February 24, 2013 By Dan Lohrmann
Yesterday, I was given the opportunity to participate as a member of a panel entitled "States and Cybersecurity" at the National Governors Association (NGA) Winter meeting in Washington. This Health and Homeland Security Committee session was broadcast live on CSPAN and can be viewed here.
The other panelists discussing cybersecurity were Richard A. Clarke, Chairman and CEO of Good Harbor Security Risk Management, and David Hannigan, Chief Information Security Officer at Zappos. We were asked to focus our opening remarks on action steps that states could take and not to elaborate on the cybersecurity threat situation, which was covered in another briefing.
[Note: Samuel Ginn, Chairman of the National Telecommunications and Information Administration First Responder Network Authority, began the session by addressing plans for FIRSTNET.]
Here is a transcript of my opening remarks, which offer seven actions for Governors to take on cybersecurity:
Thank you Governor O’Malley for that kind introduction. I’d like to begin by thanking Governor Sandoval, committee members and NGA staff for inviting me today. It is an honor to speak with Governors on this important topic of cybersecurity.
I want to start by emphasizing that the State of Michigan government faces a barrage of unauthorized attempts to access our networks and systems each and every day. During 2012, we removed over 31 million pieces of malware from incoming emails, stopped over 142 million website attacks and blocked over 24 million network scans. The threat is real – we see it daily in Michigan, as does every other state in the nation.
So what can be done and what is Michigan doing now? I’d like to offer 7 actions that Governors should take to mitigate cybersecurity risk - 4 in the area of cyber defense and 3 in the area of cyber response.
First, four urgent actions regarding Cyber Defense -
#1: Governors Must Make Cybersecurity a Top Priority: In Michigan, Governor Snyder has personally led this charge by establishing clear areas of accountability, authority, visibility and governance. Michigan has centralized IT for all 17 Executive Branch Agencies, encompassing over 47,000 state employees. We have now merged physical and cybersecurity into one cohesive program. The Chief Security Officer is charged with providing enterprise-wide risk management and security associated with Michigan government’s assets, property, systems and networks. This organization also leads the development and implementation of a comprehensive security strategy for all Michigan technology resources and infrastructure.
#2: Each State Needs a Strategic Plan for Cybersecurity: Following the NIST framework, industry best-practices for cybersecurity and guidance from NGA’s new Resource Center on Cybersecurity, each state must implement an effective level of cyber defense. In October 2011, Governor Snyder brought together the best and the brightest from across the nation as he launched the “Michigan Cyber Initiative” at the national kickoff for Cybersecurity Awareness Month. This plan lays out a comprehensive strategy for establishing Michigan as a secure cyber state which protects individuals, business, and government, and safeguards citizen data. The strategy includes the development of resource kits for home, business, government and schools, as well as protecting our critical infrastructure in a safe cyber ecosystem. Our plan can be found at Michigan.gov/cybersecurity.
#3: Provide “Next Generation” Training and Awareness for Cybersecurity: In every state, employees are both our greatest asset and, sadly, our weakest link against cyber attacks. End user mistakes are the #1 cause of data breaches, whether they click on phishing scams, fall for social engineering tricks or inadvertently provide unauthorized access to sensitive data. In the past, Michigan developed training that quickly became outdated, boring, and, quite frankly, a failure. We learned from our mistakes and now offer new online statewide Cyber Awareness Training 2.0 for all employees. Brief, interactive lessons that are relevant, timely and, I must say, even ‘fun’ for the users are delivered to all employees over the web. Feedback thus far has been overwhelmingly positive, with employees praising the new approach and even sharing the information with family members at home.
And let’s not forget technical training for our cybersecurity staff. In 2012, partnering with Merit Network, we launched the Michigan Cyber Range. This state-of-the-art training, research and testing facility provides a secure environment for cyber response training, cyber defense scenario testing, and the latest in technical training for cybersecurity staff in the public and private sectors.
#4: Monitor and Defend your Networks 7x24: In our global Internet, attacks can come from anywhere at any time. We need qualified staff and effective tools to detect, assess and respond to threats in order to ensure the confidentiality, integrity and availability of our data, systems, and networks. Michigan is in the process of enhancing this capability with a next-generation Security Operations Center that never sleeps. We are also working to develop and report new metrics based upon the SANS Top 20 critical security controls.
But what if there IS a major cyber incident in your state? Are you prepared? What if you experience a breach? Recommendations 5-7 address Cyber Response and Infrastructure Resilience.
#5: Build a Cyber Disruption Response Plan: States must develop a cyber disruption response plan, containing a checklist of required actions following a catastrophic cyber incident. State governments have become very good at responding to natural disasters such as tornadoes, fires, floods and hurricanes. This same level of discipline must be applied to cyber incidents using an all-hazards approach. In partnership with the private sector companies who own and operate Michigan’s critical infrastructure, Michigan is developing a Cyber Disruption Response Plan to map out a clear communication strategy and the necessary actions following a major cyber incident. States should align their response plans with the recently released Presidential Executive Order on Cybersecurity and Presidential Policy Directive-21.
