"A New World Awaits"- Obama on Cybersecurity

This is a guest post that I solicited today after President Barack Obama’s major cybersecurity announcement. I felt it was important to get the views and opinions of someone in the field. Enjoy! ~editor

Today President Obama announced the creation of a White House cybersecurity coordinator position and discussed the 60-day Cyberspace Policy Review conducted by Melissa Hathaway. He repeated his mantra regarding transparency and accountability, and touched on the many aspects of cybersecurity that impact America- economy, infrastructure, military, open and efficient government operations. He certainly displayed his tech-savvy and awareness of information security terms. Yet, what changes is he really talking about? What practical actions can we expect to see?

He calls our cyber infrastructure “the backbone that underpins a prosperous economy and a strong military”. Right away he acknowledges that the lag in consumer confidence in online transactions and electronic networks is a strong factor in our slumping economy. Recognizing the economy and the military importance in a single sentence like this emphasizes the idea that online transactions and communications should be able to be trusted equally by consumer and intelligence community alike. The fact that this new position, which oversees the new cyber security policies, is part of the National Economic Council and the National Security staff is the practical embodiment of this idea. Recognizing that securing online transactions and communications is critical not only to security, but the economy, ensures that he will be able to use greater budgetary discretion when bolstering funding for cyber initiatives. While he focused on the importance of consumer confidence, I was surprised that the exact figure regarding the billions of dollars lost due to fraud every year was not emphasized here. His bottom line is that we are losing money due to fraud, but we are losing even more money because of the fear of fraud.

The president then declared that, “From now on, the networks and computers we depend on every day will be treated as they should be — as a strategic national asset.” This is an acknowledgement that the infection of these privately owned devices can seriously compromise the security of an entire nation- and not necessarily our own. When the cyber attack on Georgia occurred in September of 2008, the speculation was that the success depended largely on the infection of US PCs. These acted as a botnet to attack Georgia. Russian hackers certainly knew that Georgia was not prepared to cut off traffic from the United States. The President seems to acknowledge that they can no longer ignore the threat that comes from the computers of average citizens. Part of this is addressed by his motion to create an education campaign to address business, educators, and the average American. I believe he wants to educate people to the risks they present to the nation when they ignore an infected computer or leave their internet connections open and unprotected. On a business level, I believe these comments spring from the Aurora experiment, which demonstrated the vulnerability of our power grid. He is placing a responsibility and forcing the industries to acknowledge that their reliance on cyber systems is both an asset and a risk. He is careful to emphasize that the solution is not to eliminate or control the asset, but to mitigate the risks.

The president promised the new position would “…work with…state and local governments and the private sector to ensure an organized and unified response to future cyber incidents.” His focus here is on being transparent, issuing warnings and updates and most of all- creating a format that is not “ad hoc”. This is something that security breach specialists have been calling for- a uniform procedure and response. There is too much variation in the thresholds, requirements, and regulations regarding the reporting, disclosure and handling of cyber incidents today. I expect that companies can expect to see an outline of thresholds and reporting guidelines for reporting incidents. I also expect that notification will be required far earlier into the discovery of a compromise, so companies will not be able to “gather all the facts” before informing the public and appropriate agencies of the incident. I would expect that more details will be provided, and agencies will be encouraged to coordinate in efforts to address vulnerabilities rather than keeping them secret until a solution can be found. Promoting the sharing of information about vulnerabilities should be seen as a benefit to the entire sector and not as a liability for the individual company. How or if Obama plans to protect companies and agencies from the losses that may occur during the interval between sharing a vulnerability discovery and its ‘unified response’ will make or break this initiative. This is consistent with the recommendations in the Cyberspace Policy Review.

Speaking on that note, the President stated, “We will strengthen the public-private partnerships that are critical to this endeavor… let me be clear, my administration will not dictate security standards for private companies”. This will be the most difficult of his agenda items to live up to, and the one that he will be most criticized for. Many private companies fear information sharing, vulnerability sharing and full disclosure of data breach details. It will be a long and difficult road to convince the private sector that it is in their best interests to cooperate. The Cyberspace Policy Review calls for a neutral third-party agency to take information and share it appropriately, but I doubt that will be enough to change the habits of the industry unless it is mandated. It will be difficult to maintain his other goals without some industry pressure or regulation. The market simply does not correct itself when it comes to matters of information security and commerce. I personally believe this speech was intended to hint that it is in the private sector’s best interests to cooperate with this collaboration if they want to remain as unregulated as they currently enjoy. I believe that the current amendments to privacy and security legislation are an attempt to ease changes into the industry by simply “tweaking” aspects of current accepted regulations and rules.

