In a 44 page document, the ISAlliance covers a broad range of issues ranging from defense to banking to higher education. The six page executive summary includes the following items:
- Overview of The Problem
- Government Must Embrace Some Inconvenient Truths
- The Cyber Security Social Contract
-
Why the Internet is Different-
Why the National Strategy is Not Working-
Why the Regulatory Models Won't Work-
The Good News - We Do Know What Works-
Core Components of the Cyber Security Social Contract
I want to highlight the central piece of the Internet Security Alliance approach - the social contract. ISAlliance's model is based upon the agreement between government and the utilities in the early 20th century to provide phone, power and light service to Americans. Here's an excerpt:
"The utilities guaranteed to make the infrastructure upgrades necessary to provide universal service. In return, government essentially guaranteed a return on the required private investment economically sufficient to make the investments good business decisions. The utilities maintained the investments over time because they were also provided exclusive franchises for the service area.
"The report goes on to describe why voluntary approaches and regulatory models are not working. The report offers several excellent solutions and lays out proposed government roles, business roles and incentives for businesses that implement best practices.
My response - I like the Internet Security Alliance proposal. We do need to move in this direction. I certainly encourage you to read their full report.
Although these recommendations are far-reaching, my only criticism is that that they may not go far enough. We also need a social contract regarding cyber ethics with all Americans. The conduct of each person online is actually our weakest link. I offer an outline for a new national strategy on cyber ethics in the appendix of my book, Virtual Integrity. Just as we do for emergency preparedness, we must engage individuals, families, non-profits, K-12 schools - as well as universities, businesses and the others mentioned in this plan.
Bottom line: We do need to take bold action. This social contract is a good idea.
What are your thoughts?
]]>
According to Federal Computer Week (FCW), "The virus is a variation of a three year old worm called SillyFDC which spreads by copying itself from one piece of removable media to another. When plugged into another computer the virus will automatically download code from another location."
The Associated Press and other news organizations reported that, "...Messages were sent to department employees informing them of new restrictions. As part of the ban, the Pentagon was collecting any of the small flash drives that were purchased or provided by the department workers...."
Fox News offered this video update, which described the serious nature of the attack.
This situation raises the wider questions regarding portable media. While these devices have long been barred from classified networks, some government organizations around the globe ban all USB use by staff. Examining the pros and cons associated with turning off USB drives can lead to an interesting dialogue.
Basically, the decision comes down to ease of use and customer satisfaction versus the serious security threat posed by a loss of sensitive data. In addition, this DoD case raises the virus threat that can come up with portable media.
So what does your organization do? Are USB ports enabled on PCs and laptops?
]]>
Some experts estimated that McColo hosted the machines responsible for 75% of the global junk email traffic sent. The relief is expected to be temporary for those trying to stop the unwanted email, since other servers will likely be found to send out the spam.
The story was covered by numerous sources including the Washington Post, who initially broke the story. Here's an excerpt:
"Also unclear is the extent to which McColo could be held legally responsible for the activities of the clients for whom it provides hosting services. There is no evidence that McColo has been charged with any crime, and these activities may not violate the law.
Mark Rasch, a former cyber crime prosecutor for the Justice Department and managing director of FTI Consulting in Washington, D.C.,. said Web hosting providers are generally not liable for illegal activity carried out on their networks, except in cases involving copyright violations and child pornography. "
Others who covered the story included BBC News and ComputerWorld.
The BBC reported, "Anti-spam firm Ironport has seen junk mail levels drop by 70% since McColo was taken offline on 11 November.... A recent study by computer scientists from the University of California, Berkeley and UC, San Diego (UCSD) found that spammers manage to turn a profit despite only getting one response to every 12.5m emails they send."
It will be very interesting to see if the amount of spam sent return to previous levels - and how fast it happens. In Michigan, we have seen a steady increase in the amount of email we block over the past few years. We were blocking over 90% of incoming email due to spam or viruses, but I'll let you know if that number drops significantly in coming months.
What did you see happening last week? Did spam numbers drop in your enterprise?
]]>At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus--a case of "phishing," a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised.
According to Newsweek, the Feds assured the Obama campaign that the cyber attack did not come from his political opponents. Meanwhile, a top McCain official confirmed that their computers had also been hacked.
But to end the story there would be an injustice to the importance of recent events. The London Times offered a fascinating analysis of President-elect Obama's use of the Internet during the campaign.
