February 19, 2013 By Dan Lohrmann
Most readers of this blog already know that President Obama released an executive order last week on the topic of cybersecurity. The actual text of the executive order, along with the text of the more detailed Presidential Policy Directive / PPD-21, offer a glimpse into the future of our cybersecurity battles in America over the next few years.
I have waited almost a week to comment so that I could summarize global reaction to these new edicts. As I mentioned before the executive order came out, new guidance on cybersecurity was almost inevitable for a variety of reasons. Well now the federal government’s sector-specific agencies have their marching orders, and like it or not, it appears to be time for critical infrastructure owners and operators to get on board the ship and do more to address weaknesses and raise the bar on cyber protections.
But before I provide my opinion of the EO, let’s take a look at the full range of diverging viewpoints regarding what policy was issued. On the one end of the spectrum, several experts have strongly condemned the EO and PPD-21 as overreach and bad cyber policy. For example, here are some headlines and brief excerpts worth examining:
Obama’s Cybersecurity Executive Order Falls Short – Heritage Foundation
“… The order uses a standard-setting approach to improve cybersecurity. However, such a model will only impose costs, encourage compliance over security, keep the U.S. tied to past threats, and threaten innovation.
While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO’s inability to provide critical incentives such as liability protection. As a result, this order could result in few modest changes, or it could result in substantial negative effects….”
Just as negative, is a leading cyber industry expert Richard Stiennon and author over at Forbes blogs:
PPD-21: Extreme Risk Management Gone Bad - Forbes Magazine Online
“On Tuesday, February 12, 2013, President Obama issued Presidential Policy Directive 21: Critical Infrastructure Security and Resilience. PPD 21 represents my worst nightmare: the misguided mantra of management consultants writ large. How large? The entire Federal juggernaut is to be roped into a tangle of coordination, data exchange, R&D, and risk management to address ephemeral threats to critical infrastructure. It even stretches around the world to include governments that may host critical facilities and assets of the United States….”
Meanwhile, on the other extreme, there are calls for stronger regulations, more teeth and more aggressive government mandates and action.
Too Little Too Late: Obama’s Cybersecurity Executive Order is Way Under-Par - ABI Research in London
“… The U.S. President’s Executive Order on ‘Improving Critical Infrastructure Cybersecurity’ signed yesterday failed massively to address the burning requirements for securing the American nation. Although the Order proposes an information sharing platform and a cybersecurity framework, these solutions are weak and lack the bite that would make it effective….”
Cybersecurity Executive Order Short on Action, Long on Voluntary Initiatives - Dennis Fisher at Kaspersky Lab
“The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action….”
Obama's Cybersecurity Order Weaker Than Previous Proposals - Gerry Smith, Huffingtonpost.com
“President Barack Obama said during his State of the Union address Tuesday that he had signed an executive order aimed at protecting government and businesses from what he called "the rapidly growing threat from cyberattacks."
But the order he signed on Tuesday was significantly weaker than what his administration had proposed two years ago, leaving out a key provision that experts have said was needed to protect the country's most vital computer systems….”
But some sources say that the President got things right.
Obama presses Congress with cyber security executive order - Mike Hoffman, Defense Tech
“President Obama signed an executive order to increase America’s defenses against cyber security before highlighting the need for it in his State of the Union Tuesday.
The Executive Order will work together with the Presidential Policy Directive on Critical Infrastructure Security and Resilience that the White House also released today….”
Obama Cybersecurity Executive Order A First Step, But More Is Needed, Some Say - Brian Prince, Dark Reading
“… The executive order requires federal agencies to provide unclassified reports regarding threats to U.S. companies being targeted in a timely manner. It also expands the Enhanced Cybersecurity Services program, with the goal of enabling near-real-time sharing of cyberthreat information to participating critical infrastructure companies, and directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce threats to critical infrastructure….”
My View on the Cyber EO?
