In a shift of policy, the US government indicates a willingness to cooperate in a United Nations forum to reduce the risk of cyberwar. In this item from the Washington Post, the US joins China, Russia, Brazil, and others. With the big actors in the field agreeing to talk, it is an interesting development. Problems of attribution, civilian vs. military use, and technological change persist, but moving beyond a solely cybercrime-based approach is interesting.
Definitely something to watch in the months to come.
Showing posts with label cybersecurity.
Monday, July 19, 2010
Tuesday, November 10, 2009
Open Source Software and Security
Many of the issues in cyber security, malware, viruses, etc. center on the vulnerability of proprietary software (e.g. Windows and its family of programs) to code flaws that bad guys can exploit. Proprietary software uses a closed development model where the source code (the inner workings) is guarded by the designer. Open Source (see Linux), on the other hand, lets anyone see and add to the code. The theory is that the collective intelligence is greater than any one individual and that potential flaws can be detected and corrected by the forum of users. And the code is made available for free!
What then is the drawback? Mostly it is perception. If it is free it can't be as good or as secure as the one I paid a lot of money to get. A recent memorandum from the US Department of Defense's Chief Information Officer is an effort to debunk that idea. The memo implies that software that has undergone a peer review process is often more secure than proprietary models. It encourages agencies to consider open source in future procurements. It goes on to state that open source software may be modified at will as the need changes in the future.
For more info check out this article at Nextgov.com
Friday, October 23, 2009
Georgetown University: Cyber Security, Law, and Policy
Excellent panel discussion on policy issues surrounding cybersecurity in the US. Discusses the problem in getting Congress and the public to see cybersecurity as a risk and threat to national security.
Policy efforts have lagged in recent months as the White House and Congress are focused on healthcare and other issues.
Factual vice inflammatory. Pentagon leads the way as others stand and wait.
Healthcare info at risk
A recent survey of US Healthcare Industry ICT professionals conducted by the Ponemon Institute again points out that electronic information is a target for criminals. The operators know the risks but cite lack of management support as the major impediment to security.
The benefits of electronic records are many. The ability to quickly inform providers of a patient's medical history, medications, and family risk factors is essential to providing proper treatment (and at lower cost and risk!). This explains the recent emphasis on electronic medical records in economic stimulus efforts and the health care insurance reform debate ongoing in the US.
Policy makers and industry leaders must keep patient confidence if the savings are to be realized.
Thursday, October 15, 2009
Lessons to be learned from the private sector
In an article on Risk Center, author Tami Casey reports on a survey of computer professionals at large companies about how difficult it can be to convince executive management of the need to invest in the security of web-based applications.
The keys to laying out the case have applications in the government world as well. Let's look at the recommendations:
- Effectively communicate the issue and build application security awareness. Executive management might not understand the impact or urgency of fixing security defects. Explain the importance of preventing a data breach, identity theft, unauthorized access and downed websites. Be sure to stay clear of jargon and use real world examples highlighting damages to companies. It's important to provide training on Web security issues to all functions and not just developers. For Governments this translates to teaching your leadership and explaining the political implications of failure.
- Align your security strategy with business objectives. Discuss specific management goals and point out how a security breach could stand in the way of meeting these objectives, be they revenue or corporate reputation goals. Government version: focus on political risk and failure to meet citizens' needs.
- Calculate the ROI. The cost of a breach can be $500K or more per incident. For example the Heartland Payment Systems breach is estimated to have cost the company $12.6 million along with damage to their reputation and a dramatic drop in the company's stock price. For government it is not ROI but rather cost avoidance and funds that can be used for more productive work/services. When governments fail to protect citizen information direct costs can also be incurred.
- Cite laws and compliance issues. Be sure to point out penalties for non-compliance with regulatory standards, which can pile up quickly. It is bad form for government officials to fail to obey their own regulations!
- Emphasize Web app security as part of the software development process. Include stakeholders from the development team through QA and production. This is the key. Government is a very large player in the IT services and procurement industry. It must demand quality products for its investments.
Thursday, September 3, 2009
Insider threat and cyber security
A well-known vulnerability in cyber security is the threat posed by an insider, i.e. an employee or former employee who for some reason decides to turn to the dark side. Using knowledge gained on the job, and access often not terminated at departure, the insider is able to steal data, divert funds, or manipulate systems to cause damage or loss. There can be severe financial losses, as in the Société Générale case. A recent Foreign Policy article discusses the case of a California contractor who, after not being offered a full-time position, took control of an offshore oil rig via its communication link. As more systems move to automated and unmanned control systems, the risk increases.
Sobering thought as Brazil moves to exploit its newly discovered deep water reserves. Automation saves significant costs, but it's not a free lunch.
Monday, August 31, 2009
Cyber Storm III, practicing the policy
The US Dept of Homeland Security recently announced the date for Cyber Storm III. This third event in the series will be the first chance to test the Obama Administration's cyber security strategy.
As pointed out in the linked article, it is a chance to test the policy issues of coordination between Federal and State/local government and between the public and private sectors.
An old dictum states that the scene of a disaster is not the place to exchange business cards for the first time.
This will be an interesting project to follow, especially if they open it to international players.