Volume LX, Issue 8

In This Issue

Cobol’s Major Role in US Gov Breaches

Excerpted from Computerworld Report by Patrick Thibodeau

New research is turning on its head the idea that legacy systems — such as Cobol and Fortran — are more secure because hackers are unfamiliar with the technology.

New research found that these outdated systems, which may not be encrypted or even documented, were more susceptible to threats.

By analyzing publicly available federal spending and security breach data, the researchers found that a 1% increase in the share of new IT development spending is associated with a 5% decrease in security breaches.

“In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidents, a result that contradicts a widespread notion that legacy systems are more secure,” the paper found.

The research paper was written by Min-Seok Pang, an Assistant Professor of Management Information Systems at Temple University, and Huseyin Tanriverdi, an Associate Professor in the Information, Risk and Operations Department at the University of Texas at Austin.

“Maybe the conventional wisdom that legacy systems are secure could be right,” said Pang, in an interview… Read More

Value of Cyber National Guard?

Excerpted by CSO Report by Maria Korolov

This past weekend at SXSW, two Congressmen suggested that the US create a cybersecurity reserves system, similar to the National Guard, but the idea has received a mixed welcome from the cybersecurity community.

According to Congressman Will Hurd, a Republican from Texas, a national cybersecurity reserve could help strengthen national security and bring in a diversity of experience.

Hurd, who has a degree in computer science from Texas A&M, has served as an undercover CIA officer and has worked as a partner at cybersecurity firm FusionX.

He has been pitching the idea of a Cyber National Guard for a while, and has suggested that the government could forgive student loan debt for those who serve.

It would also help ensure a cross-pollination of experience between government and industry.

“Neither the private sector nor public sector can protect our country from our cyber adversaries alone,” he said in an opinion piece last summer… Read More

Biosecurity and Cybersecurity Research

Excerpted from Slate Report by Kendall Hoyt

Biosecurity and cybersecurity research share an unusual predicament: Efforts to predict and defend against emerging threats often expose and create vulnerabilities.

For example, scientists must first learn how to isolate and grow a pathogen before they can develop a new vaccine.

Similarly, researchers must first learn how to break into a computer system in order to defend it.

In the wrong hands, both types of knowledge can be used to develop a weapon instead of a vaccine or a patch.

The genetic tools and exploit software that enable these activities are becoming easier to use and to acquire, prompting security experts to ask one question with growing urgency: How can we protect against misuse without limiting discovery and innovation?

Both fields have grappled with this dual-use dilemma independently for decades.

In 2005, when scientists reconstructed the 1918 flu virus that killed 50 million people worldwide, did they advance the science of prevention, or did they introduce new risks… Read More

Report from DCIA CEO Marty Lafferty

Click Here for Video.

Last week’s appointment by the Trump administration of White House Cybersecurity Coordinator Rob Joyce, formerly of the National Security Agency (NSA), as announced by Homeland Security Advisor Tom Bossert, should represent an important step forward.

The DCIA joins with other technology interests in urging the White House also to fill the role of Federal Chief Information Security Officer (CISO) as soon as possible.

The CISO position, which was created last year, was held in the final months of the Obama administration by Gregory Touhill, a retired brigadier general who first served as Deputy Assistant Secretary for Cybersecurity.

The Federal CISO position is more senior than the White House Cybersecurity Coordinator role, with responsibilities encompassing the overall federal technology infrastructure.

The individual assigned as CISO would be expected to lead the overall coordination of strategic initiatives to integrate, modernize, and strengthen agency and departmental data networks, which, as previously reported, is an important priority for the Trump administration.

The CISO would work with the Government Accountability Office (GAO), which has begun auditing implementation of the National Institute of Standards and Technology (NIST) cybersecurity framework by federal agencies, another fundamental aspect of Trump’s approach in this area, and one that needs attention.

We encourage the White House to name a Federal CISO to manage cybersecurity efforts across agencies, oversee the proposed $1.5 billion network modernization initiative included in last week’s budget submission, and implement other strategies to improve cybersecurity in the federal government. Share wisely, and take care.

