December 22, 2024

Feedback Friday: Reactions to White House Cybersecurity Information Sharing Initiative

Posted on February 14, 2015 by in Security

Obama Signs Executive Order After an Address at Stanford University

During the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Friday, President Barack Obama signed an executive order to promote cybersecurity information sharing between private sector companies and the U.S. Government.

The executive order, signed by the President on stage after addressing a large audience, outlines an information sharing framework that would help companies work together, along with the federal government, to more effectively identify and protect against cyber threats.

“This has to be a shared mission,” Obama said during his speech. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”

Overall, industry professionals applauded the steps by the White House, but indicated this is just a small step in addressing serious threats. An executive order can only go so far and more is needed than just information sharing to combat sophisticated cyber attacks, experts said.

Feedback On White House Information Sharing Initiatve

And the feedback begins…

Phil Smith, SVP of Government Solutions and Special Investigations at Trustwave:

“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber arms race.’ That statement is significant because it puts organizations and individuals on notice that cybersecurity is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection however it will not work without safe harbor protections for companies that participate.

An executive order can only go so far. It takes Congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful.

When organizations share information they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”

 Ken Xie, CEO of Fortinet:

“During the White House’s Cybersecurity Summit, there was a lot of great discussion around information sharing. The biggest obstacle is that our industry is extremely shorthanded: it’s estimated we can only fulfillne in every 20 technology positions needed in the cybersecurity space. Who will mitigate the threat? Where and who are the cyber swat teams? Who will train the responders? Answers to these questions remain unanswered, though the conversation is a step in the right direction.”

Nate Fick, CEO of Endgame:

“Much of the talk in the room is about information sharing. In security, the advantage often goes to the team with better, more usable data. So any steps to encourage faster sharing are meaningful progress.”

Tomer Weingarten, CEO of SentinelOne:

“Information sharing is a good start. However, it needs to be handled in a way that preserves the privacy of affected organizations and prevents data from being “leaked”. In the wrong hands, this intelligence would let attackers know that their operation has been compromised, could reveal attack binaries that can be re-used and expose companies that have been breached which may lead to more attacks against them. Also, sharing data and intelligence will do little to mitigate carefully crafted attacks since they often do not demonstrate any previously seen indicators.”

Mike Brown, VP and GM Public Sector for RSA:

“It isn’t just information sharing that is needed. We have some valuable avenues to share information. What we need is liability relief and clarity about the type and format of information that needs to be shared. That is also critical so that information that is shared is actually actionable.”

Tal Klein, CMO for Adallom:

“The fact that the President is addressing the issues of cyber security is a good thing – we definitely need more awareness. That stated, I am less excited about specific directives that may offset the financial incentive for companies to be in the business of cyber security. Information sharing is good, but if a security company makes their money researching threats and then is expected to turn over their research to the public domain as soon as its complete, then the value of that research diminishes.

 

I don’t think the government should be in the business of regulating the information security industry. What I suspect is that we are close to the age of the “cyber lobby” (dare I say “cyber subsidies”) – and I’m not sure that will benefit anyone other than the companies that pay to influence policy. So, I would prefer the President’s agenda would begin and end with “awareness” and avoid tinkering with the economic  dynamics of the information security market.”

Ivan Shefrin, VP of Security Solutions at TaaSera:

“Voluntary sharing of cybersecurity intelligence can be an important step – provided it’s accompanied by appropriate liability and privacy constraints. The benefits are clear: last year’s United Parcel Service breach was in fact discovered as a direct result of threat intelligence sharing between the government and private sector.

 

Sharing cyber intelligence can have a positive impact if information sharing is made actionable. To accomplish this, security professionals should assume they’re already compromised, and implement policies, tools and budgets to balance breach prevention with pre-breach detection and response.”

Marc Gaffan, CEO & Co-Founder of Incapsula:

“President Obama is taking a bold stance be visiting with tech companies in silicon valley this week to talk about his proposed cybersecurity legislation, right on the heels of his cybersecurity agency announcement earlier this week. In the past, the sale and use of botnets, which have the potential to overwhelm a site or network with malicious activity, was surrounded by legal ambiguities and grey areas. Obama’s new legislation removes all ambiguity so for the first time companies can prosecute the so-called “bot-herders” that try to do them harm.”

