Cyber Security Awareness Month 2014: The Best and Worst of Times

The 11th annual National Cyber Security Awareness Month kicked off on Oct. 1, with perhaps the biggest set of activities ever planned. But on day two of the festivities, a huge JPMorgan Chase security breach stole the headlines.

by / October 5, 2014

NASCIO 2014 Annual Meeting

Phyllis Schneck, deputy under secretary for cybersecurity and communications within the U.S. Department of Homeland Security, at the NASCIO Annual Meeting in Nashville, Tenn. Photo credit: Dan Lohrmann

Another Cyber Security Awareness Month launched this week in new and exciting ways. The 2014 kick-off event in Nashville, Tenn., included a large audience full of state government chief information officers (CIOs) and chief information security officers (CISOs) from across the nation. The National Association of State CIOs (NASCIO) and Multi-State Information Sharing & Analysis Center (MS-ISAC) joined forces with federal agencies, private-sector companies and the National Cyber Security Alliance in an unprecedented joint meeting to highlight the importance of actions to protect data in cyberspace.

The theme this year is: Our Shared Responsibility. Presidential Proclamations, nationwide events, newsletters, public service announcements and more have begun in earnest at businesses and government offices all across the nation.

Here’s one public service announcement that was just released:

The keynote speeches, predictions and warnings given on the last day of the NASCIO Annual Conference were eye-catching. Here are some quotes that were highlighted by one local newspaper:

"We've become entrenched in an ever-escalating battle to secure our systems from a determined and increasingly capable enemy," Mark Bengel, state chief information officer, told hundreds of experts gathered in Nashville….

"We will get attacked," said Phyllis Schneck, deputy under secretary for cybersecurity and communications within the U.S. Department of Homeland Security. "You will turn on the news every morning and see probably another big name (company) assessing a data breach. It will happen, like having a rainy day."

You can watch Phyllis Schneck's speech, along with the other opening speeches from technology and political leaders in the following video. (Note that a public service announcement runs first.)

Later in the morning, a panel discussed the recently released results of the 2014 Deloitte-NASCIO Cybersecurity Study, which surveyed state CISOs. This is the third such report, with previous versions in 2010 and 2012.

The highlights of the study included:

• Maturing role of the CISO: The state CISO role continues to gain legitimacy in authority and reporting relationships. In 2014, 98% of respondents state they have a CISO role, and 90% of these roles report to the CIO. The responsibilities of the position are becoming more consistent across states, yet expanding. CISOs today are responsible for establishing a strategy, executing that strategy, risk management, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.
• Continuing budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase, albeit small, in budgets. 48% of respondents noted an increase in budget; however, budget is still the No. 1 barrier. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs.
• Cyber complexity challenge: CISOs are concerned about the intensity, volume and complexity of cyber threats that run the gamut from malicious code to zero-day attacks. Sophistication of cyber threats is the No. 2 barrier. 74.5% of respondents cited malicious code as the top external threat. CISOs need to stay abreast of existing and developing threats and increasing regulations to establish and maintain the security of an information environment that now increasingly extends from internal networks to cloud and mobile devices.
• Talent crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. 59% of CISO respondents chose talent as one of the top barriers. State CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career growth paths and find creative ways to build their cybersecurity teams.

The panel discussion on the new Deloitte-NASCIO Study can be seen here:

The morning concluded with a speech by Michael Daniel, special assistant to the president and cyber security coordinator. He highlighted how the work that we need to be doing is getting harder in numerous ways – from the Internet of Things to teaching cyber etiquette to everyone in society. He also described the need to review network defenses using a risk management framework, just as other business risks are assessed.
 
Mr. Daniel concluded by explaining the Council of Governors Joint Action Plan for State-Federal Unity of Effort on Cybersecurity. This plan refines authorities, roles and responsibilities for state and federal entities, along with identifying capabilities available in identifying, responding to, recovering from and mitigating the effects of cyberattacks.

Finally, Mr. Daniel described the National Initiative on Cyber Education (NICE) to train and attract the right talent to work on cyber projects in the public and private sectors. You can see his entire speech here:

 

JP Morgan Chase Steals The Attention

But just as Cyber Security Awareness Month was getting started, the announcement came out on Thursday that more than 80 million records at JP Morgan Chase were accessed illegally. While it appears that no credit card data was stolen (for now), the scary story underlined the stakes in this cyber battle.

On Friday, it became clear that the hackers cracked ten financial firms in the major assault. Here’s an excerpt from NYTimes.com:

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed on Thursday. The identities of the other institutions could not be immediately learned.

Indeed, a deeper look at the surge in major security breaches involving tens of millions of customers, from Target to Home Depot to our most well-funded banks, can lead to a sense of panic among consumers regarding digital safety. Thankfully, there has not been a major pull-back from Internet banking or online shopping – yet.

The scale and scope of these breaches are unprecedented in 2014, and they lead many cyber experts in non-banking industries to wonder whether the hackers can be stopped at all within organizations that spend even less than banks on cybersecurity.

Michael Daniel at NASCIO 2014

Michael Daniel, Special Assistant to the President and Cyber Security Coordinator. Photo credit: Dan Lohrmann

Final Thoughts

As we head into 2014 midterm elections, technology and security leaders are doing more to protect data than ever before, but sleeping less. The cyberattacks seem to be relentless. Insider threats are also growing. 

And yet, like most cyber leaders who gave speeches this week, I remain an optimist regarding cybersecurity. The attention and support given to cyberdefense efforts continues to grow, and that is a good thing.

There are many cyber summits all across America this month, like the Wisconsin Cyber Security Summit that I will be speaking at this week along with leaders from all over the world.

I urge readers to take personal action right now. This U.S. Department of Homeland Security (DHS) cybersecurity awareness website offers some good suggestions: http://www.dhs.gov/national-cyber-security-awareness-month-2014.

In conclusion, as I take a step back and examine our overall situation regarding cybersecurity in October 2014, my thoughts go to the famous words written by Charles Dickens at the beginning of A Tale of Two Cities:

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring of hope, it was the winter of despair….” 

And, it was the autumn of awareness.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso