So where to go from here
Random thoughts about technology, cyber security, current news, and just life now that I have it back
Tuesday, May 8, 2012
CISPA: The Devil is in the Details
Check out my latest InfoSec Island blog - it details the bill that passed the House a little over a week ago - the Cyber Intelligence Sharing and Protection Act. People are very divided over this bill. I break down what the bill really says and what the two key issues of contention are that Congress needs to get its act together and find a compromise on.
Monday, April 30, 2012
New Blog on InfoSec Island
I have some very exciting news as I now have another blog on InfoSecIsland.com. My first blog was published today and is entitled "Procrastination in Legislation". I hope you will check it out!
http://www.infosecisland.com/blogview/21135-Procrastination-in-Cybersecurity-Legislation.html
I will continue to blog here as well but the topics will be more diverse than just technology. I will always let you know when I have a new one posted on InfoSec Island too!
Wednesday, March 21, 2012
Cut out your scar tissue obstacles.
It is amazing to me the impact an obstacle can have on someone's effort towards something they really want to achieve. So many people give up and see the goal as just unachievable or too hard. I am here to tell you, it is worth fighting to find a way around or through or removing that obstacle. You have to be stubborn - don't take NO for an answer. You will fight through some extremely frustrating and maybe even painful times but in the end, when you achieve that goal, trust me, it will all be worth it.
You may wonder why the heck am I yammering on about "don't let go of your goals" or "don't let an obstacle get in your way"...I hear ya...yeah, yeah, yeah Oprah, sing those optimist psalms. So why have I all of a sudden gone into the business of positive thinking blogging? No, don't worry, I have no intention of quitting my day job but I have had some time to THINK about my day job recently and reflect upon obstacles.
Some of you may know that I had my knee replaced 2 years ago. Please do not tell me I am too young because I have to hold myself back from punching people who say that - see, not a "self-help speaker" do I make. I mean really...I am too young...you don't say. I digress. Some may also know that I have had a bit of a rough go of it with this new knee of mine. Let me tell you. It is really hard to convince people how much pain you are in. Trust me, I am fighting the VA Board of Appeals right now on that very issue. How do you score how bad your pain is? We all know that stupid "from 1 to 10...how bad is your pain" scale, right?!...um, I don't know, 15? I mean really, I just may be a whole lot tougher than you, big wimpy VA claim reader, and think my pain is a 5 when you would think it is a 9, but those damn numbers matter when it comes to a lot of things, it appears.
So, back to my knee. Over the last year, I have been in an incredible amount of pain and losing flexion as each day went by. You don't really appreciate how important it is that your knee bends until it doesn't. I went to my surgeon who said it was part of the process, but I just knew something was not right. I had to get a second opinion. I went back to physical therapy - more like physical torture - sessions but still, that stupid knee would not budge past 90 degrees no matter how many people tried to bend it (while others had to hold me down because the pain was so extreme).
There was a definite obstacle. Some would have just decided that was how it was going to be and lived with all that pain and lack of motion. Heck, even my new doctor told me that the last thing they would want to do to someone my age (yep, there it is again) would be a REVISION of a total knee replacement, but I would not take no for an answer. I knew something was wrong, and dammit, I wanted it fixed. My doctor ran the tests and decided, yep, better do the revision. He figured some part had to have come loose and would have to be replaced. So though things were crazy at work and not exactly the best time for me to take a hiatus from the office and leading my team, I decided to have the surgery. Now trust me, this is not an easy decision for me since I cannot take pain killers. I knew life was about to totally suck for a while.
Fast forward to after the surgery. I am in recovery, and my doctor comes to try and have a coherent conversation with me. What he said though popped me right out of the anesthesia. He said the replacement was fine but there was a "wall" of scar tissue that was blocking the knee. He said they had never seen anything like it - he wished he had a camera to video it (yeah, so do I - yes, I am one of those gross fascination people who gets pictures for her medical records of surgeries). As soon as this obstacle was removed, the knee worked perfectly - bending to 120 degrees after being closed up. I almost leapt from the bed and hugged the man (people would likely have looked at me strangely at that point...my gown not exactly all secure in the rear ya know). I was immediately put in a machine bending my knee 90 degrees for almost the first 24 hours. Seriously!! I had not bent it that much without excruciating pain for almost a year, and it was working with hardly any pain at all. Here I am, 1 week after surgery, and bending 105 degrees. I could almost dance if I did not want to go and screw up this miracle.
