to your systems.

Keep in mind, it only takes a tiny crack in the security system for a hacker to get into your system. And with all the focus on overseas hackers, your data is still unsecure from physical intrusion. Passwords taped to the computer screen are the easiest way for someone to gain access to your internal software. No one will notice a “maintenance man” checking the lights in an office. Once hackers are working from the inside, it’s easier to maneuver around the limited, internal security measures.

Email remains one of the easiest ways to gain remote access to a system. And because we access email through multiple platforms, hackers can easily dupe unsuspecting users. If you only use one device to review your email (for example, through Google on your desktop), then you are very familiar with the way your email messages look. But email messages look slightly different depending on the device (phone, tablet, laptop, tv, etc), so you have less of a filter. Strange-looking emails don’t stand out. So when a hacker creates an email to appear as if it’s coming from a friend, you’re more likely to open, read, and download.

Finally, if you are a manager or executive, you are sensitive to data security. Your front desk receptionist is not. The receptionist is worried about opening paper mail, answering phones, and keeping guests comfortable. A sly email from a hacker could easily be opened in the haze of a busy day.

If you house sensitive data of any kind, you are going to be the target of a hack. The best cyber security expert can’t account for all human activity. Consider a company-wide training on a quarterly basis to ensure everyone in your company is aware of new and emerging issues.

Autistic People Can Solve Our Cybersecurity Crisis

Wired, November 26, 2016

Alan Turing was the mastermind whose role in cracking the Nazi Enigma code helped the Allies win World War II. He built a machine to do the calculations necessary to decipher enemy messages and today is hailed as the father of the computer and artificial intelligence. He’s also widely believed to have been autistic.

Turing was not diagnosed in his lifetime, but his mathematical genius and social inelegance fit the profile for autism spectrum disorder (ASD).

And his story illustrates how society benefits when it gives a voice to those who think different. Until he came along, no one perceived the need for a computer; they simply needed to crack the code. It took a different kind of mind to come up with that unexpected, profoundly consequential solution.

While Turing’s renown has arguably never been higher, today we are failing to recognize the potential in millions of other talented minds all around us. Like Turing, many of them are also capable of exceptional technological expertise that can help to safeguard our nation.

The Centers for Disease Control and Prevention report that more than 70 million people worldwide—1 percent of the global population—are living with autism. In the US, an upward trend in diagnosis means that the number of adults with ASD is expected to top 3 million by 2020. And today, according to expert estimates, 70 to 90 percent of them are unemployed or underemployed.

The common prejudice is that people with ASD have limited skills and are difficult to work with. To the extent that’s true, it’s a measure of our failure as a society. Almost half of those diagnosed with ASD are of average or above-average intellectual ability.

And we have clear evidence that job-focused training and support services, especially in the transition to adulthood, can make a huge difference, leading to higher levels of employment, more independence, and better quality of life.

But few are getting such help. Programs for adolescents and adults with ASD receive less than 1 percent of all autism-related funding in the US, public and private. (Most spending is on research into the causes of the syndrome and on programs for children.) That we are not preparing these individuals for the future is more than just a personal tragedy; it’s a monumental waste of human talent.

In what kinds of jobs could we match the interests and passions of people with ASD and our country’s needs? Well, it just so happens that there is a massive labor shortage in the vital field of cybersecurity. Globally, the damage from cyber attacks by criminals, terrorists, and hostile states is projected to exceed $2 trillion by 2019. Yet the number of unfilled jobs in this area is growing and will likely reach 1 million worldwide next year.

At the same time, more than three-quarters of cognitively able individuals with autism have aptitudes and interests that make them well suited to cybersecurity careers. These include being very analytical and detail-oriented as well as honest and respectful of rules. And there are many other areas in which these talents could quite literally be employed.

A few innovative firms, including Microsoft, SAP, and Freddie Mac, already have pilot programs for hiring people with autism to fill sophisticated IT jobs and other positions. The Gates Foundation, the Milken Institute, and the Hilibrand Foundation have also funded valuable employment and research programs.

But given the coming tsunami of adults with autism, a much broader effort will be required. We need a national strategy, coordinating the efforts of public agencies, companies, and organizations, to bring these valuable minds into the workforce. Such an initiative should focus first on providing meaningful job opportunities for adults who are cognitively able and eventually branch out to more of the autism spectrum.