In my role as Michigan’s Chief Security Officer (CSO), I want to reinforce the view that we need bipartisan legislation on cybersecurity which addresses the best way forward for protecting critical infrastructure as a nation. I see positive aspects to the new EO, especially the provisions on more information sharing. The State of Michigan will be working closely with the U.S. Department of Homeland Security as partners in protecting our nation from cyberattacks.
At the same time, I also understand the criticisms that many in our industry have articulated. I certainly believe that more will need to be done to safeguard our critical infrastructure. The effectiveness of these provisions will depend on the follow-on actions taken by the public and private sectors.
State and local governments are watching closely as the federal government implements this EO and PPD-21. Government officials at all levels are asking, how will this affect my government? We also have a major role in critical infrastructure protection, and we coordinate with our private sector partners in each sector.
This will be a very pivotal year for cybersecurity. I look forward to learning more about plans and gauging the pulse of the nation on cybersecurity from federal and private sector partners next week at RSA in San Francisco.
What are your views on the new cybersecurity EO and PPD-21?
February 10, 2013 By Dan Lohrmann
According to Bloomberg, President Obama plans to release an executive order on cybersecurity soon after the State of the Union address. The State of the Union address is scheduled for Tuesday, February 12.
The administration, which has been drafting the order for at least six months, plans to set up voluntary cybersecurity standards for owners and operators of critical infrastructure such as water treatment plants, electric utilities and railway systems.
Here’s an excerpt from the Bloomberg article:
“The administration is preparing the order amid recent cyber attacks including the security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other newspapers attributed to Chinese hackers, and denial-of-service attacks that disrupted websites of U.S. banks.
The order directs federal agencies to consider incorporating the cybersecurity standards into existing regulations, according to the officials. It directs the government to share more information about computer threats with the private sector and issue more security clearances allowing industry representatives to receive classified information, the officials said.”
Recent European actions on cybersecurity
Meanwhile, eWeek and Theverge.com reported on European plans to toughen cybersecurity rules for their important infrastructure. Although the rules are draft at this point, the European Commission’s proposals are coming at an interesting time – showing international concern on cyber is now at an increased level.
“The threat of cyberattacks haven't just been a concern of the United States, either. The European Union announced a plan of its own yesterday, which would require stock exchanges, banks, hospitals, and other companies to conform to more rigorous network security standards — and could even require companies that control important infrastructure to disclose any attacks publicly. The European proposal is a draft at this point, but if adopted could require US companies that do international business to conform to the standards.”
The European rules would require an audit of all critical infrastructure, and according to one source, this could be very problematic to actually implement.
The Sophos security blog called the European plans a “nice try” – adding that we need, “more clarity on objectives and more specifics on implementation….”
Rogers: America is losing the cyber war
And perhaps the biggest news event of the past week came from the opinion column written for the Detroit Free Press by U.S. Representative Mike Rogers, who articulated the view that America is losing the cyber war vs. China. This article does an excellent job of explaining our current cyber situation in clear, compelling language:
“What is currently happening to American intellectual property may be the largest transfer of wealth in the history of the world. A senior intelligence official recently stated that the amount of stolen intellectual property is equal—and now exceeding-- to that of the entire library collection at the Library of Congress. This activity can no longer just be a cost of doing business with China. China is literally attempting to steal our way of life….
The U.S. government has classified cyber threat intelligence that, if shared with private sector, could help the private sector better defend its own networks. Currently, the vast majority of private sector does not have access to this vital data. Developed in close consultation with broad range of private sector companies, trade groups, privacy and civil liberties advocates, and the executive branch, the bill enjoys the support of virtually every sector of the economy.
With simple, targeted legislation we can make a common-sense change that would take an important step to protect American computer networks from cyber theft and cyber attacks…."
What’s different this time?
Of course, this is not the first time that cyber legislation and White House executive orders have been predicted. Last year, there were many predictions, including mine, of an impending executive order and the impact of possible new laws regarding cybersecurity standards for protecting critical infrastructure.
