Government Technology

By Dan Lohrmann: Covering the security challenges facing governments today and offering innovative solutions to global and local cyber threats.

Defining Cyber FUD: The Bad, The Good and The Ugly

February 18, 2012 By Dan Lohrmann

Just in case you haven’t been paying close attention to tech headlines lately or you’ve been totally distracted by Jeremy Lin’s unexpected NBA exploits (also known as Linsanity) or you’ve become turned-off by the constant barrage of bad news related to computer hackers, this has been another bad week in the headlines for cybersecurity. Perhaps, somehow, you’ve missed the latest scary cyber news.

If this describes you, here is a mini-sample of the top news stories that the security industry has been hammered with over the past week:

Wall Street Journal – Chinese Hackers Suspected In Long-Term Nortel Breach

Excerpt: “For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times.”

Telegraph (UK) - CIA website hacked in attack 'claimed' by shadowy cyber group Anonymous

Excerpt: “Jennifer Youngblood, a CIA spokeswoman, said on Friday night: "We are aware of the problems accessing our website, and are working to resolve them."

Anonymous claimed responsibility for shutting down the homepages of the Department of Justice and FBI last month in retaliation for the US government closing the controversial Megaupload filesharing websites.

Alabama state and Mexican mining company websites were also hacked on Friday. Web pages linked to Anonymous claimed responsibility for both attacks.”

I could go on, but I’m sure you see the trend. The chilling truth is that cyber headlines, often involving major breaches, are relentless. I keep thinking that things can’t get worse – but they somehow do. Over the past few years, we just kept hearing more and more frightening stories about hacker successes and sensitive data lost.

Bad FUD Defined

Competent security pros can easily keep your attention and can scare just about any audience with a well-selected sampling of these headline stories. Recent hacking incidents and the millions of dollars or reputations lost often make CNN and Fox News. Security professionals call an extensive focus on these stories “FUD,” which stands for “Fear, Uncertainty and Doubt.”

Yes, other industries use this term as well – but in the security and technology circles, regularly repeating FUD headlines is viewed as a bad thing. Why? Aren’t these just factual news headlines from reputable sources? Yes, but used too often or as the main message in speeches, FUD can escalate the negative views of the security industry by not offering cyber solutions that work over time. FUD often creates opposite extremes – either a sense of hopelessness or an unsustainable excitement that blocks out all other discussion.

Put another way, FUD might be compared to the sports crazes of Tebowmania or Linsanity - the topic gets super hot and takes over all coffeepot discussions, but after a while, people get sick of talking about it. Eventually, the pendulum swings the other way. Perhaps the tide has already turned for FUD, because like an addictive drug, it takes more and more FUD to have an impact in 2012.

Truth be told, I have long been a critic of FUD, which can contribute to reason #1 that security professionals fail. I have seen FUD offer a short-term bounce to security programs around the country, which can later become a “haven’t you fixed that yet” mentality from senior executives 6-12 months later. Our cyber defense goals need to address long-term strategic answers that improve cyber defense over years and not just days or months. A common joke in the security industry is that you want the CISO job right after a major FUD incident. You get the dollars and support – after the last person was removed.

Good FUD as a Starter

Now allow me to also offer some positive aspects to a small slice of FUD. True cyber stories that are hot off the press are great conversation starters - like an appetizer before the main course at dinner. Remember – FUD almost always works for a brief moment. Audiences are usually intrigued by hot stories of cyber breaches or worse, especially if there is some new twist or a different channel that was used to gain unauthorized access. Advice: just don’t make the FUD the main point of your speech or end with “and you’re next if you don’t follow my advice.”

But while FUD usually works great to get a speech kicked off or as an icebreaker with a person who knows very little about security, it should not be used as the main course. Just as financial advisors know what to say to clients after a bad day with big stock market losses, smart cyber pros will use that “teachable moment” to move on to what actions their company can (and needs to) take now. Advice: have that elevator speech ready for the next FUD to hit. Also, get to know “the rest of the story” so that you can keep the conversation going beyond the headline that is so popular.

One more point in the “good FUD” category: keeping track of the latest FUD is important for your career. Security pros need to be well-informed when asked “what happened” by friends and colleagues at home and work. You are the resident “expert” so a puzzled look about yesterday’s headline hack, while occasionally ok, is not an effective way to build confidence in your abilities. Advice: When this happens and you’re caught off-guard, read up on the incident quickly, because others will ask as well.

FUD Can Also Get Ugly and Personal

I remember a major breach that occurred back in the 90s that taught me a lesson. I was at a training conference on how to configure network firewalls and security controls. As I was eating breakfast before class and reading a front-page Washington Post article about a major breach to a colleague, he turned to me and said, “Oh my gosh, that’s my website! I was sent here to this class to make sure we weren’t hacked.”

My two-day friendship ended when he was called away and never came back. I later heard he was fired.

The lesson – scary FUD headlines are real and can become very personal. I know several security pros – both leaders and analysts – that were “overcome by events” that were probably outside of their direct control. Nevertheless, we ignore FUD at our own peril.

All of us in the security industry are aware of the unexpected challenges that a career in cyber can contain. If management is looking for a scapegoat after a major incident, FUD can lead to changes that may not be well thought out or even helpful to defending the enterprise. Still, these cyber headlines can derail impressive careers if “perception becomes reality.” After the cleanup, management may say you should have known or stopped the incident from happening. Advice: develop a good relationship with your government agency’s Public Information Officer (PIO) who is trained to deal with the press. Work together as a team during cyber incidents. Sure, we want to stay out of the news, but prepare for the worst.

Bottom line, FUD is a complicated topic. FUD can be your friend or your worst enemy. It can light a fire under cyber initiatives, or end a career. It can influence decisions in the middle of a crisis. Regardless of the story, FUD is important to master – and that’s not just hype.

Any FUD stories to share?


Cyber Training: Are All the Best Technology & Security Conferences Out of State?

February 7, 2012 By Dan Lohrmann

It’s that time of year when my email in-box starts filling up with invitations to events surrounding the RSA conference in San Francisco. Whether from vendors, current friends, former colleagues or other security pros who just want to connect, the new offers seem to get more creative every year. There are huge parties, forums, get-togethers, breakfasts and even totally separate conferences (or one-day workshops) running at the same time or before the event.

Of course, the assumption – no, the strong expectation – is that you’ll be in San Fran that week. If you write back that you’re not going this year, the surprised response is always some rendition of “Is everything ok?” Some of you are probably wondering that about me now – no, I'm not going in 2012 and yes, everything is fine.

Now, before I go on, I need to say that this is not a promo for RSA. Yes, I’ve been, and it’s an excellent conference with an unparalleled number of industry exhibitors, training seminars, exciting keynotes, new announcements of products, award ceremonies, etc. More than that, it is almost like “reunion time” where you can get together with friends from around the world from the Department of Homeland Security (DHS) to leading companies in Europe. Speaking at RSA is a huge honor. If you’ve never been – it’s worth going at least once, if at all possible.

Which is where I’m heading with this piece - it’s not possible for the vast majority of state and local government employees to attend RSA or other large conferences like Black Hat.

Most state and local government cyber pros are forbidden from traveling out of state on business, unless given a “special exception.” In the majority of government cases, training conferences don’t qualify for this exception – unless you are presenting and the conference is paying the travel expenses. Of course, government employees cannot accept gifts or trips from vendors, which means that many of the best security conferences are out-of-reach for many government security staff who could often benefit from the training.

(Side note: this same training problem exists for other government professionals in many different fields when the economy is bad and revenues down.) Every state is different, and there are a variety of variations on this theme. Nevertheless, online training, web conferences and local training are now the norm.

What’s to be done locally?

There’s an age-old phrase that I learned way back when I started my career at NSA in the mid-80s. It starts with the question: Who’s the expert?

Answer: The guy from out of town.

Since perception is often reality, there’s an element of truth to that popular statement. But what about cybersecurity conferences? Are all of the good security conferences out of town (or out-of-state)? I think not.

So what’s the solution? If you can’t bring the people to the conferences … bring the conferences to the people. This is what’s being done all over the nation. Here are a few examples:

SecureWorld Expo Events: These 2-day security conferences have been going on in major US cities for almost a decade. I always look forward to the Detroit event (which is close to Lansing). We’ve been able to get 50+ state employees to that event each year, and we can often get discounted (or free) tickets for government employees. I know the great professional team running these events, and I’ve had the opportunity to speak at SecureWorld events around the USA. I highly recommend attending and encourage active participation in your part of the country.

Government Technology Magazine Events – These events are run by the Center for Digital Government (CDG), and they are very well done – often with a local flavor and great nationally-known keynote speakers. In Michigan, we’ve been holding an annual Michigan Government Summit for years, in partnership with GovTech. What sets these events apart is the state-local collaboration that occurs before, during and after the annual events. The process of building the agenda with state/local IT leaders is almost as helpful as the event itself at fostering cooperation.

Many of these events have a track or even an entire day on cybersecurity. In 2009, we held a one-off cyber summit in partnership with CDG. And the second afternoon of the GovTech conference focused on cybersecurity in 2010.

Which leads to my last idea on this conference topic: starting home-grown technology events. If there is nothing going on in your area, build it yourself. Last year, we launched Cyber Security Awareness Month for the nation at the Michigan Cyber Summit. Each year, our Michigan State Police partners hold a great event in Grand Rapids called the Great Lakes Homeland Security Conference.

My point is that there are plenty of excellent opportunities to learn and be trained right where you are. Look around. Google it.

Sure, RSA is fun and unique. If you really want to go, brush up on your Toastmasters skills and try to become a speaker at a breakout session (but submit a proposal early - it's tough to get accepted). It is always fun to travel, and I’ve been blessed to speak at events around the world. Nevertheless, some of my best experiences have been at security and technology conferences near home. Best of all, you get to sleep in your own bed and stay near family.

I'd love to hear about your experiences or ideas for cyber or technology training. Feel free to leave a comment.


DMARC Should Reduce Phishing Scams

January 30, 2012 By Dan Lohrmann

Major technology vendors announced the formation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) system today. This new email authentication framework should reduce the number of phishing scams that try to trick users into thinking emails are from someone else. Participating vendors, many of which provide free email services, aim to make spoofed domains in messages a thing of the past.

Leading technology companies like Google, Microsoft, AOL and Facebook are participating in the system – which is explained and can be examined in detail at DMARC.org. Here is a quote from the new website:

“DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.”

Coverage of the press announcement was widespread today with numerous headlines all over the Internet, such as:

USA Today - Tech companies team up to combat e-mail scams

Information Week - Google, Microsoft Say DMARC Spec Stops Phishing

Tech Crunch - DMARC Promises a World Of Less Phishing

Here’s an excerpt from the Tech Crunch article:

“The move follows an announcement in November that Google, Microsoft, Yahoo, AOL, and Agari were authenticating emails from Facebook, YouSendIt, and other e-commerce companies and social networks.

DMARC said the anti-phishing initiative has actually been going on for the last 18 months.

According to Google, about 15 percent of all e-mail comes from members of DMARC, but by publishing their DMARC records, these records can not be domain spoofed. This makes the anti-phishing group much more effective at stopping criminal gangs from using phishing to dupe unsuspecting users.”

Are there any downsides to DMARC? Not really, in my opinion.

However, as many at Slashdot pointed out in their comments today, this system still doesn’t stop unwanted spam from within gmail or yahoo (or wherever) – it only ensures that the email is not from a fake domain. The benefit is tied to ensuring that the domain is genuine – which is a huge step forward – but not a complete solution. So as the critics point out, we still need to be careful to ensure that we are reading a message from the correct user. For example: there are multiple people with the same name in Yahoo mail.
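As an added illustration (not code from this post or from DMARC.org), here is a small Python model of the receiver-side check the DMARC.org quote describes: a message passes only if SPF or DKIM passes and the authenticated domain aligns with the header From domain, and it also shows the Slashdot caveat, since a genuine sender at any domain passes no matter what display name is used. All domains, DNS records and messages are constructed sample data; the organizational-domain helper is a simplification of what real receivers do with the Public Suffix List.

```python
# Added example: minimal DMARC policy evaluation. DNS is simulated with a dict
# and every domain/message below is constructed sample data (not from the post).


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % txt)
    # Defaults when the tags are absent: relaxed alignment for DKIM and SPF.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels
    (assumption: real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


# Constructed stand-in for DNS: the _dmarc.<domain> TXT records.
DNS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example",
    "_dmarc.freemail.example": "v=DMARC1; p=quarantine",
}


def evaluate(msg):
    """msg carries the header From domain and the SPF/DKIM results the
    receiver already computed. Returns (dmarc_pass, disposition)."""
    from_domain = msg["from_domain"]
    txt = DNS.get("_dmarc." + from_domain) or DNS.get("_dmarc." + org_domain(from_domain))
    if txt is None:
        return None, "none"  # no policy published, nothing to enforce
    rec = parse_dmarc_record(txt)
    spf_ok = msg["spf"] == "pass" and aligned(msg["spf_domain"], from_domain, rec["aspf"])
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["dkim_domain"], from_domain, rec["adkim"])
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else rec.get("p", "none"))


# 1) Genuine mail from the bank, DKIM-signed with the bank's own domain.
GENUINE = {"from_domain": "bank.example", "spf": "pass", "spf_domain": "bank.example",
           "dkim": "pass", "dkim_domain": "bank.example"}
# 2) Spoof: header From claims bank.example, but SPF/DKIM only vouch for another domain.
SPOOF = {"from_domain": "bank.example", "spf": "pass", "spf_domain": "bulk-sender.example",
         "dkim": "pass", "dkim_domain": "bulk-sender.example"}
# 3) The Slashdot caveat: a real freemail account with a misleading display name.
#    The domain is genuine, so DMARC passes; the display name is never examined.
LOOKALIKE = {"from_domain": "freemail.example", "display_name": "Bank Support",
             "spf": "pass", "spf_domain": "freemail.example", "dkim": "none", "dkim_domain": ""}

if __name__ == "__main__":
    for name, m in [("genuine", GENUINE), ("spoof", SPOOF), ("lookalike", LOOKALIKE)]:
        print(name, evaluate(m))
```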

Nevertheless, I agree with the major vendors that this is an important step forward in fighting phishing attacks.

What are your thoughts on this announcement?


Anti-Piracy Legislation Protests Continue: FTC Cyber Awareness Site Down

January 25, 2012 By Dan Lohrmann

The Federal Trade Commission’s website at www.onguardonline.gov remained down for a second day after it had suffered a security breach. According to Government Computer News (GCN.com), the group Anonymous hacked the site in protest over proposed anti-piracy laws and recent anti-piracy arrests.

Here’s a quote from GCN's story:

"The OnGuardOnline.gov site, intended to give people cybersecurity advice, was hacked early Jan. 24, with the home page replaced by the Anonymous logo, a rap song and a message threatening more attacks if anti-piracy legislation in Congress — which has stalled after a massive online protest Jan. 18 — were to pass.

FTC, which operates the site with several other agencies, took it offline after the hack...."

Since the protest last week, many legislators have backed away from Stop Online Piracy Act (SOPA) because of the public outcry and pushback from many technology companies.

Meanwhile Computerworld ran an article that said the European Union’s proposed privacy rules could hinder the Internet. Here's an excerpt:

“The rules, proposed by E.U. Justice Commissioner Viviane Reding, include the so-called "right to be forgotten," allowing Internet users to have data about them deleted if there are no legitimate reasons for retaining it. The proposal would require companies with more than 250 employees to appoint data protection officers, and it would require companies to report data breaches within 24 hours.”

This new hacking trend is not slowing down, and ushers in a new cyber chapter in my view. If “hacktivists” can manipulate public opinion and get the results that they desire (like stopping new legislation), we will surely see more of this behavior in the years ahead when developments don't match the goals of various online groups.

What is your view on these developments?


DOJ Shuts Down Megaupload, Anonymous Retaliates

January 20, 2012 By Dan Lohrmann

This is turning into a wild week for headline-grabbing cyber activity. Immediately following Internet protests of proposed new legislation to crack down on Internet piracy, the Department of Justice (DOJ) moved quickly to shut down one of the most popular websites known for illegal downloads, called Megaupload.

According to the Washington Post:

“Federal authorities Thursday indicted two firms and shut down one of the Web’s most popular sites for sharing illegally pirated material, triggering a quick response from hackers who claimed credit for taking down the Web sites of the Justice Department, Recording Industry Association of America and other media companies in retaliation.”

This story was making headlines across the tech world, with Computerworld Magazine reporting that: Anonymous retaliates for Megaupload shutdown, attacks DOJ, others. Here’s an excerpt from that article:

“The hacker group Anonymous is claiming responsibility for attacks that have taken down websites run by Universal Music, the U.S. Department of Justice and the Recording Industry Association of America in retaliation for the government's removal of the Megaupload websites.

‘The government takes down Megaupload? 15 minutes later Anonymous takes down government and record label sites,’ the Anonymous Twitter feed read.

That note was followed shortly by this one: "Megaupload was taken down w/out SOPA being law. Now imagine what will happen if it passes. The Internet as we know it will end. FIGHT BACK." The tweet referred to the Stop Online Piracy Act, an Internet piracy bill being considered in the U.S. Congress.”

Other details were also available over at USA Today:

“An indictment accused Megaupload.com of costing copyright holders at least $500 million in lost revenue. The indictment was unsealed one day after websites including Wikipedia and Craigslist shut down in protest of two congressional proposals intended to make it easier for authorities to go after websites with pirated material, especially those with headquarters and servers overseas.

Megaupload is based in Hong Kong, but some of the alleged pirated content was hosted on leased servers in Ashburn, Va., which gave federal authorities jurisdiction, the indictment said.”

Coverage of yesterday's events stretched over to the United Kingdom. The Guardian newspaper reported that: "The US government has closed down one of the world's largest filesharing websites, accusing its founders of racketeering, money laundering and presiding over 'massive' online piracy."

Meanwhile, a more detailed list of activity and timelines was seen over at Gizmodo.com. The bold headline read: THEY ARE BACK with a long list of websites that were attacked (including the FBI and EMI Records) and more than eleven updates.

This flurry of activity is revealing a new face in the global Internet battle over online laws and content controls in cyberspace. Some online are even calling it the long-awaited cyber war - but not me. However, the war of words and company protests are showing up in real-life indictments and the shutting down of popular sites offering illegal copies of copyright material.

Many commentators (including myself) have been saying that the virtual world (Internet) today often resembles the wild west of bygone years, or 1930s Chicago with its mobs. This week’s events are showing these analogies to be fairly accurate.

One more thing - in a related development, all four Republican candidates for President stood together to oppose the proposed SOPA Internet piracy legislation in last night's debate. The White House has already stated that the legislation has flaws. I wrote about this topic earlier in my previous blog post this week.

What do you think? Where is this cyber battle heading? Will the global Internet police be able to stop Anonymous anytime soon? Or, will the global protesting grow with hackers outgunning law enforcement in cyberspace? Are these protests a good thing or not?