This effort needn’t start from scratch. Let’s begin by convening those working on the issue in Los Angeles, New York, San Francisco, Seattle, and Washington, DC—areas where strong research and clinical programs are up and running and where tech industry jobs are readily available. By capitalizing on this existing network, we can seed job hubs around the country for adults with autism.

These hubs would create programs to cultivate expertise in cybersecurity and would teach workplace social skills and independent living skills. They’d also work with industry partners to develop a talent pipeline and help them understand how best to integrate autistic employees.

Half a century ago, Turing’s extraordinary abilities helped us win a war and launched the technology that is still reshaping our world. Today we’re facing a new threat, and we must once again band together. This is a tremendous opportunity—to use one social challenge to solve another—and a potentially transformative moment.

Let’s take full advantage of it.

SOURCE: WIRED, November 26, 2016

Year in Review 2016

JANUARY

Data Privacy Day 2016

CyberTECH joined with the Ponemon Institute to co-host “Securing the Internet of Things: Data Privacy Day 2016” (Jan. 28) in Sacramento. The event addressed a wide range of cyber privacy concerns and the importance of safeguarding private information about individuals and organizations.

Mobile Solutions for U.S. Navy

CyberTECH co-sponsored a two-day forum (Jan. 26-27) in San Diego themed on “Mobile Solutions for the U.S. Navy.” The event was held in cooperation with SPAWAR (Space and Naval Warfare Systems Command), which oversees the sophisticated cyber network of mobile devices that monitor Naval sea, air and land operations.

FEBRUARY

A collaborative space

CyberTECH soft-opened NEST (Feb. 1), a co-working, incubator and startup collaboration space within the Manpower building in Bankers Hill. Perched with amazing views overlooking downtown and the San Diego Bay, NEST is 5,000 square feet of CoWork space, part of a 15,000-square-foot network of work spaces.

MARCH

NEST on Park Opens

CyberTECH NEST further expanded its incubator and co-working operations by opening NEST on Park, located in the newly refurbished Park6 Building at 6th Avenue and Fir Street, a few blocks from NEST.

APRIL

NEST CoWork officially opens

Mayor Kevin Faulconer and other civic leaders presided over the official ribbon-cutting ceremony (April 6) for the opening of NEST, downtown San Diego’s largest co-working space for tech startups. Covering more than 36,000 square feet, the opening of NEST reflects San Diego’s fast-growing leadership position in the hi-tech/cyber sector.

A tech future for real estate

CyberTECH’s Darin Andersen took part in a panel discussion (April 14) about the shared economy presented by SIOR (Society of Industrial and Office Realtors), a leading commercial real estate association. CoWork spaces such as NEST, CyberHive, xHive, and iHive are prime examples of innovative real estate products that have changed commercial real estate and the brokerage sector.

MAY

CNBC comes to CyberHive

CNBC correspondent Kate Rogers filed a series of reports (May 23) from CyberHive, including one-on-one interviews with CyberTECH’s Darin Andersen and Citadel Drone Management Solutions’ Daniel Magy. The profile was based on San Diego’s national ascent in the fields of cyber security, biotech, life sciences, mobile technology and aerospace research.

JUNE

A seat at the Startup table

As part of San Diego Startup Week (June 13-17), CyberTECH co-hosted Cyber+IoT Startup Table Breakfast (June 14), themed on moving a company from idea, to seed, through investment, and growth. On hand were entrepreneurs, growth specialists, technologists, investors, and experience design specialists.

JULY

CyberTECH receives $40,000 grant

As part of Mayor Kevin Faulconer’s commitment to grow San Diego’s tech innovation sector within the “Smart and Safe Cities” campaign, the City of San Diego awarded a $40,000 grant (Sept. 6) to CyberTECH’s NEST CoWork space to help generate the creation of more startups and jobs across the region.

iHive’s Grand Opening

CyberTECH members and special guests were on hand for the official Grand Opening of iHive (July 28). Covering more than 16,000 square feet, iHive at NEST reflects San Diego’s fast-growing leadership role in the hi-tech and cybersecurity sectors. The space is fully leased with more than 50 resident members.

AUGUST

Securing the Internet of Things

CyberTECH hosted three invitation-only events (Aug. 2-4) at the 4th annual Securing the Internet of Things (SIOT) conference in Las Vegas. Known as Black Hat, the event featured global thought leaders, industry experts and luminaries exploring the IoT phenomenon from the private, government and academic perspectives.