Ron Gula, CEO, Tenable Network Security:

“It’s important to applaud this administration for its attention to cyber security. It’s been long overdue and at the rapid pace technology is evolving, we are already behind the curve. Executive orders such as this, while not a substitute for good security practices, raise awareness for the need to invest more heavily when it comes to cyber security.

Information sharing won’t solve the bigger problems we face in the industry, but it’s a good place to start. Everyone in IT is realizing the scale and saving from centralizing command and control. Once consolidated, the information shared will provide greater context, allowing for organizations to be more agile in mitigating sophisticated attacks.”

Ryan Shaw, Director of Research and Development at Foreground Security:

“The President’s intention to issue an Executive Order (EO) promoting government and private sector cybersecurity information sharing is an important acknowledgement of the current deficiencies in our country’s current cybersecurity defense capability. Unfortunately, EOs and new agencies will not be able to resolve the sharing challenges that have existed for years.  These challenges include:

· Lack of trust between the parties involved

· COTS cybersecurity tools (e.g. SIEM, NSM, Web Proxies, ID/PS, Next-gen Firewalls) that are ill-equipped to deal with large quantities of multi-source, non-normalized threat indicators

· Shortfall of skilled cyber-threat analysts or source-agnostic platforms to manage the deluge of threat indicators

· Multiple sharing vehicles and taxonomies (these are a portion of the Voluntary Standards for ISAOs that the President will speak of)”

John Dickson, principal at software security firm Denim Group:

 “There is no mention of increased liability protection for companies in the today’s briefing sheet.  Absent of increased protection, or at least clarity, for the corporate liability question will likely result in a lukewarm reception from industry.  Couple that with remaining post-Snowden doubts that remain over working with government and law enforcement, then you have a potential non-starter here.

The focus on strong privacy and civil liberty protections misses the point here – that’s not hurdle in more information sharing, liability protection is. Cooperation with the Congress is an imperative. My contacts in the US Capitol say these initiatives are coming out with little consultation with Congress, which also brings up the question of the measures’ ultimate implementation.”

Jeff Williams, CTO, Contrast Security:

 “I’m encouraged by all the talk about public-private partnerships that bring security to the forefront for government, large businesses, small businesses, and consumers. The panelists were right about the problems of speed and scale that cybersecurity involves.  I was thrilled to see that there is awareness of the complexity and importance of the problem at the highest levels of government and business.

 

However, the overwhelming theme of the summit was that the way forward is to focus on the threats and that communication will enable us to stop attacks.  I have serious doubts as to whether chasing the threat will have any effect whatsoever – the attribution problem is so significant in cyberattacks that after months we still have no resolution to the Sony attack, much less Anthem or others.

The worst part is that spending all this effort chasing our tails takes away from time we should be focused on building secure code and strong defenses. The fact that we are still producing code with SQL injection after almost two decades is embarrassing. The government can and should play a role in encouraging the software market to produce secure code. But with a confusing patchwork of agencies, agendas, and responsibilities, government has fallen far behind the financial industry in their ability to secure their own house.”

Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:

 “The White House is pushing a lot of recommendations that don’t seem to have gone through a vetting process by experienced technologists. The effort to weaken encryption will ultimately have the opposite of the desired effect. There are new rules that impact security researchers and will lead to less secure systems, because it will be illegal for researchers to test those systems.

 

The positive results will be the increased visibility and discussion about these issues. For me, if the US government really wanted to improve security they would be at the forefront of data sharing and making it easier for researchers to contribute, not harder.”

Dan Waddell, Director of Government Affairs, (ISC)2:

“It’s important that the American public put this issue into perspective.  As mentioned by Lisa Monaco, the White House’s top aide for counterterrorism and homeland security, the cyber threat is becoming more diverse, sophisticated and dangerous. The actions of cyber attackers, while seldom seen played out online, are potentially as egregious on many different levels including economically, militarily, and in regards to the public’s day-to-day safety.

