CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Bob Gourley

Bob Gourley

List of Cyber Threat “Wake-Up Calls” Growing: Policy makers have been hitting the snooze button since 1970

The list below is an update to our reference of “Cyber Security Wake-Up Calls.”  What does it take to be on the list? Generally each of the events below was so significant policy makers were loudly proclaiming to all who would listen that they were a wake-up call. This means there are reflections in public policy documents, speeches and the press that cite leaders using the phrase.

The list below is not all cyber incidents. And the list does not capture the full lessons or nuances of the event. But it should make a clear point: there is something about human nature that causes people to forget the cyber threat. We call this situation Cyber Threat Amnesia.

I believe there are cures for Cyber Threat Amnesia, and I think those cures might come with education, training and awareness (helping address Cyber Threat Amnesia is a key reason we wrote The Cyber Threat). Unfortunately recent events like the deep penetration of U.S. government systems and theft of records on almost every government employee make it clear that more needs to be done in raising awareness in the minds of senior executives.

For now, resolve yourself to this observable fact: Our history indicates cyber security events frequently cause action and remediation and get widespread attention. But soon after the attempt to remediate, organizations collectively forget about the threat.

Here is an updated list of major events. This is not all major events, just those widely reported to be “wake-up calls” for the nation.

Cyber Threat Wake Up Calls

  • 1970 and 1971 – The Defense Science Board publishes what will be known as the “Ware Report” highlighting the potential dangers to department information in the coming age of connected computing. This report was widely seen as a “wake-up call” for computer security and caused changes at institutions like the National Security Agency to enhance the departments security posture.
  • Nov 1988 – The Morris Worm was released and propagated throughout internetworked systems including those of the federal government. This “wake-up call” resulted in establishment of computer response organizations throughout DoD and also resulted in increased funding for computer security research being provided to academic organizations and institutions. The CERT/CC at Carnegie Mellon University was funded.
  • 1995 – The President’s Commission on Critical Infrastructure Protection (PCCIP) was widely regarded as a “wake-up call” for the entire federal government and since it was extensively coordinated with industry and academia was also seen as a way forward in cybersecurity for the entire nation.
  • 1997 – Deputy Secretary of Defense John Hamre was quoted as saying “Solar Sunrise was a wake-up call for DoD.” This activity resulted in increased funding to cyber defense organizations and the creation of a new joint activity called DoD’s “Joint Task Force Computer Network Defense” or JTF-CND (Bob Gourley was first Director of Intelligence (J2) there).
  • 1998 Assistant Secretary of Defense Art Money was quoted as saying “Moonlight Maze was a wake-up call for DoD.”  This activity resulted in enhanced counterintelligence resources and more information sharing across the DoD law enforcement and counterintelligence.
  • 2009 Director of National Intelligence Admiral Blair testified that “Buckshot Yankee was a wake-up call” for the government. This activity resulted in more awareness and more funding for cyber security throughout the federal government.
  • 2010 Deputy Secretary of Defense Lynn writes that “Google’s Aurora attacks were a wake-up call for us all.”  This wake-up call resulted in stronger, deeper coordination across the federal space and underscored need for a DoD strategy.
  • 2011 Deputy Assistant Secretary of Defense Bob Butler says “Wikileaks was a wake-up call for DoD.”   This wake-up call resulted in significant activities and planning across the federal space aimed at enhancing security of information from disclosure.
  • 2012 Sep, In one of the most destructive attacks against computers noted against any company to date, Saudi state-owned oil company ARAMCO had data destroyed on over 3/4 of their companies computers. The NY Times reports this as a “wake-up call” and attributes intelligence officials (including General Alexander) with that assessment.
  • 2012 Oct, South Carolina Gov Nikki Haley announced a massive hack into state websites. The Gov offered the excuse that these attacks are increasingly common. Reporters suggested this be her “wake-up call”.
  • 2012 Oct, Secretary of Defense Panetta issues what he said is a “clarion call” for American’s to “wake up” to the growing cyber threat.
  • 2012 Nov, Former Director of National Intelligence McConnell provides “wake-up call” warning of a potential 9/11 type attack via cyber.
  • 2012 Sep, Department of Energy issues a report on internal cybersecurity practices. This report by their internal inspector general was reportedly seen as a “wake-up call” for the agency’s cyber security group.
  • 2013 Jan, New York Times acknowledges hacks into its papers by Chinese sources. This was widely reported as a “wake-up call” for security experts in media.
  • 2013 Jan, Twitter was hit by a major hack in what security experts called a “wake-up call” for the ecommerce and social media community.
  • 2013 Jan, Attacks on US banks called a “wake-up call” for the industry by cyber security professionals.
  • 2013 Feb, Anonymous attacks against Federal Reserve investigated by FBI. Compromise, called a “wake-up call” compromised data from the Fed’s Emergency Communications System.
  • 2013 Feb, Chairman of the House Intelligence Committee expressed confidence that the hackers recently targeting newspapers and other companies would soon “wake-up” Washington on cybersecurity.
  • 2013 Feb, Mandiant releases a report exposing one of China’s Cyber Espionage Groups. This report, widely considered one of the best articulations of the threat, resulted in significant positive awareness on the seriousness of the threat and was widely called a wake-up call. We believe this is one of the best pieces of cybersecurity research ever produced by an independent company, and we know it is making positive, virtuous change. We hope this goes a long way to really being the wake-up call we all need.
  • 2013 July, Snowden insider attacks declared a “wake-up call” in Bloomberg report.
  • 2013 Nov, Australian newspaper cites Melissa Hathaway stating “We haven’t had our big wake-up call yet and I’m hoping that we’ll address the problems before we have a wake-up call.”
  • 2014 May, When Target CEO Steinhafel was forced out of his position for the late 2013 attacks this was called a wake-up call for CEOs.
  • 2014 Oct, Attacks against JP Morgan and loss of 76 million records called a wake-up call for the industry
  • 2014 Dec, Sony hacks called a “wake-up call” for industry by Fortune and US leaders.
  • 2015 Feb, Anthem attack and loss of 80 million records called a “wake-up call to step up cybersecurity”
  • 2015 Feb, National Association of Attorneys General declares attacks against state governments a “wake-up call”
  • 2015 May, IRS breach and loss of taxpayer personal info called “the latest cyber wake-up call”
  • 2015 May, The VC investment and tech communities should especially take note to the “huge wake-up call” issued by Mary Meeker in her annual Internet Trends report.
  • 2015 June, OPM loss of 4 million records of government employees results in latest wake up call. In a statement which stretched the truth further than saying this was a “wake-up call” OPM director Archuleta said that “Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM.”