So what is different this time?
The reelection of President Obama as well as the increasing number and scope of cyberattacks against every sector of the U.S. economy will make more action from the federal government both necessary and inevitable. In my view, we simply cannot keeping doing the same things and expect different results.
I believe that U.S. Rep Rogers has it right. Our way of life in America is at stake. As a country, we love our smartphones, cloud computing, innovation and technology in general, but we need to be prepared to do more to protect all sectors of our economy from those who would do us harm. Since Congress seems unable to pass bipartisan legislation on cybersecurity, I am not surprised by this step from the White House. Get ready for an EO on cyber.
What are your thoughts? Is February, 2013, the right time for an EO on cybersecurity?
February 5, 2013 By Dan Lohrmann
Notifications sent from social media companies. Some people love them – others want them to go away.
Is your inbox filling up with reminders for you to logon - or miss out? Has guilt or curiosity been used to get you to come back? Lately, I’ve come to discover that emails can be helpful, annoying, rude and even fake.
Do any of these social media emails look familiar?
“Priscilla tagged you in 3 photos on Facebook.”
“Your friends (insert names) are waiting to see their posts on your timeline.”
“Saralee commented on Priscilla’s photo of you.”
“You have 3 connection requests, 10 tagged photos and 2 pokes waiting on Facebook.”
Perhaps you welcome these regular notifications. But as an infrequent Facebook user, I must admit that they’ve become rather annoying to me lately. On the other hand, my wife and daughters appreciate them, so it seems that everyone views these messages differently.
But I’m not alone in wondering about the default setting for sending these notifications. In fact, you can even ‘like’ this message which proclaims - Facebook: stop sending me emails.
And frustration is not only about Facebook’s email notifications. Google+, Twitter and LinkedIn have their own share of both helpful reminders and pushy messages. For example, this article discusses the Google+ birthday reminder feature:
“Many find Facebook's birthday reminders silly. Either they're overlooked entirely or lead to a post attack that clutters up someone's Wall (or Timeline). The folks behind Google+, on the other hand, might've just figured out how to make birthday reminders better (or less annoying, at least).”
On the negative side, this article points to the downside of Google+ suggestions to friends:
I understand that your goal is to get everybody using Google+ and I know your reasons behind it. But I’m pretty put off by being asked on EVERY SINGLE SEARCH QUERY whether or not I’d like to ask my friends about something. It’s like the Facebook share button on a porn site. There are things that I don’t ever want to talk to my friends about, even if they’re not embarrassing, so please stop asking me.
Whether these messages annoy you or not, you’d better make sure that they are, in fact, genuine. There are true stories of fake social media messages which deliver malware. This article about a Facebook photo notification tells of one phony message.
“Be careful about opening emails that claim you have been tagged in a Facebook photo, because they may actually be malware, according to a security expert.
Sophos's NakedSecurity blog outlined the threat on Wednesday. The company's SophosLabs intercepted a "spammed-out email campaign" which was designed to spread malware.”
Can you tell real messages apart from fake ones? This blog test your ability to spot real Facebook messages from fake ones that download malware.
“Unfortunately, phishers are getting better at what they do, and spotting a fake isn't as easy as you might think. I've assembled four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake? (Click any image to see it at full size, or visit the accompanying gallery to flip through all four screens at full size.)”
Turning Off Notifications
Yes, you can trim down or turn off these notifications in Facebook, Google+ and Twitter.
This link can help you turn off notifications for your Google+ calendar.
Or, this Business Insider article covers turning off (or cutting back on) Facebook notifications.
There’s even a service to turn off the notifications across multiple platforms. For example, the Notifymenot service, which is described here, turns off notifications for multiple social media sites.
Turning Off Social Media Entirely?
