November 19, 2012 By Dan Lohrmann
Everyone is talking about the General David Petraeus scandal. No matter where I’ve turned since the day after the election, from CNN to the BBC, from cable TV news to Hollywood gossip or from the office coffeepot chatter to Drudge headlines, inquiring minds want to know more.
The stories are all over the map. The women involved, the Congressional testimony, the General’s distinguished career, warnings telling us “don’t throw stones,” Saturday Night Live (SNL) videos, the lifestyles of four-star generals and even articles proclaiming Petraeus is a scapegoat.
Like a soap opera, most answers just seem to lead to more questions. Did his affair reveal secrets? Who knew what, when? Did his relationship somehow affect military actions in Benghazi? Was information withheld prior to the election?
Personal Technology Advice: What About My Email Privacy?
But what I find most intriguing are the articles, blogs and opinions analyzing what all of this means for the rest of us who use technology – with a special emphasis on redoubling efforts to protect email privacy. There are lessons about how the General could have used his email more securely to avoid being caught, steps to avoid online detection and much more.
For example, John D. Sutter starts off his CNN commentary with this question: "When the CIA director cannot hide his activities online, what hope is there for the rest of us?"
Here are some of the articles I’ve been reading along with my reactions:
PC Week (under practical security advice): Here’s how to secure your email and avoid becoming ‘Petraeus’ – my reaction… really?
ComputerWorld: Email Lessons from the Gen. Petraeus downfall - "The best way to protect yourself is to simply realize that privacy doesn't necessarily exist in the electronic world," said Dan Ring, a spokesman for the security company Sophos. "Simply put, if you don't want it out there in the world, don't put it in the electronic world." – my reaction… I like this advice more.
Today.com: Think before hitting send: Lessons from the Petraeus scandal – my reaction… some good reminders.
Computerworld: US lawmakers ask if federal workers have email privacy – my reaction… don’t forget about e-discovery and FOIA requests.
AOL.com: The Petraeus Affair: Email Lessons For The Rest Of Us – my reaction… an interesting list of don’ts, but the real list is much longer.
Time.com: The mind of Petraeus: Why cheaters think they won’t get caught – my reaction…. I like this ending: “There would, perhaps, be something good in all this if the tragedy of these men served as teachable moments for others — and the fact is they probably do. You can’t prove a negative, and we can never know of the career-wrecking affairs that didn’t take place because successful men looked at the narcissistically fallen and made a sharp turn in the other direction. But there are more than enough — as we repeatedly learn — who who plow straight ahead, and there probably always will be. David Petraeus, the latest in a very long line, is highly unlikely to be the last.”
Vanity Affair: Tricks from Terrorists and Teenagers Alike: How to Keep the Romance of an Extramarital Affair Alive – my reaction... the steps that General Petraeus and Paula Broadwell took to conceal their activities make it very clear this one not a “one night stand,” nor does this easily fit into the category of “we all make minor mistakes sometimes.”
What’s My View?
Back in June, I listed my favorite survival tips for social media, which you may want to review. Earlier, I wrote this rebuttal called Dr. Jekyll and Mr. Hyde: Managing online indulgence for CSO Magazine, in response to a blog in the Harvard Business Review describing how we can safely hide activities online.
Still, I’d like to take this topic a bit further. Why?
Recently I ran into my editor at a state technology conference. He urged me to be more bold on current events. So here’s my view on Petraeus’ now famous emails as well as most of the follow-up articles addressing online etiquette for the rest of us.
I think all these tricks and tips and online hiding shenanigans listed in hundreds of advice columns are basically fool’s gold. Sure, some email privacy techniques or other ways to hide personal activities online may work for a while and fool most people some of the time. But they won’t fool all of the people all of the time. Sooner or later you will get sloppy or an observant hacker or coworker or friend or spouse will figure out what you’re doing.
I am actually pretty stunned that so much attention after the Petraeus situation is on email privacy at work, when most government and business networks have very clear policies which state that there is no presumption of personal privacy on work email or office networks. Even if you use Gmail or Yahoo.com on work computers, your information can generally be seen, if desired, by good cybersecurity teams.
