Government Technology

By Dan Lohrmann: Covering the security challenges facing governments today and offering innovative solutions to global and local cyber threats.

NASCIO and Deloitte Publish New 2012 Cybersecurity Survey for State Governments

October 23, 2012 By Dan Lohrmann

Day 2 at the NASCIO annual meeting, and one hot topic is the new Cybersecurity survey results that were released this morning called

 
Government Technology Magazine wrote a good summary of the security survey panel session which covered the report topic.
 
As I looked at the new survey results, I found several concerning trends that we didn't have time to discuss on the morning panel today. One of those trends was a reduction in vulnerability management implementations and less scanning of critical systems for vulnerabilities and malware. I am also concerned about the lack of trust that CISOs have in the level of expertise on their cybersecurity teams.
 
Another highlight was the majority of states reporting the same or less money for security programs at a time when the private sector is raising Cybersecurity budgets. A mismatch between "executive buy-in" and funding for security raises a red flag for me about how much real support exists.
 
I'm keeping this blog short, but I strongly urge you to go out and read the report and recommendations for CIOs and CISOs. Overall, there is a mixed message with some positive trends but also the realization that many states are not doing enough to secure their systems and data.
 
What are your thoughts on the survey results?


NASCIO Conference Day 1

October 22, 2012 By Dan Lohrmann

I am at the National Association of State CIOs Annual Conference in San Diego, and here are some of the first day highlights.

The roundtable sessions over breakfast covered over a dozen topics, and I attended a session on BYOD led by the CIO from Delaware. The session was excellent with comparisons between public and private sector organizations on the use of different mobile devices. All of the topical discussion sessions seemed well attended, and it was a great way to engage professionals from around the country with different approaches to this cutting-edge issue.

The opening keynote was called: Overhauling the Ship: Extreme Government Makeover - led by Ken Miller who is the Founder of the Change and Innovation Agency. He used a lot of analogies and his basic message was that "the house of government doesn't need another layer of paint or new carpets, but an extreme makeover." His points on process improvement were very well made.

The next session covered multi-jurisdictional collaboration with panelists from Michigan, North Carolina, Montana and Cook County, Illinois. The examples and stories made it clear that more sharing of services is coming nationwide - both within states and across state lines. Great session that was lively with a good Q/A session afterwards.

After lunch, there was a general session which covered the results of a State CIO survey by TechAmerica and NASCIO. Priorities discussed included: mobile devices and applications, social media, cloud computing, big data and the public safety broadband network. The examples and overall discussion were excellent.

I also attended a breakout session called "Batten Down the Hatches on Health Data Exchange" which was a great look at the latest security and privacy actions being taken in California, Arkansas and around the country. It is clear that progress is being made on health data, but many hurdles remain. The panelists were not as optimistic on this topic as they were a year ago, and many questions from the audience seemed to have a "we'll see" answer to them.

Tonight, the NASCIO best-practice awards to states are given out at dinner.

More after Day 2.

Are you at the NASCIO conference? Any comments to share?


NASCIO Annual Conference 2012

October 19, 2012 By Dan Lohrmann

The National Association of State Chief Information Officers (NASCIO) is holding their annual conference in San Diego this year from October 21-24, 2012.

The agenda is packed with many interesting topics, such as an opening keynote by Ken Miller, Founder, Change & Innovation Agency. Here’s how this 90-minute session is described in the program:

“Pinnacle General Session Overhauling the Ship: Extreme Government Makeover

Government is under incredible pressure right now. The economic crisis has hit us with a double whammy: exponential increases in demand and dramatically reduced resources.  How have we responded to these new pressures? By trotting out the old ideas. We outsource, upgrade and right-size. The house of government doesn't need another layer of paint or some new carpet -- it needs an extreme makeover. And just like on the show, it needs it done fast! This presentation makes obvious the real problems plaguing government, how you can join the crew and gives you the tools to complete the makeover.”

There are several interesting sessions on topics ranging from multi-jurisdictional collaboration, to health data exchange, to data and analytics, to the “choppy seas of outsourcing.”

On the cybersecurity side, there are three sessions that are of special interest to readers of this blog. On Monday afternoon, there is a breakout session on mobile device management. That session is described this way:

“Striving to Protect: Mobile Device Management and Security

Whether the data is in your pocket, on your desktop or in your network, how do you strive to protect the information and manage the devices? … And a new generation of workforce and citizens used to being connected -- anytime, anywhere, all the time - are requiring CIOs to rethink policy and security….”