Finally, his emphasis remained that they “will not… will not include monitoring of private sector networks or internet traffic… I remain firmly committed to net neutrality, so we can keep the internet as it should be- open and free… A new world awaits, a world of increased security and greater potential prosperity”. This is an important distinction to make, and another subtle hint that the open and free market of the internet is critical to our economy and safety. He demonstrates his understanding that greater security does not mean the compromise of privacy or civil liberties, and therefore regulating the internet is not the answer. Recognizing net neutrality as a part of his cyber security efforts was a great way to try and smooth any ruffled feathers by the greater internet community. Since many of these initiatives address technology not widely used or available, it is more important for President Obama to emphasize what would not change as a result of this new position.

Ending his speech, President Obama focused on the leadership we experienced in the 20th century and promised leadership in the 21st century. This has been another mantra of his- that we are able to lead, that we are leaders, even in this economy. Given the changes he is trying to make across government and industry, the belief that we are leaders in privacy and security is more important than the reality. I believe he stayed away from drawing comparisons internationally for this reason. Americans still have a bit of the cowboy spirit, and the best way to harness it is to convince the public that we are blazing a new trail of cyber security and policies. The spirit of innovation is obviously an important cultivation in this endeavor, and he makes no bones about his willingness to invest in education, training and programs necessary to nurture it. Practically, we should expect to see more government grants and funding in math, science and technology. Scholarships, research projects and grants are on the horizon as incidents to strengthen the public-private partnership. The question is- with what strings attached?

Rachel James is a licensed private investigator and cybercrime specialist at ID Experts. Her views do not necessarily reflect the views of ID Experts. You can connect with her on LinkedIn.

General Motors, The Feds.

In the early days of this blog, I wrote a lot about political issues. Frankly, when I was getting going in the blogging world almost five years ago, it was about the only thing I knew to do. Political blogging was huge and it was about the only kind of blogging that registered on the radar. Over the years, I’ve found my niche and it is clearly what you find here today. However, today I need to address a huge issue facing the American public, small businesses and every aspect of the American fabric of society. I must get this off my chest, because it matters to business in a way that nothing else in our lifetimes has.

As time goes on, I have gone from extreme right wing conservative to moderately progressive and still trend right on some issues. It doesn’t really matter though, because the principles that I believe in are firmly based in a sense of pragmatic, if not downright cruel, reality.

Over the weekend, the Obama administration did something completely unthinkable that will have a longterm negative impact on the enterprising and innovative American markets. The federal government made board level decisions on behalf of a publicly-traded company, General Motors.

It is clear to any objective mind that the General Motors (and to a lesser extent Chrysler) proposal for restructuring in the face of bankruptcy, and to secure taxpayer funds, was less than adequate. In fact, some rumors from within the company suggest that GM essentially sat on their hands as they approached the deadline originally agreed to with the Bush administration. Clearly, this is less than acceptable. Clearly, this mindset believes that they truly are “too big to fail” and that the feds would simply swoop in and rescue them yet again.

Clearly, clearly, clearly. Yet… none of this is clear.

The Obama Administration suggested a change to threatened the GM board of directors that they had to remove CEO Rick Wagoner.

I understand why. If Wagoner was too sluggish in his behavior, or “sat on his hands pending an Obama bailout” then he certainly needed to be removed. All evidence points to only positive results from his removal. However, the federal government directly intervened in the private sector governance of a publicly traded company.

This outrage is enough, but somewhat legal if they own a portion of the stock. It’s expected that, as shareholders, the government would want a say.

However, here is the part that no one is talking about. In essence, General Motors has become a Wholly Owned Subsidiary of the United States of America. While your Orwellian alarms go off, let me rub salt in the wound. The SEC is supposed to regulate GM. That’s right, the Securities and Exchange Commission, a fully functioning independent agency of the U.S., is now tasked with regulating itself.

Can anything good come from this? I think not.

In an ideal world, one filled with unicorns and gryphons and other mythical creatures, the SEC executes their function without privilege or bias. In an ideal world, GM adheres to the same regulations put in place by the SEC that governs the market. In an ideal world. Since when has self-policing ever worked? Especially with the SEC.

To make matters worse, in an effort to stimulate company growth and remove government ownership of the company (yeah, right), the Feds are likely to make moves that will help GM, but may undercut the market. For instance, cutting the MSRP of automobiles by a certain percentage to stimulate sales. These kinds of actions are generally regulated by the Justice Department (as well as the Commerce Department) and fall under unfair trading practices.

At what point is a U.S. owned company able to compete on the open market without undercutting market tensions and forces, and at which point does the “adherence to market principles” mean the destruction of the company?

My feeling is that the longterm ramifications of bailing out and direct government intervention into the governance and conduct of a company is a dangerous precedent. Beyond a dangerous precedent, I believe it will only exacerbate the complete destructive collapse of the economy.

There will be some who call me crazy. Who call me a sensationalist. That tell me I am too conspiratorial. Remember this post when my predictions actually come to fruition. Within six months.