<exhale> I know...long story short but one I wanted to share because it speaks volumes about obstacles. Here I had this high tech knee that just would not work at all and not because of something wrong with the knee but rather an obstacle my body had created for some Murphy's Law reason. Now that it is removed, I just know my goal of getting back to having a normal life (until my left knee has to be done) can be achieved. I am so thrilled I am like a kid at Christmas.
All this made me think about work. There are SOOOOOO many obstacles to information sharing - especially between the government and industry. It is what I work on every day. It is what I am PASSIONATE about! I truly believe that building a trusted community of knowledge is what we need in order to get ahead of this ever present cyber threat that is draining industry and government alike of precious resources every day.
There are so many obstacles to just getting things done in the government, with DHS being a special case in and of themselves. So many people give up and say it is too hard (hence the recent parading of leadership out the door). They say, "I am going to go at this myself," or go to industry or find greener pastures. I am here to tell you, as I have shared the wise words of one of my mentors before...the grass is not always greener, it is sometimes just green.
We cannot give up when these obstacles pop up or when people say it cannot be done. Don't let the "NO" people determine the future of your goals. Be one of those people who pushes back and says, "NO person, either you help find a way that we can or get the heck out of my way." If you work hard enough, and try to find ways to remove or go around an obstacle, you will find those very painful efforts on the other side to be so rewarding. Now, the reward may not be finally being able to walk downstairs like a grown-up again, as it was in my case. I mean, that one is really hard to beat. It will be worth it - and when you really start digging to find what that obstacle actually is, you may find it has nothing to do with the problem at all - it may be something that is only there because you are allowing it to be there.
Cut out that scar tissue and get your knee bending again. Okay, we now return to my regularly scheduled, non-inspirational blog programming. :o)
--Michelle Valdez
Saturday, March 3, 2012
Incredible Keynotes from Final Day at RSAC
The first keynote yesterday was with Hugh Thompson, Chief Security Strategist, People Security, and a couple of guests, Dan Gardner, author; and Frank Luntz, President and CEO of Luntz Research and Pollster/Political Consultant. Hugh's focus was all about how we make decisions. As he put it, "we confess to the web," so it knows more about us than even our best friends do. So how and why do we make the decisions we do on what to post, what to buy, what not to buy? He talked about the targeted marketing you see when you do Google searches and whether that has an impact on our decisions.
His first guest was Dan Gardner who writes about the different biases and unconscious thoughts that go into our decision making processes.
The next guest was Frank Luntz. First of all, this guy is frickin' hilarious!! No doubt you have to be to work anywhere near politicians. He had some incredibly insightful ways of capturing the same concepts we talk about every day but in different terms. Below are some of the key soundbites that I felt were worth passing on:
When asked how we can do a better job of communicating to our customers what IT security is really about, Frank suggested, "we sell security but should really be providing Peace of Mind...the literature doesn't show that. Security means there is a threat and [that is what the literature addresses]. Peace of mind means that we have solved those threats so they can breathe easier now."..."We save people their jobs or if you screw up, you cost them their jobs. They don't have to be afraid because they have someone 'protecting' them now."
Hugh Thompson said that ultimately, what the marketing is trying to say is, "we sell stuff to stop you from getting hacked badly and/or getting fired," but how can that be said more effectively?
Frank suggested, "I get the challenge" - describe the nightmare without going too far.
"We've done it before and here is how we have done it"
He talked about the importance of protection - how do you know when you turn on the computer, your company is protected.
Hugh asked Frank what horrific name we should keep in reserve for the next super virus, for an extreme emergency. Frank said that is not the right approach. We should rather take the opposite approach. "The loudest sound that I can make is when I bring my voice down and speak quietly... the loudest sound is silence. With everyone shouting, the quieter approach is the competent approach. You shout if you have nothing to say. You are quiet if your work speaks for itself."
Finally, he talked about how he wished there was a way to communicate to kids in the 10th, 11th, and 12th grades to teach them about the professions and ideas out there and the things that they could do to be successful. If you have been reading my previous blogs, you know this is a recurring theme. It really has me thinking about what possible solutions there could be to this. I believe there are some real potential opportunities here not just at the high school and college level but with those in the work force who are looking for the right opportunity to break into this field but just do not know how to do it. The closing video for Sal Khan's presentation about the Khan Academy was a gentleman who I believe was in his 30s and who, because of the Khan Academy, was going back to college to become an engineer. He used to be a saxophone player. It goes to show that anyone can learn something if they are motivated, passionate, and have the right opportunities to do so.