Of course the reason to publish this list is not to make fun of people for using the term “wake up call.”  The reason to publish the list is to get your brain deeper into the game. Maybe there is something you can do to prevent Cyber Threat Amnesia.  Maybe you can suggest action to current community or government or business leaders? Or maybe you can find ways to educate policy makers or Congress or the American public? Or maybe you have other ideas for stopping this madness of forgetting about the threat.

We certainly want to do our part. We will keep writing about cyber issues here. And we will continue to publish items for awareness in our OODA Daily Pulse.

Let us know if there is more you think we can do to strategically raise awareness of this threat.  We are open to all ideas.

For more see:

For more on these topics see the CTOvision Guide to National Security Technology and

Airbus confirms software errors/configuration brought down A400M transport plane

airbus_a440mThe Register is reporting that badly configured software, installed incorrectly, is responsible for the crash of an Airbus A400M transport plane. Engine control software, installed wrong, was to blame.

The A400M crashed just after takeoff on its first real production test flight, 9 May near Seville’s San Pablo Airport, killing four.

For the initial report on the software  see: The Register.

For more background on the crash see: Wikipedia.

For more see:

CTOvision Interviews RADM Paul Becker, Director for Intelligence, Joint Chiefs of Staff, On The Cyber Threat

Rear-Admiral-Paul-Becker-Joint-Staff-J2We recently had the opportunity to interview the Director for Intelligence (J2) for the Joint Chiefs of Staff, RADM Paul Becker, USN.

RADM Becker has served in this position since September 2013. The Joint Staff J2 is a position requiring a constant awareness of the day-to-day threats to the nation. Becker had the perfect background for this position, having served in a similar capacity at the United States Pacific Command, the combatant commander with the largest area of responsibility in the U.S. military. He has also served in operational positions leading large intelligence activities forward in Afghanistan and in many other hot spots around the globe.

Our questions of RADM Becker centered around the cyber threat from the high-end actors. Our dialog is captured below:

Gourley: There is a school of thought that says in cyber security the adversary does not matter. Since identifying who is attacking is hard, the most important thing is to just defend against everyone and patch everything. Is this consistent with your view?

Becker: I would never advise to leave systems unpatched. History is pretty clear that not paying attention to your own systems is setting yourself up for failure. But studying the potential adversaries in cyberspace can help you prepare in other, more strategic ways. Studying adversaries and what they want can inform key decisions before and during attacks.

Gourley: Every potential adversary out there has savvy computer scientists and advanced technologies and research organizations that help them develop advanced attacks. Are those the kind of things you mean we should be studying?

