<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Securing GovSpace</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/" />
    <link rel="self" type="application/atom+xml" href="http://www.govtechblogs.com/securing_govspace/atom.xml" />
    <id>tag:www.govtechblogs.com,2008-06-24:/securing_govspace//4</id>
    <updated>2009-06-15T08:34:37Z</updated>
    <subtitle>By Mark Weatherford: Musings on the latest rumors and news in the government cyber-security arena.</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Open Source 4.12</generator>

<entry>
    <title>When the Walls, Come Tumblin&apos; Down</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/06/when-the-walls-come-tumblin-do.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.464</id>

    <published>2009-06-15T08:27:53Z</published>
    <updated>2009-06-15T08:34:37Z</updated>

    <summary> John Mellencamp sang about the walls tumbling down and this week&apos;s press release by the U.S. Army telling bases to stop blocking Twitter, Facebook, and Flickr Army Allows Access To Social Media Websites should be proof enough for anyone.  Following the US Navy US Navy Web 2.0: Utilizing New...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>John Mellencamp sang about the walls tumbling down and this week's press release by the U.S. Army telling bases to stop blocking Twitter, Facebook, and Flickr (<a href="http://www.wired.com/dangerroom/2009/06/army-orders-bases-stop-blocking-twitter-facebook-flickr/">Army Allows Access To Social Media Websites</a>) should be proof enough for anyone. Following the lead of the US Navy (<a href="http://www.doncio.navy.mil/PolicyView.aspx?ID=789">US Navy Web 2.0: Utilizing New Web Tools</a>) and the US Air Force (<a href="http://www.af.mil/shared/media/document/AFD-090406-036.pdf">New Media and the Air Force</a>), it appears that the US military has realized the value of social media not only as a tool for boosting morale but also "to facilitate the dissemination of strategic, unclassified information."</p>

<p>Wow. Who would have ever thought that the stodgy old military would get on board with something so...hip and revolutionary? What's next, Elvis is really alive and Robert Plant is singing country music (thanks Mike)? Actually, I'm not all that surprised. The military has always been out in front with technology; it's just the "non-traditional" stuff like allowing Sailors, Airmen, Soldiers, and Marines to communicate in informal channels using the evolutionary brilliance of user-generated content that breaks tradition. Should we be scared? I don't think so. Web 2.0 technologies provide a different means of communicating and distributing information, but the risks have always been there; they're just a little more "out there" now.</p>

<p>One thing the military is great at is training, and I think they'll be very proactive in making sure members of the military understand their responsibilities when Tweeting, blogging, and posting up on Facebook. The challenge now will be to instill discipline in communications to everyone, not just those with a security clearance.</p>

<p>While the military is the latest non-traditional organization to publicly endorse social media, throughout government it's become business du jour and it's all about transparency. President Obama's (our) new federal CIO Vivek Kundra built his professional reputation on breaking out of the traditional IT mold and using new technologies to share information with his constituents. In California, Governor Schwarzenegger has appointed a "New Media Director" to broaden and improve the state's way of communicating with the public. Across the country, states and local governments are rushing to give the public more of what they want...information, and Web 2.0 technologies are how they are doing it.</p>

<p>Anyone who thinks social media is just a fad isn't paying attention. It's a trend, and it would behoove those of us in the security business to jump on the train and start thinking of solutions to the existing security issues and the new ones that are coming. If security becomes the party pooper (thanks Dan) on implementation of social media in our organizations, it will be disastrous for our profession. The horse has already left the barn; we just need to make sure the saddle's tight. What do you think?</p>]]>
        
    </content>
</entry>

<entry>
    <title>President Obama and Cybersecurity, A New Comprehensive Approach</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/06/president-obama-and-cybersecur.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.456</id>

    <published>2009-06-02T04:13:39Z</published>
    <updated>2009-06-02T04:26:32Z</updated>

    <summary> Last Friday, President Obama followed up on a promise he made last July during a speech at Purdue University when, as then-candidate Obama, he said &quot;As President, I&apos;ll make cybersecurity the top priority that it should be in the 21st century. I&apos;ll declare our cyber-infrastructure a strategic asset, and...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>Last Friday, President Obama followed up on a promise he made last July during a speech at Purdue University when, as then-candidate Obama, he said "As President, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me." In a speech at the White House on Friday morning, President Obama declared that 21st century challenges can't be met without a digital infrastructure and said that "the world of cyberspace is a world we depend on every day." I was encouraged to hear him say that the security of our nation's infrastructure is a matter of America's economic competitiveness.</p>

<p>The President then went on to outline the results of the "60-day review of cybersecurity in the federal government" that Melissa Hathaway and her team completed in mid-April. The resulting document, titled the <a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">Cyberspace Policy Review</a>, is 76 pages of how the federal government is going to take a leadership role in "anchoring and elevating leadership for cybersecurity-related policies at the White House."</p>

<p>While he didn't name the "Cyber Czar" during the press conference, it is the number one item in the "Near-Term Action Plan" of the Cyberspace Policy Review and, importantly, the document calls for the White House to lead the way forward. How's that for leading with your chin? I also think it was incredibly telling that the President plans to include staff to address privacy and civil liberties. In fact, he specifically called out that the plan would not include monitoring private sector networks.</p>

<p>What does it mean? From my view in the cheap seats, I'm ecstatic just to see security getting such high-level visibility. We've been anticipating the President's actions for a while now and, from my perspective, it's very good news to see him follow through.</p>

<p>I plan to spend some time analyzing the Cyberspace Policy Review document and provide my perspective on it in a few days. If you've already read and digested it, I'd love to hear your thoughts.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Cyber Dollars in the ARRA</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/05/cyber-dollars-in-the-arra.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.447</id>

    <published>2009-05-11T13:02:59Z</published>
    <updated>2009-05-12T02:34:36Z</updated>