Overall, I think it’s a positive sign that we’re having these discussions at the highest levels of both the public and private sectors as well as academia.  CEOs, CISOs, government leaders and educators are all saying the same thing – cybersecurity is an absolute necessity to help protect our nation’s interests. It has an impact on every aspect of our lives – from homeland security, to defense, to the economy, to energy and critical infrastructure, to health, etc.  Everyone shares a common interest: We need to secure information of the people, for the people.”

Chris Wysopal, CTO & co-founder at Veracode:

 “The challenge for the tech industry is they need to retain the trust of their users or they can’t grow their businesses which require more and more intimate data be stored and processed by them.  That is why after many years of security professionals complaining of the lack of SSL usage by majo7r tech companies it wasn’t until the Snowden revelations that it was finally enforced by the big players.  

 

“The federal government has to convince the people using Google, Yahoo, Apple, etc., not the executives from those companies, that their data is safe from wholesale snooping or the information sharing they want is going to be a struggle.” 

Ken Westin, Security Analyst Tripwire:

“This Order and the informatPion sharing initiatives are a step in the right direction, however the challenge will be in the implementation where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry. In order to make these initiatives effective, secure and manageable, will require strong oversight and properly allocated resources to implement, not just initially, but also over the next few years as the program evolves. There needs to be constant vigilance and review of processes, data collected and effectiveness of the program in order to ensure agencies do not overreach and that the program itself remains useful to industry and agencies alike.

The devil is truly in the details, although I believe the spirit and intentions of the Order is good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just law makers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.” 

*Additional reporting by Eduard Kovacs

Subscribe to the SecurityWeek Email Briefing

view counter

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Microsoft Shutting Down Trustworthy Computing Unit

Posted on September 23, 2014 by in Security

As part of its reorganization efforts, Microsoft has decided to shut down its Trustworthy Computing (TwC) unit that has been focusing on improving customers’ trust in the company’s commercial products.

While TwC will no longer function as a standalone business unit, its general manager, John Lambert, noted on Twitter that they’re just moving to a new home and that “SDL [Security Development Lifecycle], operational security, pentest, MSRC [Microsoft Security Response Center], Bluehat are just under a new roof.”

Some members of the TwC team are among the 2,100 employees laid off by Microsoft last week. However, most of the team will join the company’s Cloud and Enterprise Division or the Legal and Corporate Affairs group.

“I will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA),” Scott Charney, corporate vice president of Trustworthy Computing said in a blog post on Monday. “But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations.”

“I was the architect of these changes. This is not about the company’s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,” Charney added.

Microsoft’s Trustworthy Computing initiative was announced back in 2002 by Bill Gates, who emphasized at the time the need for such a platform.

“Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched – but as an industry leader we can and must do better,” Gates said in a memo to employees.

Brad Hill, Web security technologist at eBay, explained in a post on Google+ the importance of TwC and its impact on the security landscape over the past years.

“That Trustworthy Computing diaspora today constitutes a big part of the core of the modern information security industry.  Veterans of TwC are security leaders in at Yahoo, Google, PayPal, Facebook, Adobe, VMWare and dozens of other companies,” Hill said. “From the hapless, hopeless position the industry found ourselves in a dozen years ago, we’re today starting to stand up credible defenses against nation-state level attackers. And while the heavyweight SDL processes of five years ago have been streamlined even at Microsoft, every security program today has some of the DNA of Trustworthy Computing in it and thinks about the job it exists to do in a different way because of it.”

 In addition to shutting down the Trustworthy Computing, Microsoft is closing down its research facility in Silicon Valley.

The organization plans on cutting a total of 18,000 jobs, representing 14% of its workforce. Roughly 12,500 of the job cuts are related to the recently acquired mobile device manufacturer Nokia.

 

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

High Demand Pushes Average Cyber Security Salary Over $93,000

Posted on March 12, 2014 by in Security

Despite concerns over unemployment and the challenging job market, the IT job market has been fairly healthy, and demand for cyber-security professionals remained high in 2013, according to a new jobs study.