Becker: When it comes to threats, we too often focus on adversaries’  “What” and “How” … “What [are they doing]?” and “How [are they doing it]? … That applies in conventional kinetic or territorial scenarios, and it’s my experience the “What are they doing” and “How are they doing it” dominate discussions in cyber scenarios as well.

I’d like to focus on the Why … “Why [are they’re doing it]? … Which delves into understanding adversaries’ grand strategies, and why they employ cyber actions, particularly against our business sector.

Gourley: Who are the high-end cyber adversaries we should be learning more about?

Becker: I’ll list four: China, Russia, Iran, North Korea.  The Chinese in particular are cleaning us out in the aerospace world by exploiting well-known vulnerabilities … and those vulnerabilities are eroding our aerospace dominance. It’s not that we lack the ability to engineer the best designs in the world. It’s that too many of those key components are stolen via IP theft before they are even brought to market, thereby damaging our national advantage. Meanwhile, according to the DNI’s congressional testimony earlier this year, Russia remains the most sophisticated threat across the cyber board, while Iran and North Korea are less capable but more unpredictable and aggressive.

Gourley: You mentioned China, but can you give any insights into why their approach to the Internet differs so much from the U.S. approach?

Becker: The U.S. vision for cyberspace and the Chinese vision differ significantly. It is an important dichotomy to understand.

In the US-published International Strategy for Cyberspace, cyberspace is seen as a seamless landscape of global networks that is interoperable, open, secure, reliable and based on norms of behavior (respect for private property, personal privacy, protection from crime). Most importantly, it grows and develops though worldwide multi-stakeholder governance instead of through top-down control. On the other hand, China views cyberspace sovereignty as an extension of their national sovereignty (that’s why they have a “Great Cyber Wall”). In their vision of cyberspace – and the Chinese have a Cyber Strategy as well – the Internet is controlled through state-centric governance, with authority resting with the United Nations, where decisions about the Internet will be made with each country having one vote. The Chinese vision for cyberspace shapes the internet in a way that first and foremost ensures survival of the ruling Chinese Communist Party (CCP) through two pillars; 1) economic growth, and 2) internal stability … 1) ECONOMIC GROWTH – keeping the economic machine moving forward is the prime directive … the ends justify the means … it includes industrial espionage which in turn helps modernize the PRC military and prevent U.S. intervention in Asia, and 2) INTERNAL STABILITY  … which includes propaganda and targeting domestic sources of political unrest (read: firewalls to prevent infiltration of foreign influence, intrusive monitoring of the population, and hacking of foreign people’s emails and websites to help enable their hunt for internal dissent).

Gourley: It is pretty clear the U.S. and most other nations are NOT going to adopt the Chinese vision for the Internet. But what are the odds that China will adopt our vision?

Becker: Our two nations’ visions for cyberspace are not congruent and not likely to become so. This is an important point to understand if we want to develop an optimal strategy to address challenges in the U.S. – PRC cyber relationship. We in the U.S. must first understand why China acts the way it does, and that calls for an understanding of Chinese motives and agendas embedded in their strategy. Authoritative Chinese speeches and writings consistently present the PRC as an underdog to the U.S. in cyberspace and in advanced aerospace platforms and weaponry … they consider us a “hegemon” in this sector; they see themselves as David to our Goliath. And therefore Chinese military theorists regard cyber warfare as an “assassin’s mace” weapon, a weapon that allows a weaker power to destroy a stronger one. Back to one of the CCP pillars; widespread Chinese hacking is not merely an attempt to gain economic or military advantage … It is considered essential to survival for the CCP. In order to achieve the strategic ends of the Chinese Grand Strategy for Rejuvenation, which includes a return to a centuries old position of preeminence in Asia – and with greater influence worldwide – the Ends (preeminence) justify the means (cyber actions against our aerospace sector). At this point the Chinese have no reason to change a strategy that is working in their favor. The Chinese comprehensive cyber strategy is just that; a comprehensive whole of government effort that includes military network reconnaissance, external diplomacy, internal security and international commerce. The Chinese hack because they feel they need to, and they’ve not incurred any costs for doing so that deter their activities, and therefore the U.S. can expect PRC hacking to continue and probably increase in the future.

Gourley: This last point is something that strikes me as important to dwell on a bit. You assess that PRC hacking will continue and probably increase in the future. So, it is not going to stop anytime soon, not matter how much the U.S. wants it to. So, any suggestions on what we do about those types of threat?