But some are going much further. They are asking if it is even time to quit social media altogether? I’m not going that far, but here’s an excerpt from a thought-provoking article I read recently:
“…Almost a quarter of Americans say that they’ve missed out on important life moments in their quest to capture and memorialize them for social media. Think about that the next time you’re Instagraming your anniversary dinner at P.F. Chang’s. With the ubiquity of communications technology in our daily lives, it’s easy to convince ourselves that the digital world is where all the action is and that the effort we put into building our online empire directly correlates to IRL benefits such as scoring a new job or landing a new mate. In fact, over 90% of job hunters of all ages look for work online, but less than 5% are conducting offline job hunting activities such as attending networking events or setting up information interviews. And guess what? A full 70 – 80% of job vacancies are never posted, so all that job board scouring is likely for naught….”
I’m not going that far, but as I mentioned last year about this time, I know people who are giving up much of their online life, at least for a season such as Lent.
As for me, I’m just cutting back on the notices a bit. I like using social media, but my inbox is filling up with too many notifications. Now that the Super Bowl is over, I think it’s time to go on a notifications diet.
How about you? Do you like social media notifications?
January 22, 2013 By Dan Lohrmann
Is it time to change the way we think about work - life balance? I’m not sure, but I’ve become more open-minded on this issue. Allow me to explain.
Last week, I was speaking at an ISACA Detroit meeting, and an interesting debate came up at dinner. This conversation ensued after my presentation on: Why Security Professionals Fail – And Pragmatic Solutions to Help Succeed. The fun, yet challenging, discussion revolved around strategies for dealing with career burnout.
One person at the table said something to the effect, “We’ve stopped trying to promote work-life balance at my (private sector) company. We now encourage “career-life fit.”
My response was: “Huh? What’s the difference?” Little did I know, I just opened up “Pandora’s Box.”
It turns out that there is quite a bit of difference, and the potential need for change comes from work situations such as:
- Emergencies: when you need to work long hours for many days in a row? (For example: malware outbreaks, emergency management incidents, etc.)
- Education: you go for that graduate degree or special certification to get ahead.
- Career path choices: dealing with seasons in your career when you need to work long hours for extended periods (for example: doctor’s going through internship.)
- Promotional considerations: you “go the extra mile” in your office to gain a positive edge on the competition.
- Seasonal changes that meet your life needs. (For example, you are very busy working long hours for part of the year like tax season, to gain fewer hours in other seasons.)
- Job changes: your new job requires you to always carry a pager – but you like the extra ‘on call’ pay and/or overtime pay when you are called in.
There are plenty of other examples and situations that don’t reflect “balance” of time at home and work. What is fairly obvious is that all of us go through various seasons of our lives and have different needs. In addition, different employees have very different views on what gives them satisfaction and enjoyment in life.
New Name - Or Not?
There is a formal movement to change the way we think about these topics. This article on Work-Life Balance vs. Work-Life Fitness explains some of the questions to ask in this different work/life fitness approach.
“To achieve work/life fitness, consider the things that you need to do and the things you want to do. What are your professional goals? Do you want to get married and have kids? Do you want to travel? If you have an important deadline coming up or are striving for a promotion, then you may find work/life fitness despite devoting more time to work. Remember, the ratio of work to life that you can take on while maintaining work-life fitness may shift as you progress into different life phases.”
This dialogue also brings up another question: What about the difference needs of men and women? An article from Forbes entitled: Real Men Don't Need Work Life Balance, addresses this question:
“In organizations, while it is acceptable for women to demand flexible work or plan their maternity leave, men seeking similar arrangements or paternity leave is still rare. When it comes to gender neutral programs, such as job sharing, men experience a higher level stigma in the use of such arrangements. Research shows that 48% of men felt that using the arrangements was not a real option. So creation of policy does not equal its utilization.”
How relevant is this topic to the 2013 workforce? Very important! In fact, this issue is often listed as more important than pay to most employees. The Glass Hammer went further with this discussion, while moving to new terms that address employee “fit” within their organizational needs for everyone.