    <summary> $787B. $787,000,000,000.00. Seven hundred and eighty-seven billion dollars. However you say it or write it, that&apos;s a lot of dough.  That&apos;s the amount of the federal stimulus package called the American Recovery and Reinvestment Act (ARRA) of 2009. The mission of the ARRA has several components but one of them...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>$787B. $787,000,000,000.00. Seven hundred and eighty-seven billion dollars. However you say it or write it, that's a lot of dough. That's the amount of the federal stimulus package called the American Recovery and Reinvestment Act (ARRA) of 2009.</p>

<p>The mission of the ARRA has several components, but one of them is to "address long-neglected challenges". Many people have been trying to make sure the technical infrastructure we depend upon to keep the lights on, help water flow, keep transportation moving and secure the financial engines in America is considered one of those challenges. It's no surprise to anyone reading this blog that those are huge issues. In the early days of the technology revolution we didn't give a lot of thought to security in deploying many of these systems, so now we are faced with one of those "long-neglected challenges".</p>

<p>Interestingly enough though, the challenge that many of my colleagues and I face is how to identify the appropriate source and decipher the guidelines for applying for, receiving, and executing those very same dollars. Whenever federal funds are involved in such massive amounts, you'd expect a considerable amount of oversight, and this case is no exception. With about $19B identified for the Health Information Technology for Economic and Clinical Health Act (HITECH Act), $7.2B allocated for deployment of broadband and $18.3B for research and development ($580M to the National Institute of Standards and Technology), there is no shortage of issues. In fact, my strategic plan will eventually include a number of enterprise projects that capitalize on these broad categories while benefiting most of the citizens in the state of California. The goal with any of these grant programs is to identify projects with the biggest bang and as broad a scope as possible. In state government that means citizens, so I'm looking at projects that can upgrade systems or provide new levels of protection to infrastructures that help both state and local governments.</p>

<p>I'll let you know how it comes out, but if you have any thoughts or suggestions, feel free to throw them my way. I'll be writing more on this topic soon.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Vulnerabilities in the U.S. Power Grid</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/04/vulnerabilities-in-the-us-powe.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.429</id>

    <published>2009-04-10T14:10:54Z</published>
    <updated>2009-04-10T14:30:14Z</updated>

    <summary>The article released by the Wall Street Journal on Wednesday has created quite a stir and I&apos;ve spent a considerable amount of time the past two days asking and answering questions about it. I think I can say without stepping too far out on a limb that the details in...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>The article released by the Wall Street Journal on Wednesday has created quite a stir and I've spent a considerable amount of time the past two days asking and answering questions about it.</p>
<p>I think I can say without stepping too far out on a limb that the details in the article are no apocalyptic revelation to those who are paid to worry about these things. Weaknesses in the SCADA and control system environment have been known for years, and the fact that some bad guys have penetrated and mapped the electrical grid is probably not a great shock. The fact that it was so publicly presented surely focused the issue in a lot of people's minds though, so this problem may inch up the priority scale.</p>
<p>Not that things weren't already being done to fix weaknesses in the nation's power grid, but getting such a public stage for the problem will undoubtedly get telephones ringing in legislators' offices, which may in turn force changes more quickly.</p>
<p>The choice was made years ago, the first time that the formerly closed SCADA/control system environment was connected to the Internet through some organization's admin network or wireless connection. That first time, when people began to see the incredible convenience of the Internet in remotely managing the switches, sensors and valves of these widely distributed systems, control was lost. Now these same systems and networks that security professionals fight to keep secure every day, the same ones you are reading this blog on right now, with all their warts and weaknesses, are in many cases the same ones being used to manage our nation's critical infrastructures. Unfortunately, these control system weaknesses have been known for some time, but startlingly little has been done to address them. Pogo said it best.</p>
<p>I always get a little nervous when I see a quote from an 'Official' that cautions, "...the motivation of the cyberspies wasn't well understood, and they don't see an immediate threat." Well, they may be right about the immediate threat part (or maybe not), but as for the motivation part, put on your Mr. Wizard pointy hat for a second. Just what do you think is the motivation of someone, anyone, who hacks (or waltzes unhindered) into company and government networks across the nation, maps key critical infrastructure system environments and leaves behind little presents that may go boom someday? Here's a hint: the answer is not tea and crumpets at 2:00.</p>
<p>The good news is that both the government and utility companies are beginning to take this threat seriously and devote the resources to slowly begin fixing the problems. In fact, there are many SCADA-related conferences during the year where security issues are beginning to get as much attention as efficiency of service delivery. While visibility is often a double-edged sword, it can also be the catalyst that changes the game.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Escape from Conficker-geddon</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/04/escape-from-confickergeddon.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.425</id>

    <published>2009-04-03T13:40:23Z</published>
    <updated>2009-04-03T13:50:12Z</updated>