#6: Cyber Disruption Response Plans Must Be Tested: Following Federal Emergency Management Agency (FEMA) guidelines, all states should be testing and refining their cyber incident response plans to ensure infrastructure resilience. In partnership with other governments, Michigan has benefited by participating in all four Cyber Storm global exercises, as well as NLE 2012 which focused on cyber incident response. We are planning further public/private tabletop exercises during 2013 to test our cyber response protocols.
#7: Establish Trusted Partnerships: Cyber defense and response cannot be done on an island, or they will fail. We all must work together to face the growing threat, share information, and coordinate our response. Establishing and maintaining trusted relationships is central to cyber defense and incident response.
Michigan has strong partnerships with (to name a few):
The National Association of State CIOs (NASCIO) and other states
The U.S. Department of Homeland Security and other Federal agencies
The FBI and the FBI InfraGard program
The Multi-State Information Sharing & Analysis Center (MS-ISAC) in Albany, NY
Michigan State Police and other state agencies
Numerous Private Sector Partners
Building and strengthening these partnerships must be a key for each state moving forward.
In conclusion, cyberspace has revolutionized government. The Internet is accelerating opportunities for good and for evil at the same time.
Each state must act now to further protect their digital investments. Our public trust in government is at stake.
I look forward to addressing your questions.
February 19, 2013 By Dan Lohrmann
Most readers of this blog already know that President Obama released an executive order last week on the topic of cybersecurity. The actual text of the executive order, along with the text of the more detailed Presidential Policy Directive / PPD-21, offer a glimpse into the future of our cybersecurity battles in America over the next few years.
I have waited almost a week to comment so that I could summarize global reaction to these new edicts. As I mentioned before the executive order came out, new guidance on cybersecurity was almost inevitable for a variety of reasons. Well, now the federal government’s sector-specific agencies have their marching orders, and, like it or not, it appears to be time for critical infrastructure owners and operators to get on board the ship and do more to address weaknesses and raise the bar on cyber protections.
But before I provide my opinion of the EO, let’s take a look at the full range of diverging viewpoints regarding what policy was issued. On the one end of the spectrum, several experts have strongly condemned the EO and PPD-21 as overreach and bad cyber policy. For example, here are some headlines and brief excerpts worth examining:
Obama’s Cybersecurity Executive Order Falls Short – Heritage Foundation
“… The order uses a standard-setting approach to improve cybersecurity. However, such a model will only impose costs, encourage compliance over security, keep the U.S. tied to past threats, and threaten innovation.
While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO’s inability to provide critical incentives such as liability protection. As a result, this order could result in few modest changes, or it could result in substantial negative effects….”
Just as negative is leading cyber industry expert and author Richard Stiennon, over at Forbes blogs:
PPD-21: Extreme Risk Management Gone Bad - Forbes Magazine Online
“On Tuesday, February 12, 2013, President Obama issued Presidential Policy Directive 21: Critical Infrastructure Security and Resilience. PPD 21 represents my worst nightmare: the misguided mantra of management consultants writ large. How large? The entire Federal juggernaut is to be roped into a tangle of coordination, data exchange, R&D, and risk management to address ephemeral threats to critical infrastructure. It even stretches around the world to include governments that may host critical facilities and assets of the United States….”
Meanwhile, on the other extreme, there are calls for stronger regulations, more teeth and more aggressive government mandates and action.
Too Little Too Late: Obama’s Cybersecurity Executive Order is Way Under-Par - ABI Research in London
“… The U.S. President’s Executive Order on ‘Improving Critical Infrastructure Cybersecurity’ signed yesterday failed massively to address the burning requirements for securing the American nation. Although the Order proposes an information sharing platform and a cybersecurity framework, these solutions are weak and lack the bite that would make it effective….”
Cybersecurity Executive Order Short on Action, Long on Voluntary Initiatives - Dennis Fisher at Kaspersky Lab
“The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action….”
Obama's Cybersecurity Order Weaker Than Previous Proposals - Gerry Smith, Huffingtonpost.com
“President Barack Obama said during his State of the Union address Tuesday that he had signed an executive order aimed at protecting government and businesses from what he called "the rapidly growing threat from cyberattacks."
But the order he signed on Tuesday was significantly weaker than what his administration had proposed two years ago, leaving out a key provision that experts have said was needed to protect the country's most vital computer systems….”
But some sources say that the President got things right.