On Tuesday morning, there is a panel session discussing the results of the cybersecurity survey sent from state governments and U.S. territories. I am participating in this session, and the session is presented with the title and description:

“State Governments at Risk

NASCIO initiated the 2012 cybersecurity study to assist state leaders in understanding the current cybersecurity environments and to provide key insights to aid state leaders in making informed decisions relative to cybersecurity threats, risks, priorities and strategy. Survey questions covered topics across information security governance, budget, use of security technologies, quality of operations and more. This special briefing will be an interactive session covering the aggregated study results.”

Last, but not least, there is an important session entitled:

“Charting the Course: Public Safety Broadband

We have all heard that Congress reallocated the 700-MHz D-Block spectrum to public safety and established the FirstNet Board to create a nationwide public safety broadband network for first responders. Come and hear what the creation of this network can mean to state government and how first responders and others will use the network….”

Other topics include data transparency, redesigning procurement and the explosion in mobile applications.

I think this agenda looks outstanding overall, and the best part is almost always the networking and side-discussions. I know we say this every two years or so, but I think we are at an important crossroads in state government support of technology and security, and I find these annual NASCIO conferences to be “must-attend” events each year.

It is easy to gain “tunnel vision” regarding the activities locally, but NASCIO always provides insights on the national picture. With the election coming up soon after the conference, the conversations always get interesting.

In addition to the topical experts who speak, I like hearing the perspectives from CIOs from around the country. There are always plenty of federal partners in attendance as well who want to talk about various interfaces and systems. Not to be outdone, our vendor partners will be available to brief us on their latest offerings.

Lastly, I will be writing a blog on my thoughts about the national cybersecurity survey as well as observations from several other sessions. I look forward to seeing many of you in San Diego next week.


Iranian hackers blamed for massive new cyberattacks

October 14, 2012 By Dan Lohrmann

Senior officials in the U.S. government believe that Iranian hackers are responsible for a new wave of significant cyberattacks. These unprecedented cyberattacks were very destructive in nature, and crippled several Persian Gulf oil and gas companies.

Last week, CBS News reported that “U.S. officials say a cyber attack against ARAMCO, has been traced to hackers inside Iran. This attack is yet another volley in an increasingly high stakes war going on in cyberspace. Defense Secretary Panetta warns that potential enemies, including Iran, are developing the capability to launch devastating attacks.”

Back in September, hackers hit 30,000 computers at the world’s biggest oil companies. Sky News reported:

“Saudi Arabia's national oil company was hit after at least one insider with high-level access allegedly assisted hackers to wreak havoc on the company's network last month.

The attack, using a computer virus known as Shamoon against Saudi Aramco, is one of the most destructive cyber strikes conducted against a single business. Shamoon spread through the company's network and wiped computer hard drives clean."

According to the Washington Post, Defense Secretary Leon Panetta said the cyberthreat from Iran has grown, and he declared that the Pentagon is prepared to take action if America is threatened by a computer-based assault.

The Wall Street Journal gave significant front page attention to these recent cyberattacks. Here’s an excerpt:

“U.S. agencies have been assisting in the Gulf investigation and concluded that the level of resources needed to conduct the attack showed there was some degree of involvement by a nation state, said the former official. The officials spoke on condition of anonymity because the investigation is classified as secret.

‘Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for their actions that may try to harm America,’ Panetta said in a speech to the Business Executives for National Security. He later noted that Iran has ‘undertaken a concerted effort to use cyberspace to its advantage.’"

Cyberattacks Against Banks

Back in late September, Iran was also named as the source of several cyberattacks against Bank of America, JPMorgan and Citi. According to Reuters:

“The attacks, which began in late 2011 and escalated this year, have primarily been ‘denial of service’ campaigns that disrupted the banks' websites and corporate networks by overwhelming them with incoming web traffic, said the sources.

Whether the hackers have been able to inflict more serious damage on computer networks or steal critical data is not yet known. The sources said there was evidence suggesting the hackers targeted the banks in retaliation for their enforcement of Western economic sanctions against Iran.”

It should be noted that Iranian officials have denied hacking U.S. banks. Instead, Iran accused U.S. officials of “demonizing Iran in cyberspace to portray the country as a global threat to cyber security and justify the U.S. and Israeli cyber attacks on Iran."

How Effective Are These Cyberattacks?

Meanwhile, Yahoo News reported that “Iran has a growing legion of low-grade hackers that are quickly becoming a pain in the side of the Obama Administration, and financial companies….

The potential danger of Iran, or anyone causing havoc digitally is something the administration knows they have to consider, which is why the government spends $3 billion annually on digital defense.”

What is clear is that both business and government leaders around the world are very concerned about this escalation of attacks in cyberspace. Many are now thinking that we are entering a new cyber Cold War, with cyberhacking threats taking the place of 20th century nuclear weapons.