Under the Tech section with the title, Is the YouTube-isation of politics a good thing? (note the English use an "s" rather than our "z"), the article describes the importance of the Internet as reported from a Web 2.0 Summit in San Francisco. On the panel, Arianna Huffington, who founded the Huffington Post, reportedly said, "Were it not for the Internet, Obama would not be president."
The panelists went to to describe how YouTube and the wider Internet has changed everything in political expectations. The panelists also brought up the digital divide and those in society who don't have Internet access and don't participate online.
A related post-election question is: How will the Internet be used differently in a President Obama adminstration?
Again the London Times offered some early insights with their article Barack Obama: master of the web shares his night of triumph with the world. The article describes the behind-the-scenes look at his election night triumph. The article also describes how quickly his new transition website was launched at change.gov which encourages supporters to: "Share your story and your ideas, and be part of bringing positive, lasting change to this country."
The website continues a tactic Mr Obama employed to such brilliant effect during his campaign: making people feel they have a stake in his strategy while simultaneously galvanising an army of supporters and new donors, who were kept in almost daily contact with the campaign through e-mails and text messages.
Will President Obama be remembered as the first "Internet President"? Time will tell. He certainly appears to be the first President who will use Web 2.0 technologies to reach out directly to millions of Americans and bypass the media with his instant messages.
No matter which side you are on, politics will never be the same. Cyberspace will now play a central role for elections at all levels of government. Elected officials will follow the President-elect's model.
My view: cyber security is no longer a side show. We are now on center stage - even in politics.
What's your view?
]]>Arstechnica.com said it this way, "Liberal democracies aren't generally pleased with massive state-run mandatory Internet filtering schemes, but Australia's government is plowing ahead with just such a project...."
"Family First would consider a mandatory ISP-based filtering system that protects children by blocking illegal content like child pornography, but allows adults to opt out of filtering to access material classified R18+ or less," said the party.
While many groups have lined up against the program and call this censorship, the government argues that parental responsibility simply isn't workable and that children are finding damaging material online.
A related article was published back in August 2007 by Arstechnica.com which announced the $189 million (Australian) anti-porn tech initiative. According to that article,
"Approximately $89 million will be used to establish Australia's National Filter Scheme, which will impose burdensome filtering requirements on ISPs and provide Australian citizens with free* access to PC-based Internet filtering software. The filtering systems will leverage the Australian Communications and Media Authority's official Blacklist, which is based on the country's National Classification Scheme. According to a statement issued on Friday by communications minister Helen Coonan, the Australian Communications and Media Authority is also evaluating plans to extend the Blacklist to include 'terrorism and cyber-crime sites upon prescription by the Attorney-General.'"
Arguments against the program are made on the basis of degradation of Internet performance and limiting the free speech of adults. And yet, it is hard to argue with the Australian government's assertion that this "illegal content" problem is now out of control in cyberspace. The challenge becomes defining what content is illegal with current technology and not blocking content which is legal for adults.
ABC News in Australia offered commentary by Michael Meloni on the high price of internet filtering and the need to focus on children. Here's a quote:
"To provide a safer environment for children online we need to focus on areas posing a real threat to young Australians like cyber-bullying, identity theft and online predators. Filtering does nothing to reduce these risks. Just like we educate children about staying safe outside, we need to educate them about staying safe online. Walk them through it just like we'd walk them to the park. If that means educating parents unfamiliar with the Internet as well, then let's do it."
While it would be inappropriate for me to take sides on this effort as CISO in Michigan, I understand the sense of urgency. No doubt, the free speech advocates have great points against limiting the freedoms of adults in society, but it is also government's responsibility to protect it's citizens against crime. The challenge becomes how far can and should governments go to restrict adults, fight predators or help children.
There are entire books on the history of this topic in America, including the Children's Online Protection Act of 1998 (which includes action required by the states), the Children's Internet Protection Act (CIPA) of 2000, and related actions taken by the courts.
So why do I put this information about Australia in an American magazine? These same issues are still very real in the USA. New questions come up every day about our government role at a federal or state level. I expect this topic to get much more attention here in 2009 and beyond than it did in 2008. The debate here has been somewhat delayed, due to the election campaign and the economy.
What are your thoughts?
]]>The Microsoft website offered details of how to get the updates.
Computerworld offered two stories related to the critical new vulnerability. The first story described attack code for critical Microsoft bug, and another article released on Saturday described how the Gimmiv worm feeds on latest Microsoft bug.
Microsoft released the patch two weeks prior to the normal schedule, since they were seeing active attacks on the Internet. According to Computerworld:
"Both Symantec and McAfee Inc. said today that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting yesterday evening, it found a 25% jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.
