• Roger Cressey speaks about cybersecurity at the Pell Center.

    Pell Center Lecture Discusses U.S. Government and Private Sector Cybersecurity Efforts, the Impacts of the NIST Framework

    NEWPORT, R.I.—The Pell Center hosted a major cybersecurity lecture this month that featured Roger Cressey, an internationally known cybersecurity expert and counterterrorism analyst with NBC News, and Kiersten Todt, President and Managing Partner of Liberty Group Ventures, LLC.

    Over 50 senior leaders representing Rhode Island’s private and public sectors took part in the event to discuss cyber risk management and the impacts of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (formally the Framework for Improving Critical Infrastructure Cybersecurity) one year after its release.

    Mr. Cressey praised the Pell Center’s ongoing Rhode Island Corporate Cybersecurity Initiative (RICCI), which has become the de facto venue for major RI companies and state agencies—including Raytheon, Citizens, CVS, IBM, Mass Mutual, National Grid, RI Emergency Management Agency, RI State Police, as well as the U.S. Attorney’s office—to discuss some of the most pressing cybersecurity issues, share information, and encourage cybersecurity best practices. Cressey encouraged leaders to continue to engage in these types of discussions to maximize Rhode Island’s potential to become a cybersecurity incubator and role model for other states.

    Mr. Cressey and Ms. Todt provided a compelling overview of the increasingly complex cyber threat environment and defined it as “an arms bazaar of attack code and weapon-grade arsenal,” including over 300 new malware programs discovered daily, enhanced cyber tactics, techniques and procedures (TTPs), an incredibly profitable black market, and the growing threat of data destruction and manipulation. They detailed some of the most common cybersecurity challenges to the private sector, such as the expansion of the attack surface due to the increased use of mobile devices, web applications, social engineering techniques, and the advent of the Internet of Things (IoT). They also focused on the growing cyber risks from accidental and premeditated insider threats and third-party vendors: the supply chain often presents multiple opportunities for adversaries to penetrate networks and is increasingly the vector of choice for attackers seeking access to corporate systems. “Don’t throw money at the problem after a breach happens,” Mr. Cressey stressed. “It’s time to invest in cyber before an attack, not after. What we need is a change of corporate culture and a shift of mindset from prevention to resiliency that requires management buy-in and attention from the C-suite. Treat cybersecurity as a risk equal in importance to other business risks—financial, brand, reputation, and integrity. And plan for the inevitable breach… it will happen… and most likely has already happened.”

    First and foremost, however, companies need to understand their interdependencies and threat environment. Ms. Todt explained that one of the main issues with detecting an attack is that most companies do not have a centralized procedure in place to process all the information and potential red flags that they see on their networks. “Companies are drowning in data, but starving for information,” she said. “They must establish processes across the enterprise to identify threat-critical data. Employee education is the foundation of corporate cybersecurity—they are both your weakest link and your first line of defense. Companies should also establish threat information-sharing policies and have a cyber risk management plan in place—managing cyber risk means understanding that you will be breached and knowing how to mitigate the breach.”

    Their main recommendation was to use the NIST Framework to create a profile that would help their respective organizations understand their dependencies on business partners, vendors, and suppliers, and then to organize their security efforts around the Framework’s five core functions: Identify, Protect, Detect, Respond, and Recover. “The Framework is your friend,” said Mr. Cressey, “it provides your organization a template to track efforts for cybersecurity practices.”

    The blueprint for the Framework grew out of President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (February 2013), in which he directed the National Institute of Standards and Technology (NIST) to work with industry and other stakeholders to develop a comprehensive approach to mitigating cyber risks to critical infrastructure. The Framework, “a product of industry, not government,” as Mr. Cressey emphasized, creates a common language for cybersecurity within and across sectors, applies a market-driven approach to cyber risk management, and provides a set of voluntary standards, guidelines, and best practices for cybersecurity. Since its release, the Framework has facilitated behavioral change in organizations, encouraged them to examine and understand key priorities and vulnerabilities, and supported cyber resiliency within and across sectors. Throughout 2014 and 2015, critical industry sectors have taken steps to align their own security guidance to the Framework, and U.S. federal agencies and departments—as well as state governments and associations—have engaged with and embraced the Framework as the key standard for the industries they regulate.

    The Framework has also sparked an enhanced national debate about related controversies regarding cybersecurity and the controls necessary to improve it.

    Last year, the Pell Center organized the first event of its kind hosted in New England after the release of the Framework in February 2014—a panel discussion on “Improving Critical Infrastructure Cybersecurity: The National Cybersecurity Framework and Beyond.” The panel discussed the specifics of the NIST Framework and other national and state initiatives to support its implementation. The distinguished speakers from both the federal and state government—including Adam Sedgewick, NIST senior information technology policy advisor; Michal Leking, the Department of Homeland Security’s cybersecurity advisor for the Northeast region; and Jamia McDonald, former executive director of the state’s Emergency Management Agency—explored how organizations charged with providing the nation’s financial, energy, healthcare, and other critical systems could use the Framework to better protect their information and physical assets from cyber attacks.

    One year later, the Framework continues to see growing adoption. Its most frequently cited benefits are the establishment of a common language, collaboration opportunities, the ability to demonstrate due care by adopting it, the ability to promote better security within the vendor supply chain, and cost efficiency in cybersecurity spending. In addition, as more U.S. federal agencies and state governments adopt the Framework and strongly encourage private sector organizations to implement its approach, there can be little doubt that it has become, or will soon become, the de facto standard for cybersecurity. It may remain a voluntary undertaking, but it seems clear it will become the standard against which other developments are measured.

    For more information on the Pell Center cybersecurity initiative and future events, visit the RICCI webpage or contact the Pell Center at [email protected].


    The Rhode Island Corporate Cybersecurity Initiative is supported by The Verizon Foundation for the 2014-2015 academic year.

  • Chinese and Russian flags in juxtaposition

    A Pivot to the East in the Struggle for Power in Cyberspace

    As the U.S. relationship with China and Russia continues to deteriorate—cyber-espionage accusations straining relations with the former, the crisis in Ukraine complicating ties with the latter—the two Eastern superpowers joined forces last week to sign a new cybersecurity pact.

    The deal between China and Russia unites our main cyberspace adversaries and signals Russia’s pivot to the East, all of which will likely exacerbate cybersecurity tensions all around.

    According to the Wall Street Journal, the terms of the agreement are clearly aimed to bring Russia and China closer together: they have vowed not to launch cyber attacks against each other; they have agreed to pool information; they have committed to share law enforcement and technology resources to better equip themselves against any incoming attack that may attempt to “destabilize the internal political and socio-economic atmosphere,” “disturb public order” or “interfere with the internal affairs of the state”.

    While it may be naive to believe the pact signals the end of Russia and China spying on each other—countries will always be suspicious of one another—the new pact will undoubtedly see the two nations strengthen their defenses significantly, while freeing up offensive resources for deployment elsewhere, perhaps even against the United States, as former House Intelligence Committee Chairman Mike Rogers (R-Mich.) warns.

    This new cybersecurity pact follows both a renewed push from Beijing and Moscow in favor of changes to global Internet governance that would reduce the traditional role of the U.S., and years of hacking attempts and cyber intrusions believed to emanate from both Russia and China.

    Recently, Secretary of Defense Ashton Carter revealed that Russian hackers had breached one of the DoD’s unclassified computer networks. In a separate intrusion reported by The New York Times, Russian hackers also penetrated the White House’s unclassified computer system, gaining access to the email archives of people inside the White House, and perhaps some outside, with whom President Obama regularly communicated, and were thus able to read emails that the President had sent and received. Around the same time, FireEye, a security company, released a detailed report attributing to Russian state-sponsored actors a campaign focused on lifting military, government, and security information. These disclosures came amid rising Sino-American tensions over information security as well. China pulled out of its own cyber working group with the U.S. last year, after the U.S. Justice Department indicted five members of China’s People’s Liberation Army on cyber espionage charges, and denounced tech giants like Google and Apple as “pawns” of the American government. As if these events were not enough to increase frictions, China recently crossed a historic first: explicitly admitting the existence of dedicated cyber warfare units.

    The U.S., meanwhile, has recently unveiled a new, more aggressive Department of Defense cyber strategy. Its tenets include accelerating cyber-related R&D at the Pentagon, assessing the DoD Cyber Mission Force’s ability to deal with multiple simultaneous threats, and fleshing out the department’s deterrence doctrine. The long cyberwar of the 21st century may just be getting started, but the battle lines are already being drawn.

    Russia and China Pledge Not to Hack Each Other | The Wall Street Journal

    What does China-Russia ‘No Hack’ Pact Mean for the US | Dark Reading

    White House Cites a Breach by Hackers | The New York Times

  • Francesca Spidalieri stands in a decorative archway at the 2015 Global Conference on CyberSpace

    Pell Center Senior Fellow Meets World Leaders and Experts Shaping the Future of Cybersecurity

    NEWPORT, R.I.—Pell Center Senior Fellow Francesca Spidalieri recently traveled to Europe for the Global Conference on CyberSpace and to meet with world-renowned cybersecurity subject-matter experts and policy-makers discussing the future of Internet governance and security. Spidalieri shares her account of her trip:

    Armed with information, experience, and lessons-learned from my research work in the United States, I embarked on a quest to Europe to shed light on some of the most pressing topics at the intersection of cybersecurity and international affairs.

    I first visited Geneva, Switzerland, for a series of meetings during which I had the opportunity to present some of my most recent work on countries’ cyber readiness—the Cyber Readiness Index assesses countries’ maturity and commitment to securing their cyber infrastructure—and explored possible collaborations with similar projects at the International Telecommunication Union (ITU) and the United Nations Institute for Disarmament Research (UNIDIR). The ITU created a Global Cybersecurity Index, which ranks the cybersecurity capabilities of nation states, and UNIDIR developed a Cyber Stability Policy Tool, which aims to support policy-makers and diplomats in framing discussions and making better-informed decisions related to cyber risks and threats. The leaders of the two projects, Luc Dandurand, Head of the ICT Applications and Cybersecurity Division at the ITU, and Ben Walker, UNIDIR Emerging Security Threats Programme Lead, welcomed the possibility of collaborating on data-sharing and highlighted the many benefits of cross-intersection among the indices. The three indices, in fact, share the overall goals of better informing decision-makers working at the national, regional, and international levels about the complexity of the cyber arena; promoting government cybersecurity policies, strategies, and initiatives; and providing frameworks to evaluate countries’ progress towards cyber security or stability.

    During my Swiss visit, I also met and discussed some of my work carried out under the Pell Center’s Cyber Leadership Project with Gustav Lindstrom, Head of the Emerging Security Challenges Programme at the Geneva Centre for Security Policy (GCSP)—an international foundation that promotes peace, security and stability through executive education, research, and dialogue. Both the Pell Center and GCSP, in fact, have initiatives aimed at providing cyber leadership development and training for private sector representatives as well as government officials on the security and legal implications of emerging technologies.

    After Switzerland, I traveled to The Hague to participate in the Global Conference on CyberSpace (GCCS), hosted by the Dutch government. This was the fourth iteration of the International Cyberspace Conference process, often called the “London Process” because it started in London in 2011, aimed at promoting practical cooperation across a broad suite of cyber issues, from security to economic development. This multi-stakeholder process aims to build a focused dialogue on principles for governing behaviors in cyberspace and ensure that the Internet remains free, open, and secure. The key objectives of the conference this year were to:

    • Support practical cooperation in cyberspace;
    • Promote capacity-building and knowledge exchange in cyberspace; and
    • Discuss norms for responsible state behavior in cyberspace.

    The conference drew high-level participation from Ministers and leaders from international organizations, businesses, universities, and civil society, and the quality of conversation and ideas was impressive. This highly-anticipated event was preceded by the International ONE Conference—dedicated to cybersecurity professionals and the (inter)national CERT community—and additional side events, including a panel discussion on International Cyber Norms and Global Swing States at the Hague Institute for Global Justice, a lunch debate on Advanced Persistent Security sponsored by Microsoft, Shell and KPMG, and the launch of the Asia-Pacific Insights Report. The GCCS and ONE conferences brought together over 1500 participants from a hundred countries, representing perspectives from all over the world, to discuss how an open, interoperable, secure, and reliable cyberspace supports international trade and commerce, strengthens international security, and fosters free expression and innovation.

    The Netherlands emerged as one of the top world leaders in the area of cybersecurity by organizing and hosting both events back-to-back in the same venue with the overall goal of “creating a bridge between all the actors involved in the global ICT-community” and “building international coalitions necessary to effectively create a secure, free, and profitable digital domain.”

    The GCCS conference’s main outcome was the launch of a Global Forum on Cyber Expertise (GFCE), designed to provide a dedicated and informal platform for policymakers, practitioners, and experts from different countries and regions. The goal is to share experiences, identify gaps in global cyber capacity, complement existing efforts in capacity building, make available technical expertise as well as new funding to strengthen cybersecurity, help fight cybercrime, better protect data, and support e-governance. Membership of the GFCE is open to all countries, intergovernmental organizations and private companies who subscribe to the Hague Declaration on the GFCE. So far there are a total of 42 subscriptions, with the United States as a founding member.

    After my whirlwind tour of Europe, I returned in time to attend the RSA Conference in San Francisco—the biggest cybersecurity conference in the world—which this year broke attendance records with over 33,000 participants. This renowned conference, usually focused mostly on security tools and technologies, highlighted information-sharing between companies and the role of chief security officers (CSOs) as key conversation points. This year, however, it also dedicated an entire space within the three huge conference buildings to a “Cyber Safety Village-Kids Initiative,” which offered innovative programs and ideas designed to help children make smarter and safer decisions online, and to teach them how to protect themselves from various dangers on the Internet—including cyber-bullying, online predators, and identity theft. In addition, a powerful keynote panel on how to protect children from online predators left many of the participants shaken and almost in tears—not what you would expect at a technology event. After Alicia Kozakiewicz shared, in amazing detail, her nightmarish abduction by an Internet predator and her difficult rescue, the panel discussed additional challenges and offered solutions designed to ensure the safety of children online and offline.

    In sum—what a wonderful journey! Even though it is clear that much has already been achieved to increase security and establish some norms of conduct in cyberspace, my travels to Europe and San Francisco only confirmed that there’s still much more to be done in the years ahead.

    I’m looking forward to it.

  • Pell Center Cybersecurity Roundtable Discussion Addresses Supply Chain Risks and Mitigation Strategies

    NEWPORT, R.I.—The Pell Center hosted a cybersecurity roundtable discussion on April 7 in collaboration with New England’s premier electricity and gas utility company, National Grid, as part of its ongoing Rhode Island Corporate Cybersecurity Initiative (RICCI). This particular event explored some of the cybersecurity risks of working with third party vendors and how to evaluate and manage them to enable business objectives. Mr. Michael Andreozzi, IS Compliance Manager, and Mr. Scott Baron, Director, Governance Risk and Compliance at National Grid, examined important steps companies can take to identify risks of potentially insecure service providers, and options to mitigate those risks as part of their decision making process. They also engaged the audience in an open and frank discussion about third party management policies and strategies already in place in some of the other organizations represented in the room, from both the private and public sectors.

    The HVAC company used as the entry point for Target’s data breach is an example of a smaller business within a supply chain falling victim to a cyberattack.
    Image: Target

    Defending against cyber-attacks is a complex and never-ending job that requires enterprise-wide strategies. As Mr. Baron said: “Cybersecurity in our day and age is like playing a football game, but we are always playing from the defense, and still have to win every single time!” Moreover, the long list of very public data breaches in the past year has shown that attackers are increasingly targeting third-party suppliers. Several of last year’s most damaging breaches, Target’s among them, began with attackers compromising a part of the victim company’s supply chain as a way to gain access to its clients’ information and, in some cases, its internal systems.

    Working with third-party vendors is almost inevitable in today’s dynamic and ever-changing business environment; many companies use service providers to offer specialized services and additional capabilities, support decentralized and mobile operations, improve user and customer experience, and provide scalability. As Mr. Andreozzi said: “Along with the benefits of outsourcing, however, come additional risks that, if they are not properly managed, can adversely impact an organization and result in damage to the brand, loss of investor and customer confidence, and financial or reputational harm.” All of this can have lasting effects and possibly result in a company’s failure to meet business objectives, or worse. Yet most companies fail to recognize those security risks or to see the need to work proactively with the business, partners, and suppliers to reduce them.

    For any modern organization, physical supply-chain management already presents numerous complex challenges in understanding exposure to risk. The added complexity of cybersecurity risk only amplifies this, regardless of where an organization sits within a supply chain. National Grid has over 16,000 vendors, including suppliers to suppliers, and thus a very complex environment to manage. In addition, as we move toward increasingly interconnected and modernized network systems, as is happening in the energy sector with the Smart Grid, the potential for wide-scale impact creates a more attractive target for hacktivists and cyber criminals, who can either disrupt service or compromise databases and data transmissions. Recognizing the risks that cyber ‘insecurity’ can pose to the organization, and especially to the confidentiality, integrity, and availability of its key assets, National Grid has made cybersecurity an integral component of its security posture and has developed strategies that involve the entire business in a holistic manner. As Mr. Andreozzi said: “The threat landscape is always changing, and we know we have to always stay ahead of the threats. However, we can’t manage what we don’t know, so we have our own assurance frameworks to carry out third-party risk assessments and make sure our vendors are compliant with our guidelines and security controls.”

    Both speakers emphasized a common theme in RICCI events—that it is the leaders’ responsibility within their organizations to work with the business to understand and minimize the risks that suppliers and service providers can introduce along with their services. Additional best practices that National Grid has implemented to manage suppliers include:

    • Carrying out risk assessments with all suppliers, including auditing and onsite assessments. As Mr. Baron stated: “You probably shouldn’t move forward with a contractor who does not want to be audited or complete assurance reports.”
    • Following procurement processes with an emphasis on cybersecurity risks.
    • Conducting thorough due diligence for new suppliers, including using in-house security consulting teams with penetration testers who can identify issues with new vendors and assess their cybersecurity competence, and employing legal teams to work on specific contracts with different vendors.
    • Considering contractual clauses with set standard terms and conditions that cover security, confidentiality, privacy, and compliance; stipulating responsibility for any compromise or data breach by holding the main provider accountable for it; and contractually mandating that security clauses apply to sub-contractor(s) in the supply chain.
    • Conducting regular information-assurance sessions to identify weak links.

    The biggest takeaway, however, was that having business continuity and resiliency plans in place, with redundancies and multiple layers of resiliency built into the system, remains fundamental. In the utility industry, reliability, even to the detriment of security, is key.

    For more information on the Pell Center cybersecurity initiative and future events, visit the RICCI webpage or contact the Pell Center at [email protected]

    The Rhode Island Corporate Cybersecurity Initiative is supported by The Verizon Foundation for the 2014-2015 academic year.


  • Is Cybersecurity Legislation Finally Possible?

    Last week, the US House of Representatives Intelligence Committee voted unanimously in favor of a long-anticipated cyber threat data-sharing bill, the Protecting Cyber Networks Act (PCNA).

    The bill—which draws largely upon the Cybersecurity Information Sharing Act (CISA) that the Senate Intelligence Committee passed two weeks ago—would grant legal liability protections for companies sharing cyber threat data with the government through a civilian portal. This official portal, most likely to be managed and overseen by the Department of Homeland Security (DHS), would help mitigate the risks from cyber attacks and help both government and IT security firms take preemptive measures against those potential attacks and their perpetrators. Information passed onto the government would have to be “scrubbed” twice to filter out sensitive, proprietary, and personal information.

    Lawmakers have tried for nearly a decade to pass comprehensive cybersecurity legislation, but previous proposals—such as the Cyber Intelligence Sharing and Protection Act (CISPA) of 2012—have drawn widespread and determined opposition from Internet activists, civil libertarians, and privacy advocates, and the bills were ultimately scrapped.

    So what made the difference this time around?

    Across industry and government, there is now general agreement that greater data-sharing is fundamental to strengthen the nation’s cyber defenses and to detect, minimize, and possibly even prevent debilitating hacks like the one at Sony Pictures. Without a full picture of the cyber threat, we can’t stop it, they say. Businesses, alarmed by the proliferation of hacking instances on payment and online networks, have been hard at work to initiate solutions to strengthen security measures, and this bill would allow them to exchange important information without fearing potential lawsuits when passing data over to state and federal investigators. Lawmakers in both parties seem more eager than ever to move forward with this bill, as shown by the speed at which it was approved–the Intelligence panel advanced the measure in a closed session merely two days after introducing it.

    Critics of both CISA and PCNA, however, worry about the access the government could gain to their private data and have called both pieces of legislation a “surveillance bill by another name.” Major sticking points have been whether the private sector should be able to share data with intelligence agencies, including the National Security Agency (NSA), and how law enforcement officials can use that data.

    The Senate Intelligence panel has inserted language into CISA to address these issues. For example, CISA would allow companies to share data directly with the NSA only in non-electronic form, and it specifies exactly when that data can be used. Other Senators, such as Sen. Tom Carper (D-Del.) and Sen. Patrick Leahy (D-Vt.), have submitted additional privacy-enhancing suggestions.

    Despite civil libertarians’ and privacy advocates’ fear that this legislation could bolster government’s surveillance capabilities, the Intelligence panel’s leaders are confident they will get the support needed to pass their cyber bill. Both bills should come forward before the full House and Senate by next month.

    So far, the biggest winners have been cybersecurity firms, such as CyberArk Software Ltd, VASCO Data Security International, Qualys Inc, Proofpoint Inc, and Palo Alto Networks Inc, whose stocks rose sharply as soon as news of the House committee approving the bill surfaced last week, and their revenues may continue to grow as spending on next-generation security solutions by governments and corporations accelerates.

    Privacy Critics go 0-2 with Congress’ Cybersecurity Bills | WIRED

    Shares of CyberArk (CYBR), Palo Alto Networks Inc Gain After House Committee Approves Bill | BIDNESS

    Senate Dems Wooed on Cyber Bill | The Hill

  • The Real Cost of Not Implementing Cybersecurity Practices

    It’s no longer a matter of debate as to whether companies will be hacked or whether our critical infrastructure is vulnerable to cyber attacks—we know that both things are true. But after a year of well-publicized hacks at Sony, Home Depot, Target, Anthem and others, many corporations have not improved their cybersecurity practices, properly trained their employees, or safeguarded sensitive consumer data—all of which would help bolster their cybersecurity posture. The question is: why?

    The answer is straightforward—the losses involved are relatively small compared to the costs associated with strong cybersecurity measures, and many companies have concluded that the cost-benefit analysis tilts in the favor of doing nothing or very little. In other words, these companies seem inclined to disregard cybersecurity until customers decide to take their money and business elsewhere.

    Take the case of Target, for example. This week, they agreed to pay $10 million under a proposed settlement in a class-action lawsuit relating to their massive data breach from 2013. Nonetheless, the company recently said that the total bill for the breach was approximately $252 million, and that after $90 million in insurance coverage and other tax deductions, their total cost was roughly $105 million—or about 0.1% of Target’s 2014 revenue. Although these numbers may seem large to the average person, the costs barely made a dent in Target’s revenue stream, even if their CIO and CEO had to resign over the breach.

    On top of that, Target will be required to adopt and implement data security measures as part of the settlement, such as hiring a CISO, maintaining a written information security program, and providing security training to employees—all of which are cybersecurity measures that any company—especially a large company—should already have had.

    In short, from a purely financial perspective, investing in cybersecurity may seem like a waste of money to some companies. Instead, these entities prefer to save the extra money and perhaps use it to cover the cost of a breach if one occurs. (Smaller companies are exceptions—breaches like the one at Target would likely topple them). From a holistic perspective, however, companies should start paying attention to all the additional—sometimes hidden—costs of a breach, including brand equity, customer loyalty, and company reputation, if they want to continue to prosper and retain customers in the long-term.

    In the meantime, Target is supposed to pay individual victims up to $10,000 in damages—although it will most likely end up just reimbursing victims for “lost time,” as court papers say. That might include the time victims spent getting cards replaced and calling their bank, and this is only if customers can prove they were damaged by the data breach.  If the victims of the Target breach conclude they received the short end of the stick on this, they may just choose to shop elsewhere in the future—and that’s an added cost Target should consider as well.

    Target To Pay $10 Million to Settle Lawsuit from Massive Data Breach | Huffington Post

    The Reason Companies Don’t Fix Cybersecurity | CBS Money Watch

    Target Data Breach Victims Could Get Up to $10,000 Each from Settlement | The Washington Post


  • Why the Clinton Email Case Matters

    As you may have heard in the news recently, former Secretary of State Hillary Clinton did not use an official US government email with a .gov address during her entire tenure as Secretary, and instead exclusively used a ClintonEmail.com personal address for all State Department-related correspondence. Reports suggest that her email account was hosted on a server that was not physically under government control and instead was located at her private residence in New York. Clinton asserted that the server and email system, originally set up for former President Bill Clinton’s office, had “numerous safeguards,” but she did not provide additional details about the security measures in place—other than that the server was physically protected by the Secret Service. According to the security research firm Venafi, the server also had no digital certificate for roughly her first three months as Secretary of State, which means it could not offer encrypted (TLS) connections to web and mobile clients during that period. Political scandal aside, the so-called “emailgate” controversy does raise a number of cybersecurity issues that we should be thinking about.

    One of the biggest takeaways from this case is that our leaders have a responsibility to master and develop good cyber policy and secure the country’s most valuable, sensitive information. This means that politicians at the highest levels need to have a basic understanding of cybersecurity, and—critically—that we can’t let important cybersecurity lessons be lost in a political turf war.

    The story about Hillary’s use of a private email account matters for three reasons:

    1. The Secretary of State, as a Cabinet-level official, is one of the most prominent targets of foreign espionage efforts. The President, Secretary of Defense, head of the CIA, and other top leaders in the public and private sectors alike also qualify in this top tier of potential targets. These individuals handle some of the most important and most sensitive—therefore most alluring—information in the country. Foreign governments and nefarious actors are sure to be interested in obtaining that information.
    2. Nation-state threat actors represent the top of the food chain in terms of cybersecurity adversaries. Nation-states and highly organized criminal gangs can bring the most talent and resources to bear in this arena, so you need to employ the best of your best to thwart those potential cyber-attacks. It should go without saying that a private email server established in one’s home—even if one is the Secretary of State—is likely not as secure as official US government servers.
    3. Take points #1 and #2 together and you have a situation where very high-value targets are threatened by the most advanced and sophisticated offensive information security capabilities out there. Put another way, the best of the best are gunning for those people to get their information.

    Clinton’s assertion that her server had not been penetrated and her emails had not been compromised cannot be proved with 100% certainty, much less by a politician who is not a cybersecurity or IT expert. It took Target Corporation months to figure out that it had been hacked in 2013. The same is true for Home Depot, Sony, and many other companies that suffered data breaches in 2014. Even a financial institution the size of JP Morgan, which spends over $250 million a year on cybersecurity—and plans to double that amount—was recently hacked. These entities have legions of cybersecurity professionals patching systems, deploying anti-virus tools, and remediating cyber-attacks, and yet they still were hacked. In other words, if they can be hacked, so can Clinton’s private email server. And many other questions remain: how secure was the server? Who was protecting it? Was there any evidence that it was compromised (again, proving the absence of a compromise is quite difficult, and requires logs and forensic artifacts that a home-run server rarely keeps)? Assuming that it was compromised, what information was on it and what could have been exfiltrated?

    Regardless of one’s political affiliation and support, this case demonstrates how a single decision—to use a private email instead of a government one—can violate security best practices and possibly the State Department’s security policy (assuming they had a clear policy in this case). In the wake of the emailgate scandal, we ought to ask if this is an incident limited to a single individual or if this is a systemic problem whereby senior government officials communicate sensitive.

    Could Hillary Have Compromised the President’s Emails? | POLITICO

    Why The Clinton Email Server Story Matters—and Why It May Be Worse Than You Think | GeekWire

    Hillary Clinton Used Personal Email Account at State Dept., Possibly Breaking Rules | The New York Times

  • Pell Center Panel Discussion Addresses Cybersecurity Workforce Management: Challenges & Solutions

    NEWPORT, RI—Over 50 senior leaders representing Rhode Island’s private and public sectors, law enforcement, and academia gathered at the Pell Center on March 10 to participate in a two-hour panel discussion entitled “Enterprise Cybersecurity Workforce Management.” The event, part of the ongoing Rhode Island Corporate Cybersecurity Initiative (RICCI), brought together cybersecurity experts and practitioners to discuss ways to optimize enterprise resources, prioritize essential security tasks, and develop a comprehensive cybersecurity strategy—one that integrates best practices across policy, technology, and people—to increase the security posture of organizations. The panel included Francesca Spidalieri, Pell Center Senior Fellow for Cyber Leadership; Maurice Uenuma, Senior Vice President at the Center for Internet Security; Geoff Hancock, CEO of the Advanced Cybersecurity Group; and Jack Nicholas, Director and General Counsel at Creative Services Inc.

    The panel focused on the human element of cybersecurity and the recognition that every employee plays a part in securing the data, systems, and digital infrastructure of any organization. While frequently considered a technology-focused challenge, cybersecurity remains a profoundly human-centric endeavor. As IT professionals, humans are the ones who design, build, implement, maintain, and govern the systems which form the “central nervous system” of modern organizations. And humans, as employees of the organization, remain the most frequent avenue of cyber attack and constitute a major ongoing vulnerability to organizations everywhere. And it is humans, as nefarious actors, who conduct cyber attacks for a variety of (very human) motives. And humans, as cybersecurity professionals, are the ones who must identify, protect, detect, respond, and recover from cyber attacks.

    Due to the deep human involvement in cybersecurity matters, proper workforce management is essential to enterprise resilience in the face of persistent cyber threats. This requires a holistic approach covering everyone from executives to front-line employees, from cybersecurity professionals to IT managers, and including the hiring, deployment, and management of the workforce. In turn, workforce management must be aligned to prioritized enterprise action.

    Mr. Uenuma and Mr. Hancock shared with the group gathered for the event some of the main highlights from the “Cybersecurity Workforce Handbook: A Practical Guide to Managing Your Workforce”, recently published by the Council on CyberSecurity (now integrated with the Center for Internet Security). The key topics covered during their respective presentations included: aligning the workforce to prioritized action, assigning essential tasks to the entire workforce, deploying mission-critical cybersecurity roles, building a security-oriented culture, and providing effective governance of cybersecurity activities. “In order to tackle the extent of cybersecurity threats we see in today’s world, a comprehensive approach needs to be utilized that spans across policy, technology, and people,” Mr. Uenuma stated. “Critically important in this process is equipping those individuals who are responsible for managing information systems, hiring cybersecurity talent, developing corporate policy and creating corporate culture. The Handbook is an asset to those individuals—providing guidelines for effective workforce management in the cybersecurity sphere.” As the Handbook points out, “there is a near-infinite list of ‘good things’ for every enterprise to do and to know to improve the security of cyberspace, but it’s seldom clear what to prioritize. This overload of defensive support is a ‘Fog of More’—more options, more tools, more knowledge, more advice, and more requirements… but not always more security. What is needed is a way to organize and prioritize activity around a set of actions known to be effective in addressing most threats.”

    “We want to make best practices common practices,” Mr. Uenuma emphasized. Indeed, the list of Critical Security Controls for Effective Cyber Defense—specific and actionable ways to prevent and mitigate the most pervasive cyber attacks—represents the foundation of the Handbook.

    Mr. Hancock discussed the shortage of cybersecurity professionals and the need to optimize workforce planning to prioritize what is most important to each specific company and to get “the right people to do the right things.” When asked who he would hire if he could add one more person to his hypothetical company, he quickly responded that he would look for a risk manager—not an IT expert, but somebody who understands enterprise risk and knows how to integrate business into security and security into business.

    Ms. Spidalieri contributed insights and recommendations to the Handbook, especially with regard to the increasing role that non-technical executives and board members must play in their organizations’ overall cybersecurity posture and the need for them to see cyber risk as an integral component of their enterprise risk management process. She argues that “achieving cybersecurity is more than just a technical problem […] it is an operational issue that requires senior leaders to develop and implement overarching strategies that integrate best practices across policy, technology, and people.”

    Mr. Nichols shared his personal experience advising companies on compliance with state and federal laws regarding hiring, retention, and privacy rights within the workforce, and described common challenges in balancing the need for more or new technology with what a small or medium-sized enterprise can afford. “The goal of every company is to make money, and the cost of ‘doing cybersecurity’ is often seen as just one more expense. But we just cannot afford not to do cybersecurity! The Handbook can help us prioritize tasks and strengthen our security best practices.”

    To download a copy of the Cybersecurity Workforce Handbook, click here.

    For more information on the Pell Center cybersecurity initiative and future events, visit the RICCI webpage or contact the Pell Center at [email protected].

    The Rhode Island Corporate Cybersecurity Initiative is supported by The Verizon Foundation for the 2014-2015 academic year.


  • Pell Center Panel Discussion Focuses on Cyber Information Sharing and Risk Management

    NEWPORT, RI—As part of the ongoing Rhode Island Corporate Cybersecurity Initiative (RICCI), the Pell Center recently hosted a panel discussion on “Cyber Information Sharing: Examining a Risk Based Approach to choosing the right information sharing partners and policies.” The event brought together representatives from over 20 different organizations across the state and a world-class group of cyber experts. The panel included Ms. Ellen Giblin, Counsel at Locke Lord and Pell Center Adjunct Fellow; Mr. Don Ulsch, PWC Managing Director, cybercrime and breach response expert, and author of the book Cyber Threat!: How to Manage the Growing Risk of Cyber Attacks; and Mr. Ken Mortensen, PWC Senior Managing Director, cybersecurity and privacy expert, and author of the book Health Care Privacy and Security.

    The discussion focused on a complex issue in today’s increasingly sophisticated cyber threat landscape: the ability to establish and maintain effective information sharing partnerships to enhance an organization’s situational awareness and manage its exposure to intrusions and breaches.

    Organizations and their boards understand the need to share valuable information on serious cyber incidents and exchange actionable intelligence, but they do not always know how to choose their sharing partners and obtain the proper threat feed. The complexity of this sensitive exchange grows proportionately with group size, and perhaps exponentially when those group members are critical infrastructure industries with specialized security concerns. The panelists noted the key role that information plays for any business, and they encouraged the senior executives in the room to take a risk-based approach to vetting information-sharing partners and acquiring the right threat feed to manage their cybersecurity programs.

    As Ms. Giblin stated after the event, “Mr. Mortensen and Mr. Ulsch engaged the audience to examine methods to conduct relevant risk assessments of current incidents and explore secure methods to participate in cyber threat information sharing. By conducting these exercises companies may build their own cyber threat feed responsive to their industry regulation and their customer requirements to prevent or mitigate cyber attacks.”

    During the panel discussion, Mr. Ulsch stressed three fundamental aspects of information-sharing: (1) determining whether the source of information is reliable; (2) sorting and analyzing the data collected in a company’s environment (“create intelligence from information”); (3) knowing what to look for. “Even if you can capture a tremendous amount of intelligence but don’t analyze it correctly or choose not to for fiscal or other reasons, and then a breach happens, you will most likely realize that you had indicators of that cyber attack already available in your environment pre-breach but did not recognize or analyze them properly. And that can have serious liability and regulatory implications if a breach happens and you had important information and didn’t act on it!”

    Mr. Mortensen noted that “there are a lot of organizations collecting information and capturing events, but the biggest gap today is not having proper risk assessment processes.” “Once you get past getting good information,” he added, “the question is how you manage that information.” Risk assessment and risk management, in fact, ought to be part of every discussion about the cybersecurity of any organization. “Getting the right threat feed, thus, involves understanding your environment and how the data needed to understand that environment is analyzed and managed.”

    All panelists emphasized the importance of employees’ cybersecurity training and that every member of an organization must have a basic understanding of the threats and vulnerabilities inherent to their company’s environment. “It should be ingrained in the people working in your organization,” Mr. Mortensen said.

    Mr. Ulsch summarized the main takeaways from the discussion in his closing remarks: “You are never going to be 100% secure, but you need to first and foremost understand your information, then the top threats and top vulnerabilities in your environment, and finally the processes to secure that information and do what you can with the limited resources you have.”
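    The three aspects the panelists describe—rating the reliability of a sharing partner, turning a threat feed plus local telemetry into intelligence, and knowing which hits matter—can be shown in a few dozen lines. The script below is an added example written for this page; it is not code from the Pell Center, PWC, or any panelist. The feed entries, the partner names (“isac-feed”, “vendor-feed”, “open-list”), their reliability scores and the proxy/DNS/endpoint log lines are all constructed for illustration and use only documentation address ranges. It matches feed indicators against the logs, weights each hit by the reporting source’s reliability and stated confidence, and flags the ones that cross an escalation threshold—exactly the “indicators already in your environment pre-breach” that Mr. Ulsch warns go unnoticed.

```python
"""Match threat-feed indicators against local telemetry, weighting hits by
the reliability of the sharing partner that supplied them.

Added example: the feed, the partner reliability scores and the log lines
are constructed for illustration and are not real indicators.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str        # IP address, domain or SHA-256, always lower-case
    kind: str         # "ip" | "domain" | "sha256"
    source: str       # sharing partner that reported it (hypothetical name)
    confidence: int   # partner-supplied confidence, 0-100


# Step 1: how much do we trust each sharing partner? (constructed values)
SOURCE_RELIABILITY = {"isac-feed": 0.9, "vendor-feed": 0.7, "open-list": 0.4}

# Constructed feed; IPs are from RFC 5737 documentation ranges.
FEED = [
    Indicator("198.51.100.23", "ip", "isac-feed", 90),
    Indicator("evil-updates.example", "domain", "vendor-feed", 80),
    Indicator("203.0.113.77", "ip", "open-list", 50),
    Indicator("deadbeef" * 8, "sha256", "open-list", 30),
]

# Constructed log lines from proxy, DNS and endpoint sensors.
LOGS = """\
2015-02-20T08:12:01Z proxy src=10.0.4.15 dst=198.51.100.23 url=http://198.51.100.23/a.php status=200
2015-02-20T08:13:44Z dns client=10.0.4.15 query=evil-updates.example answer=198.51.100.23
2015-02-20T08:15:09Z proxy src=10.0.7.2 dst=93.184.216.34 url=http://www.example.com/ status=200
2015-02-21T11:02:51Z edr host=ws-0415 sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef path=C:\\Users\\a\\x.exe
2015-02-21T11:05:00Z dns client=10.0.7.2 query=www.example.com answer=93.184.216.34
"""

# Observable extractors; the domain pattern requires an alphabetic last label
# so that dotted IPs are not double-counted as domains.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b"),
}


def extract(line):
    """Return the set of (kind, value) observables in one log line."""
    low = line.lower()
    return {(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(low)}


def match_logs(logs, feed, reliability):
    """Step 2: create intelligence from information.

    Returns {indicator_value: {"kind", "source", "score", "lines"}} where
    "lines" are the 1-based log lines the indicator appeared on and "score"
    is source reliability * feed confidence (0.0-1.0).
    """
    index = {(i.kind, i.value.lower()): i for i in feed}
    seen = defaultdict(list)
    for n, line in enumerate(logs.splitlines(), 1):
        if not line.strip():
            continue
        for key in extract(line):          # a set, so one hit per line
            if key in index:
                seen[index[key]].append(n)
    return {
        ind.value: {
            "kind": ind.kind,
            "source": ind.source,
            "score": reliability.get(ind.source, 0.0) * ind.confidence / 100,
            "lines": sorted(lines),
        }
        for ind, lines in seen.items()
    }


def prioritize(results, threshold=0.5):
    """Step 3: know what to look for first. Rank by score, then by volume,
    and flag anything at or above the escalation threshold."""
    ranked = sorted(results.items(), key=lambda kv: (-kv[1]["score"], -len(kv[1]["lines"])))
    return [
        {"indicator": v, "kind": r["kind"], "source": r["source"],
         "score": round(r["score"], 2), "lines": r["lines"],
         "escalate": r["score"] >= threshold}
        for v, r in ranked
    ]


if __name__ == "__main__":
    for row in prioritize(match_logs(LOGS, FEED, SOURCE_RELIABILITY)):
        flag = "ESCALATE" if row["escalate"] else "review  "
        print(f"{flag} {row['score']:.2f} {row['kind']:7} {row['indicator']} "
              f"from {row['source']} on lines {row['lines']}")
```

    The low-confidence hash from the open list still surfaces, but below the threshold, so an analyst sees it without it crowding out the ISAC-sourced address that two sensors observed; swapping the reliability table is the only change needed when a partner turns out to be noisier or better than expected.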


    For more information on the initiative and future events, visit the RICCI webpage or contact the Pell Center at [email protected].

    The Rhode Island Corporate Cybersecurity Initiative is supported by The Verizon Foundation for the 2014-2015 academic year.

  • U.S. Launches New Cybersecurity Agency

    In an effort to thwart cyber-attacks and provide government agencies with a shared repository of cyber intelligence, the Obama Administration announced this week the creation of a new office charged with analyzing and integrating cybersecurity threat data collected by other intelligence agencies. The new agency, the Cyber Threat Intelligence Integration Center (CTIIC), aims to do for cybersecurity what the National Counterterrorism Center did for terrorism after the Sept. 11, 2001 attacks.

    Cybersecurity has moved to the top of the Obama Administration’s agenda after recent hacking attacks against Sony Pictures, Home Depot, Anthem, Target Corp, and the federal government itself. During his State of the Union Address, Obama called for stricter cybersecurity measures, including higher legal penalties for hackers and legislation that would facilitate sharing of threat information between companies and government.

    While industry executives and cybersecurity experts have welcomed Obama’s increased focus on cybersecurity, some are questioning whether a new government agency is the answer, and whether it should be part of the secretive U.S. intelligence community. Responsibility for cybersecurity is already spread across various government agencies, including the National Security Agency, Department of Homeland Security, FBI, and the U.S. military’s Cyber Command.  At first glance, then, this new agency appears to be a duplicative body in an already-unwieldy bureaucracy. Government officials have rejected the criticism of the new agency, which is expected to be relatively small, by arguing that it will not overlap with existing agencies that have operations that investigate and disrupt cyber-attacks. Instead, its proponents argue, it will help feed timely and actionable intelligence to other agencies.

    Congress has tried for years to pass legislation to encourage companies to share data from cyber-attacks with the government and with each other. Past efforts, however, were stymied by liability and privacy concerns. Last month, Obama proposed legislation to strike a balance between the two, offering liability protection to companies that provide information in near real-time to the government, while requiring them to delete personal data from it. In addition, this is an area where cooperation with the Republican-led Congress seems likely, which is a welcome antidote to the ongoing gridlock in Washington.

    Additional questions will remain on the effectiveness of the new Cyber Threat Intelligence Integration Center, including: how it will work within our existing bureaucratic arena; how it will cooperate with the private sector as well as overseas allies and partners; and how it will balance security with domestic laws and rights.