Becker: This brings us back to the opening point of the interview. Whether we are talking about China or Russia or North Korea or ISIS, we need to seek awareness of the adversary in ways that doesn’t just talk about capability, but motives. In the case of the PRC, U.S. policymakers and corporate leaders should be familiar with China’s Grand Strategy, and understand how their vision and strategy for cyberspace fits into that when adopting policies and practices aimed at mitigating the threat of cyberespionage or cyberattacks. The U.S. (including industry) should tailor counter-hacking solutions that impose costs on thieves. It’s my sense the current U.S. policy of seeking to counter widespread and damaging Chinese cyberattacks through promoting adherence to international norms and rules for behavior in cyberspace will not achieve great effects. I hope Chinese cyber behavior proves self-defeating. Economic transactions are ultimately about mutual benefit, and nobody should continue doing business with a partner who continually rips them off.

Gourley: What actions do you believe your assessments might motivate in industry?

Becker: You opened your questions on the topic of maintaining systems and that is absolutely important. Better defenses are imperative. But it is also important to put in place, better Information Sharing with those who can help: That is to say if you are in industry and being attacked and you know it, you need to be incentivized to ask for help. No one can beat an adversary like Russia or China alone. Tell the local law enforcement or the FBI that you’re being attacked. And call in professionals from industry who know how to rapidly assess and react to breach. Studying the high-end threat should also lead you to think through how to protect your most important data. Prioritizing protection around your crown jewels will enable you to mount a better defense and perhaps contain damage while you are signaling for help.

Gourley: What actions are being done by government that we should track?

Becker: Earlier this month, the Administration took definitive action by promulgating an Executive Order imposing sanctions against those who seek to undermine or hamper U.S. security through cyberattacks. I applaud that. And just last month, the Secretary of Defense announced the Pentagon’s updated Cyber Strategy. This is a good beginning and must be a critical part of a deterrence plan that wields all instruments of statecraft including political, diplomatic, economic, law enforcement and military capabilities.

Finally, I’d also emphasize practices that impose costs on thieves should be given extra attention and that includes “naming and shaming” hackers (such as Mandiant has done). I’lll leave you with some thoughts espoused by a cyber-savvy colleague, USAF Lieutenant Colonel Enrique Oti, currently a Fellow at Stanford University’s Hoover Institute; if we really want to deter a Chinese business from hacking our aerospace industry we have to personally raise the cost on the Chinese CEOs to such an unacceptable level that they won’t want to hack the U.S. again. Some examples of how to do this include; de-list offending companies from U.S. stock exchanges, seizing assets, freeze bank accounts, close U.S. subsidiaries, indict senior executives, ban travel to U.S. for company employees their families and remove their children from U.S. universities to name a few.

Steps like these will indicate we’re serious about cyber deterrence. To quote an oft-used Chinese proverb, sometimes you need to “kill the chicken – to scare the monkey.”

Gourley: Thank you Admiral Becker for your time and insights.

Becker: You are welcome. Thanks for spreading the word.

Cybersecurity and IT Standards and Your Enterprise

As we have noted in the past, “The nice thing about standards is that you have so many to choose from” teaches Andrew S. Tanebaum in his classic text on Computer Networks.

This adage is especially true when it comes to cybersecurity. We encounter so many standards in the corporate world that in so many cases they become totally ineffective. This is an area requiring continued technical leadership or it will have little impact. But with technical leadership, good security standards can make a world of difference.

Our recommendation is to focus on your business needs first, but then select the right body of standards for your organization and your mission. Once you select your corporate approach to standards, remember you will get what you measure. Enforce your standards.

Here is a high level overview of key cybersecurity standards:

  • Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG): A publication of best practices in cyber defense consisting of 20 key actions, called security controls, that can reduce/mitigate most threats. These are the easiest to understand, easiest to implement and most effective approaches we know of.
  • ISO 27001 and 27002: Focused on helping organizations manage the security of assets including financial information, intellectual property and employee data. If you are a large organization already working ISO processes this may be a worthwhile approach.
  • NIST Cybersecurity Standards: NIST has been contributing to best practices and standards for decades. Many of their standards, like their Special Publications 800-12 (overview of controls), 800-14 (common principles), 800-26 (management advice), 800-37 (Risk Management Framework) and 800-53 (security and privacy controls) are aimed at the federal government but can be instructive to companies. Their work on a Cybersecurity Framework is aimed to help industry find more common approaches and a common language for cybersecurity. The benefits of this cybersecurity framework to companies seems to be in helping get everyone on a common wavelength, including suppliers when enforced via contractual mechanisms.
  • COBIT 5: Tools, resources and guidance by ISACA.org. COBIT stands for Control Objectives for Information and Related Technology. This framework helps organizations leverage best practices in multiple domains including audit, risk management, regulatory/compliance, government of IT.
  • RFC 2196: Published by the IETF, so as you can imagine this is focused on policies and procedures for sites that have systems on the Internet (which means, by the way, all systems these days).  Written long ago but still so very valid.
  • ISA/IEC-62443/ISA-99: The International Society of Automation (ISA) Security Compliance Institute functions within ISA’s Automation Standards Compliance Institute (ASCI) to provide professional management of this body of standards, which focus on industrial automation control systems.
  • IASME: a UK-based standard for information assurance at small-to-medium enterprises (SMEs) based on best practices. Accredited by the UK Government. Supported by certification body companies that can audit and smartly aligned with cybersecurity offerings in ways that may prove to be especially virtuous.