That scenario becomes more likely, too, as more tools that exploit the flaw are released to the public. Sample exploit code was posted to the Milw0rm.com hacker site today, and over the next few days hackers are expected to move that code into attack tools that are easy to use."
Some experts were predicting that the attack code will soon be used to build botnets with infected computers. What is clear is that all governments need to respond immediately and apply the patch, if they haven't already done so last week.
Has anyone seen this attack on their networks?
]]>"The survey shows that these high rates of technology ownership affect family life. In particular, cell phones allow family members to stay more regularly in touch even when they are not physically together. Moreover, many members of married-with-children households view material online together."
A report released last month on work called Networked Workers, describes how pervasive the use of the Internet has become in the United States.
"The majority of employed adults (62%) use the internet or email at their job, and many have cell phones and Blackberries that keep them connected even when they are not at work."
There is good news and bad news in these reports and poll numbers. Most workers think that increased connectivity makes them more productive, but the majority also think that these tools also add stress and new demands to their lives.
Digging deeper, Pew has two separate reports regarding work. One covers Email at work. Again, respondents recognized the good and bad aspects of email. Interestingly, the polls show that spam is less a problem at work than with personal email accounts.
Another report covers Wired Workers: Who They Are and What They're Doing Online. There are many positive aspects to this report, as well as a darker side mentioned.
"Some 17% of Internet users (and 11% of all Americans) say they know someone who has been disciplined or fired because of his or her use of the Internet on the job."
In my opinion, coverage of these reports has been somewhat limited, probably due to the coverage on the upcoming election. Still, there was some mainstream press coverage. USA Today offered this report back in September: Study: American workers tethered (with mixed feelings) to work via tech. One man who was interviewed for the report said,
"If everybody also threw their BlackBerrys away, I would too," he said, chuckling. "The only problem is, in my industry, it makes me more competitive."
Initial coverage of family use of the Internet has been more positive. CNet claimed, "The Internet is no 21st-Century Boob Tube."
Overall, there weren't many surprises in these new poll numbers or Pew reports. One thing to keep in mind is the law of averages. That is, some people are spending much more time online than these numbers indicate. (Of course, others are spending significantly less.) Still, there were no shocking numbers that grabbed headlines nation-wide.
I plan to discussing these poll numbers further in future blog entries. Meanwhile, what's your opinion on these reports?
]]>
The Federal Trade Commisiion (FTC) website listed details of the story this afternoon:
"According to papers filed with the court, the defendants recruited spammers around the world to send billions of spam messages directing consumers to Web sites operated by an affiliate program called "Affking." By using false header information to hide the origin of the messages, failing to provide an opt-out link, and failing to list a physical postal address, the defendants violated the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003.
Some security researchers believe that at one time, nearly one-third of the world's spam e-mail came from a network of compromised computers, often referred to as a 'botnet,' that sent spam promoting the defendants' Web sites. Their enterprise included participants in Australia, New Zealand, China, India, Russia, Canada, and the United States."
]]>"You know you shouldn't do it, but that liquid courage convinces you otherwise and, soon enough, you've fired off a hasty e-mail to an ex, a co-worker or, worst of all, a boss.
Many a relationship has been prolonged -- and perhaps many a career has been cut short -- by the dreaded drunken e-mail."
At first, I thought this was a bad joke. Was Google trying to add some comic relief to our lives? Could this be an attempt to change the subject away from our 401Ks and our current Wall Street banking woes?
But I kept running into this story all week. Some on mainstreet are honestly thinking that this is some type of breakthrough. Even morning talk shows are offering demos on how hard the Google math is. The Internet has plenty of video interviews on this topic. One video from NBC San Diego can be seen here.
Personally, I find this topic to be beyond humorous. Is this really such a big problem? Will people really use this new feature? Perhaps I'm living on a different planet or not consuming enough alcohol, but are millions of cyber surfers really drunk?
OK, I'll try and offer some serious commentary on this new development.
The Problem: Sure, people send emails and instant messages in poor judgment. They hit the return button millions of times each day - only to regret the message later. We all need to stop and think before we click. Sometimes these messages are accidental and other times they are intentional but naive or unwise.
Most people occasionally use the Internet when they should go offline and talk in person. I've intervened in many email wars at work over the past decade between professionals sitting in back to back cubes. This happens even when people are sober.
The Good: People are finally confronting the fact that there are real-world consequences to their virtual actions. As I've said in several blogs, our virtual worlds and real world events are merging at home and work.