The number of job postings for cyber-security positions grew twice as fast as the number for overall IT job postings in 2013, Burning Glass Technologies found in its latest installment of the Job Market Intelligence report. There were 209,749 national postings for cyber-security jobs in 2013, and the average salary for a cyber-security posting was $ 93,028, according to the report, which is compiled by reviewing job postings across 32,000 online sites daily. In comparison, the average salary for all IT job postings was $ 77,642.

“These postings are growing twice as fast as IT jobs overall, and now represent 10 percent of all IT job postings,” the report said.

Cyber Security Salary When considered against the backdrop of increased number of data breaches, distributed denial-of-service attacks, online fraud, and cyber-espionage being reported each day, it’s no surprise the cyber-security job market is booming. Over 17 major retailers and financial institutions were targeted in 2013 alone, and according to the FBI, nearly 300,000 cyber-crimes were reported in the past year, resulting in losses of over $ 525 million.

Security is no longer restricted to just technology companies or financial institutions, as retailers such as Target and organizations in charge of critical infrastructure such as the electric grid grapple with skilled adversaries who take advantage of holes in the network defenses to cause damage. “If you have sensitive data, you are a security company,” David Lindsay, a senior product manager at Coverity, said in an earlier interview.

Burning Glass released the report last week, hours after the Labor Department reported the U.S. Economy added 175,000 jobs in February. The Labor Department said the biggest growth nationwide was in the professional services sector, which includes technology jobs. According to the Burning Glass report, 38 percent of those technology jobs are cyber-security positions. Manufacturing, defense, finance, insurance, and health care sectors also had high demand for cyber-security jobs, Burning Glass found.

While there are many jobs, Burning Glass said they are concentrated in three major hubs: Washington, D.C., New York, and San Francisco/Bay Area. The Washington, D.C. metropolitan area had the most cybersecurity job postings in 2013, with more than 23,000 listings, followed by New York City with just over 15,000, Burning Glass said in its report. The San Francisco-San Jose corridor, which includes the Silicon Valley, had more than 12,000 listings. Chicago and Dallas rounded out the top 5.

The demand for skilled cyber-security professionals in the federal government and for the contracting firms that work on government contractors explains the high numbers for the D.C.-area. In a state-by-state analysis, Burning Glass found that Virginia ranked second in the number of cybersecurity job listings, and Maryland ranked sixth. As would be expected considering its concentration of technology companies, California ranked first in the number of open jobs.

The report highlighted the oft-discussed skills gap, as well. The demand is there for cyber-security professionals, but cyber-security jobs took 24 percent longer—45 days as opposed to 36 days for other IT jobs—to fill, Burning Glass found. Cyber-security jobs also took 36 percent longer than all job postings.

“The demand for cybersecurity talent appears to be outstripping supply,” said Matt Sigelman, CEO of Burning Glass.

One reason for the gap may be because employers are looking for significant educational background and experience, with two-third of postings requiring at least four years of experience and 84 percent looking for applicants with at least a bachelor’s degree. About half of all cyber-security positions requested at least one professional certification, such as Certified Information System Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (Security+), and Certified Information Security Manager (CISM).

Sigelman noted that 50,000 job postings in 2013 required applicants to have the Certified Information Systems Security Professional (CISSP) credential, but there were only 60,000 such certified professionals at the moment. And considering that CISSP requires four years of full-time cyber-security experience, it’s not possible to “fast track” professionals to meet the demand.

“This is a huge gap between supply and demand,” Sigelman said.

The difficulty in finding cyber-security professionals to fill positions was part of the conversation at last month’s RSA Conference in San Francisco, as well.

Andy Ellis, CSO of Akamai, noted on the security gaps panel that the problem wasn’t a dearth of skilled individuals, but rather that “We’re writing job descriptions that are unrealistic.” The panel emphasized that cyber-security professionals need to be able to communicate with business stakeholders and be able to show how security affects the business bottom line.

With the jobs market booming for cyber-security professionals, it seems there are plenty of opportunities for them to show off what they can do.

Related: Report Shows Extreme Demand for Skilled Security Professionals

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.

Previous Columns by Fahmida Y. Rashid:


SecurityWeek RSS Feed