    <summary><![CDATA[ So here we are again, a couple of days post-Conficker Armageddon and some people are feeling like they missed the party. &nbsp;No one has said it yet but I can already see it in some eyes, "Looks like another over-blown security event, hyped by the media and exploited by...]]></summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>So here we are again, a couple of days post-Conficker Armageddon, and some people are feeling like they missed the party. No one has said it yet but I can already see it in some eyes: "Looks like another overblown security event, hyped by the media and exploited by the security guys." Really? It's the old circular question, "Did Conficker just not live up to its hype, or did all of the attention we gave it mitigate what might have happened?" Just like police who see a drop in crime after adding more officers, we always seem to be answering this question after we focus in on specific problems like this.</p>
<p>So, did all of the media hoopla and our own internal advisories, coercion and hard work to make sure our systems were patched help us dodge the Conficker bullet? Just like Y2K, we'll probably never know for sure, but you know, I don't think it matters. Sure, we had people scurrying around for a couple of weeks, but I'll bet all of our systems are in a little better condition now and we probably learned a few things about our IT environment that we wouldn't have ever known. Here's a crude analogy. In the Navy, when leadership starts noticing an increase in accidents or trends in work-related mistakes spike up, they often call for a "Safety Stand-down" where entire commands, and in some cases the entire Navy, take a day or a half day to stop all regular work and regroup, focus, get some training and address whatever the major problem seems to be. Well, I'm choosing to treat Conficker as a "Safety Stand-down." We'll be gathering some metrics over the next few weeks that will hopefully help tell a good story.</p>
<p>I spoke with a few CIOs and CISOs yesterday who did take Conficker seriously, and they certainly didn't feel like they wasted time. In fact, a couple of them felt like they and their folks were better off because of the drills they went through to make sure their systems were clean and healthy.</p>
<p>We're not even close to declaring victory because there are still millions of Conficker-infected computers out there ready to use your networks for their botnet purposes. More importantly, all evidence points to the fact that the Conficker writers are very good and we still don't know the end game. Some experts expect to see additional variants that are even more difficult to patch and remove.</p>
<p>For today, I'm happy to have avoided a Conficker meltdown on April Fools' Day, but we plan to stay vigilant and keep our shields up. Maybe it's a good time to give your folks a pat on the back and tell them "job well done!"</p>]]>
        
    </content>
</entry>

<entry>
    <title>Have a Conficker-Free Week</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/03/have-a-confickerfree-week.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.422</id>

    <published>2009-03-29T14:08:54Z</published>
    <updated>2009-03-29T15:01:32Z</updated>

    <summary>I got a call from a reporter this week asking me about the Conficker virus.  &quot;Are you prepared?&quot;  &quot;What do you think is going to happen?&quot;  &quot;How widespread is the virus?&quot;  &quot;Why is April Fool&apos;s Day important?&quot; I went through all of the mechanics of how we get A/V signature updates...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>I got a call from a reporter this week asking me about the Conficker virus. "Are you prepared?" "What do you think is going to happen?" "How widespread is the virus?" "Why is April Fool's Day important?"</p>
<p>I went through all of the mechanics of how we get A/V signature updates and how those updates get pushed to all of the computers in our environment on a regular basis. I also said that there's a history of people planning bad things on days that have some significance, and the irony of April Fool's Day was just too rich. I then explained to him that it's our job to deal with this kind of thing every day; Conficker was just getting more attention than most. I told him that bad guys and bad things are attacking us 24/7/forever from across the globe, so it's our job to be ready for a Conficker every day. He kept asking if we were 100% sure that we wouldn't have any virus infections. This is the hard part: when you have to explain to someone that, in our business, you never achieve 100%. There's always a machine somewhere that didn't get patched or didn't get the update for a variety of reasons, and it only takes one, like the well-worn weakest link analogy.</p>
<p>As I thought back on it later, the conversation reminded me of something a friend said a while back after a big security incident made national headlines. The company had done all the right things, had all the right policies, and trained all of their people. They did, however, miss one computer when configuring the OS to disable USB ports. Guess which computer a malicious employee found to steal and download customer PII to a USB hard drive? Yep. My friend said, "This is the perfect example of how even 1% non-compliant equals 100% vulnerable." So true.</p>
<p>When the reporter saw that there wasn't a huge, gruesome story just aching for media attention (not yet anyway), he lost a lot of interest and said he'd call me back if anything came up. This got me thinking, and not for the first time, about how so many in the general public have such little understanding of the cybersecurity problems we all face. I used to think it was a generational issue that would be solved by time, but I'm not even sure about that anymore. While we can't ever stop educating, I also don't think there will ever be a general understanding of security problems.</p>
<p>What do you think? How can we help the general population understand the power they have over managing their own computers to prevent things like Conficker? That's a hard one, huh? Anyway, keep your patches up, and here's to a Conficker-free week and a quiet April Fool's Day.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Technical Innovation in America</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/03/technical-innovation-in-americ.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.420</id>

    <published>2009-03-20T04:03:45Z</published>
    <updated>2009-03-20T05:05:30Z</updated>

    <summary>I attended the IT Security Entrepreneurs&apos; Forum III http://publicprivatepartnerships.org/itsef/ at Stanford University yesterday where I was part of a panel discussing the current and future cybersecurity threat environment.  Moderated by the always popular and entertaining Bob Bragdon of CSO Magazine, the forum was both insightful as well as informative. The purpose of...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>I attended the <a href="http://publicprivatepartnerships.org/itsef/">IT Security Entrepreneurs' Forum III</a> at Stanford University yesterday, where I was part of a panel discussing the current and future cybersecurity threat environment. Moderated by the always popular and entertaining Bob Bragdon of CSO Magazine, the forum was both insightful and informative.</p>
<p>The purpose of the Forum is to bring together government, innovators, entrepreneurs, system integrators, venture capitalists, academics, and scientists to discuss and address cybersecurity issues of national interest. Wow! I can tell you that innovation is alive and well in America. There were some very interesting start-ups and I kept thinking to myself, is this the next Symantec, Cisco, McAfee or Websense?</p>
<p>While there were presentations by a wide variety of notable security experts, as is often the case (in my personal opinion anyway), the best part of the gathering was the opportunity to chat in the hall with some of the small companies in attendance. I talked with a variety of people about everything from federated IdM on a massive scale to vulnerabilities in the nation's critical infrastructures, and from DLP solutions to automated risk and compliance apps. As the CISO for a large government organization, one of the very important things I do is try to stay up with new technologies, especially those that create efficiencies at the enterprise level. So, while government organizations are rarely on the bleeding edge of technology, I saw a few things and talked to some people that got me excited about how we might be doing things in the future.</p>
<p>While all of the sessions were unique and informative, the panel discussion on "Is There An Innovation Crisis in America" was very enlightening. When the Innovation Crisis panel was asked by moderator Pascal N. Levonsohn to identify the top two things government should do to increase innovation, the three panelists (Dr. Curtis R. Carlson, Dr. Gururaj "Desh" Deshpande, and Lesa Mitchell) were almost unanimous in saying that the government should be providing more funding for research. Dr. Carlson also said that Sarbanes-Oxley should be eliminated for small companies since it creates such a huge burden, and Ms. Mitchell stated, somewhat humorously, that when we issue a PhD to a foreign student, the diploma should come with a green card to keep them working here in America.</p>
<p>John Thompson gave the closing keynote and got everyone's attention when he said that Symantec is now seeing 15,000 new threats every day, or over 600 every hour, and that "some attackers are as well financed as some of the start-ups here in Silicon Valley!" John will certainly be missed when he retires at the end of the month.</p>
<p>The bottom line is that I think it's critically important for government to actively stay in the loop with technology entrepreneurs in America and support their innovation wherever possible. What do YOU think?</p>]]>
        