SEPTEMBER

A starter program for startups

CyberTECH proudly launched Entrepreneur in Residence (EIR) — a six-month, low-rent program designed to build strategic relationships between early-stage companies and CyberTECH’s growing ecosystem of partners and stakeholders. EIR Cohort #100 was welcomed.

OCTOBER

EIR Cohort #200 announced

Nine startup companies were named to CyberTECH’s EIR Cohort #200. The list of wide-ranging startups includes an amino acid-based sports drink, a drone-operator alliance, and a cyber-protection monitoring firm.

A meeting of cyber minds

CyberTECH joined with Securing Our eCity Foundation to present the 8th edition of CyberFest (Oct. 27), featuring keynotes from former CIA director James Woolsey and former FBI agent Eric O’Neill. Hot topics included machine interface, nation-state attacks, the Internet of Things, and the need for business continuity.

NOVEMBER

A very neighborly event

The 3rd annual Good Neighbor Taste of San Diego (Nov. 10), presented by CyberTECH, welcomed hundreds of attendees who enjoyed locally-sourced restaurant samples, brew, and wine along with a Startup Pitch Session and an expert panel on “Building the Good Neighbor Economy.”

DECEMBER

Grind Coffee Shop Opens

Located in iHive (Dec. 14) and open five days a week for the convenience of members, guests and nearby neighbors, Grind provides traditional high-quality coffee selections, including a range of European-style specialties such as Espresso, Cappuccino, Caffe Macchiato, Caffe Latte, and Americanos.

 

U.S. says cybersecurity skills shortage is a myth

Nov. 21, 2016

The U.S. government has released what it claims is myth-busting data about the shortage of cybersecurity professionals. The data points to its own hiring experience.

In October 2015, the U.S. launched a plan to hire 6,500 people with cybersecurity skills by January 2017, according to White House officials. It had hired 3,000 by the first half of this year. As part of the ongoing hiring effort, it held a job fair in July.

At the Department of Homeland Security (DHS), “We set out to dispel certain myths regarding cybersecurity hiring,” wrote Angela Bailey, chief human capital officer at DHS in a blog post Monday.

One myth is this: “There is not a lot of cyber talent available for hire,” said Bailey. “Actually, over 14,000 people applied for our positions, with over 2,000 walking in the door. And while not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event.

“The amount of talent available to hire was so great, we stayed well into the night interviewing potential employees,” said Bailey.

However, the experience of the U.S. government seems counter to what industry studies say is actually going on.

For instance, in a report released one day before the government’s job fair in July, Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), pointed to a “talent shortage crisis” of cybersecurity skills.

David Foote, co-founder and chief analyst at Foote Partners, is skeptical of the government’s findings, and says there’s really no unemployment among people with cybersecurity skills, “so why would they go to a job fair?”

Why would someone take a government job that will pay less than a beltway consulting firm?

The salary for a senior cyber security specialist, with five or more years of experience, in the Washington D.C. metro area is $132,837, said Foote.

The salary range for an IT specialist in cybersecurity ranges from about $65,000 to $120,000, depending on skills, experience and educational attainment.

Foote said the appeal of getting a security clearance may have motivated some to apply for a government job. A security clearance can open doors to subsequent private sector jobs.

But Foote suspects that the U.S. is focusing on hiring people it can train, and not on hiring someone with experience who would command a much higher salary than government can offer.

In cybersecurity, experience is critical, said Foote. “Cybersecurity is something you have to do, you have to develop an instinct and you only do that with hands on,” he said.

SOURCE: Computerworld, Nov. 21, 2016

Urgent: The first 100 days of cybersecurity in the Trump Administration

Commission urges better cybersecurity

The Associated Press, December 3, 2016

A presidential commission has made 16 urgent recommendations to improve the nation’s cybersecurity, including creating a nutritional-type label to help consumers shop wisely and appointing a new international ambassador on the subject — weeks before President-elect Donald Trump takes office.

The release of the 100-page report follows the worst hacking of U.S. government systems in history and accusations by the Obama administration that Russia meddled in the U.S. presidential election by hacking Democrats.

The Presidential Commission on Enhancing National Cybersecurity urged immediate action within two to five years and suggested the Trump administration consider acting on some proposals within its first 100 days.