I am not saying that reading employee emails is a frequent occurrence on workplace networks, because it isn’t. In fact, most Chief Security Officers (CSO) will tell you that their teams don’t have the time or desire to read employees’ email. Nevertheless, if you are doing something that you shouldn’t, don’t be surprised when you eventually get caught. The reduction of insider threats is part of our security job, and that means uncovering hidden things when asked by human resources to check on certain staff or when inappropriate activities are suspected.
And My Best Advice Is?
But the best personal advice that I can provide you on this topic is not new or original. In fact, it comes from a very old book that still applies just as much to our 21st Century online world as it did thousands of years ago. “Whoever walks in integrity walks securely, but whoever takes crooked paths will be found out.”
Yes, we all make mistakes. Surely, there can be forgiveness, mercy, second chances and the rebuilding of trust. But the main lesson to learn from the Petraeus story is that inappropriate behavior has consequences – and NOT that the Director of the CIA needed better email processes or technology.
Ultimately, honesty, accountability and forgiveness are still the only approaches that work.
November 12, 2012 By Dan Lohrmann
I’d like to introduce our new Michigan Cyber Range which was formally launched on Friday, November 9, 2012. But before I do, I’d like you to reflect on a few questions that we have been thinking long and hard about in Michigan over the past eighteen months.
With the “bad guys” getting better and America probably outgunned in cyber, where can business and government cybersecurity teams go to learn how to defend against complex cyber attacks?
Knowing that over 80% of critical infrastructure is owned and operated by the private sector, who is working to answer important cyberdefense questions across all layers of government, business and academia?
How do private sector utilities apply best practices to prevent critical infrastructure like our new smart grid from being manipulated inappropriately?
What test & research facilities are quipped and available to simulate different advanced malware attack scenarios – without impacting operational networks? Is there a way to bring together world-class training, virtual connectivity, public/private partnerships, available expertise and computer software/hardware reuse into a state-of-the-art cyber lab in order to allow all sectors of the economy to work together and achieve common security goals?
Can these stories about major security breaches lead to new career opportunities for our young people regarding cyberdefense in a wide variety of industries? Assuming yes, how can we make it happen?
What skills and real-world experience is needed for future cyber jobs? How can we assist our K-12 schools, community colleges, universities and continuing education programs in building these competencies?
Many of the roads that lead to the answers to the above questions converge at our Michigan Cyber Range that is being run by Merit Network, Inc. in Ann Arbor. To get a sense for the concept, check out this video that we highlighted at the beginning of the cyber range launch on Friday.
What is a Cyber Range?
Almost everyone has heard of a gun range, where people can practice shooting targets under a variety of conditions. Similarly, a “proving ground” has long been established to test and train on military equipment. One example is Aberdeen Proving Ground.
In the same way, a cyber range is a facility that can be used to test and train as individuals and teams on a variety of computer security equipment. A National Cyber Range was set up by the Defense Advanced Research Projects Agency (DARPA) as a national defense testbed for critical security research. But these facilities are classified and used for military personnel at classified levels. What about the businesses and governments around the country that must defend their networks from attack without secret networks?
As stated by the Governor, DTMB Director John Nixon, CIO David Behen and others at our launch, the Michigan Cyber Range enables individuals and organizations to develop detection and reaction skills through simulations and exercises. The program offers students and Internet technology professionals a full curriculum of meetings and workshops as well as critical cybersecurity training and awareness tools.
Critical areas that will benefit from the creation of the Michigan Cyber Range include: Infrastructure defense, Homeland Security, criminal justice and law enforcement, academic and educational programs, and small and medium businesses.
Michigan Cyber Range Development
In the late spring and summer of 2011, Michigan Governor Rick Snyder brought together a diverse group of technology, security and business experts from across multiple sectors in Michigan to answer the questions listed above as a part of a formal Michigan Cyber Initiative. The answers to the opening questions started to take shape last October at our 2011 Michigan Cyber Summit. At the same time we launched a new consolidated security team that brought together physical and cybersecurity within Michigan State Government.
Side note: many details of these broader Michigan security efforts are chronicled in this National Association of Chief Information Officers (NASCIO) award submission under the category of security and privacy. As a follow-up to the Cyber Summit last year, we also completed our statewide 2012 Cyber Breakfast Series this past week. For these security leadership efforts, Governor Snyder was recently recognized by Symantec with this national award.