Now on to the second keynote. As you can see from the picture below, it was the Former Prime Minister of Great Britain and Northern Ireland, Tony Blair. He is sitting here below with Art Coviello EVP of EMC. They have not yet posted his presentation - I really do hope they do as it is well worth the watch.
I was rather impressed with how genuine he came across throughout the presentation. He actually seemed nervous to start out, an emotion I completely related to, as speaking in front of a room full of incredibly intelligent and talented security professionals is definitely intimidating - obviously, no matter who you are. I was also quite moved by how emotionally passionate he is about the Middle East peace process. He has been to the Israel/Palestine area 75 times since leaving office, 8 of which have been in the past couple of months.
He opened by admitting he is technically challenged to say the least. Quite a thing to admit to this audience, especially right out of the gate, but I really admired that he did not get up there and read some speech a techie staffer put together about technology that he knew nothing about just to pander to the crowd. Instead, he spoke of those things that he was well versed in, passionate about, and which DO have a major impact on all of our lives, and definitely on the technology world. I was disappointed to see a lot of tweets after criticizing the fact that he was not technical and did not speak about technical stuff. I think they missed an opportunity to really hear from a brilliant politician who even after leaving office, is committed to the stability of this world's economy and security.
He discussed the economic crisis and how we need to bring people together - government and industry - and refashion the way we work and live. Government will need to play a role in this but industry will ultimately need to lead the change. I got a text from one of my friends at this point saying he is preaching my issue...and he was. He, like so many other speakers this past week, talked about the criticality of industry and the government coming together and working to solve the issues of the economy and security because neither can do it on their own.
I was hoping to watch this again as I know I did not quite capture the quote correctly, but he was talking about the role social media has played in the revolutions in the Middle East and how it in and of itself is a revolution. It is a tremendous instrument of protest but not one that government has learned how to properly leverage, to its detriment. He said he believes that democracy will eventually reach the entire world - quipping that no democracy has ever decided not to be democratic. He said that democracy is not just the freedom to vote but the freedom of expression.
After his individual presentation, Art Coviello asked him a bunch of questions. The one I felt really worth capturing was when he asked Tony Blair what would be the one piece of advice he would have for the members of the audience, understanding that we are professionals responsible for securing information and technical infrastructures from cyber criminals, terrorists, cyber espionage, and fraud. His advice was simply - "Be Successful!" It was succinct and simple yet, I felt, rather powerful advice.
This was truly an amazing conference. I had the opportunity to listen to some unbelievably talented professionals who are committed to ensuring that we do everything possible every day to secure our networks. I met some great security professionals that I hope I have the opportunity to work with and collaborate with going forward in our shared endeavor to protect critical infrastructure. I left inspired that I am making a difference and with new ideas of ways I can do even more. Thank you for all those who inspired me and for being a part of a community that I consider myself incredibly blessed to be a part of. I wish everyone safe travels home. My prayers are with all those families who were in any way impacted by those storms yesterday.
RSAC has come to an end on an amazing note
RSAC has ended, and I am now on the LONG flight back to the east coast from San Francisco. I was just plain exhausted yesterday so decided to put off this blog to today since I knew I would be stuck in this barely 12x12 seat for over 4 hours. They announced when we first got on board that the wifi was not working...that would have totally sucked. Luckily, they seem not to know what they were talking about as mine is working just fine. Let's hope it stays that way!
Yesterday was by far one of the best days of the entire conference. Now, part of that may be that I was actually able to take in several of the sessions, and both of the keynotes were excellent! I also was able to see a presentation from one of my favorite hackers, Jeremiah Grossman. I really think his mission to try to teach as many people as possible the skill he has is admirable. I thoroughly enjoyed his presentation and hope that he continues on his goal, including the possibility of partnering with the Khan Academy (see previous blog on Day 3 -- Amazing non-profit organization!!). If you are on Twitter, I strongly recommend following him at @jeremiahg. I am always impressed that he takes the time to answer questions that are sent to him. I am glad I had the opportunity to meet him.
Speaking of Jeremiah's presentation, he made some very interesting points. In relation to all these sensationalized reports about the Internet being brought down by hackers, he said he is more concerned about the Internet staying up than going down. The bad guys need the Internet to do whatever attack they are planning to do. If it does go down, he believes that would be a prelude to a physical/kinetic attack. I am most impressed by his "Hack Yourself First" concept. He briefed this at the TedxMaui event in January. I am looking forward to that video becoming available to watch. Big companies like Google, Mozilla, and Facebook pay hackers for cross-site scripting bugs. It is far better for you to find the vulnerabilities and fix them before the bad guys have the opportunity to exploit them. This is why he is so dedicated to teaching people how to hack.
