Another Cyber Security Awareness Month launched this week in new and exciting ways. The 2014 kick-off event in Nashville, Tenn., included a large audience full of state government chief information officers (CIOs) and chief information security officers (CISOs) from across the nation. The National Association of State CIOs (NASCIO) and Multi-State Information Sharing & Analysis Center (MS-ISAC) joined forces with federal agencies, private-sector companies and the National Cyber Security Alliance in an unprecedented joint meeting to highlight the importance of actions to protect data in cyberspace.
The theme this year is: Our Shared Responsibility. Presidential Proclamations, nationwide events, newsletters, public service announcements and more have begun in earnest at businesses and government offices all across the nation.
Here’s one public service announcement that was just released:
The keynote speeches, predictions and warnings given on the last day of the NASCIO Annual Conference were eye-catching. Here are some quotes that were highlighted by one local newspaper:
"We've become entrenched in an ever-escalating battle to secure our systems from a determined and increasingly capable enemy," Mark Bengel, state chief information officer, told hundreds of experts gathered in Nashville….
"We will get attacked," said Phyllis Schneck, deputy under secretary for cybersecurity and communications within the U.S. Department of Homeland Security. "You will turn on the news every morning and see probably another big name (company) assessing a data breach. It will happen, like having a rainy day."
You can watch Phyllis Schneck's speech, along with the other opening speeches from technology and political leaders in the following video. (Note that a public service announcement runs first.)
Later in the morning, a panel discussed the recently released results of the 2014 Deloitte-NASCIO Cybersecurity Study, which surveyed state CISOs. This is the third such report, with previous versions in 2010 and 2012.
The highlights of the study included:
- Maturing role of the CISO: State CISO role continues to gain legitimacy in authority and reporting relationships. In 2014, 98% of respondents state they have a CISO role, and 90% of these roles report to the CIO. The responsibilities of the position are becoming more consistent across states, yet expanding. CISOs today are responsible for establishing a strategy, execution of that strategy, risk management, communicating effectively with senior executives and business leaders, complying with regulators, and leading the charge against escalating cyber threats using various security technologies.
- Continuing budget-strategy disconnect: The improving economy and states’ growing commitment to cybersecurity have led to an increase – albeit small, in budgets. 48% of respondents noted an increase in budget; however, budget is still the No. 1 barrier. CISOs have also been successful at tapping supplemental resources, whether from other state agencies, federal funding, or various agency and business leaders. Nevertheless, budgets are still not sufficient to fully implement effective cybersecurity programs.
- Cyber complexity challenge: CISOs are concerned about the intensity, volume and complexity of cyber threats that run the gamut from malicious code to zero-day attacks. Sophistication of cyber threats is the No. 2 top barrier. 74.5% of respondents cited malicious code as the top external threat. CISOs need to stay abreast of existing and developing threats and increasing regulations to establish and maintain the security of an information environment that now increasingly extends from internal networks to cloud and mobile devices.
- Talent Crisis: The skill sets needed for effective cybersecurity protection and monitoring are in heavy demand across all sectors. 59% of CISO respondents choose Talent as one of the top barriers. State CISOs are struggling to recruit and retain people with the right skills, and they will need to establish career growth paths and find creative ways to build their cybersecurity teams.
The morning concluded with a speech by Michael Daniel, special assistant to the president and cyber security coordinator. He highlighted how the work that we need to be doing is getting harder in numerous ways – from the Internet of Things to teaching cyber etiquette to everyone in society. He also described the need to review network defenses using a risk management framework, just as other business risks are assessed.
Mr. Daniel concluded by explaining the Council of Governors Joint Action Plan for State-Federal Unity of Effort on Cybersecurity. This plan refines authorities, roles and responsibilities for state and federal entities, along with identifying capabilities available in identifying, responding to, recovering from and mitigating the effects of cyberattacks.
Finally, Mr. Daniel described the National Initiative on Cyber Education (NICE) to train and attract the right talent to work on cyber projects in the public and private sectors. You can see his entire speech here:
JP Morgan Chase Steals The Attention
But just as Cyber Security Awareness Month was getting started, the announcement came out on Thursday that more than 80 million records at JP Morgan Chase were accessed illegally. While it appears that no credit card data was stolen (for now), the scary story underlined the stakes in this cyber battle.
On Friday, it became clear that the hackers cracked ten financial firms in the major assault. Here’s an excerpt from NYTimes.com:
Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.
It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed on Thursday. The identities of the other institutions could not be immediately learned.
Indeed, a deeper look at the surge in major security breaches involving tens of millions of customers from Target to Home Depot to our most well-funded banks can lead to sense of panic by consumers regarding digital safety. Thankfully, there has not been a major pull-back of Internet banking or online shopping – yet.
The scale of scope of these breaches are unprecedented in 2014, and they lead many cyber experts in non-banking industries to wonder whether the hackers can indeed be stopped at all within organizations that spend even less than banks on cybersecurity.
Michael Daniel, Special Assistant to the President and Cyber Security Coordinator - credit: Dan Lohrmann
Final Thoughts
As we head into 2014 midterm elections, technology and security leaders are doing more to protect data than ever before, but sleeping less. The cyberattacks seem to be relentless. Insider threats are also growing.
And yet, like most cyber leaders who gave speeches this week, I remain an optimist regarding cybersecurity. The attention and support given to cyberdefense efforts continues to grow, and that is a good thing.
There are many cyber summits all across America this month, like the Wisconsin Cyber Security Summit that I will be speaking at this week along with leaders from all over the world.
I urge readers to take personal action right now. This U.S. Department of Homeland Security (DHS) cybersecurity awareness website offers some good suggestions: http://www.dhs.gov/national-cyber-security-awareness-month-2014.
In conclusion, as I take a step back and examine our overall situation regarding cybersecurity in October 2014, my thoughts go to the famous words written by Charles Dickens at the beginning of A Tale of Two Cities:
“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring of hope, it was the winter of despair….”
And, it was the autumn of awareness.