Standards Bodies

It is also good to know your standards bodies.  Not every standards body deals with topics of interest to IT focused CTOs. The list below is an extract from the Wikipedia article that only has those groups I think are working topics of interest to CTOs.

  • 3GPP – 3rd Generation Partnership Project – Website
  • 3GPP2 – 3rd Generation Partnership Project 2 – Website
  • AIIM – Association for Information and Image Management – Website
  • ANSI – American National Standards Institute
  • DMTF – Distributed Management Task Force. develops and maintains standards for systems management of IT environments in enterprises and the Internet.
  • Ecma International – Ecma International (previously called ECMA). Computer standards with a business-like approach.
  • GS1 – Global supply chain standards (identification numbers, barcodes, electronic commerce transactions, RFID) – Website
  • IBTA – Infiniband Trade Association
  • IEEE – Institute of Electrical and Electronics Engineers – Website
  • IETF – Internet Engineering Task Force – Website
  • ISO – International Organization for Standardization – Website
  • ITU – The International Telecommunication Union – Website
    • ITU-R – ITU Radiocommunications Sector (formerly known as CCIR)
    • ITU-T – ITU Telecommunications Sector (formerly known as CCITT)
    • ITU-D – ITU Telecom Development (formerly known as BDT)
  • Liberty Alliance – Liberty Alliance – Website
  • Media Grid – Media Grid Standards Organization – Website
  • OASIS – Organization for the Advancement of Structured Information Standards – Website
  • OGC – Open Geospatial Consortium – Website
  • OMA – Open Mobile Alliance – Website
  • OGF – Open Grid Forum (merger of Global Grid Forum (GGF) and Enterprise Grid Alliance (EGA)) – Website
  • TM Forum – Telemanagement Forum – TMF Website
  • W3C – World Wide Web Consortium – Website
  • WSA – Website Standards Association Website

Government Privacy Standards

  • GDPR: The most famous of the government compliance standards.
  • HIPAA: Focused on patient data privacy.

A note about standards and meeting the compliance requirements of GLBA, SOX, HIPAA or PCI:

Staying in compliance with regulations and requirements of laws like GLBA, SOX, HIPAA or the important industry PCI guidance require constant technical leadership, and many of those requirements also come with specific technical guidance. However all give you a significant degree of leeway in how you meet the requirements. The standards we review above can help you address them. However, more important than standards are your management approach to cybersecurity. This is a favorite topic of ours and is squarely in the sweet spot of our risk mitigation work. We work with Fortune 1000 firms to evaluate management approaches and help meet the needs of compliance and at the same time improve cybersecurity support to business and mission needs. Contact Us for more information.

Special Standards for Federal Government Business Growth

The Three Key Concepts of FISMA, FIPS and FedRamp

FISMA – Federal Information Security Management Act – designed to increase security controls by creating auditable repeatable compliance processes. The reality? Has increased security processes, provides clear benchmarks, but creates mountains of extra work that many believe actually prevent IT professionals from doing their job.

FIPS – Federal Information Processing Standards – define key aspects of how information is used and disseminated government wide. Key standards are 140-2 (security requirements for cryptographic modules), 200 (minimum security requirements for federal information and information systems) and 201-1 (personal identity verification for federal employees and contractors). All the FIPS standards have importance, yet these three are most frequently encountered.

  • FIPS 140-2 is most often referenced in terms of mobile. It defines the encryption standards necessary for any device that will connect with systems such as e-mail. It also defines the encryption necessary to protect personally identifiable information (PII) that many agencies have in abundance.
  • FIPS 200 is plain and simple the federal requirements necessary for information systems. This defines security standards and more.
  • FIPS 201-1 defines how personal identity verification (PIV) systems should function (and who needs them). PIV systems are tethered to Public Key Infrastructure (PKI) encryption and can really provide enhanced security capabilities.

FedRamp – The Federal Risk and Authorization Management Program is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that has goals of saving cost, time and staff for government organizations making security assessments. Information on FedRamp is provided at the CIO.gov website.