Senate Votes to Overturn Privacy Rules

Excerpted from Reuters Report by David Shepardson

The US Senate on Thursday voted narrowly to repeal regulations requiring internet service providers (ISPs) to do more to protect customers’ privacy than websites like Alphabets Google or Facebook.

The vote was along party lines, with 50 Republicans approving the measure and 48 Democrats rejecting it.

The two remaining Republicans in the Senate were absent and did not cast a vote.

According to the rules approved by the Federal Communications Commission (FCC) in October under then-President Barack Obama, internet providers would need to obtain consumer consent before using precise geolocation, financial information, health information, children’s information and web browsing history for advertising and internal marketing.

The vote was a victory for internet providers such as AT&T, Comcast, and Verizon, which had strongly opposed the rules.

The bill next goes to the US House of Representatives, but it was not clear when they would take up the measure.

Senate Majority Leader Mitch McConnell said the Senate was overturning a regulation that “makes the internet an uneven playing field, increases complexity, discourages competition, innovation, and infrastructure investment… Read More

How Companies Can Stay Ahead on Cybersecurity

Excerpted from The Conversation Report by Scott Shackelford

If you’re like me, on a given day you interact with a whole range of connected technologies for work and play.

Just today, I used Box to share and download files for work, called up Tile to find my keys, relied on Google Maps to run an errand while streaming a podcast to my AirPods, and connected via Skype with a colleague overseas.

And that was all before lunch.

As we interact with technology of all sorts, what security safeguards should we expect from the companies building the Internet of Everything?

Cyberattacks can interrupt business operations, hurting companies’ bottom lines, and can infringe upon the privacy and other human rights of consumers and the general public.

Right now, there isn’t much regulation around companies’ cybersecurity practices.

For example, Congress has not required that Internet of Things (IoT) devices accept security updates, nor that consumer information be fully encrypted to limit the effects of a data breach… Read More

Developing Cybersecurity Best Practices

Excerpted from Baseline Magazine Report by Samuel Greengard

It’s no secret that cybersecurity has moved into the mainstream of most organizations.

As vectors and exposure points have increased, attack methods have become more sophisticated, data flows have become more connected and complex, threats have spiked and, in many cases, the resulting damage has been enormous.

“The landscape is changing dramatically,” states Kevin Richards, managing director, North America Security Practice and global lead for security, strategy and risk at Accenture Security.

To be sure, several trends are converging to create a far more dangerous cyber-security landscape.

IT is rapidly moving into the cloud, the internet of things (IoT) is growing rapidly, and, as mobility becomes even more embedded and pervasive, third-party ecosystems are expanding.

As a result, attack surfaces are growing exponentially, and software-defined everything means that bugs and coding flaws touch virtually every system and device.

The takeaway? A focus on improving the state of enterprise cybersecurity is unavoidable… Read More

Companies: Share Cybersecurity Threat Data

Excerpted from Bloomberg BNA Report by Daniel Stoller

US companies large and small feeling the burn in the aftermath of a data breach are struggling to find resources to bolster their security systems, cybersecurity industry panelists said at a March 9th House Homeland Security Cybersecurity and Infrastructure Subcommittee hearing.

Cybercriminals usually don’t discriminate based on a company’s size, going after valuable personal data no matter the target.

Companies of all sizes need to work with the government and private-sector partners to combat the growing cyberthreat in the US, even though many hesitate to share threat data, given the limited liability protection offered by the government.

Separate from the hearing, Congressman Steve Chabot (R-OH), the House Small Business Committee chairman, told Bloomberg BNA March 9th that small businesses feel post-data breach fallout more strongly than large companies “such as Ford, General Motors, and General Electric.”

Unlike large companies, nearly 60 percent of small businesses have to close shop after a data breach, which costs, on average, about $32,000 per attack, he said.

That highlights the need for cybersecurity help at all levels of industry, Chabot said… Read More

WikiLeaks Releases CIA Spy Tool Files

Excerpted from Reuters Report by Dustin Volz and Warren Strobel

Anti-secrecy group WikiLeaks on Tuesday published what it said were thousands of pages of internal Central Intelligence Agency (CIA) discussions about hacking techniques used over several years, renewing concerns about the security of consumer electronics and embarrassing yet another US intelligence agency.