The Trend: Get ready for more technology tools and techniques to build trust online. We have a long way to go in this area. How can we connect our offlines values with our online world? How about a virtual conscience based on your professed values? More accountability must come with more social networking opportunites at work.
The Solution: What we need is cyber ethics for grown-ups. This involves people, processes and technology. Although technology can help (and more tools are coming), no Google or Microsoft tool will do this for you. We're talking about character and integrity in a cyberspace that resembles the Wild Wild West. I describe this trend and personal solutions in detail in my soon to be released book, Virtual Integrity.
One final thought, Google is very good at marketing and offering what customers want. Obviously, they did some market research before rolling this out. It clearly passed the "cool" or "daily buzz" litmus test. So how can we offer similar security tools that help overcome risk and also meet customer needs at work? There is a lesson in this (somewhere) for IT professionals.
Any ideas on how to make it cool to change your password? Now that would be a breakthrough.
]]>
The indictment is also available at USA Today's blog site.
According to the Knoxville News Sentinel: "Kernell is the the son of state Rep. Mike Kernell, D-Memphis.... If convicted, Kernell faces a maximum of five years in prison, a $250,000 fine and a three-year term of supervised release. A trial date has not been set."
]]>
- Our English friends provide a different voice and perspective on world events and on happenings in the USA.
- They are often a few days or weeks (sometimes even months) ahead of us in their discussion of various topics, including technology trends.
- They don't have to be as politically correct - they can call an election or economic event as they see it.
- Personal preference. I lived in the UK (in North Yorkshire) for almost seven years - I just like the way they think and write across the big pond.
So what have they been talking about lately? Besides detailed analysis on the upcoming US elections, the $700 billion economic bailout and Europe's own banking crisis, one hot topic in their technology section is "The Grid."
Never heard of it? Check out this 4+ minute YouTube video on The Grid.
Europeans think this is a big deal. How do I know? Check out these recent headlines from our scientific colleagues, keeping in mind that these writers are known to play down just about everything: The Grid powers up to save lives and seek the God particle or Grid of 100,000 computers heralds new internet dawn.
Here's an excerpt from the first article:
"Scientists believe that the Grid, described as a "worldwide revolution," also has the capacity to find a cure for cancer and save lives following a natural disaster.
Excited researchers, from Vancouver to Beijing and Oxford to Melbourne, watched yesterday's launch at CERN, the European Organisation for Nuclear Research, near Geneva, through a live video link up.
It has been vaunted as the next evolution of the internet and may even allow researchers and pharmaceutical companies to find a cure for cancer faster than previously thought possible. This is because the Grid is able to crunch massive amounts of data very quickly by, in essence, turning a desktop PC into a supercomputer."
There is no doubt that these are exciting times, but many will see these events as somewhat scary or as another step towards "Big Brother." Indeed, other headlines on Sunday, October 5, such as Government will spy on every call and e-mail, highlighted British Government plans to expand monitoring to capture terrorists.
Regardless of our personal opinions, "The Grid" is coming. While Americans spend the next few months focused on important political and economic matters, technology keeps moving. I suspect we will spend quite a bit of time in 2009 and beyond discussing the good and bad impacts to society that the "The Grid" will bring upon us. If, as Microsoft says, we are trying to build "end to end trust" online, there is no doubt that hundreds, perhaps thousands, of articles will be written on this topic over the next decade.
Some may even say, I heard about this way back in the Spring. True, Fox News ran an article in April 2008 entitled: The Grid could soon make the Internet obsolete. It's a very good article.
But funny thing, it originally came from The London Times.
]]>
After the executive summary, introduction, and overview of the checklist program, the guide covers such topics as checklist usage, checklist development, and even examples as Appendix B offers a checklist description template and Appendix C offers operational procedures.
Government Computer News (GCN) announced the new guide and described some of the goals of the National Checklist Program (NCP):
I highly recommend taking a look at this new NIST publication. These checklists can be very helpful to follow.
So tell me, does your state use NIST or other checklists to securely configure IT products?
]]>The ceremony last night ended with several important announcements, including the introduction of the new executive committee and NASCIO President John Gillispie, CIO from Iowa, handing over the gavel to the new President, Gopal Khanna, CIO of Minnesota. As the new leader, Gopal's speech was a rousing call to action for CIOs and their staff members to make a difference and commit to improving our nation's approach to IT engagement in the public sector in all 50 states.