    </content>
</entry>

<entry>
    <title>A Cyber Sense of Urgency</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/03/a-cyber-sense-of-urgency.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.416</id>

    <published>2009-03-17T16:01:28Z</published>
    <updated>2009-03-18T14:03:29Z</updated>

    <summary><![CDATA[I recently read an article written by Lt. Gen. Harry D. Raduege, Jr., USAF (Ret.) in SIGNAL Magazine titled "Evolving Cybersecurity Faces a New Dawn" that outlined what he calls the four-stage journey of cybersecurity.  The article is located at http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=1784&amp;zoneid=245 While the General approaches the issue from a DoD...]]></summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>I recently read an article written by Lt. Gen. Harry D. Raduege, Jr., USAF (Ret.) in <em>SIGNAL</em> Magazine titled "Evolving Cybersecurity Faces a New Dawn" that outlined what he calls the four-stage journey of cybersecurity.  The article is located at <a href="http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=1784&amp;zoneid=245">http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=1784&amp;zoneid=245</a></p>
<p>While the General approaches the issue from a DoD perspective, I think it translates very nicely to the cybersecurity attitude of both government and society in general.  It's an interesting article and I'll leave it to you to read but I'd like to comment on just one of his points.  In discussing stage three, General Raduege states that "We understand the nature of the threat and the implications for our nation, and there is a growing sense of urgency."</p>
<p>I couldn't agree more that there is a growing sense of urgency.  In fact, we've never heard so much buzz about cybersecurity on a daily basis and it's in the top five priorities of almost all CIOs.  However, my question is whether the right people are experiencing that "growing sense of urgency."  Those of us in the security business certainly get it and there seem to be little flares of interest in government from time to time (usually the result of a data breach or malicious attack that gets headlines) but getting the attention of our policy makers still seems to be a challenge.</p>
<p>The nation spends $BILLIONS every year on thousands of projects that quite frankly, are of very little interest to, and have very little impact on, the vast majority of Americans.  One man's pork may be another man's job but think about how far even a small percentage of this kind of funding would go in addressing the nation's cybersecurity and critical infrastructure weaknesses at the federal, state and local government levels.  That would benefit the overall population of America far more than some of the small special interest groups on the receiving end of these earmarks.</p>
<p>There are a growing number of national cybersecurity champions, including General Raduege, and I'm excited about the proactive position of President Obama and Representatives Jim Langevin (D-RI) and Michael McCaul (R-TX) but we need more people leaning forward, way forward, on cybersecurity.  This is not a FUD issue and it's our responsibility to clearly communicate the sense of urgency without making it one.  What do you think?</p>
]]>
        
    </content>
</entry>

<entry>
    <title>Uncertainty at the Top (of Cybersecurity)</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/03/uncertainty-at-the-top-of-cybe.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.415</id>

    <published>2009-03-13T21:46:49Z</published>
    <updated>2009-03-13T23:32:37Z</updated>

    <summary><![CDATA[Rod Beckstrom resigned last Friday from his post as Director of the National Cyber Security Center (NCSC) at the Department of Homeland Security after less than one year in the role. Citing a lack of resources and support, it's reported that Beckstrom's NCSC, which is responsible for coordinating the government's response...]]></summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>Rod Beckstrom resigned last Friday from his post as Director of the National Cyber Security Center (NCSC) at the Department of Homeland Security after less than one year in the role.  Citing a lack of resources and support, it's reported that Beckstrom's NCSC, which is responsible for coordinating the government's response to cybersecurity threats, received less than $500,000 in funding for the past year.  I know; you know; and the government knows that $500K isn't going to go very far in addressing these big issues so if true, why are the expectations so low?  Perhaps the most compelling comment from his resignation letter though is how having NSA playing a significant role in the nation's cybersecurity was "bad strategy."  <a href="http://www.networkworld.com/news/2009/030909-beckstrom-resignes-ncsc.html">http://www.networkworld.com/news/2009/030909-beckstrom-resignes-ncsc.html</a></p>
<p>Mr. Beckstrom's announcement has led to some interesting discussions <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9129429&amp;instrc=news_ts_head">http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9129429&amp;instrc=news_ts_head</a> about whether or not NSA should in fact be playing a lead role in the nation's cybersecurity mission at all. While the technical expertise that resides within NSA is beyond question, in an era of transparency in government, the issue may have some validity when you look at the historically closed environment of NSA.  On the other hand, the national cybersecurity agenda hasn't really made any great strides residing within DHS in the past few years so maybe that isn't a good fit either.  While NSA has received some less than positive press as a "spy agency" over the years, Information Assurance, with a focus on vulnerability and threat analysis, is one of their core missions.</p>
<p>So I suppose the real question is that if a national cybersecurity initiative is truly a national priority, where should the organization directing it live?  Do you think vesting NSA with a leadership role in the nation's cybersecurity effort is the right choice and if not at NSA, where should it be?</p>]]>
        