 

Related Reading:

Technological Dimensions of Cyber Defense

ITIL for CTOs

 

Complying With Health Insurance Portability and Accountability Act (HIPAA) Security Rules

Complying with HIPAA security and privacy rulesHIPAA was enacted in 1996, and by April 2005 security standards were required to be in place for most covered entities. In 2013 key portions of this law were updated. This post provides an overview of key elements we believe security and technology professionals (and most citizens) should be tracking.

The technology and security communities focus largely on Title II of HIPAA, which provides changes to the law designed to reduce health care fraud and abuse while protecting privacy and enhancing security.

This is the section of the law that regulates the use and disclosure of Protected Health Information (PHI).  PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. It includes any portion of a patient’s medical record or payment history.

In January 2013 HIPAA was updated to include changes meant to enhance security, including breach notifications, as part of the Health Information Technology for Economic and Clinical Health Act (HITECH).

With these modifications, the law now imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI. These notification requirements are similar to many state data breach laws related to personally identifiable financial information. Breach notifications are to be made to patients, and if the breach impacts more than 500 patients then HHS must also be notified. This will result in HHS publicly posting the entities name on their website (see the current list here). Additionally, breaches involving more than 500 people in a state are required to notify prominent media in that state (normally done via press release).

These rules apply to any entity with patient information. Entities are generally discussed in two categories:

  • Covered Entities (CE) are any providers of treatment, payment or operations in healthcare.
  • Business Associates (BA) are any entities that have access to patient information, which can include subcontractors or other partners.

This breakout into two categories is important since the rules require covered entities to help enforce these standards with their business partners/associates. This must be enforced contractually.

Now to quickly review things you already assume are in the rules: The regulations are that PHI will be protected and guidance is given that there will be physical safeguards (including limiting facility access control and also access to workstations), technical safeguards (including access control, authorization and encryption), auditing (including records on activity that can be used in forensics), appropriate policies, and security of data in transit.

As for how these goals are met, there is leeway. Entities are permitted to use any security measures that allow them to reasonably and appropriately implement safeguards. Savvy CIOs in the healthcare domain are usually very familiar with community best practices and standards that apply here.

Complying with HIPAA is almost always an exercise in learning the terms and requirements of the law, knowing the business process of the entity processing information, and applying smart guidelines like the community-built “Critical Security Controls” collaboratively maintained by the Center for Internet Security (these are the controls previously known as the SANS Top 20).

Related Reading:

DoD Contractors: Complying with new DFARS regulations is easier with external help

CTOvision Interviews CIA CIO Doug Wolfe on Commercial Cloud Services (C2S) Lessons Learned and Road Ahead

CIA CIO Doug Wolfe Interviewed on C2SWe recently had the opportunity to interview the CIA CIO, Doug Wolfe.

Doug has been the CIA’s CIO since 2013. In this role he oversees the agency information technology vision and strategic direction. He is also an advisor to the intelligence community CIO and a collaborative leader in the federal technology world. His past tours including serving as deputy director for acquisition, technology and facilities at the office of the director of national intelligence, inventing new sources and methods in the CIA’s S&T directorate, supporting launch and operations of multiple satellite systems at the National Reconnaissance Office and serving as the deputy CIO of the agency.

Doug also spent time in industry. Prior to the CIA he worked at Rocketdyne on the space shuttle’s main engine program. He has a bachelor’s degree in mechanical engineering from the University of Southern California and a master’s degree in system engineering from Virginia Tech

Many of us in the technology community have been tracking the exciting news about the CIA’s ability to leverage commercial advances in cloud computing via their Commercial Cloud Services (C2S) project. Since the enabling capability for C2S is provided by Amazon, C2S provides what is essentially an Amazon Web Services “zone” for Intelligence Community use. However, this zone is protected and operates in ways that keep it physically separate from the open Internet and logically part of the IT infrastructure of the Intelligence Community.

CTOvision readers no doubt immediately grasp the potential benefits of this approach, which include an ability to rapidly scale up and down compute when needed, a new agility for mission support, more comprehensive designs for security and more efficient use of resources overall. Now that the agency has been working with C2S we wanted to ask Doug for technical insights that can put this into context for us.

The following is from our discussion with Doug:

Gourley: Now that the agency has had time to start leveraging your C2S capabilities can you give us a feel for some of what has been accomplished?

Wolfe: C2S is up and open for business and serving a wide range of users from across the community. Some of what has been accomplished is foundational, like establishing concepts of operation and building out policy and process. Other foundational capabilities include working issues like connectivity to enterprise governance solutions.