Overall, I thought this was an excellent conference. NASCIO remains a very strong organization with considerable power and influence with various groups across the country. As many states transition to new Governors and our nation elects a new President, it will be interesting to see how things develop in state government IT in 2009.
One very positive recent development for NASCIO was the announcement by Senator Norm Coleman (MN) on a bill to strengthen state government cyber security. Hopefully, this bill will become law. My view is that this bill is a sign of closer ties with Congress and federal government agencies in years to come.
Dr. Hall's main message was that our language matters much more than we realize, and we need to reexamine our vocabulary to more clearly articulate important messages externally and sell public policy and IT priorities. For example, acronymns like IRE (which stands for Information Resource Executive) and even CIO are not well understood by the public. Other words to avoid include infrastructure, GIS, IPv6 and other technical terms.
On the other hand, Dr. Hall recommends using phrases like "Identity Theft" which are well-understood by the public.
As we make the case for IT to the public, we need to explain what our roles are in clear terms. For example: save lives, save money, save the planet, are well-understood. Take another look at the questions: "What do you do to support the taxpayer?" Translate your job into positive actions that can gain buy-in.
Dr. Hall challenged the audience to tell their neighbor what they do at work in an easy to understand single sentence. She did an excellent job of pointing out public perception of the work that we do, with video examples of IT going down and causing public disruption at airports. When things go well, say at schools or in transportation, others get the praise. We need to repackage our entire approach and show the value that public CIOs and IT shops add on a daily basis.
Later in the morning, another session was held entitled: CIO Reflections: Perspectives from both sides of the table. The session was moderated by Teri Takai, CIO of California, and it brought in current state government CIOs who came from the private sector as well as former piblic sector CIOs who are now in the private sector. It was a great conversation.
Here are a few of the takeaways:
- CIOs who go to the private sector are often shocked that they aren't seen as "thought leaders" but rather new execs that need to grow the business and the bottom line.
- Relationships and understanding of roles and issues are two of the greatest benefits you bring from a public sector CIO job to the private sector.
- Private sector execs who become public sector CIOs will fail if they take the job to "save government." The issues and challenges are large and different, and they better listen to the advice of other CIOs who have gone before them.
- One panelist said that you are there to not just run the IT business but to help the Governor get re-elected. Help your boss succeed on their priorities.
- All of the panelists saw huge value in NASCIO before during and after they were public CIOs. Some even called other public CIOs and learned more before they accepted the job.
- Know your strengths and weaknesses, and seek out other mentor CIOs who can offer advice and direction. Both sides agreed that humility was very important in dealing with relationships all-around.
Overall, a great day. More to come on the afternoon sessions and the awards banquet tomorrow.
]]>
This morning's keynote address featured the Honorable Tom Ridge, former Governor, Commonwealth of Pennsylvania and first Secretary, U.S. Department of Homeland Security.
Governor Ridge congratulated NASCIO on their bipartisan approach to dealing with state government technology problems in a world where everyone has "special interests." His main themes included:
- A need to elevate the message and add a sense of urgency to pressing IT issues in government.
- CIOs need to develop advocates or champions to sell their messages.
- Security of cyberspace is a "national priority."
- CIOs have one of the toughest jobs in government, because they get all the blame but little of the credit for successes. Citizens expect nothing bad to happen - just like with Homeland Security.
- Not much trust in government. We need to work on developing more
In the Q/A session, Governor Ridge said we need to consolidate IT more and eliminate silos in a new adminstration, as we address IT and cyberspace in the future. When asked what he would have done differently if he had the chance, he joked that he should have finished his term. He closed with a reiteration of the importance of IT and expressed his willingness to advocate for NASCIO at the National Governor's Association.
A later session focused on consolidation efforts in IT by many states. Stories were told about Tenn, Texas, and Indiana. The numbers were impressing, with savings quoted by Tennesee in the range of $34 million.
In Indiana, 800 servers were decomissioned, a new state portal was built, IT contracts were combined (with savings over $20 million), and TPI benchmarked their improvements and showed results as being top in service and lowest in cost. Indiana also added disaster recovery services.
Overall, it is clear that consolidation is happening all over the USA and in greater numbers than I ever thought possible. The benefits are ranging from improved security to lower cost and better service.
An afternoon session on Green IT presented the economic case for going green. Virginia talked about telework programs and Michiagn layed out aggressive green IT programs. Google also discussed their approaches to Green IT.
Overall, the first day was well-attended, with about 500 attendees, including CIOs, their staff, and vendors. More to come tomorrow.
]]>