We need far more trained people in the computer security fields than we currently have. The numbers are factors of ten below what is needed. Several presentations this past week talked about the need to train more people and the need to grow this community. I think it is not just about targeting schools and training young people in these fields but also about reaching into the current market and targeting other skills that would be useful. Art Coviello's example, which I discussed in my day 1 blog, is a perfect example. Our job market is being flooded with young troops leaving the military with great strategic skills but not tactical skills that translate to anything in the civilian world. They are great targets of opportunity. There are just not many resources for them to learn the right skills to break into this field. I did not start in this field and still strive to grow my technical skills in any way possible. Unfortunately, my Masters program did not provide the training I had hoped it would, so now I am looking for any and all opportunities to do that. I believe that people like Sal Khan and Jeremiah could team up to come up with programs for military members to learn these technical skills (and people like me - I left the military and was fortunate enough to find an opportunity to break into the cyber security community and have been so passionate about it ever since). It is a serious gap that no one has really found a great way to fill without charging an astronomical cost which most of these young troops could never afford to pay.
The next session I attended was Mark Russinovich's session about Zero Day Attacks. His new book is out, and the premise of his presentation was whether it is viable, feasible, and desirable for a terrorist to conduct a mass zero day attack with the goal of major destruction. He walked through the entire scenario - which quite frankly is pretty scary - and basically the conclusion is that it is in the realm of possibility. These exploits are sold, and with the right motivations, the vulnerabilities to exploit are definitely out there within our most critical systems. Pretty damn sobering if you ask me. All the more reason I believe we need more people in this field. Starting to see my theme here...I definitely am adding his book to my list to read.
I am going to save my write-ups on the keynotes to later as I actually want to watch both of them again...they were really that good. I took copious notes and there were just some excellent soundbites that I want to ensure I correctly captured so stay tuned.
Thursday, March 1, 2012
Day 4 of RSA...Almost at the End
So, first of all, I did not miss a day yesterday for those who are keeping track...I just did not make it to any sessions so I had nothing to write about. I was in meetings all day which of course is half the reason people come to these conferences...well, in some people's cases, the only reason. I had some great meetings with critical infrastructure companies about information sharing.
Today was definitely a different day. No meetings (no complaints about that either) so I was able to take in some sessions. There are a few that I will highlight here. I will say I am about to fall over. It is amazing how much walking you do for these things. The expo closed today - it was definitely the most insane one I have ever seen. I did not win the Ferrari...dammit!!
So the first session I want to summarize was about Cyber Incident Centers and information sharing. Obviously, you are seeing a trend here. Information sharing was definitely a major theme of this conference, though not every session that was supposed to be about that ended up being so. This one was actually excellent. I think that Lee Rock did an amazing job talking about how this is not just a US issue but rather a global one. Pete Cordero with the FBI talked a lot about how the NCI-JTF is working with both the government and industry to improve the sharing of the information they are receiving.
The panel was moderated by retired Adm Mike Brown. He did an excellent job of moderating as he asked some very relevant questions and made sure the audience too had the opportunity to ask some as well. He opened by asking each of the panel members (Ms. Robideaux from NSA; MGen Lacquement from US CYBERCOMMAND; Pete Cordero from FBI; and last but certainly not least, Lee Rock from US-CERT) to give a quick overview of issues that are important to them. NSA said the evolution of the threat to a more disruptive and possibly destructive threat is what they are concerned about. FBI talked about some of the recent investigations that they had been involved with. Lee talked about how cyber threats are a global problem which require a global response. US-CERT is engaged with the international CERTs and law enforcement agencies. He also discussed briefly how they are facilitating information sharing across multiple sectors. Finally, he said the government agencies need to ensure they are always working together so that when industry "calls one, they all of us." MGen Lacquement discussed US CYBERCOMMAND's mission and their planned development of the joint operations center (JOC) in FY14.
NSA was asked about how they are connecting and working with other agencies. Ms. Robideaux talked about the NTOC's "team cyber" and the several different collaboration opportunities they facilitate regularly. She also discussed the "cyber alliance portal" where actionable indicators and warning information are available (yet only on classified systems, which begs the question, how actionable is the information then...). FBI was asked the same and discussed the InfraGard program and collaboration with the National Cyber Forensic Training Alliance (NCFTA).