    </content>
</entry>

<entry>
    <title>Transition on the Securing GovSpace Blog</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/03/transition-on-the-securing-gov.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.331</id>

    <published>2009-03-09T03:17:55Z</published>
    <updated>2009-03-17T02:52:04Z</updated>

    <summary>As some of you have undoubtedly heard, Dan Lohrmann has moved on to bigger things and accepted the position as Chief Technology Officer and Director of the Infrastructure Services Administration for the state of Michigan.  My Herculean task is to try and fill Dan&apos;s very large shoes in blogging about the...</summary>
    <author>
        <name>Mark Weatherford</name>
        
    </author>
    
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>As some of you have undoubtedly heard, Dan Lohrmann has moved on to bigger things and accepted the position as Chief Technology Officer and Director of the Infrastructure Services Administration for the state of Michigan.  My Herculean task is to try and fill Dan's very large shoes in blogging about the latest cyber security news in government.  Dan's blog has been one of the few links I hit consistently because it's always been timely and thought-provoking.</p>
<p>A little about me.  I've been in the technology business my entire life and in the cyber security business for the past 17 or so years ... what an exciting ride it's been!  I was a Cryptologist in the US Navy and left active duty in 2001 where my last job was working with the Navy's Computer Network Defense Operations, the Navy Computer Incident Response Team (NAVCIRT), and the Navy Red Team.  Those early days in cyber security were incredible and just in case you're wondering, the Navy has some of the best security professionals in the world as well as an exciting and very relevant mission!  While at the NAVCIRT I met a very smart guy named Stephen Northcutt who was doing some really interesting work at the Navy Surface Warfare Center and building a cool IDS tool called Shadow...perhaps you've heard of him?  After I left the Navy I spent a couple of years with Raytheon building and running a Security Operations Center and doing some Certification and Accreditation (C&amp;A) work which brought me face to face with the limitations and weaknesses of FISMA (it's not altogether bad, it just has limitations and I'll write more about that in the coming weeks as the Consensus Audit Guidelines (CAG) gets more legs.)</p>
<p>In 2005 I became the State of Colorado's first CISO and had the very enviable task of building the statewide information security program.  Really now, who wouldn't leap at that opportunity?  Governor Bill Owens recognized the significance of an all-encompassing security program and gave me the executive support and resources I needed to quickly establish enterprise security governance.  After Governor Bill Ritter took office in 2007, he raised the ante by hiring Mike Locatis as his CIO to consolidate all IT and security operations in the state.  I loved working with Mike but after three years in Colorado, opportunity knocked again and I moved to California to take over as CISO when Governor Schwarzenegger hired Teri Takai as his CIO to begin revolutionizing IT in the Golden State.  Talk about timing.  I now have the best and most challenging CISO job in the world and look forward to blogging about the exciting things happening in the government cyber security space.</p>
<p>I'm always looking for interesting things to write about so please feel free to post whenever you get the chance and if you have something provocative, let me know. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Napolitano Priority: State and Local Partnerships + Tech</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/02/napolitano-priority-state-and.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.322</id>

    <published>2009-02-26T03:00:52Z</published>
    <updated>2009-02-26T01:42:34Z</updated>

    <summary><![CDATA[Secretary Janet Napolitano testified before the House Committee on Homeland Security today, and her priorities provide good news for state and local government partnerships. The Department of Homeland Security (DHS) website posted the text of today's testimony. Here is one important excerpt: "State and Local Partnerships - First among these areas is...]]></summary>
    <author>
        <name>Dan Lohrmann</name>
        
    </author>
    
    <category term="hotissues" label="Hot Issues" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="leadership" label="Leadership" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>Secretary Janet Napolitano testified before the House Committee on Homeland Security today, and her priorities provide good news for state and local government partnerships. The Department of Homeland Security (<a href="http://www.dhs.gov/ynews/testimony/testimony_1235577134817.shtm">DHS) website posted the text of today's testimony</a>. Here is one important excerpt: </p>
<p><em>"State and Local Partnerships - </em></p>
<p><em>First among these areas is the Department's relationship with state and local governments. State and local law enforcement agencies are the forces on the ground that represent, inhabit, and patrol America's communities - the communities that DHS protects. We need strong relationships with our state and local partners, and I am committed to building them.</em></p>
<p><em>Partnerships with state, local, tribal, and territorial agencies affect DHS's ability to identify threats and bolster preparedness before an incident; they also affect our ability to work with first responders and assist a community's recovery after an incident. The information we gather, the funding we grant, and the training and assistance we provide are all more valuable in securing our Nation if DHS's relationships with the involved state and local agencies are strong.</em></p>
<p><em>Information sharing between DHS and state and local governments is particularly critical to our security...."</em></p>
<p>Secretary Napolitano went on to describe the important priority that science and technology also play in defending the homeland in the 21st century. The former Governor of Arizona clearly "gets it" and understands the expanded role that fusion centers must play in the 50 states. </p>
<p>This testimony should be music to the ears of those in the local criminal justice community as well as CIOs in states and large cities around the country who have been trying to move various homeland defense plans forward. These efforts include cybersecurity initiatives. We need new partnerships between federal and state efforts, and it looks as if they will become a top priority.</p>
<p>Bottom line, I think this testimony is good news to struggling states. </p>
<p>What do you think?</p>
]]>
        
    </content>
</entry>

<entry>
    <title>Phishing for Stimulus</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/02/phishing-for-stimulus.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.316</id>

    <published>2009-02-17T11:13:50Z</published>
    <updated>2009-02-17T12:04:57Z</updated>

    <summary><![CDATA[Get ready for a flood of offers, spam and phishing attempts with the word "stimulus" in the headlines. Some messages and websites will no doubt be legit, others will not, but I suspect that computer security staff will not like this word very much a few months from now. Allow me to illustrate... I...]]></summary>
    <author>
        <name>Dan Lohrmann</name>
        