The discussion transcripts showed that CIA hackers could get into Apple iPhones, Google Android devices, and other gadgets in order to capture text and voice messages before they were encrypted with sophisticated software.

Cybersecurity experts disagreed about the extent of the fallout from the data dump, but said a lot would depend on whether WikiLeaks followed through on a threat to publish the actual hacking tools that could do damage.

Reuters could not immediately verify the contents of the published documents, but several contractors and private cyber security experts said the materials, dated between 2013 and 2016, appeared to be legitimate.

A longtime intelligence contractor with expertise in US hacking tools told Reuters the documents included correct “cover” terms describing active cyber programs.

Among the WikiLeaks claims is that the CIA has been able to bypass the encryption on popular messaging apps… Read More

AWS Security Primer: What to Know

Excerpted from CloudTech Report by Avishai Wool

If you’re considering migrating your business applications to a public cloud, the chances are that you’ve looked into Amazon Web Services.

With its higher capacity and wide range of cloud services, AWS has become the most popular choice for businesses looking to take advantage of the scalability and cost-effective storage that cloud computing offers.

Security in AWS is based on a shared responsibility model: Amazon provides and secures the infrastructure, and you are responsible for securing what you run on it.

This model gives you greater control over your traffic and data, and encourages you to be proactive.

However, before migrating your applications to AWS, here are some tips on how to manage and enforce security for maximum protection across your AWS and on-premise environment.

Amazon offers a virtual firewall facility for filtering the traffic that crosses your cloud network segment; but the way that AWS firewalls are managed differs slightly from the approach used by traditional firewalls… Read More

Network for Cyber Risk Launches

Excerpted from Fortune Report by Jeff Roberts

Financial firms have long used rating agencies like Moody’s or S&P to judge the risk of bonds.

Now, companies that face risk from cyberattacks – which these days is almost everyone – have a tool to do the same.

On Wednesday, CyberGRX unveiled a platform that acts as a clearinghouse for cyber risk.

Developed by a group of blue chip security pros from companies like Blackstone and Aetna, CyberGRX promises to make the process of flagging cyber dangers from their vendors dramatically more efficient.

The risk posed by vendors has been top of mind for many companies ever since the infamous hack on Target in 2013, which saw attackers compromise the computer systems of Target’s HVAC supplier in order to steal credit card information from 40 million customers.

According to Jay Leek, the former chief security officer of Blackstone, the idea for a clearinghouse came about because companies spend enormous amounts of time filling out check-lists to assess the security risks posed by their vendors.

Many of Blackstone’s portfolio companies, for instance, were all conducting the same compliance tests… Read More

Online Cybersecurity Course for Biz Pros

Excerpted from CSO Online Report by Kacy Zurkus

A growing trend in the cybersecurity industry is rooted in educating everyone about the risks of a cyberattack.

Universities around the world are developing undergrad and graduate degree programs, professional mentors are engaging with high school students, girls are coding.

Everyone’s getting in on cybersecurity awareness, particularly as it relates to business risk.

That’s why MIT is launching a new online course for business professionals titled, Cybersecurity: Technology, Application and Policy.

MIT Professor Howard Shrobe, Director of Cybersecurity and a principal research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), said, “We created this course to tackle the ever-important issue of cybersecurity.”

“Cyberattacks continue to occur and we are basically stuck in what I often refer to as “cyber hell,” paying this reactive game of catch-up in which bad actors always seem to have the advantage.”

MIT’s mission is to move organizations away from the current “patch and pray” approach toward security by default… Read More

New Google Cloud Clients

Excerpted from iCrunchData Report by Julie Love

Alphabet’s Google is making progress in taking on cloud computing leaders Amazon and Microsoft, executives said on Wednesday, as the search engine company stakes more of its future on the cloud as a new source of growth.

At a conference in San Francisco, CA, Google cloud computing chief Diane Greene ticked off a host of new clients, including HSBC, Colgate, Verizon and eBay.

The company also announced it had acquired Kaggle, a popular platform for data scientists that could boost Google’s edge in the crowded field of artificial intelligence.