A question was asked by the audience about suggestions for creating a small information sharing and analysis center (ISAC). Lee stated there does not need to be a heavy investment in a formal ISAC. He talked about how there are many informal sharing groups across industry which have been the kernels to the more formal relationships. The key is trust and that "you have to give to get" - so bilateral sharing means just that.
The last question that was asked by Adm Brown was "what will success look like to you?" US CYBERCOMMAND stated moving the ball down the court with regard to sharing relationships within the government along with the FY14 completion of the JOC. Lee Rock said that success means bridging the gap between the public and private sectors - building trust to increase sharing so that actions can be taken. FBI said success would mean them taking more actions on intrusions and moving from a reactive to a preventive mode. NSA said changing from reporting victims of attack to using SIGINT and intelligence authorities to create proactive actionable plans to go after the threats.
There were two keynote speakers from today that I felt were excellent - the other three were like putting needles in my eyeballs, but I am so glad that I did not leave as I would have missed the last one which to me was the best of the day! The first keynote was Robert Mueller, Director of the FBI. I don't have as many notes on him as I actually sat Tweeting soundbites the entire time as I felt they were worthy of that. So below are the tweets I sent out:
- Terrorists, state-sponsored intruders, "for profit" hackers, insiders, and activists are the most dangerous to cybersecurity today.
- Terrorism is still the FBI's number 1 priority, but he believes in the not so distant future, that will be replaced by cyber threats.
- We need to break down the walls for sharing the same way as was done for counterterrorism data across industry, government and law enforcement.
- FBI does not want industry to feel victimized again because they reported an intrusion to them.
- There are only two types of companies - those that have been hacked and those that will be.
Finally, and last but not least, was the closing keynote for the day. Sal Khan, the Founder of the Khan Academy, gave the background on how the not-for-profit program came to be. Let me tell you - this is one inspirational story that I in no way could properly do justice. If there is one keynote that I would say is WELL worth watching, it is this one, especially if you do not know about the amazing things that this new approach to teaching our young people and adults alike is accomplishing. This will definitely be on my list of annual charities from now on. Please take the 30 minutes if you have the time and be inspired by the change that this man is bringing to the world. It is not often that you sit and listen to someone and just know, you are listening to someone who will truly make a global change. It was awesome!
http://365.rsaconference.com/community/archive/usa/blog/2012/03/01/video-rsac-us-2012-keynote-focus-on-innovation-putting-breakthrough-thinking-into-action--sal-khan
Tuesday, February 28, 2012
Day 2 - Opening Ceremonies and Public/Private Sharing
So far, so good, in keeping my plan to blog each day...I mean, hey, it is just day two but two days in a row is better than missing my goal on day two. It was a ridiculously long day and here I am all ready to crash for the night, and it is barely 8pm. There are people who stay out all night every night....don't know how they do it other than they must be missing out on some of these presentations and sleeping.
This morning included the opening ceremonies and keynote speakers to kick things off and who better to do that than Art Coviello from RSA with some mea culpa on the events from last year. There are some good sound bites here though that I think are definitely worth sharing, and if anyone in the audience was paying attention, then hopefully they will heed some of the call to action. All the keynotes are up on the RSA website (http://365.rsaconference.com/community/archive/usa) so if you have the time to check them out, definitely do...otherwise, I will summarize those that I sat through...of course, duty called and I had to step away and missed the last couple of them so you are on your own there.
First off, they opened with a cyber geek version of "You Can't Always Get What You Want". I am sure they have the changed lyrics out on the web already...it was pretty amusing though with a church choir and two lead singers singing away about things that I know they likely had no idea about. Made me chuckle first thing in the morning. Then Art Coviello came out to talk about expanding trust and confidence in the digital world. He stated consumers are adopting technology faster than government and IT can absorb. We are well past the "tipping point" where the physical and technical world can be separated and where personal and professional lives are kept apart. He said that he has never sold on a basis of fear and never intends to but acknowledged that the industry has been going through hell in the last 12 months and that RSA personally feels responsible for that. They want to apply the lessons that were learned first hand from last year's events to drive strategic and technology roadmaps.
Some key quotes from his presentation were:
"An attack on one of us is an attack on all of us." These attacks are being used as stepping stones to gain access from one victim to another.