    </author>
    
    <category term="hotissues" label="Hot Issues" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>Get ready for a flood of offers, spam and phishing attempts with the word "stimulus" in the headlines. Some messages and websites will no doubt be legit, others will not, but I suspect that computer security staff will not like this word very much a few months from now.</p>
<p>Allow me to illustrate... I returned home from an all day ski trip with my family in northern Michigan on President's Day (February 16). After helping to get the kids to bed, I sat down with my laptop in my favorite chair and went online to find out what news and email I had missed over the past 24 hours.</p>
<p>As I was checking out the headlines at <a href="http://www.aol.com">AOL.com</a>, which is my wife's default home page, I saw this sponsored ad highlighted near the top of page:</p>
<div class="qAdW qFrst"><em><b class="qAdTtl"><a href="http://www.stevengetsgreen.com/?t202id=891&amp;t202kw=">$12,000 Stimulus Checks</a></b> </em>
<p class="qAdBdy" title="I Got a $12,000 Stimulus Check in Less Than 7 Days. Get Yours!" onclick="window.open('http://redir.adsonar.com/process/redir.jsp?p=rwBUfP7tgbWpw6sNdpTt6NsRJlFxCUhWNIhenecgnuhzOziAYIzwyhq8Cpoya50rypakZNnlz3ORhBiDRTG-2y5gKxyMaBqzij-fKcGJlbheGdLVUT7duyvnWIDlQbjDrqxk5Q/VVE6UywzQ6VEnEKaB/b0rqPsHTu8gmS9s341IEwFlPYtYaI4X3B0GrCaO9pc-IsKKRrGC2/DRx5YYDY9fIXivKB/St0z/NKl-PyeihxAji0qrUeQCFnISjGAD8SQro928/13DVMKTMgfZ-DhREjqseM2CswJLCOR8EcuB0pqU0e1y9LBVFjcSUxmuHDFLavYMf7A39viRBXDpVpnyNJFLo/x0Qqz6QnVeAt/496ah39QB7DdVj8YqUtV-FDjsoFPzVIs9BTHW5YRNEFcZFS7ektz6A2hbN1Zk1WYCDqgGdwedNMhTPWZ8vxuilhJBPhHbK6FBmMFWs6V9i9GOtWcab2sy/yfKBn5yj6Qv5r/7hBYwa2GVXS9LMeDAauiga88MS-OkYuW0OwtXdzBX/FOeM8dXAnkDLrIEe00ubt5dnVNU48Qeg-tMa2HD9SukwiRwefKXtgPP2rW0pgh2eR4g9wGhqtc9TU/53yya/lvSGYIzgblRA0kTnCHTkCfX7lowpkRvTi9oWYAPeI3WKgaSoUKnajuEfoBM4ERFjk6sMb2g==')" s_oidt="2" s_oid="functionanonymous(){window.open('http://redir.adsonar.com/process/redir.jsp?p=rwBUfP7tgbWpw6sNdpTt6N"><em>I Got a $12,000 Stimulus Check in Less Than 7 Days. Get Yours</em>!</p>
<p class="qAdBdy" title="I Got a $12,000 Stimulus Check in Less Than 7 Days. Get Yours!" onclick="window.open('http://redir.adsonar.com/process/redir.jsp?p=rwBUfP7tgbWpw6sNdpTt6NsRJlFxCUhWNIhenecgnuhzOziAYIzwyhq8Cpoya50rypakZNnlz3ORhBiDRTG-2y5gKxyMaBqzij-fKcGJlbheGdLVUT7duyvnWIDlQbjDrqxk5Q/VVE6UywzQ6VEnEKaB/b0rqPsHTu8gmS9s341IEwFlPYtYaI4X3B0GrCaO9pc-IsKKRrGC2/DRx5YYDY9fIXivKB/St0z/NKl-PyeihxAji0qrUeQCFnISjGAD8SQro928/13DVMKTMgfZ-DhREjqseM2CswJLCOR8EcuB0pqU0e1y9LBVFjcSUxmuHDFLavYMf7A39viRBXDpVpnyNJFLo/x0Qqz6QnVeAt/496ah39QB7DdVj8YqUtV-FDjsoFPzVIs9BTHW5YRNEFcZFS7ektz6A2hbN1Zk1WYCDqgGdwedNMhTPWZ8vxuilhJBPhHbK6FBmMFWs6V9i9GOtWcab2sy/yfKBn5yj6Qv5r/7hBYwa2GVXS9LMeDAauiga88MS-OkYuW0OwtXdzBX/FOeM8dXAnkDLrIEe00ubt5dnVNU48Qeg-tMa2HD9SukwiRwefKXtgPP2rW0pgh2eR4g9wGhqtc9TU/53yya/lvSGYIzgblRA0kTnCHTkCfX7lowpkRvTi9oWYAPeI3WKgaSoUKnajuEfoBM4ERFjk6sMb2g==')" s_oidt="2" s_oid="functionanonymous(){window.open('http://redir.adsonar.com/process/redir.jsp?p=rwBUfP7tgbWpw6sNdpTt6N">(Just for the record, I&nbsp;don't know this&nbsp;guy&nbsp;nor am&nbsp;I encouraging you to go to&nbsp;this website.) I just wanted to give you an example of what I'm talking about. Still, I'm sure that someone&nbsp;will&nbsp;think that I am&nbsp;phishing&nbsp;for stimulus with this post.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</p></div>
<p>So why does this bother me? For one, the President hasn't even signed the legislation yet. How could this guy have received <strong>any</strong> stimulus check already? If you go to his website, he calls the check a "grant" that is "money I do not have to pay back." He is obviously using that magic word to grab our attention. It worked in my case.</p>
<p>Second, these types of ads and emails will soon be all over the place. Governments may even be tempted to block spam emails with the word "stimulus" in the subject heading. But be careful! You may also block stimulus emails that are legitimate.</p>
<p>In security terms, this is just another email spam or phishing campaign. We've seen them before from major world events such as the Olympics, Super Bowl, World Series, tsunamis, hurricanes like Katrina and Ike and more. I suspect that this campaign will be somewhat successful - given our current economy and the attention that this topic has received.</p>
<p>Third, governments need to be aware that various ads, emails, and other messages regarding the stimulus will be everywhere as they try to send their own true stimulus messages. When we returned home from skiing, we even had a voice message on our answering machine from a politician on how he helped to make the stimulus happen. From buying cars to new houses to various other provisions, get ready for a deluge of stimulus stories.</p>
<p>In these very hard economic times, many people are hurting financially. The sad truth is that even a positive message can become difficult to deliver when the field becomes crowded. Numerous good news articles are appearing daily on all aspects of the stimulus package. Our job is to help enable the good and disable the bad (messages). It won't be easy.</p>
<p>What are your thoughts on this topic? Seen any good stimulus ads lately?</p>
]]>
        