Obama presses Congress with cyber security executive order - Mike Hoffman, Defense Tech
“President Obama signed an executive order to increase America’s defenses against cyber security before highlighting the need for it in his State of the Union Tuesday.
The Executive Order will work together with the Presidential Policy Directive on Critical Infrastructure Security and Resilience that the White House also released today….”
Obama Cybersecurity Executive Order A First Step, But More Is Needed, Some Say - Brian Prince, Dark Reading
“… The executive order requires federal agencies to provide unclassified reports regarding threats to U.S. companies being targeted in a timely manner. It also expands the Enhanced Cybersecurity Services program, with the goal of enabling near-real-time sharing of cyberthreat information to participating critical infrastructure companies, and directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce threats to critical infrastructure….”
My View on the Cyber EO?
In my role as Michigan’s Chief Security Officer (CSO), I want to reinforce the view that we need bipartisan legislation on cybersecurity which addresses the best way forward for protecting critical infrastructure as a nation. I see positive aspects to the new EO, especially the provisions on more information sharing. The State of Michigan will be working closely with the U.S. Department of Homeland Security as partners in protecting our nation from cyberattacks.
At the same time, I also understand the criticisms that many in our industry have articulated. I certainly believe that more will need to be done to safeguard our critical infrastructure. The effectiveness of these provisions will depend on the follow-on actions taken by the public and private sectors.
State and local governments are watching closely as the federal government implements this EO and PPD-21. Government officials at all levels are asking, how will this affect my government? We also have a major role in critical infrastructure protection, and we coordinate with our private sector partners in each sector.
This will be a very pivotal year for cybersecurity. I look forward to learning more about plans and gauging the pulse of the nation on cybersecurity from federal and private sector partners next week at RSA in San Francisco.
What are your views on the new cybersecurity EO and PPD-21?
February 10, 2013 By Dan Lohrmann
According to Bloomberg, President Obama plans to release an executive order on cybersecurity soon after the State of the Union address. The State of the Union address is scheduled for Tuesday, February 12.
The administration, which has been drafting the order for at least six months, plans to set up voluntary cybersecurity standards for owners and operators of critical infrastructure such as water treatment plants, electric utilities and railway systems.
Here’s an excerpt from the Bloomberg article:
“The administration is preparing the order amid recent cyber attacks including the security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other newspapers attributed to Chinese hackers, and denial-of-service attacks that disrupted websites of U.S. banks.
The order directs federal agencies to consider incorporating the cybersecurity standards into existing regulations, according to the officials. It directs the government to share more information about computer threats with the private sector and issue more security clearances allowing industry representatives to receive classified information, the officials said.”
Recent European actions on cybersecurity
Meanwhile, eWeek and Theverge.com reported on European plans to toughen cybersecurity rules for their important infrastructure. Although the rules are only a draft at this point, the European Commission’s proposals are coming at an interesting time, showing that international concern about cyber threats is now at an increased level.
“The threat of cyberattacks haven't just been a concern of the United States, either. The European Union announced a plan of its own yesterday, which would require stock exchanges, banks, hospitals, and other companies to conform to more rigorous network security standards — and could even require companies that control important infrastructure to disclose any attacks publicly. The European proposal is a draft at this point, but if adopted could require US companies that do international business to conform to the standards.”
The European rules would require an audit of all critical infrastructure, and according to one source, this could be very problematic to actually implement.
The Sophos security blog called the European plans a “nice try” – adding that we need, “more clarity on objectives and more specifics on implementation….”
Rogers: America is losing the cyber war
And perhaps the biggest news event of the past week came from the opinion column written for the Detroit Free Press by U.S. Representative Mike Rogers, who articulated the view that America is losing the cyber war vs. China. This article does an excellent job of explaining our current cyber situation in clear, compelling language:
“What is currently happening to American intellectual property may be the largest transfer of wealth in the history of the world. A senior intelligence official recently stated that the amount of stolen intellectual property is equal to—and now exceeding—that of the entire library collection at the Library of Congress. This activity can no longer just be a cost of doing business with China. China is literally attempting to steal our way of life….
The U.S. government has classified cyber threat intelligence that, if shared with the private sector, could help the private sector better defend its own networks. Currently, the vast majority of the private sector does not have access to this vital data. Developed in close consultation with a broad range of private sector companies, trade groups, privacy and civil liberties advocates, and the executive branch, the bill enjoys the support of virtually every sector of the economy.
With simple, targeted legislation we can make a common-sense change that would take an important step to protect American computer networks from cyber theft and cyber attacks…."
What’s different this time?
Of course, this is not the first time that cyber legislation and White House executive orders have been predicted. Last year, there were many predictions, including mine, of an impending executive order and the impact of possible new laws regarding cybersecurity standards for protecting critical infrastructure.
So what is different this time?