Despite the announcements, analysts said Google remains a distant third in the market for cloud computing, the increasingly popular practice of using remote internet servers to store, manage and process data.

“The big challenge Google faces is that, for all the names it announced today, it’s still miles behind Amazon and Microsoft in terms of scale,” said analyst Jan Dawson of Jackdaw Research.

“It has a long way to go, and a few more client announcements aren’t going to close the gap”… Read More

Google’s Secret Cloud Weapon: People

Excerpted from Computerworld Report by David Needle

Google had several big tech and service announcements at this week’s second annual Google Cloud Next conference here.

But the company is also leveraging a surprising resource to win enterprise customers – people.

It’s surprising because Google’s biggest successes have come from technology that pretty much sells itself, such as search and related advertising services like AdWords and AdSense.

But in those areas, Google succeeded because it was able to adroitly exploit its first mover advantage.

In cloud computing, it trails the clear leader Amazon Web Services (AWS) and second-place Microsoft Azure.

So at Cloud Next, the company did what smart competitors do: it unveiled new features and pricing designed to better position the Google Cloud Platform (GCP) as a worthy alternative.

Customers, in general, praised the announcements, but then also shared an overlooked aspect of Google’s enterprise marketing… Read More

Time to Use Cloud for Everything?

Excerpted from ZDNet Report by Mark Samuels

The cloud is already playing a key role in education — and that part will only grow in coming years.

On-demand IT has reached a tipping point and organizations of all sizes and sectors are using cloud computing services to run and develop their businesses.

The cloud is disrupting traditional operating models for IT departments and entire organizations.

But where does the cloud go next and what are some of the interesting use cases that will help take cloud to the next level?

Four business and tech leaders discuss what the cloud now means for their businesses.

Okta CIO Mark Settle runs his organization, an identity management specialist, using about 140 cloud-based applications.

“I have no data center to worry about,” he says.

“It makes the budgeting cycle so much easier.”

“You basically look at your list of SaaS subscription fees and project what the future costs will be like”… Read More

The Edge Will Eat the Cloud

Excerpted from Which-50 Report by Thomas Bittman

Today, cloud computing is eating enterprise data centers, as more and more workloads are born in the cloud, and some are transforming and moving to the cloud. But there’s another trend that will shift workloads and data and processing and business value significantly away from the cloud.

The edge will eat the cloud. And this is perhaps as important as the cloud computing trend ever was.

Several overlapping trends are colliding:

Cloud computing, centralizing IT for massive economies of scale and agile provisioning, volatility and growth,

The Internet of Things (IoT), where things are becoming connected and sending reams of data,

Machine learning, taking all of that data and improving processing and predictions,

Augmented and Mixed Reality (along with Virtual Reality), where people can interact with other people and things both in physical and virtual worlds, and

Digital Business and the Digital World, where connections are pushing us to more and more real-time interactions and decisions… Read More

Coming Events of Interest

Delivery of Things World — April 24th and 25th in Berlin, Germany. Over 400 IT executives will discuss what DevOps really means for business. This event brings together all stakeholders to share their experience and expertise.

Security of Things World — June 12th and 13th in Berlin, Germany. A world class event focused on the next information security revolution. Security concerns that preoccupy enterprise customers today and pragmatic solutions to threats.

Autonomous Systems World — June 14th and 15th in Berlin, Germany. An international knowledge exchange among top experts in the field, providing a unique glimpse into the fascinating world of autonomous robots, intelligent machines, and smart technologies.

INTRASECT — June 29th and 30th in Washington, DC. The first conference of its kind to engage key stakeholders in a comprehensive and engaging examination of existing and future regulatory policy governing the usage of commercial autonomous vehicles.

Industry of Things World Asia — July 3rd and 4th in Singapore. An international knowledge exchange platform bringing together more than 300 high-level executives who play an active role in the industrial internet of things (IoT).

Industry of Things World Europe — September 18th and 19th in Berlin, Germany. Join more than 1,000 high-level executives to rethink your technology and business strategy for scalable, secure, and efficient IoT.

Posted in Newsletters