    </content>
</entry>

<entry>
    <title>Cyber Security Review Points to Growing Market for Contractors</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/02/cyber-security-review-points-t.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.315</id>

    <published>2009-02-11T11:25:10Z</published>
    <updated>2009-02-11T11:58:10Z</updated>

    <summary><![CDATA[On Monday, President Obama ordered a 60-day review of federal cyber security programs. The review will be led by Melissa Hathaway, a top cyber security advisor to Mike McConnell, the former director of national intelligence. The Washington Post described the growth in cyber security efforts and how the sector will continue...]]></summary>
    <author>
        <name>Dan Lohrmann</name>
        
    </author>
    
    <category term="hotissues" label="Hot Issues" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="leadership" label="Leadership" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>On Monday, President Obama ordered a 60-day review of federal cyber security programs. The review will be led by Melissa Hathaway, a top cyber security advisor to Mike McConnell, the former director of national intelligence.</p>
<p>The <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/02/10/AR2009021004175.html">Washington Post described the growth in cyber security efforts</a> and how the sector will continue to grow in coming years. Here's an excerpt:</p>
<p><em>"Industry executives say the sector will be one of their fastest-growing markets in coming years, and analysts say it could generate over $10 billion in contracts by 2013....</em></p>
<p><em>Immediately upon taking office, the Obama administration underscored the importance of protecting U.S. information networks in a posting on the White House website. </em></p>
<p><em>It pledged to work with industry, researchers, and citizens to 'build a trustworthy and accountable cyber infrastructure that is resilient, protects America's competitive advantage, and advances our national and homeland security.'"</em></p>
<p>Despite numerous technology articles recommending the fast appointment of a cyber security czar and the quick implementation of the report from the <a href="http://www.csis.org/tech/cyber/">Commission on Cyber Security for the 44th Presidency</a>, this security review makes sense to me.  Given the current state of economic issues and the focus on the stimulus package and helping the bank system, this comprehensive review should help to ensure the right team is put in place with the right level of authority and organizational control spanning various agencies.</p>
<p>While it looks like we will all be waiting a few more months before new cyber security policies and plans become clear, efforts started under President Bush on the Cyber Security Initiative continue to strengthen federal networks. Check out this <a href="http://governmentfutures.com/talk/?p=70">article written a year ago by Mike McConnell</a>. Understanding 2008 cyber events and projects is vital to understanding future security plans.</p>
<p>What are your thoughts on the future of the cyber security industry in the next few years?</p>
]]>
        
    </content>
</entry>

<entry>
    <title>Scams Rise as Stocks Fall</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/01/scams-rise-as-stocks-fall.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.304</id>

    <published>2009-01-30T01:16:33Z</published>
    <updated>2009-01-30T01:31:58Z</updated>

    <summary><![CDATA[As the financial markets fall, cybercriminals are increasing their Internet attacks to steal personal information. USA Today ran a featured article describing the new surge in online scams. Here's an excerpt: "The schemes -- often involving online promotions touting fake computer virus protection, get-rich scams and funny or lurid videos -- already...]]></summary>
    <author>
        <name>Dan Lohrmann</name>
        
    </author>
    
    <category term="hotissues" label="Hot Issues" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>As the financial markets fall, cybercriminals are increasing their Internet attacks to steal personal information.</p>
<p><a href="http://www.usatoday.com/tech/news/computersecurity/2009-01-28-hackers-data-scams_N.htm">USA Today ran a featured article</a> describing the new surge in online scams. Here's an excerpt:</p>
<p class="inside-copy"><em>"The schemes -- often involving online promotions touting fake computer virus protection, get-rich scams and funny or lurid videos -- already were rising last fall when financial markets took a dive. With consumers around the world panicking, the number of scams on the Web soared. </em></p>
<p class="inside-copy"><em>The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September, coinciding with the sudden collapse of the U.S. financial sector, according to Panda Security, an Internet security firm.</em></p>
<p class="inside-copy"><em>It wasn't a coincidence, says Ryan Sherstobitoff, chief corporate evangelist at Panda."</em></p>
<p class="inside-copy">Meanwhile, as economic problems grow, employers are worrying about disgruntled or laid-off employees. <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyId=10&amp;articleId=9126991&amp;intsrc=hm_topic">Computerworld</a> points&nbsp;out the risks associated with insiders in&nbsp;a recent article, and declare that security breaches will rise with the downturn in the economy. &nbsp;&nbsp;&nbsp;</p>
<p class="inside-copy">&nbsp;<em>"In a </em><em>McAfee Inc.</em><em>-sponsored </em><em>worldwide survey</em><em> of 1,000 IT decision-makers, the company found that 42% of respondents felt that laid-off employees represented the biggest IT security threat caused by the recession. That's more than were worried about outside intruders. And 36% said that they were worried about security problems caused by employees in financial stress.</em></p>
<p><em>Crime rates spike during hard times, and with thousands of workers being laid off each week lately, there may be an added incentive for laid-off employees to take intellectual property with them to bolster their chances of getting hired with a competitor, to use with a start-up company of their own, or maybe even to sell."</em></p>
<p class="inside-copy"><em>&nbsp;</em>What are your thoughts about potential security risks associated with the economy? &nbsp;</p>]]>
        
