Exploring The Gap Between Cybersecurity Perception And Reality

Source: Forbes | Tony Bradley | March 9, 2017

Most company executives and security professionals have a reasonable understanding of cybersecurity. Even if they don’t fully understand the mechanics under the hood, they at least realize that there is a vast and aggressive threat landscape out there, and that their networks are under virtually constant siege from attackers. When you ask how they feel about their security, though, and how confident they are in their ability to successfully detect and block attacks, the response shows a startling disconnect between reality and their perception.

Last month at the RSA Security Conference in San Francisco, I had an opportunity to attend a panel discussion hosted by Arctic Wolf Networks. We met at Marianne’s, an eclectic little semi-secret room at the back of The Cavalier restaurant. The room is apparently themed after the cover of the Rolling Stones’ Beggar’s Banquet album and named for British rock icon Marianne Faithfull.

We were served coffee and orange juice and breakfast burritos, and then we sat and listened while a handful of security experts discussed this very issue in a panel discussion titled Cybersecurity Dissonance: Perception vs. Reality. The panel consisted of David Monahan, Research Director at EMA Research; Dan Limon, Senior Systems Administrator for The Pasha Group; and Charles Muller, Director of IT at Threshold Enterprise. The session was led by Arctic Wolf CEO and co-founder Brian NeSmith.

The discussion centered around the results from a recent study on cybersecurity dissonance. The study found that almost everyone—95 percent to be precise—believes that their security posture is above average. Roughly nine in ten respondents believe that perimeter security tools are capable of combatting all cybersecurity threats, and nine out of ten also state that they have personnel dedicated solely to managing security.

On the reality side of that equation, however, 63 percent admit they cannot stop zero-day threats. Nearly three out of four report that their role is too broad and that it is difficult to focus on IT security as much as they really should. The study also found that nearly 80 percent of security alerts are not addressed within the first hour after they are triggered.

There appears to be a disconnect. If two-thirds of those surveyed know they’re not equipped to defend against zero-day threats, and three-fourths know they’re not doing everything they can for IT security, how can it be possible that 95 percent feel their security is above average and almost all of those surveyed seem to feel their perimeter security controls are sufficient to stop all threats?

The short answer is simply that it’s human nature. It’s human nature to have an inflated sense of success or achievement. NeSmith pointed out the parallel with asking people if they keep themselves in good health. Many will answer, “Absolutely,” without hesitating. As NeSmith pointed out, though, you get a different picture when you follow up to ask how often they eat fast food, or how regularly they actually exercise. There is a disconnect where we know what we’re supposed to do, and we feel comfortable judging others for not doing those things while simultaneously feeling like we are better than we really are despite any evidence to support that assumption.

Annual Cybersecurity Conference to Showcase Licensable Department of Homeland Security Technologies

Source: CISC | Release | March 2, 2017

Private industries are invited to both the CISR Conference at Oak Ridge National Laboratory and a supplemental session for executives hosted by CISC, the regional cybersecurity consortium.

The 12th Annual Cyber and Information Security Research (CISR) Conference will be held at the Oak Ridge National Laboratory’s Conference Center on April 4-6, 2017.

Private industries, entrepreneurs, and venture partners are encouraged to attend this conference, where the focus will be to highlight and demonstrate eight technologies available for licensing from the Department of Homeland Security’s (DHS) Transition to Practice Program. These technologies were created and refined by Oak Ridge National Laboratory and five other national laboratories. Individuals or companies interested in licensing the technologies will have the opportunity to work with DHS to test and/or secure the rights to these technologies.

The conference’s goal is to bring together cybersecurity researchers, program managers, decision makers, security vendors, and practitioners to discuss many challenging tasks and novel solutions pertaining to cybersecurity. Speakers include: Mr. Robert Boshonek, Technical Director, Navy Cyber Defense Operations Command (NCDOC); Ms. Shara Evans, Technology Futurist and CEO, Market Clarity; Kerry Long, Program Manager, Cyber Security, Intelligence Advanced Research Projects Activity (IARPA); and Bob Sorensen, Research Vice President in IDC's High Performance Computing Group, speaking on Cyber Security Strategies & Approaches, Big Data Usage, and Cyber Profiles of Key Industrial Organizations in 2016.

The CISR conference registration includes: an opening reception; two full days of sessions, the first including the technology showcase and the second, technology demonstrations; research paper presentations; a conference banquet; vendor interaction; and networking. To register for the CISR conference visit: http://www.cisr.ornl.gov/cisrc17/registration/. Registration closes on March 31, 2017.

In addition, executives interested in cybersecurity are invited to attend a separate event held on the conference registration day by the Cyber and Information Security Consortium (CISC). The afternoon meeting will occur in the ORNL conference center and will include a panel on strategic attack and response trends, structured networking, peer forum cultivation, and a discussion on corporate governance as it relates to cybersecurity. For more information and to register for the CISC event, visit https://www.cyberinfosec.org/spring-event/.

About DHS’ Transition to Practice Program (TTP)
Addressing rapidly evolving cyber threats requires a better way to bridge the gap between cybersecurity research and the marketplace. The Cyber Security Division within the Homeland Security Advanced Research Project Agency (HSARPA) has created the Transition to Practice (TTP) program to address this need. Through TTP, DHS S&T is leading the successful transition of federally funded cybersecurity technologies into broader use and creating an efficient transition process that will have a lasting impact on the R&D community.

About ORNL’s Cyber and Information Security Research Group
Cyber & Information Security Research (CISR) is one of 8 research groups in the Computational Sciences and Engineering Division (CSED) of the Oak Ridge National Laboratory. The mission of CISR is to conduct cutting-edge research in cyber warfare, situational understanding, visual analytics, secure communications, sensing and signal analytics to defend, understand, secure, & defeat known and unknown adversaries to protect the nation’s energy, economic, and security infrastructure.