C2S accomplishments also include support to multiple IT projects and programs. Of all the capabilities we are providing now, one that is very transformational has been what is occurring in support of agency software developers. We have given our developers repeatable ways of building development and test environments and made it easy for them to orchestrate the many business processes good development projects require. This has simplified their administrative requirements, empowered them with more functional development and test environments, and enabled a move to a DevOps approach. After developers start using C2S they soon realize they are spending less time on non-productive functions and can spend more time building real functionality. The result: developers are more agile, more efficient and can better support missions.

Gourley:  How will the IC benefit from commercial relationships you have developed with companies like Cloudera and Amazon via C2S?  Do you expect other technologies to come over to C2S in the near term and what are the key capabilities on the horizon?

Wolfe: With Amazon we have what is essentially a private AWS availability zone, which is now available to the Intelligence Community. Capabilities that AWS roles out to their own availability zones are made available to the community shortly thereafter. This means several things. One is that programs that leverage C2S do not need to make up-front investment in infrastructure to develop, configure, test and then host their capability. It also means that the many quality control and service management capabilities required to ensure consistently functioning applications is immediately available to programs. The same is true of our relationship with Cloudera via C2S. We wanted to provide developers with an easy way to access all the Apache Hadoop data framework, governance and security capabilities they will need, in one place, integrated into the way they work.

On the topic of data, we have found new approaches to data management have been very helpful in addressing our needs. Our needs center around working securely with a wide variety of data types. Developers need a framework that is knowable and repeatable for them to do this. Users need an infrastructure that is always on and available so they have the data they need for their mission. C2S now enables both those key functions.

Gourley: How do end users benefit from C2S?

Wolfe: C2S enables more reliable and functional delivery of services to end-users. One of the biggest benefits to date has been in delivering reliable and functional services to end users and doing it faster because developers have common and known and easy to work with environments. In most cases end users will not know C2S is delivering this capability. They just see more and better functionality. One category of functionality, for example, is in geospatial applications. Working with both our own and NGA’s technical teams we are leveraging C2S to deliver enhanced geospatial analysis tools and end users do not need to be troubled to know where the compute power for those come from.

Gourley: How soon will marketplace be made available to the community within C2S?  High and low side?

Wolfe: We plan on continuing to enhance our ability to deliver apps and the use of a marketplace in C2S will help us do just that. We will have enhanced marketplace functionality for users throughout the community by late 2015 and have plans to continue the improvement from there. Users will be able to access and interact with a high-side version of the marketplace that lets them select the apps to run in service to their mission needs and work requirements. The technology teams that keep apps running will have benefits now expected in enterprise grade service delivery organizations.

Gourley: How do small technology firms introduce their capability to your team if they believe they have a capability to benefit the IC?  How easy is it to port over now?

Wolfe: Any technical team that can build to the AWS model, which really means anyone from a single developer to a large systems integrator, can build to the integration guidelines of the AWS platform. If a solution is developed and tested on the AWS marketplace it will run in C2S. So porting over is easy. But the most critical question for any firm to consider when seeking to introduce a capability to C2S is to know what intelligence community challenge it addresses.

Gourley: Can you share any lessons learned with the community regarding data provenance in your C2S environment?

Wolfe: The ability to know the history of a given piece of data is important to our way of work, where analysts must know with confidence where data came from and who may have touched it. Data provenance is also important to ensuring compliance with oversight requirements. We have developed an expertise in architecting solutions with advanced data provenance leveraging C2S and the Apache Hadoop framework and are happy to share this expertise with others in the community.

Which raises another point: As we develop lessons in areas of data provenance and other advances in cloud computing we are continually looking to share those lessons, both inside the intelligence community and back into the technology ecosystem that has provided us so many great capabilities in service to our mission. You can expect lessons from us in data provenance and many other advanced cloud computing constructs to be made available for the benefit of others.

Gourley: CIA Director Brennan recently announced a major reorganization of the agency and a shift to execution of many key duties through mission centers. Has your work in C2S provided you with new capabilities relevant to this new organization?

Wolfe: Technology is here to serve the critically important missions of the agency and it is my job to ensure it is ready to serve no matter what the missions, functions and organization are. The organizational changes introduced by Director Brennan on 6 March 2015 are the result of lots of hard work and strategic thought by officers across the agency, and I’m proud to say the announced changes were informed by a knowledge that IT will support these critical changes. C2S is one of the ways we will execute on our requirements to support. It has become a foundation for accelerating the integration of digital capabilities across many agency organizations and that is a key goal of the announced reorganization.