What makes this situation so much more complicated is that we have many different nation-states now entering and/or already participating in this cyber Cold War. Besides Iran and China, dozens of countries are thought to be boosting their cyberwar capabilities – whether that focuses solely on cyberdefense or includes more cyberattack capabilities remains to be seen.

What is not in doubt is that Stuxnet and Flame have recently cleared the way for a new chapter for nation-state sponsored or approved cyberattacks. Nations are scrambling to stay ahead of others and/or to gain advanced cybersecurity capabilities.

Where is this heading? Check out this video interview with Eugene Kaspersky from back in June, 2012. Kaspersky is recognized as a global expert on a variety of cybersecurity topics, and he helped launch the now famous company that bears his name. He describes “the end of the world as we know it” in this video piece with a new era of “cyberweapons, cyberwar and cyberterrorism.” Scary stuff.

Why Release This Information Now?

There is no doubt in my mind that the events of the past week have ratcheted-up the pressure even further on cybersecurity, if that is possible.

So why did Defense Secretary Panetta give this speech now? Are these attacks getting worse? Given that we are in the middle of an election campaign, what is the significance of naming Iran? Yes, I think Iran is being warned, but could an executive order on cyber still be coming soon?

I suspect there still may be an executive order coming on cybersecurity, and these Iranian cyberattack realities may be named as a big part of the reason why. As I have said before, I think that the time for government action, hopefully with bipartisan legislation, is now.

I’d love to hear your thoughts.


From Cyberbully To Responsible Cybercitizen To Online Ambassador For Good

October 8, 2012 By Dan Lohrmann

Steven Spielberg is known as one of the best movie directors ever. Spielberg once said that his primary motivation for making movies was his fears and anxieties. “I had no way to sublime or channel those fears until I began telling stories to my younger sisters. This removed the fear from my soul and transferred it right into theirs.”

In the ABC Family Movie Cyberbully, Taylor Hillridge is a teenage girl who finds herself the victim of cyberbullying when she becomes a member of a social website. As the movie progresses, the significant damage that cyberbullying can cause becomes clear when Taylor tries to overdose on medication pills. Through therapy and a healing process, she learns that she is not alone.  

Common Sense Media gave the film a positive review, stating:

"Cyberbully is a great jumping-off point for talking to teens about the very real dangers that exist online. The movie does a good job of working in most of the hot-button issues related to this topic, including the anonymity that exists online, the legal loopholes that enable cyberbullying, the social pressure on teens to partake in digital relationships, and the emotional devastation that bullying inflicts on its victims and their families."

Last time, I left you with the question: What action steps can we take to improve cyberethics at home and work? In my final blog on this cyberethics topic, let’s look at what’s happening around the world with some potential examples to emulate.

Hot Example: Cyberbullying

Family examples that grab a lot of attention include cyberbullying and sexting. Parents, teachers, legislators and criminal justice agencies quickly take notice when these topics come up. To give you a sense of how significant these problems have become, just take a quick peek at this Google list of links to national and international conferences on cyberbullying.

For example, the June 2012 International Conference on Cyberbullying in Paris was their 8th meeting on the topic. The lists of members, groups, committees (and management committees), meetings, topics, newsletters, posters, presentations, upcoming events, books and training schools are enough to clearly illustrate that this problem is not going away anytime soon.

From the tragic international statistics, to the new cyberbullying bills written after teen suicides to local school board arguments, cyberbullying has become a front-line societal issue. Parents are asking: Should schools be held responsible for cyberbullying? New websites and even companies have been created to address training in cyberbullying avoidance.

Cyberbullying and sexting are just two societal examples of the wider ethical issues we are facing in cyberspace. From plagiarism to cheating on tests and from the insider threat at work to illegal hacking of identities, there is a growing body of evidence to suggest that more action is needed. 

Meanwhile, cyberethics challenges at work continue to cause concerns for state, local and federal governments. As described in the first blog in this series, the intentions of employees may be good, but what is actually happening on the ground (on the networks)? How are staff truly behaving, and how are policies being enforced?

So what’s being done right now regarding cyber awareness around the country?

October Cybersecurity Awareness Month

We’re in October, which means that Cyber Security Awareness Month has begun. This year, the kickoff event occurred in Omaha, Nebraska, on October 1.

A quick glance at the Department of Homeland Security’s website on National Cyber Security Awareness Month (NCSAM) reveals a few themes with helpful links and information under each. Those areas include:

- Cybersecurity is one of our country’s most important national security priorities.
- Our shared responsibility online
- Do your part

But DHS is not alone. Indiana University’s cybersecurity center offered practical tips for awareness month, and the SANS Institute took their show on the road to Chicago to highlight important training courses. Stay Safe Online launched a helpful new website. Dark Reading also offered a list of ways to protect users online.