    </content>
</entry>

<entry>
    <title>Fewer Policies, But More Tech Etiquette Please</title>
    <link rel="alternate" type="text/html" href="http://www.govtechblogs.com/securing_govspace/2009/01/fewer-policies-but-more-tech-e.php" />
    <id>tag:www.govtechblogs.com,2009:/securing_govspace//4.286</id>

    <published>2009-01-20T11:08:27Z</published>
    <updated>2009-01-21T01:36:10Z</updated>

    <summary><![CDATA[A flurry of articles has appeared recently regarding "tech etiquette," also described as "email etiquette," "computer etiquette," and a bunch of related names. Author Virginia Shea even took the concept a step further and created a new word, "Netiquette," and offers 10 Core Rules of Netiquette. Many of the articles offering tips are even more specific, such as "Blackberry...]]></summary>
    <author>
        <name>Dan Lohrmann</name>
        
    </author>
    
    <category term="cyberethics" label="cyber ethics" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="hotissues" label="Hot Issues" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="securityplans" label="security plans" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.govtechblogs.com/securing_govspace/">
        <![CDATA[<p>A flurry of articles has appeared recently regarding "<a href="http://www.google.com/search?hl=en&amp;q=tech+etiquette&amp;btnG=Search">tech etiquette</a>," also described as "<a href="http://www.google.com/search?hl=en&amp;q=email+etiquette&amp;btnG=Search">email etiquette</a>," "<a href="http://www.google.com/search?hl=en&amp;q=computer+etiquette&amp;btnG=Search">computer etiquette</a>," and a bunch of related names. Author Virginia Shea even took the concept a step further and created a new word, "Netiquette," and offers 10 <a href="http://www.albion.com/netiquette/corerules.html"><em>Core Rules of Netiquette</em></a>.</p>
<p>Many of the articles offering tips are even more specific, such as "<a href="http://www.boston.com/business/articles/2009/01/11/a_few_tips_to_control_your_blackberry_during_public_events/">Blackberry etiquette</a>," which typically address texting with cellphones as well. </p>
<p>What caught my attention over the holidays was an article called "<a href="http://www.switched.com/2008/12/23/25-rules-of-tech-etiquette-2/">25 Rules of Tech Etiquette</a>" from Jon Chase at <a href="http://www.switched.com/">Switched.com</a>. Take, for example, rule #6:</p>
<p><em><strong>"Why should I bother using CC for group e-mails when I can just put everyone in the To: ?<br /><br /></strong>E-mail was partly devised to mimic the old paper trails of office protocols of yesteryear. So, if you want to communicate directly with just one person, send that person an e-mail and CC (carbon copy) anyone else that you think should be notified, but that you don't necessarily expect to reply. If you're starting a conversation among all those people, then you'd put them all in the address bar. If you're sending a party invite to a small group of people, then you might CC your list. But heaven help you if it's more than a half-dozen e-mails. The height of e-mail stupidity is to CC a string of 50 e-mail addresses. That's what BCC (blind carbon copy) is for."</em> </p>
<p>The overall list is pretty interesting, as are all of these various technology etiquette lists. From cell phone use in restaurants to texting in work meetings, they describe when it's OK to be upset with friends, family and co-workers and when it's not. These lists provide some helpful guidance, but be careful - some of the lists also contradict each other.</p>
<p>We know our society has a problem when comedians get involved. Check out this YouTube video (at home on your own time, of course) from <a href="http://www.youtube.com/watch?v=8wMquZNhe9c">Greg Schwem on tech etiquette</a> to grasp the issues pretty quickly - with a smile.</p>
<p>So what's my point? Besides the many articles on our <a href="http://www.google.com/search?hl=en&amp;q=Obama%27s+blackberry&amp;btnG=Google+Search&amp;aq=o&amp;oq=">new President's Blackberry usage</a> and bringing this hot topic to your attention, there are real questions, issues and lessons here for policy makers and technology staff. Some governments and companies around the world have even formally <a href="http://www.cbc.ca/news/yourview/2008/02/federal_departments_blackberry.html">banned blackberries from meetings</a>. Is that the right approach? Do we best change the culture at work through tech etiquette training? Or do we just leave this topic alone and let the masses figure it out?</p>
<p>My view: we probably need fewer policies in these areas, but better training for staff on expectations for the use of technology. Several organizations, like Motorola, have even condensed their policies down to far fewer pages so that end users can better understand the do's and don'ts on the net at work. In Michigan, we are re-writing many of our acceptable use policies now to include Web 2.0 and social networking topics. However, it remains to be seen whether the policies actually get shorter.</p>
<p>Nevertheless, I seriously doubt that we'll get to the level that Jon Chase does in his 25 rules - nor should we, in my opinion. The central question that governments around the globe need to answer is this: Is a policy required, or is this tech etiquette? We can't have a policy for every situation; we need to rely on common sense, right?</p>
<p>What are your thoughts?</p>
<p>One side note: Starting tomorrow, I will become Michigan's Acting Chief Technology Officer and Director, Infrastructure Services Administration, within the Michigan Department of Information Technology (MDIT). Trent Carpenter will become our Acting Michigan CISO. As mentioned in <a href="http://www.govtech.com/gt/articles/586537">Government Technology Magazine</a>, I will stop blogging on security and start blogging on infrastructure, integration, and innovation if/when the position becomes permanent. I also plan to write a future blog on the transition of roles in government. Stay tuned and thanks for reading.</p>
]]>
        
    </content>
</entry>

</feed>