"Accepting the inevitability of compromise does not mean accepting the inevitability of loss." Just because they can get in does not mean you have to allow them to take anything out. You need to understand your internal assets and environment along with leveraging external intelligence sources. Using the "big data model" (a common theme throughout this conference thus far by the way) allows you to shrink the window of vulnerability.
"We need to champion and develop a new breed of cyber security analysts ... who are offensive in mindset." He stated that we need to leverage the talent in the military - not just cyber expertise but intelligence and other strategic fields where their knowledge can be applied to cyber. I applaud him for encouraging this idea as I am a huge supporter of finding jobs for our Veterans who are leaving service and having trouble translating their skills to the civilian world. He offered a way to do just that - looking at what they do on active duty and how very applicable it can be to this career field.
"People are refusing to wait for a top-down approach from government or industry to start sharing." Grassroots organizations are forming to share actionable data. Those organizations are starting to not just share within their groups but across other groups. He stated we need to encourage and participate in these efforts along with the ISACs to share with DHS, who can serve as the clearing house across industry and the public sector. RSA is taking this challenge and revealing this week new technologies for sharing within trusted circles.
He closed with a quote of Justice Oliver Wendell Holmes to Franklin D. Roosevelt - "In a war, there is one thing to do - form your battalions and fight." He used that as the call to action to the audience that we all need to come together as a community to fight the common enemies. "The knowledge gained by any one of us can become power for all of us."
The next keynote was Scott Charney with Microsoft. I only caught the first part of this presentation but again, there were some key takeaway points worth sharing. "Strategy is just thought. Proof you are implementing that strategy is your products and services." This really resonated with me as I am a strategist but always need to remember that no matter what strategy I may develop, if it is not implemented, then it is nothing. He too talked about big data - this is definitely a common theme of this conference.
The last session that I feel is worth capturing notes on was the Public/Private Sharing panel discussion which opened with Howard Schmidt and included Mark Weatherford, DHS; Richard Hale, DoD; Patrick Gallagher, NIST; and Deborah Plunkett, NSA. First of all, I may be a little more critical of this panel because it happens to touch right on what I do. The biggest disappointment, I think, was that there was very little discussion really about public/private sharing. Sure, each of these had the opportunity to summarize what their priorities and current initiatives are, but there was no time for questions to allow the private sector to have any input into the session. Also, it was four separate agencies talking about their four separate programs, and though they tried to say they are all working together, it certainly was not presented as a united front - what it should have been was, "here we are, the public sector, doing the following things together with private sector...any questions?" Instead, it was an infomercial for what each of them is doing and in some cases (<cough...NSA...cough>), what they think should be done, which competes with what everyone else is doing.
Mark Weatherford really plugged the National Cybersecurity and Communications Integration Center (NCCIC) which is great except he did not really plug what ICS-CERT and US-CERT are doing, which is really where the sharing is beginning to take hold (in ICS-CERT's case, it has been there for quite some time). Lots of talk about continuous monitoring of government systems...and this matters to the public/private sharing initiatives why??? Richard Hale said, and I quote, "we share data from the DIB pilot out to the other government agencies and are trying to figure out a way to share that data out to critical infrastructure." He is on the record. Then he later said it again - the expansion of the DIB program with the Federal Rule coming out for public comment will be done "in partnership with DHS." Gallagher discussed their new initiatives, including a new cyber center that will be focused on technology R&D around use cases. Honestly, I did not capture any takeaway points from Plunkett but that may be because I felt she was trying to get the jabs in there about how it should be NSA's mission - subtly but still there for sure.
The other sessions I attended today were not really worth summarizing. Interesting but no real takeaways. I also spent quite a bit of time, as my poor feet can tell you, walking around the unbelievably overwhelming expo hall. It is just sensory overload. I mean, there are companies giving away race cars, Ferraris, all-expense-paid vacations, iPads, computers, TVs, you name it and someone on that floor is giving it away. It is just insane. Me, I got a couple of free t-shirts and learned about some pretty darn amazing technologies that have been developed.
So if you are still awake, and quite frankly, cannot believe that I am, hope the summary and soundbites were of some interest. Lots of common themes going on - big data; the community must come together and share; automation is required; and the cloud. At least I have really felt like what we are working so hard on every day - painfully sometimes due to all the politics - is on track with what these attendees see as what is necessary. Now, if we could only just get them to put up the data they all think needs to be shared...that is going to be a longer process. One step at a time though. To coin one of the quotes above....we are still putting together our battalions.