The reelection of President Obama, as well as the increasing number and scope of cyberattacks against every sector of the U.S. economy, will make more action from the federal government both necessary and inevitable. In my view, we simply cannot keep doing the same things and expect different results.
I believe that U.S. Rep Rogers has it right. Our way of life in America is at stake. As a country, we love our smartphones, cloud computing, innovation and technology in general, but we need to be prepared to do more to protect all sectors of our economy from those who would do us harm. Since Congress seems unable to pass bipartisan legislation on cybersecurity, I am not surprised by this step from the White House. Get ready for an EO on cyber.
What are your thoughts? Is February, 2013, the right time for an EO on cybersecurity?
February 5, 2013 By Dan Lohrmann
Notifications sent from social media companies. Some people love them – others want them to go away.
Is your inbox filling up with reminders for you to log on or miss out? Has guilt or curiosity been used to get you to come back? Lately, I’ve come to discover that these emails can be helpful, annoying, rude and even fake.
Do any of these social media emails look familiar?
“Priscilla tagged you in 3 photos on Facebook.”
“Your friends (insert names) are waiting to see their posts on your timeline.”
“Saralee commented on Priscilla’s photo of you.”
“You have 3 connection requests, 10 tagged photos and 2 pokes waiting on Facebook.”
Perhaps you welcome these regular notifications. But as an infrequent Facebook user, I must admit that they’ve become rather annoying to me lately. On the other hand, my wife and daughters appreciate them, so it seems that everyone views these messages differently.
But I’m not alone in wondering about the default setting for sending these notifications. In fact, you can even ‘like’ this message which proclaims - Facebook: stop sending me emails.
And frustration is not only about Facebook’s email notifications. Google+, Twitter and LinkedIn have their own share of both helpful reminders and pushy messages. For example, this article discusses the Google+ birthday reminder feature:
“Many find Facebook's birthday reminders silly. Either they're overlooked entirely or lead to a post attack that clutters up someone's Wall (or Timeline). The folks behind Google+, on the other hand, might've just figured out how to make birthday reminders better (or less annoying, at least).”
On the negative side, this article points to the downside of Google+ suggestions to friends:
“I understand that your goal is to get everybody using Google+ and I know your reasons behind it. But I’m pretty put off by being asked on EVERY SINGLE SEARCH QUERY whether or not I’d like to ask my friends about something. It’s like the Facebook share button on a porn site. There are things that I don’t ever want to talk to my friends about, even if they’re not embarrassing, so please stop asking me.”
Whether these messages annoy you or not, you’d better make sure that they are, in fact, genuine. There are true stories of fake social media messages which deliver malware. This article about a Facebook photo notification tells of one phony message.
“Be careful about opening emails that claim you have been tagged in a Facebook photo, because they may actually be malware, according to a security expert.
Sophos's NakedSecurity blog outlined the threat on Wednesday. The company's SophosLabs intercepted a "spammed-out email campaign" which was designed to spread malware.”
Can you tell real messages apart from fake ones? This blog post tests your ability to distinguish real Facebook messages from fake ones that download malware.
“Unfortunately, phishers are getting better at what they do, and spotting a fake isn't as easy as you might think. I've assembled four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake? (Click any image to see it at full size, or visit the accompanying gallery to flip through all four screens at full size.)”
Turning Off Notifications
Yes, you can trim down or turn off these notifications in Facebook, Google+ and Twitter.
This link can help you turn off notifications for your Google+ calendar.
Or, this Business Insider article covers turning off (or cutting back on) Facebook notifications.
There’s even a service to turn off the notifications across multiple platforms. For example, the Notifymenot service, which is described here, turns off notifications for multiple social media sites.
Turning Off Social Media Entirely?
But some are going much further. They are asking whether it is even time to quit social media altogether. I’m not going that far, but here’s an excerpt from a thought-provoking article I read recently:
“…Almost a quarter of Americans say that they’ve missed out on important life moments in their quest to capture and memorialize them for social media. Think about that the next time you’re Instagraming your anniversary dinner at P.F. Chang’s. With the ubiquity of communications technology in our daily lives, it’s easy to convince ourselves that the digital world is where all the action is and that the effort we put into building our online empire directly correlates to IRL benefits such as scoring a new job or landing a new mate. In fact, over 90% of job hunters of all ages look for work online, but less than 5% are conducting offline job hunting activities such as attending networking events or setting up information interviews. And guess what? A full 70 – 80% of job vacancies are never posted, so all that job board scouring is likely for naught….”
I’m not going that far, but as I mentioned last year about this time, I know people who are giving up much of their online life, at least for a season such as Lent.
As for me, I’m just cutting back on the notices a bit. I like using social media, but my inbox is filling up with too many notifications. Now that the Super Bowl is over, I think it’s time to go on a notifications diet.
How about you? Do you like social media notifications?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.