The Stop Think Connect campaign also celebrated their second anniversary on Thursday, with plenty of support from numerous organizations around the globe.

Despite these excellent events, websites and press announcements, Security Week proclaimed that this year’s Cyber Security Awareness Month Kicks-Off on a Blue Note. Here’s an excerpt:

“First there was the attack on the White House Military Office (which was overhyped by some media outlets), followed by the National Cyber Security Alliance’s report that 90% of Americans do not feel completely safe online.

In a survey conducted with McAfee, the NCSA’s study said that 90% of the surveyed American consumers reported that they don’t feel completely safe online. Moreover, 59% say their job is dependent on a safe and secure Internet; and 78% say losing Internet access for 48 consecutive hours would be disruptive with 33% saying it would be extremely disruptive.”

Other Cyberethics Programs

And yet, almost all of these sessions focus on security topics like changing your passwords, not reusing your passwords, phishing attacks, stopping malware and the like. So how do we practice cyberethics? Microsoft offers this “Practice Cyberethics” website, which offers a long list of do’s and don’ts.

The Socrates Institute, an independent developer and evaluator of educational programs, offers lessons on cyberethics for students. They make the case for the importance of training and list some of the reasons a cyberethics program is recommended for young people. “Activities such as hacking, cutting and pasting web text, spreading viruses, downloading music and videos, copying CDs and software are considered harmless pranks or sharing by most students. In fact, though, many of these are federal crimes, punishable by high fines, banishment from the Internet, and prison time.”

Other cyberethics websites and programs include: The National Crime Prevention Council and Cybercitizenship.org.

The University of Alabama offers several case studies and discussion questions for students on various aspects of cyberethics.

Back as early as 2008, some parts of California offered K-12 training that went beyond cyber safety and covered cyberethics. 

The Massachusetts Government offers online cyberethics training for employees, parents and teachers which “is designed to teach students an appropriate way to approach the difficult ethical dilemmas that arise from using the modern Internet.”

The Texas CISO also offered this newsletter on cyberethics to state employees and others, with links to a variety of resources.

Some people even believe that public schools should mandate teaching of cyberethics. Ikeepsafe.org addresses this topic by stating, “The ethical behavior of students without training or education is suspect. Students are not receiving the appropriate cyber ethics training leaving them to chance cyberspace. Today, many teachers have not received the proper training necessary to educate current cyber responsibilities to stay safe online.”

What Are We Missing? What Can Be Done?

Back in January 2007, I wrote a CSO Magazine blog entitled: Why Security Staff Struggle Implementing Cyber Ethics. The piece offered a long list of reasons why this is a very hard topic to tackle in government workplaces. One nationally-recognized security colleague even warned me before that post, “Don’t go there Dan. You can discuss cyberethics for kids but not for adults. People don’t want you to preach at them.”  

The sad truth is that our cyberethics problems are much worse today than five years ago. The introduction of social media, smartphones, BYOD, cloud computing and more into the workplace has led to a business environment where personal ethics has become the main firewall for many staff. Our new online possibilities are almost limitless, but the number of opportunities to get into trouble is accelerating in new ways as well.

The general reaction from the security industry has been to focus on “just the data stupid” without regard for the many other online ethical pitfalls. While few would disagree with the reality that better cyber awareness training is certainly needed on a wide array of corporate and personal cybersecurity topics, the identity theft headlines continue to overshadow online productivity, personal and company reputation and other cyberethics issues within enterprises.

So what actions do I recommend regarding cyberethics and cultivating an environment which encourages our staff to act responsibly and even be online ambassadors for good?

1) Incorporate cyberethics training into government and business awareness programs.

2) Discuss cyberethics with your family members. Use movies like Cyberbully to get the conversation started.

3) Review ethics policies, security policies and related computer policies at work to ensure that they are updated for our new always connected world.

4) Hold a discussion with staff regarding online ethical issues that come up at work. Discuss what they are accountable for. Talk with staff at meetings about their use of social media sites like Facebook and appropriate use of the Internet. Ask: How can we be ambassadors for good?

5) Communicate the importance of cyberethics. Use project discussions on roles regarding “people, process and technology” to ensure that everyone understands expectations and accepts responsibility for their online actions.

In conclusion, our workplace culture forms the foundation for our cybersecurity processes, procedures and controls. From the insider threat to using social media to surfing the cloud, employee actions online will inform and transform the workplace – one way or the other. Our goal should be to both enable responsible cybercitizens and challenge ourselves and our government teams to go the extra mile.

Let’s make cyberethics our ally and not our enemy. Become a cyber ambassador for good.

Lohrmann on Cybersecurity

Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.
