Government Technology

By Dan Lohrmann: Covering the security challenges facing governments today and offering innovation solutions to global and local cyber threats.

Futurists: In-body computers and higher-stakes for security

March 31, 2013 By Dan Lohrmann

The book 1984 was written by George Orwell in the 1940s. Words and concepts such as “Big Brother,” “doublethink,” “thoughtcrime,” “Newspeak” and even “Orwellian” come from this famous literary work.

More than sixty years later, philosophers still argue about what Orwell would say about the Internet, technology in 2013 or our future, if Orwell were alive today. Students continue to read and learn from Orwell and debate questions about security, privacy and monitoring on the Internet today.

Taking a step back and shifting the focus to tomorrow, what are today’s futurists predicting? And for security, what is coming down the road? I believe that this is more than just a fun daydreaming exercise. Indeed, we can learn some lessons to apply today by thinking more about tomorrow.

The Future According to Kurzweil

Futurist Ray Kurzweil says we’ve only just begun to innovate. He predicts a world with in-body computers to detect and fight disease and a world dominated by artificial intelligence.

After founding several companies, Kurzweil was recently hired as director of engineering for Google, so his ideas are not just far-fetched dreams. Here’s an excerpt from a late-January 2013 interview:

You have said that by the 2030s, people will have blood cell-sized computing devices in their bloodstreams and brains that connect directly to off-site computer data servers. What makes you think that?

We already have computerized devices that are placed inside the body and even connected into the brain, such as neural implants for Parkinson’s disease and cochlear implants for the deaf. These devices can already wirelessly download new software from the cloud. Technology is shrinking at an exponential rate, which I’ve measured at about 100 in 3D volume per decade. At that rate, we will be able to introduce blood cell-sized devices that are robotic and have computers that can communicate wirelessly by the 2030s.

How would such devices be regulated to ensure that outside forces can’t manipulate people’s thoughts and actions through the Internet?

Privacy and security are already very significant issues, considering the personal and intimate things that people do with their computers. This is an issue we will never be able to cross off our “concern list,” but we’re actually not doing that badly. Relatively few people today complain that they have been significantly damaged by privacy and security breaches. ...

Near-term Predictions: AOL’s ‘Digital Prophet’ David Shing

But Google’s engineers aren’t the only ones thinking about the future. AOL has their own futurist - Digital Prophet David Shing. In a recent presentation which focused more on the next decade than twenty or thirty years out, the ‘shock-haired Australian’ described ten predictions.

Here are a few of those:

  • There will be a backlash in social media as it starts to get too diluted and, dare we say it, stalker-like – e.g., allowing you to pick your seat on an airplane beside someone you spot on LinkedIn who you want to connect with. The backlash will take the form of defriending, unfollowing, culling our social networks.
  • “Attention is the new currency”: the Web has become “overwhelming” so curation of niche interests will be important.
  • It will be all about video calls on our phone by 2015.

The Future of Marketing?

And how will this change Internet Marketing over the next few years? I found this post on the future by “Dan (@Tropical MBA)” to be fairly compelling.  While this topic of marketing trends may seem irrelevant to security and technology professionals, remember that we need to pay for our Internet content somehow. Business marketing of products is a major driver in technology innovation and service delivery.

This entire article is worth reading, but here are three of his seventeen trends:

  • Your customer’s track record will become more important than yours. More than ever before, you need to have a home run answer to the question how much money do you make and what have you done? That’s just the beginning, in the coming years it’ll matter even more how your customers are faring.
  • Cultivated and proctored communities will start popping up everywhere. The readers of the TMBA often cite “100 True Customers” as one of our most useful articles. There you’ll find a pretty clear plan for making $40,000 a year as a content producer. I think this approach will get utilized a lot more in the coming years.
  • University educations will start to look more like internet marketing training, and internet marketing training will start to look more like university educations. They’ll converge and find a middle ground in the coming decade.

The Future of Cybersecurity

So what does all this mean for the future of cybersecurity? A few months back, I articulated my views on what it will mean to be a security leader in 2020 for CSO magazine. One key message is that roles within security will only increase, as we depend more and more on technology moving forward. We are already witnessing the growth in the importance of embedded technology within critical infrastructures.

Another message: Security leaders should strive to be trusted advisors.

One perspective (which I believe is flawed) is that once we “figure out” identity management, current Internet holes and ID theft (possibly with biometrics), we will start to see a dramatic reduction in the role of cybersecurity. I disagree.

The future technology trends listed above mean that hacking and computer security concerns will evolve to include social media attention, imposters infiltrating trusted networks, the delivery of university education, devices implanted in the body, cars that drive themselves and much more.

For the foreseeable future, we will have what Kurzweil calls “personal and intimate things that people do with their computers.” That is why the need for security and privacy protections will continue.

Or as Orwell once wrote, “We sleep safe in our beds because rough men stand ready in the night to visit violence on those who would do us harm.”

Why trashing security awareness training is a bad idea

March 24, 2013 By Dan Lohrmann

There has been a lot of discussion over the past few months regarding an article entitled: Why you shouldn’t train employees for security awareness.  This viral article from last summer is still very popular. It was written by Mr. Dave Aitel, who is the founder and CEO of Immunity. If you’re not familiar with this debate on the value of cyber awareness training, I recommend taking ten minutes to check out Mr. Aitel’s views and the corresponding comments.

After reading this article as well as many rebuttals, I believe a few common themes emerge:

1) The majority of cyber experts and technology leaders disagree with Mr. Aitel for a variety of reasons. The verdict seems to be that we need an “all of the above” approach when it comes to training as well as other activities, policies, tools and cybersecurity actions. The conventional wisdom says we need answers relating to people, process and technology – and awareness training helps the people and process part.

One of my favorite rebuttals was written by Boris Sverdlik at Infosec Island. For the most part, I agree with Mr. Sverdlik’s perspective on this topic.

2) Mr. Aitel is not alone in his views on awareness training. Bruce Schneier, a well-known security blogger and industry expert, wrote this piece on the topic. Similar articles were written last year. Read this response to dropping security awareness from Spiceworks, written last July.

3) There is no doubt that Mr. Aitel makes many good points that need to be taken seriously. Who can argue with any of these seven actions (described in more detail in his article):

  • Audit Your Periphery
  • Perimeter Defense/Monitoring
  • Isolate & Protect Critical Data
  • Segment the Network
  • Access Creep
  • Incident Response
  • Strong Security Leadership

The Good, the Bad and the Ugly with this ‘Shock Marketing’ Approach

But rather than just echo other rebuttals, I’d like to address a broader set of implicit questions that this article raises. Specifically, what are the positive and negative ramifications to throwing end user awareness training (or for that matter, any other training, technology, policy or approach) under the bus? Why do we instinctively react negatively to Win/Lose articles and blogs like this?

Perhaps most important: Does this article make CISOs and other security leaders want to implement his seven actions or buy his product more?  I think not.

I basically view this piece to be a form of “shock” marketing or advertising to get our attention. Why shock advertising? Because the words are carefully chosen to force a strong reaction. Notice that the headline is not: “How to follow an offensive security program,” or, “Seven essential security steps for organizations,” or even, “Why Immunity offers the best … whatever.” Those titles would not have received the same level of viral attention and would yield minimal page views. No, the approach seeks to grab our attention with something we inherently want to argue or defend or discuss.   

Lest I be accused of not practicing what I preach, I want to present my response in a respectful manner to this particular author and training issue. Nevertheless, I think my concerns are relevant for other topics that use a similar marketing approach. We’ve all seen similar techniques used for various products and services.

I don’t know Mr. Aitel or his company, but he seems to be an articulate security executive with a positive reputation and a good set of credentials. I have nothing for or against him or his company. Rather, I think this is a good example of an author trying to get noticed in a very crowded social media market vying for our attention. What’s the result?

The Good

What are the good aspects of this article? First and foremost, shock marketing gets you noticed. There’s no doubt that I now know who Dave Aitel is. Before I read this article, I didn’t know anything about him or his company. I’m even writing a blog about his article, along with dozens of other bloggers.

A Google search on this headline, gets big results. Immunity has more people going to the company’s website. I’m sure Dave also has more LinkedIn requests for connections. These are all sales leads.

No doubt, many people have emailed him and unloaded all of the things that they think are wrong with their company’s awareness training program(s). He may even be attracting a few hackers with talent to join his company.

Second, this article also draws attention to his points regarding other cyber priorities. It shines a light on other important aspects of cybersecurity.

The Bad

One bad aspect of shock marketing is that it can turn people off. Yes, you get your name out there to make a point, but are you changing people’s minds? Are you getting noticed for the wrong reasons?

More important, he might be associated with a negative image that is hard to undo. What stuck in my mind a few days after reading the article is that he thinks awareness training is a waste, and not his other seven points.

The Ugly

But the ugly part of this article is a perception it leaves regarding a potential lack of integrity. Now I must say up front that the author may indeed believe what he is saying about awareness training. I don’t know his true motives or beliefs. Perhaps he really thinks that end user awareness training activities are a total waste of time and money.

But if this is so, why does he end the article the way he does? Here’s an excerpt:

“By following an offensive security program, companies can keep their networks, and employees, protected.

Dave Aitel, CEO of Immunity Inc.... His firm specializes in offensive security and consults for large financial institutions….”

Notice that the answer given is to “Follow an offensive security program.” This is a classic “Win-Lose” example from Covey. Or in other terms, don’t spend your company or government dollars on awareness training, but buy my products and/or services instead.  

On the other hand, a similar article by Bruce Schneier looks at the arguments for and against awareness training, without trying to sell me his products in the process.

Improve, don’t remove, security awareness

In conclusion, there is a long list of reasons that security awareness training makes sense, as described in other rebuttals. Businesses have audit findings to address, processes that need refining and pragmatic compliance reasons to train employees.

And yes, there is plenty of poor and meaningless awareness training out there. I agree that awareness training must be improved and results measured. Over the past year, I have advocated new approaches that offer more intriguing awareness training that is brief, relevant, timely, fun and changes behavior.

And yes, cost is a factor. I suspect that some organizations spend too much on awareness training. However, most state governments spend less than 1% of their security budgets on awareness training.

Most important, if you really want to change my mind and convince me to stop offering awareness training – let the arguments stand alone.

And if you want me to buy your product – try a different marketing approach based on WIN-WIN principles. Please don’t trash awareness training in the process.

New NIST Cybersecurity Framework: Your Input Needed

March 17, 2013 By Dan Lohrmann

The day after President Obama released the “Improving Critical Infrastructure Cybersecurity Executive Order,” the National Institute of Standards and Technology (NIST) issued this press release announcing the development of a new framework to reduce cyber risk.

What do they need right now? Your input by April 8.

Here’s an excerpt from the February 13, 2013, press release:

The National Institute of Standards and Technology (NIST) today announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security and daily life.

… In accordance with the Executive Order, the Secretary of Commerce has directed the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure, such as power plants and financial, transportation and communications systems. NIST will issue a Request for Information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders….

Stakeholder meetings are also a part of the framework process. The first meeting will be held April 3 at NIST headquarters in Gaithersburg, Md. For more information on this workshop or to register, go to this NIST website.

Many public and private sector organizations are talking about this new framework and the corresponding development process now, as demonstrated by this blog by Rodney Petersen from EDUCAUSE. Rodney points out that: “EDUCAUSE and Internet2 are working with the Higher Education Information Security Council to review the Questions in the RFI to develop a higher education response.”

In addition, I am aware of efforts by the National Association of Chief Information Officers (NASCIO) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) to gather input to this request by NIST. Whether these organizations compile a combined RFI response from states or just encourage state and local governments to respond individually is not clear at this time.

The Request for Information (RFI) can be seen here, and related comments should be e-mailed to cyberframework@nist.gov by April 8, 2013 with the subject line: "Developing a Framework to Improve Critical Infrastructure Cybersecurity."

I urge you and your organization or government to engage in this overall process. It is far too easy to complain about what is or what is not happening in Washington D.C. regarding cybersecurity. It is another matter entirely to be a part of the solution. This framework will provide an important piece to our roadmap over the next four-plus years, and we all need to get involved.

Related Congressional Developments on Cybersecurity

In a related development, DHS Secretary Janet Napolitano recently testified on the cybersecurity executive order. Here’s an excerpt from the Homeland Security Newswire article:

“Cybersecurity has become a hot topic recently, as information emerged about a series of cyber attacks on U.S. banks, Microsoft, the New York Times, the Wall Street Journal, Bloomberg, and many other companies. A detailed expert report confirmed that these attacks, and others, were the work of operatives working for China’s military intelligence services (see “Chinese government orchestrates cyberattacks on U.S.: experts,” HSNW, 19 February 2013).

The Hill reports that these attacks now have lawmakers concerned about more destructive attacks on water systems, financial institutions, transportation, utilities, and other critical infrastructure….

Senate Commerce Committee chairman Jay Rockefeller (D-West Virginia) said in a statement that the threat of a cyber attack is higher than ever, especially since the Congress failed to pass any cybersecurity legislation last year. “We simply cannot afford to wait any longer to adequately protect ourselves,” Rockefeller said in his statement….”

Just yesterday, the news came out that the McCaul-Lipinski Cybersecurity Enhancement Act advances to House floor. This legislation passed the House in 2012 and 2010 with overwhelming bipartisan support. The bill:

• Improves coordination in government, providing for a strategic plan to assess the cybersecurity risk and guide the overall direction of federal cyber research and development.

• Updates the National Institute of Standards and Technology (NIST) responsibilities to develop security standards to harden our federal networks and processes for agencies to follow.

• Establishes a federal-university-private-sector task force to coordinate research and development and improve training of cyber professionals.

• Continues much-needed cybersecurity research and development programs at the National Science Foundation and NIST.

Presidential Actions On Cyber This Week

Meanwhile, President Obama hosted an unprecedented meeting with CEOs this past week on cybersecurity threats facing our nation. The New York Times reported on the meeting that, “Mr. Obama wanted to hear directly from industry leaders about how vulnerable their companies were to computer attacks. The president also wanted to discuss efforts the government was taking to address threats.”

In an interview with ABC News, the President also answered questions on cyber threats. Here’s that exchange:

PRESIDENT BARACK OBAMA:
Well, I think– you al– always have to be careful war analogies. Because, you know, there’s a big difference between– them engaging in cyber espionage or cyber attacks and– obviously– a hot war. What– is absolutely true– is that we have seen– a steady ramping up of cyber security threats. Some are state sponsored. Some are just sponsored by criminals. The–

GEORGE STEPHANOPOULOS:
But some are state sponsored?

PRESIDENT BARACK OBAMA:
Absolutely. And– and billions of dollars are lost to the consequences. You know, industrial secrets are stolen. Our companies are put into competitive disadvantage. You know, there are disruptions to our systems– that, you know, involve everything from our financial systems to some of our infrastructure.

And this is why I’ve taken some very aggressive executive actions. But we need Congress to act. We’ve put before Congress what exactly we need that will protect people’s privacy and civil liberties, but will also make sure that our overall system, both public and private, are protected from these kinds of attacks.

In conclusion, there is definitely a new sense of urgency to these cybersecurity matters. The topic of cyberdefense has now been elevated to the highest executive levels in the public and private sectors, even entering the conversation alongside such topics as the national debt, the economy and North Korean concerns.

State and local governments need to have this same sense of urgency on policies related to cyber. Get involved.

What are your thoughts on recent developments?

Three Takeaways from the 2013 RSA Conference in San Francisco

March 3, 2013 By Dan Lohrmann

The largest cybersecurity conference in the world was held this past week - RSA in San Francisco. The 2013 show was as big and, in reality, overwhelming as ever. There are literally thousands of articles and press releases that come out each year about the companies, products, awards, people and the hottest global security topics related to the greatest IT security show on earth.

There are so many conference sessions, side-meetings, receptions, demonstrations, bake-offs, dinners (and lunches and breakfasts), separate conferences running concurrently and more that it is hopeless to think that attendees can participate in even a small fraction of the available activities. The vendors know that most security leaders with influence are somewhere in San Francisco during the week, and they all want to have “face-to-face” time over a meal or coffee.

When I told one vendor friend that I was just too busy for another introduction with a new company, he tried the guilt-trip approach, “Dan. Everyone knows that you have at least three dinners at RSA.” (I politely told him that I’m an early to bed, early to rise, Midwestern guy who eats one dinner – especially after a few receptions with food and drink.)

Last year, I didn’t attend the RSA Conference, but I heard questions about it from many people around the globe. This blog covers that experience from last year and the emails received before, during and after the events. The sentiment was: Are you ok?

So this year, it is only fair to provide some feedback regarding what I heard and saw in San Francisco.

But before sharing a few takeaways, I'd like to mention the session entitled “Cybersecurity and the States.” The session was summarized in this Forbes blog by Elise Ackerman. While we had over a hundred people attend our panel session, many more went across the hall to hear about the latest hacker tricks, tips and techniques.

Three Top Takeaways

One theme that kept coming up was dealing with “big data.” There were many twists on this, such as this one from Darlene Storm’s Computerworld blog. She wrote:

The big topic was big data, including how it can bring big security problems…

Regarding big data vulnerabilities, Coviello warned, ‘Our attack surface and risk will be magnified in the coming years as a result. We all have the ability to access large data stores because of cloud, but we're not the only ones that can access these data stores. Our adversaries will, as well.’

One session that I attended was facilitated by Richard Stiennon called: I Was Blind, but Now I See: CISOs Discuss Visibility with Big Data Security. This was an excellent session in which four CISOs discussed how they are dealing with the huge amount of data that is being collected from all over their networks. The theme was that preventive-based technologies often bring a false sense of security. All of the CISOs addressed the need to go through gigabytes of data – sifting through events and triggers to find real incidents and required actions.

The panel expressed positive reviews for the vendor Splunk’s products and ability to do event correlation. (Side note: Splunk offered my favorite T-shirt with the words “You can’t always blame Canada.”)

There was also a suggestion that in the future we will be incorporating even more data from the business side and physical security side of things. This will allow better detection of fraud and a more intelligent response to security events.

The second theme was a push towards a network of sensors that work together to report back to a central “brain” – almost like the human body central nervous system. To some extent, this is just an extension of the traditional “defense in depth” concept and correlating netflow data and logs from a variety of network devices. However, there is an even bigger push towards more network and system intelligence coming together to stop attacks.
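The two points above (sifting a large volume of events for the real incidents, and sensors feeding a central correlation point) are easier to see in code. The following is an added illustration, not code from the article or from any vendor mentioned in it: a small correlator that keys events from three constructed sensor feeds (firewall denies, SSH authentication failures and flow records, all in hypothetical formats invented for this example) by source IP, and only raises an incident when at least two different sensor types report the same source inside a short time window. A single noisy trigger never becomes an incident on its own, which is the "false sense of security" problem the panel described from the other direction.

```python
"""Correlate events from several sensor feeds by source IP inside a time window.

Added example. The log formats, hostnames and addresses are constructed for
illustration; no real product emits exactly these lines.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines, one hypothetical format per sensor type.
FIREWALL_LOGS = [
    "2013-03-01T10:00:05 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2013-03-01T10:00:09 fw01 DENY src=198.51.100.7 dst=10.0.0.6 dport=22",
    "2013-03-01T10:20:00 fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=443",
]
AUTH_LOGS = [
    "2013-03-01T10:01:12 srv05 sshd: Failed password for admin from 198.51.100.7",
    "2013-03-01T10:01:15 srv05 sshd: Failed password for root from 198.51.100.7",
    "2013-03-01T10:45:00 srv05 sshd: Failed password for bob from 192.0.2.44",
]
NETFLOW_RECORDS = [
    "2013-03-01T10:02:30 flow src=198.51.100.7 dst=10.0.0.5 bytes=5242880",
    "2013-03-01T11:30:00 flow src=192.0.2.44 dst=10.0.0.9 bytes=1024",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str   # which sensor type produced the event
    src: str      # source IP, the key every sensor can agree on
    detail: str   # the rest of the line, kept for the analyst


# Both constructed formats carry the source as "src=..." or "from ...".
IP_RE = re.compile(r"(?:src=|from )(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str, sensor: str) -> Event:
    """Pull the timestamp and source IP out of one constructed log line."""
    ts_str, rest = line.split(" ", 1)
    match = IP_RE.search(rest)
    if match is None:
        raise ValueError(f"no source IP in line: {line}")
    return Event(datetime.fromisoformat(ts_str), sensor, match.group(1), rest)


def load_events() -> list[Event]:
    """Normalise all three feeds into one time-ordered event list."""
    events = [parse_line(line, "firewall") for line in FIREWALL_LOGS]
    events += [parse_line(line, "auth") for line in AUTH_LOGS]
    events += [parse_line(line, "netflow") for line in NETFLOW_RECORDS]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5),
              min_sensors: int = 2) -> list[dict]:
    """Emit one incident per source IP that at least `min_sensors` distinct
    sensor types report within `window` of each other."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for event in events:
        by_src[event.src].append(event)

    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        # Slide an anchor over this source's events; the first anchor whose
        # window contains enough sensor types produces the incident.
        for i, anchor in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            sensors = {e.sensor for e in in_window}
            if len(sensors) >= min_sensors:
                incidents.append({
                    "src": src,
                    "sensors": sorted(sensors),
                    "first": in_window[0].ts,
                    "last": in_window[-1].ts,
                    "events": len(in_window),
                })
                break   # one incident per source is enough for triage
    return incidents


if __name__ == "__main__":
    for incident in correlate(load_events()):
        print(f"{incident['src']}: {incident['events']} events from "
              f"{', '.join(incident['sensors'])} between "
              f"{incident['first']:%H:%M:%S} and {incident['last']:%H:%M:%S}")
```

With the constructed input only 198.51.100.7 becomes an incident: the firewall, the SSH server and the flow collector all see it inside five minutes. The other two sources each appear in a single feed (or in two feeds far apart in time) and stay as raw events for later review. In a real deployment the window and `min_sensors` threshold are tuning knobs, and the source key would usually be normalised through asset or NAT data before correlation.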

So what vendor themes were at RSA? Every part of the business and technology organization in an enterprise plays a role in protecting data and information. While this has always been true, there is a bigger push in this area, along with more integrated tools, this year. In fact, the stated theme of this year’s conference was “security is knowledge.” The Gutenberg printing press was offered as a model.

For a specific example, McAfee CTO Michael Fey encouraged getting more parts of the business and system administrators involved in helping enforce security policy. As one report on his remarks put it:

“Additionally, Fey said that firms should make sure that responsibilities and duties are spread out, rather than relying on one group or department to handle all security operations.

In doing so, Fey said that companies will not only be better equipped to respond to threats and utilise current security platforms, but also make use of emerging platforms which could offer far greater intelligence and response capabilities….”

A third lesson learned at RSA this year was perhaps the most obvious. Cybersecurity is really hot right now, with more companies, products and attention than ever before.

Perhaps the recent headlines regarding China, President Obama’s executive order on cybersecurity and Presidential Policy Directive (PPD-21) and other hacking news stories make this obvious. But nothing makes the point stronger than walking around the RSA show floor or the hotels surrounding the event.

For a deeper dive on this topic, see this extensive set of interesting interviews with industry thought leaders at the IT-Harvest website. Richard Stiennon called this: “The most vibrant and productive RSA conference of the decade has come to a close. The astounding attendance numbers were probably fueled by Mandiant’s ground breaking report on cyber espionage activity and even, perhaps, by President Obama’s reference to cyber security in his State of the Union Address.”

This long list of vendor interviews shows why. All I can say is: Wow!

So yes, if you’ve never been to the RSA Conference, start making plans to attend next year or at some point in your professional security career. There is nothing quite like it regarding security in cyberspace.

Were you there? Any thoughts to share?

Seven Actions for Governors on Cybersecurity: A Transcript from the NGA Winter Meeting 2013

February 24, 2013 By Dan Lohrmann

Yesterday, I was given the opportunity to participate as a member of a panel entitled "States and Cybersecurity" at the National Governors Association (NGA) Winter Meeting in Washington. This Health and Homeland Security Committee session was broadcast live on C-SPAN and can be viewed here.

The other panelists discussing cybersecurity were Richard A. Clarke, Chairman and CEO of Good Harbor Security Risk Management, and David Hannigan, Chief Information Security Officer at Zappos. We were asked to focus our opening remarks on action steps that states could take and not elaborate on the cybersecurity threat situation, which was covered in another briefing.

[Note: Samuel Ginn, Chairman of the National Telecommunications and Information Administration First Responder Network Authority, began the session by addressing plans for FIRSTNET.]

Here is a transcript of my opening remarks, which offer seven actions for Governors to take on cybersecurity:

Thank you Governor O’Malley for that kind introduction. I’d like to begin by thanking Governor Sandoval, committee members and NGA staff for inviting me today. It is an honor to speak with Governors on this important topic of cybersecurity.

I want to start by emphasizing that the State of Michigan government faces a barrage of unauthorized attempts to access our networks and systems each and every day. During 2012, we removed over 31 million pieces of malware from incoming emails, stopped over 142 million website attacks and blocked over 24 million network scans. The threat is real – we see it daily in Michigan, as does every other state in the nation.

So what can be done and what is Michigan doing now? I’d like to offer 7 actions that Governors should take to mitigate cybersecurity risk - 4 in the area of cyber defense and 3 in the area of cyber response.

First, four urgent actions regarding Cyber Defense -

#1: Governors Must Make Cybersecurity a Top Priority: In Michigan, Governor Snyder has personally led this charge by establishing clear areas of accountability, authority, visibility and governance. Michigan has centralized IT for all 17 Executive Branch Agencies, encompassing over 47,000 state employees. We have now merged physical and cybersecurity into one cohesive program. The Chief Security Officer is charged with providing enterprise-wide risk management and security associated with Michigan government’s assets, property, systems and networks. This organization also leads the development and implementation of a comprehensive security strategy for all Michigan technology resources and infrastructure.

#2: Each State Needs a Strategic Plan for Cybersecurity: Following the NIST framework, industry best-practices for cybersecurity and guidance from NGA’s new Resource Center on Cybersecurity, each state must implement an effective level of cyber defense. In October 2011, Governor Snyder brought together the best and the brightest from across the nation as he launched the “Michigan Cyber Initiative” at the national kickoff for Cybersecurity Awareness Month. This plan lays out a comprehensive strategy for establishing Michigan as a secure cyber state which protects individuals, business, and government, and safeguards citizen data. The strategy includes the development of resource kits for home, business, government and schools, as well as protecting our critical infrastructure in a safe cyber ecosystem. Our plan can be found at Michigan.gov/cybersecurity.

#3: Provide “Next Generation” Training and Awareness for Cybersecurity: In every state, employees are both our greatest asset and sadly our weakest link against cyber attacks. End user mistakes are the #1 cause of data breaches, whether they click on phishing scams, fall for social engineering tricks or inadvertently provide unauthorized access to sensitive data. In the past, Michigan developed training that quickly became outdated, boring, and, quite frankly, a failure. We learned from our mistakes and now offer new online statewide Cyber Awareness Training 2.0 for all employees. Brief, interactive lessons are delivered to all employees over the web that are relevant, timely and I must say even ‘fun’ activities for the users. Feedback thus far has been overwhelmingly positive, with employees praising the new approach and even sharing the information with family members at home.

And let’s not forget technical training for our cybersecurity staff. In 2012, partnering with Merit Network, we launched the Michigan Cyber Range. This state-of-the-art training, research and testing facility provides a secure environment for cyber response training, cyber defense scenario testing, and the latest in technical training for cybersecurity staff in the public and private sectors.

#4: Monitor and Defend your Networks 7x24: In our global Internet, attacks can come from anywhere at any time. We need qualified staff and effective tools to detect, assess and respond to threats in order to ensure the confidentiality, integrity and availability of our data, systems, and networks. Michigan is in the process of enhancing this capability with a next-generation Security Operations Center that never sleeps. We are also working to develop and report using new metrics based upon the SANS Top 20 critical security controls.

But what if there IS a major cyber incident in your state? Are you prepared? What if you experience a breach? Recommendations 5-7 address Cyber Response and Infrastructure Resilience.

#5: Build a Cyber Disruption Response Plan: States must develop a cyber disruption response plan, containing a checklist of required actions following a catastrophic cyber incident. State governments have become very good at responding to natural disasters such as tornadoes, fires, floods and hurricanes. This same level of discipline must be applied to cyber incidents using an all-hazards approach. In partnership with private sector companies who own and operate Michigan’s critical infrastructure, Michigan is developing a Cyber Disruption Response Plan to map out a clear communication strategy and the necessary actions following a major cyber incident. States should align their response plans with the recently-released Presidential Executive Order on Cybersecurity and Presidential Policy Directive-21.

#6: Cyber Disruption Response Plans Must Be Tested: Following Federal Emergency Management Agency (FEMA) guidelines, all states should be testing and refining their cyber incident response plans to ensure infrastructure resilience. In partnership with other governments, Michigan has benefited by participating in all four Cyber Storm global exercises, as well as NLE 2012 which focused on cyber incident response. We are planning further public/private tabletop exercises during 2013 to test our cyber response protocols.

#7: Establish Trusted Partnerships: Cyber defense and response cannot be done on an island or it will fail. We all must work together to face the growing threat, share information, and coordinate our response. Establishing and maintaining trusted relationships is a central key to cyber defense and incident response.

Michigan has strong partnerships with (to name a few):

  • The National Association of State CIOs (NASCIO) and other states
  • The U.S. Department of Homeland Security and other Federal agencies
  • The FBI and the FBI InfraGard program
  • The Multi-State Information Sharing & Analysis Center (MS-ISAC) in Albany, NY
  • Michigan State Police and other state agencies
  • Numerous Private Sector Partners

Building and strengthening these partnerships must be a key for each state moving forward.

In conclusion, cyberspace has revolutionized government.  The Internet is accelerating opportunities for good and for evil at the same time.

Each state must act now to further protect their digital investments.  Our public trust in government is at stake.

I look forward to addressing your questions.
Lohrmann on Cybersecurity

Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.