Meanwhile, much more was going on behind the scenes. While we alluded to the benefits of a cyber range as well as a need for these new cybersecurity resources at a variety of events over the past year, we were quietly working behind the scenes to build the Michigan Cyber Range with support from the public and private sector. We were encouraged by our meetings in Washington D.C. with representatives from the National Institute of Standards & Technology (NIST), the U.S. Department of Homeland Security (DHS), the U.S. Department of Energy and others. We worked with others as we examined the case for a new enterprise cyber range.
Teams of technology leaders from within government, the private sector and academia met with companies from around the state and country over the past year to encourage support of these cybersecurity efforts, and the response was very positive.
The State of Michigan issued a Request for Proposal through the Michigan Economic and Development Corporation (MEDC) to determine who should run this critical public/private effort, and Merit Network, Inc. was chosen. Merit is a nonprofit, member-owned organization formed in 1966 to design and implement a computer network between public universities in Michigan.
The founding members of the Michigan Cyber Range, along with many other companies that hope to support the range in the near future, are excited that the necessary support was achieved in about one year.
What Happened at the Launch?
Friday’s launch event in Ann Arbor, which was attended by government, business and academic leaders from all over Michigan, included speeches from Governor Snyder, Merit President & CEO Don Welch and U.S. Department of Homeland Security Acting Director of Acting Director Critical Infrastructure Cyber Protection & Awareness, Carlos Kizzee. Introductions and recognition of key sponsors were offered by DTMB Director John Nixon and State CIO David Behen. Also attending, but not speaking, was U.S. Department of Energy CISO, Gil Vega.
After the opening comments and ceremonies, the Governor cut the ribbon on the cyber range, with the sponsors participating in photos and short presentations by students and experts on the cyber range plans and capabilities.
The launch of our new Michigan Cyber Range was covered by numerous media outlets around the Great lakes region and the country. Here is a small sampling of the media coverage we received on the cyber range launch:
Detroit TV 20 video: Protecting Our Networks
Emergency Management Magazine: Michigan Launches 'Cyber Range' to Enhance Cybersecurity
Ann Arbor Journal: Gov. Rick Snyder attends opening of Michigan Cyber Range
Oklahoma News: Gov. launches cyber security training facility
The Republic, Columbus, Indiana: Mich. governor launches opening of Michigan Cyber Range to detect, prevent electronic threats
Wish TV.com: Gov. launches cyber security training facility
So What’s Next?
The reality is that this is just the beginning of a long cyber journey. This new capability and resource will enable an entirely new set of answers and more questions regarding cyberdefense. While we believe that this cyber range is unique and essential to fight and win current and future cybersecurity battles, we plan to partner with other cyber ranges such as the DETER Project. Could this become the “Great Lakes” Cyber Range? Only time will tell.
But for now, it is enough to say: “Welcome, come in and explore the new Michigan Cyber Range.” Students will interact on the range through classes and programs at many Michigan Universities. Companies and government teams will connect through virtual private networks (VPNs) that will connect to the range and by visiting range facilities in person.
If you’d like more information or want to know how get involved, please contact Merit Networks at: http://www.merit.edu/cyberrange/contact.php.
November 4, 2012 By Dan Lohrmann
We currently have several important security stories and not much public attention.
As America prepares to vote in a pivotal presidential election on Tuesday, there have been several significant security stories recently. However, they are receiving minimal national attention. Between the coverage of Tropical Storm Sandy, pre-election rallies and the latest unemployment rate coverage, almost all security news has taken a back seat – unless you are talking about the September 11, 2012, Benghazi attack.
South Carolina Data Breach Reactions
Nevertheless, state and local government leaders have been quietly been scurrying around after South Carolina recently revealed the vast scope of their security breach.
From my perspective on the S.C. breach, I have never seen such a wide number of questions and urgent security checks from the business side of the house in many states. Tax officials across state and local governments nationwide seem worried as never before. Everyone is asking some variation of the questions: “Could this happen to us? Has it happened to us?”
For those who have not heard about or followed this story, more data came out mid-week with the announcement that businesses were affected:
“As many as 657,000 S.C. businesses had their tax information stolen in the massive security breach at the state Department of Revenue that also claimed the records of up to 3.6 million people, Gov. Nikki Haley said Wednesday….
The discovery came after a two-hour Senate Finance Committee hearing, where Revenue Department director James Etter pointedly was asked whether business records also had been taken by the hackers. State officials still are learning more about the data theft, which is affecting four times as many people as all previous breaches combined in the state over the past seven years.”