The commission recommended that Trump create an assistant to the president for cybersecurity, who would report through the national security adviser, and establish an ambassador for cybersecurity, who would lead efforts to create international rules.

It urged steps, such as getting rid of traditional passwords, to end the threat of identity theft by 2021 and said Trump’s administration should train 100,000 new cybersecurity workers by 2020.

Other ideas included helping consumers to judge products using an independent nutritional-type label for technology products and services.

“What we’ve been doing over the last 15 to 20 years simply isn’t working, and the problem isn’t going to be fixed simply by adding more money,” said Steven Chabinsky, a commission member and the global chair of the data, privacy and cybersecurity practice for White & Case LLP, an international law firm.

He said the group wanted the burden of cybersecurity “moved away from every computer user and handled at higher levels,” including internet providers and product developers who could ensure security by default and design “for everyone’s benefit.”

The White House requested the report in February and intended it to serve as a transition memo for the next president. The commission included 12 of what the White House described as the brightest minds in business, academia, technology and security. It was led by Tom Donilon, Obama’s former national security adviser.

It was not immediately clear whether Trump would accept the group’s recommendations. Trump won the election on promises to reduce government regulations, although decades of relying on market pressure or asking businesses to voluntarily make their products and services safer have been largely ineffective.

Trump’s presidential campaign benefited from embarrassing disclosures in hacked emails stolen from the Democratic National Committee, Hillary Clinton’s campaign staff and others.

Plus, Trump openly invited Russian hackers to find and release tens of thousands of personal emails that Clinton had deleted from the private server she had used to conduct government business as secretary of state. He also disputed the Obama administration’s conclusion that Russia was responsible for the Democratic hackings.

Under Obama, hackers stole personal data from the U.S. Office of Personnel Management on more than 21 million current, former and prospective government employees, including details of security-clearance background investigations for federal agents, intelligence employees and others.

SOURCE: THE ASSOCIATED PRESS, December 3, 2016

Cylance® Proves Voting Machine Vulnerabilities

Cylance® Inc, a CyberTECH member, has announced the successful exploitation of critical vulnerabilities in a common model of voting machine. Before this revelation by Cylance researchers, the exploitation of these vulnerabilities was thought to be only theoretical.

The compromise techniques are relatively simple to undertake, but do require physical access to the voting machine.

To help understand the risk to election integrity, Cylance produced a demonstration video of the techniques used to compromise the Sequoia AVC Edge Mk1 voting machine.

The video shows how Cylance researchers were able to re-flash the firmware with a PCMCIA card, directly manipulate the voting tallies in memory, and cause a vote for one candidate to be credited to another by altering elements of the device’s screen display.

For mitigation in the long term, Cylance recommends phasing out and replacing deprecated, insecure machines — namely those without robust, hardware-based firmware and data verification mechanisms.

Also, additional due diligence of polling place volunteers, workers, and officers may help mitigate possible collusion for tampering by these groups.

The units in question were known to be in use in hundreds of thousands of polling locations across the country in the recent election.

SOURCE: CYLANCE INC.

What if the Internet crashed for one day … or longer?

During a one-day outage we would see dramatic slowdown – possibly a total breakdown – of our ability to communicate with one another.

Many of us will be trapped in our homes without the ability to operate our electronic devices and so many other conveniences we take for granted.

What if? We’d be virtually helpless.

If the cyber attack is aimed at power supplies, many of us won’t be able to open our garage doors. Smart phones will be dead, iPads useless. Phone lines will be down. No media coverage. Accurate information about what has happened – and why — will be extremely limited at this point.

If people did manage to get out of their homes and into their cars, traffic control systems will be dark. First responders will start to mobilize, with law enforcement becoming increasingly visible as the day progresses.

Businesses of all kinds – banks, supermarkets, gas stations, the stock market — will cease. Everything will be “cash only” — but ATMs will be inoperable. Supply chains of all sorts will be disrupted. Most companies wouldn’t be able to remain open.

In a word, chaos.

Bottom line: In a society where disenfranchised members begin betting against the regime, cyber strikes to disrupt the political system and infrastructure are a powerful 1-2 punch to create widespread panic and civil unrest.

The “fallout” from one day will last for months, likely years. Cracks in our everyday lives – indeed, our very way of life — will be severely threatened.

Armageddon? Maybe.

Those are my thoughts. I welcome yours.

By Darin Andersen