“Women were more likely than men to cite work life fit as their reason for staying with their employer – but both ranked it as the highest reason (72 percent of women compared with 62 percent of men). In fact, women and men prioritized similarly when it came to why they stayed in their jobs on the next most popular reasons as well: benefits (61 percent of women and 59 percent of men) and money (57 percent of women and 62 percent of men).
But, what may surprise you is that people without children were more likely than people with children to cite work life fit as a key reason for staying in their jobs (67 percent compared to 65 percent).”
What’s The Answer?
So where is this trend heading? How do we deal with unequal scales for men and women or for parents and singles? The New York Times ran this piece that recommended moving away from questions about “where you are going” and to “how will I get my work done” discussions with your boss.
I also think that most of the government employees that I know, who are in either security or technology professional fields, take this work/life issue very seriously. They value their family time and they sacrifice higher pay in the private sector for a government jobs that may better meet their personal situations and commitments.
Still, the new millennial generation is now demanding this same level of attention to work-life fit in both the public and private sectors. I expect that topic will become even more heated over time.
So What Is Work - Life Balance Called Going Forward?
Back to that dinner conversation, and I was beginning to understand the new way of thinking after about fifteen minutes of discussion. That night, I went home and did some research. I found this article which offers Work-Life Balance - By Any Other Name. Here’s an excerpt:
“When a 2008 Sloan Network poll asked readers to choose their favorite term, 46% preferred "work-life balance." Twenty-five percent picked "work-life integration," and 8% liked "work-life juggle" best.
But alternatives have sprouted up everywhere: Cali Williams Yost, author and work-life consultant, promotes "work-life fit"; Cathy Benko, former chief talent officer at Deloitte, opts for the similar term "career-life fit;" Catalyst, a research organization working for the advancement of women, advocates for "work-life effectiveness;" Jodie Benveniste, director of Parent Wellbeing and author, created the phrase "work family flow;" and Paul Nyhan, Seattle Post-Intelligencer family reporter, favors "work-family rhythm."
We each have an important set of metrics in our heads, and we are keeping score. We have an unseen (virtual) time clock that we’re punching. We want fair treatment. We want a boss and coworkers who understand. And we want the flexibility to change our minds, given different life situations and work roles.
I hope your management agrees – no matter what you call it.
January 7, 2013 By Dan Lohrmann
Just when I thought I was turning the corner on Internet security awareness & cyber safety, along comes an eye-opening situation that hits so close to home that I am forced to rethink the road ahead - again.
The key questions that I’m reassessing as we head into 2013: Am I saying the right things about cybersecurity? Are the most important messages getting through? Are people (even the ones who know and like us) hearing what we say? Am I genuinely listening to them – first? Allow me to explain with a personal story.
My daughter Katherine and my wife Priscilla received new smartphones as gifts over the past few months. Without a doubt, they both love their new white, light-weight iPhone 5s. They had seemingly never-ending holiday conversations about their new devices - with Katherine showing her mom all of the wonderful features, functions and helpful apps. But that conversation is for another day.
This tale is about mobile device security – or lack thereof.
It all started when Katherine was in our kitchen trying to help her friend Carli with her new iPhone 5 that she also got for Christmas. Carli’s WiFi was not working properly.
(Note: Katherine has unofficially become the resident “expert” because she received her while iPhone 5 back in November as a birthday present.) She now knows everything there is to know about smartphones - kinda.
Katherine to Carli: “You turned off the 4-digit security PIN that I configured for you!”
(Dad, who was in an adjacent room, suddenly became interested in this unexpected security conversation and puts the magazine down.)
Carli to Katherine: “The screen lock is such a pain. And if I lose my iPhone, whoever finds it won’t be able to call me and return it.”
Katherine to Carli: “Yes, they can. There’s an app to find it. I showed you….”