State governments across the U.S. reacted in a variety of ways following the announcement of what one paper called: “The mother of all security breaches,” and “The largest breach against a state tax agency in the nation.”
But while there were plenty of articles, phone calls and online discussions about what exactly happened and who is (or isn’t) to blame, the exact breach details are still not clear to those outside the sensitive Secret Service investigation in South Carolina. I am confident that we will be hearing much more on this story in the weeks and months to come.
What is clear to me is that this is a big wake-up call for government officials – even more so than after the Utah data breach earlier this year. More and more, government executives are realizing that we face serious global cyberdefense challenges that affect governments at all levels. As I said in April, there are dark clouds over technology, and we are all vulnerable and being targeted. Action cannot wait. I’ll be back with more on this story in a few weeks.
Is An Executive Order on Cybersecurity Still Coming?
There continues to be a strong chance that an executive order is coming on cybersecurity is coming soon – perhaps in the upcoming lame duck session of Congress.
“[Homeland Security Secretary Janet Napolitano] said that "when" President Obama is reelected, "I think he will have to consider an executive order that covers many of the areas that legislation would cover."
But a Heritage Foundation blog thinks this is still a bad idea as they pronounced that the more regulation is coming.
“This draft executive order is similar to the failed Cybersecurity Act of 2012 in that it proposes additional regulations as a solution to the U.S.’s cybersecurity woes. A regulatory executive order for cybersecurity is flawed and insufficient, and it ignores the deliberative process of Congress, which has thus far rejected a regulatory approach.”
A similar view is shared by some of my friends over at CIO Magazine.
Still, the Chicago Tribune reported that the Senate likely to revisit cyber bill when Congress returns.
As I hinted back in March while discussing cybersecurity legislation, my guess is that some type of executive order or legislation on cybersecurity may still come in November or December after the election. I continue to hope that a bipartisan compromise can be reached.
A Treaty on Cyber?
Meanwhile, Thehill reports that the United Nations (UN) wants cybersecurity mandates to be in a new telecommunications treaty. Many countries are:
“Pushing to include cybersecurity proposals in the treaty that could lead to online censorship or put one regulatory body in charge of cybersecurity mandates….
The U.S. submitted a baseline set of proposals for the telecom treaty in August. The latest tranche of proposals it's sending to the U.N.'s International Telecommunications Union are more concrete positions that are in response to proposals discussed by other countries and trade groups.
The treaty will be reviewed for the first time since 1988 at the World Conference on International Telecommunications (WCIT) in Dubai this December....”
I find the timing of this and a variety of other cybersecurity topics to be interesting, in that new proposals are being sent the day after the election. This may just be a coincidence, but one thing is clear: whether for political reasons or more likely because other topics have a higher priority during the election season, quite a few cybersecurity issues are lining up for the November/ December 2012 timeframe.
Tropical Storm Sandy Scams
One more story to point out in this security news roundup. As can now be expected after almost every major global news event, and especially with natural disasters, there are many Tropical Storm Sandy scams being revealed.
“State attorneys general, business and consumer groups and the Justice Department are among those cautioning consumers to be wary as requests for donations start arriving via email, text message, telephone and Twitter.
‘’Fraud is an unfortunate reality in post-disaster environments,’ said Joe Wehrle, president of the National Insurance Crime Bureau, a nonprofit group which deals with vehicle sales and repairs fraud. ‘As the initial recovery from Hurricane Sandy begins, there are people right now who are planning to converge on the affected areas in order to scam disaster victims out of their money.’”
USA Today reported: Beware: Time is ripe for Hurricane Sandy scams
“A decade ago fraudsters had to rely on phone calls to deliver their high-pressure sales pitches. Then they were able to use e-mail. Now social media adds an entirely new weapon to their arsenal.”
What’s my advice as we head past election day and into the holiday season? No matter who wins the election on Tuesday, watch out for post-election scams to match or exceed the Tropical Storm Sandy scams - beginning this Weds morning. The bad guys will do anything to "tempt the click."
Also, stay informed on the security threats in your corner of cyberspace. We need to be ready – because these hot security stories won’t go away even after the election and the Tropical Storm Sandy cleanup move off of the front pages.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.