Thorn: Digital Defenders of Children

Everyone I have ever spoken to about Thorn is a huge supporter of this group. We are so proud to have them involved with our 30 April 2015 Synergy Forum.

Thorn leverages technology to combat the sexual exploitation of children. They partner with tech companies, governments and other non-governmental organizations to execute on their mission. They aim to deter predatory behavior, rescue victims, and protect vulnerable children.

Do you wonder why they named the group Thorn?  Watch this short clip for that plus more on their mission and some of their interesting technical news.

For more on Thorn visit Thorn

For other resources see:

SCADA and ME: A Book For Children and Management

TikTok now faces a data privacy investigation in the UK, too

Spookstock is secretive charity concert to help the children of fallen intelligence professionals

Influential National Association of Insurance Commissioners (NAIC) Moves On Cyber

Zoom: Leader in video-first unified communications

Influential National Association of Insurance Commissioners (NAIC) Moves On Cyber

naicCybersecurity practitioners and policymakers have long been discussing the potential positive benefits of smart insurance policy and standards to reduce risk. Of the many actions and activities we see in the insurance world today, the news of NAIC involvement is seen as particularly interesting.

What is the NAIC?

The National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight. NAIC members form the national system of state-based insurance regulation in the U.S.

What have they announced?

NAIC has coordinated two drafts which will provide comprehensive policy for oversight of insurance regarding cybersecurity:

The first is a draft of Principles for Effective Cybersecurity Insurance Regulatory Guidance, developed by the Cybersecurity (EX) Task Force. This document will help state insurance departments identify uniform standards, promote accountability, and provide access to essential information. It also outlines the process for working with the insurance industry to identify risks and offer practical solutions.

The second draft document: the Annual Statement Supplement for Cybersecurity policies, comes from the NAIC’s Property and Casualty Insurance (C) Committee.

Here are the 18 draft principles from this first document:

NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance

  • Principle 1. Insurance regulators have a significant role and responsibility regarding protecting consumers from cybersecurity risks.
  • Principle 2. Insurance regulators have a significant role and responsibility regarding the insurers’ efforts to protect sensitive customer health and financial information.
  • Principle 3. Insurance regulators have a significant role and responsibility in protecting the sensitive information housed in insurance departments and at the NAIC.
  • Principle 4. Insurance regulators recognize the value of collaboration in the development of regulatory guidance with insurers, insurance producers, consumers and the federal government with the goal of a consistent, coordinated national approach.
  • Principle 5. Compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with the national efforts embodied in the National Institute of Standards and Technology (NIST) framework.
  • Principle 6. Regulatory guidance must consider the resources of the insurer or insurance producer.
  • Principle 7. Effective cybersecurity guidance must be risk-based and threat-informed.
  • Principle 8. Insurance regulators should provide appropriate regulatory oversight, which includes but is not limited to, conducting risk-based, value-added financial examinations and/or market conduct examinations regarding cybersecurity.
  • Principle 9. Planning for crisis response for insurance regulators, insurers, and insurance producers is an essential component to an effective cybersecurity program.
  • Principle 10. The effective management of cybersecurity by third parties and service providers is essential for protection of consumer’s sensitive personal health and financial information.
  • Principle 11. Information sharing is important for risk management purposes; however, it must be limited to essential cybersecurity information and protect sensitive confidential information.
  • Principle 12. Cybersecurity risks should be included and addressed as part of an insurers and insurance producers Enterprise Risk Management processes.
  • Principle 13. High level information technology internal audit findings should be discussed at the insurers and insurance producers Board of Director meetings.
  • Principle 14. It is essential for insurers and insurance producers to join Financial Services Information Sharing and Analysis Center (FSISAC) to share information and stay informed about cyber and physical threat intelligence analysis and sharing.
  • Principle 15. Sensitive data collected and stored and transferred inside or outside of an insurers or insurance producers network should be encrypted.
  • Principle 16. Periodic and timely training for employees of insurers and insurance producers regarding cybersecurity issues is essential.
  • Principle 17. Enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families.
  • Principle 18. Additional data on the sale of cyber insurance products should be collected to assist insurance regulators with oversight of financial and market regulation.

Regarding  Principle 7. Effective cybersecurity guidance must be risk-based and threat-informed.  We most strongly endorse that point. Our Daily Threat Brief is now informing executives across most every sector of the economy and can provide a strong baseline on the threat to inform cyber security guidance. Subscribe for free at https://www.oodaloop.com 

For more information, visit www.naic.org.

For more see:

The Principles of Enterprise Technology

Top 10 CTO Principles

Marc Andreessen on the future of technology and implications for interactions between government and citizens

Thorn: Digital Defenders of Children

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]