Carli to Katherine: “But…, Mrs. Lohrmann, help – you told me you haven’t enabled a PIN for your iPhone either…. ”
Priscilla to Carli and Katherine: “You’re right. I haven’t enabled the PIN…. Yet. I’m not sure if it’s really needed or not. But don’t tell your dad, I’m still deciding….”
(Dad – who is listening in the other room – now enters the kitchen….)
Dad to all: “What did you just say?”
I’ll stop the rewind of this conversation at this point. I can tell you that, although everyone was in a good mood, laughing and polite, the “passionate discussion” continued for the next 10-minutes before Katherine and Carli were late and headed out the door. We all decided to continue the dialogue “later.”
But over the past week, I’ve been thinking quite a bit about that holiday interaction. My guess is that most readers can probably relate to a similar situation in their lives at either home or work.
After that conversation, I’ve started to reconsidered the effectiveness of what I personally say to family members about personal online security as well as what our enterprise messages are working (or not) for state employees.
Not that we haven’t been through this discussion before. Priscilla and I talk about online safety quite often as it relates to our children. We agree on the vast majority of steps we take with security on PCs, Internet access controls and filtering. It’s just that the conversation and examples keeps changing as technology evolves and the kids get older.
And my thoughts often move towards work, where the same concerns and questions apply. Yes, we’ve already reinvented awareness training for employees in the past year to focus on the new online challenges and mobile situations. We did listen to employees and heard that the old training was out of date, boring and irrelevant. But now I’m worried that we’re still not doing enough. Or, perhaps, we’re falling behind in our messaging – again.
Christmas Presents Showing Up at Work
It’s that time of year when technology Christmas presents start showing up at the office. With the advent of BYOD, telework, and mobile computing, our enterprises must once again pass the test of new “stuff” show showing up all over the place. This means our infrastructure and security teams rebuild architectures to ensure enough available Internet bandwidth and having hotspots to handle the load.
Meanwhile, we must think through, again, how staff will access data, keep personal information private and a host of other topics. Once we figure out what the IT organization will do and what the employees will do, we communicate with staff.
What Do We Do – and Say?
In response, we offer revised policies, compliance regulations, new awareness training and new approaches like testing whether employees click on bad links. Every little bit helps, but can we do more?
Stacy Collett, a writer for Computerworld, recently wrote an excellent piece with five techniques on: How to talk security so people will listen (and comply!) Here’s an excerpt:
“To be sure, employees are not involved in every type of corporate security breach (see Top 10 threat action types), but user behavior and non-compliance are implicated in many, including mobile malware, social network schemes and advanced target attacks. These are increasingly aimed not at CEOs and senior staffers, but at people in other job functions such as sales, HR, administration and media/public relations, as criminals try for ‘lower-hanging fruit,’ the Symantec report says.
Against such an onslaught, the stereotypical wall poster of security tips hanging in the breakroom is useless, says Julie Peeler, foundation director at the International Information Systems Security Certification Consortium -- also known as (ISC)² -- a global, non-profit organization that educates and certifies information security professionals. ‘Security training is not a one-time event. It has to be integrated throughout the entire organization, and it has to come from the top,’ she says.”
Veteran security pros will, of course, agree with Julie Peeler. For decades, we’ve been saying that good security encompasses everyone, everywhere, all the time. You never know where the next threat or incident or major attack is coming from.
So how do I plan to address this - today? My gut tells me that I need to start by looking in the mirror. Lead by my example. So what are my 2013 security resolutions?
- To keep watching and analyzing our state government culture
- To learn the new ways our people are using technology
- To listen to the business more
- To keep refining the security and privacy messages we are delivering to employees
- To offer enabling security that truly helps
Back at home, my daughter Katherine has enabled complex security on her smartphone. She’s become an ambassador to her friends and an ally in marketing key personal security messages.
Meanwhile, my wife Priscilla has agreed to hear again what Apple recommends for security, to discuss available options for her iPhone 5 and to do what’s best.
And I’ve agreed to listen - first.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.