About the Cyber & Information Security Consortium (CISC)
With the mission of enabling its members to effectively operate and protect their enterprises amid the reality of growing and persistent cyberattacks, the Cyber & Information Security Consortium, Inc. (CISC) is a 501(c)3 non-profit corporation formed by the Oak Ridge National Laboratory and the University of Tennessee, Cisco Systems, Consolidated Nuclear Security, Sword & Shield Enterprise Security, the East Tennessee Economic Council, and other private corporations. All industries are welcome to join the consortium.

DOE Forms Cybersecurity Team

Source: T&D World | February 6, 2017 | (Photo credit: HYWARDS/iStock/Thinkstock)

New Ethernet communications technology aims to keep systems operational under cyberattack

The U.S. Department of Energy (DOE) is funding a research team to develop a secure networking solution that reduces cyberattack exposure for U.S. industrial and utility mission-critical networks.

The team, which includes representatives from Schweitzer Engineering Laboratories, Inc. (SEL), Veracity and Sempra Renewables, will focus on developing technology to reduce the cyberattack surface of energy delivery systems. The project includes automating the identification of unwanted behavior, the containment of affected network areas and the rerouting of critical information. The ultimate goal is for critical energy delivery and control systems to remain safe and operational, even in the event of a cyberattack.

The project team will create technology and methods to define security state policies and an automated system to manage the transition between security states. This will enable faster response to unauthorized traffic, streamline the identification and containment of affected networks and reroute critical information and control flows.

The project will deliver the following:

  • A security state policy enforcer application that runs on the northbound interface of a flow controller.
  • A DIN rail mount software-defined networking (SDN) Ethernet switch.
  • An industrial control system extension to the open-source OpenFlow® SDN specification.
  • The ability to apply an action to encrypt/decrypt packets on a per-flow basis and automate key management.

This project builds on the already successful completion of the DOE’s Watchdog and SDN projects, which were sponsored by the DOE’s Cybersecurity for Energy Delivery Systems (CEDS) program. These projects successfully introduced an SDN flow controller (SEL-5056) and a substation-hardened SDN switch (SEL-2740S) to market.

Your Cybersecurity Self-Defense Cheat Sheet

Source: Slate.com | Jacob Brogan | February 1, 2017

What’s a man in the middle attack? Who’s advocating for better consumer protections? And more basics.

Key players

Nathan Freitas: Freitas founded the Guardian Project, which develops security-focused applications for mobile devices.

Eva Galperin: As director of cybersecurity for the Electronic Frontier Foundation, Galperin has researched malware and coordinated security training initiatives.

Matthew Mitchell: Mitchell works to help educate activists, especially in black communities, about encryption and cybersecurity.

Bruce Schneier: A cryptographer and privacy advocate, Schneier has written widely on questions of cybersecurity.

Edward Snowden: Famous for leaking a trove of NSA documents, Snowden has become a prominent voice in conversations about digital security and privacy.


End-to-end encryption: A communications technology in which only the intended recipient of a message has the keys to decrypt it.

Man-in-the-middle attack: An approach in which a hacker poses as a user’s legitimate destination in order to intercept communications.

Privacy-enhancing technologies: Systems that block or otherwise restrain surveillance.

Phishing: An attempt, typically wide-ranging, to collect passwords and other sensitive data from unsuspecting users by impersonating a trusted source.

Spear phishing: An attempt to trick a specific individual into revealing compromising information via a targeted email.

Tor browser: A program that enables (relatively) secure and private browsing by passing communications through multiple layers of encryption. TOR stands for “the onion browser”—get it?

Two-factor authentication: A security technology that requires users to confirm their identity by a second means (other than username and password) before logging in to a site or service.

Virtual private network: A system that allows a user to remotely connect with another network, often facilitating encrypted interactions with the internet.


Corporate complicity: Many of us rely on Google, Apple, and their ilk to protect our accounts and information. Can we be sure that these companies have our best interests in mind when it comes to security and privacy?

Government involvement: As international, politicized hacking grows more common, governments may become more involved in private cybersecurity, potentially threatening individual privacy in the process. How much should we rely on political authorities as we work to reinforce our digital borders?

Human fallibility: Some security experts argue that humans are the “weakest link” in cybersecurity practices, but others counter that technology itself may be making things more difficult for them. Can we develop systems that won’t trip up reasonable, well-meaning people?

Inadequate tools: No one platform or technology is likely to meet all of a user’s cybersecurity needs, meaning that true peace of mind requires cobbling together a variety of awkwardly interlocked tools. Can we develop options that don’t require these clumsy assemblages? Will true cybersecurity remain out of reach for technological novices?

Inconvenience: Many of the most robust cybersecurity technologies also make it harder to use the internet. Can we guarantee our safety without sacrificing the things that make the internet fun to use?

Further readings

“A Cellphone Rights Guide for Trump Inauguration Protesters and Women’s Marchers” by Molly Olmstead: If you’re heading out to protest—whatever the reason—you’d do well to know how to protect all of the information on your phone.

Data and Goliath by Bruce Schneier: In this accessible volume, Schneier discusses the strategies that both companies and governments use to collect information about you.

Dragnet Nation by Julia Angwin: Angwin experiments with some of the techniques that we can use to push back against pervasive and intrusive surveillance.

“Five Best VPN Service Providers” by Alan Henry: Everyone has different cybersecurity needs, but this well-researched list from Lifehacker offers a range of options that will work for most.

“Inside ‘Eligible Receiver’ ” by Fred Kaplan: Back in 1997, the NSA conducted a simulated hack of the U.S. military, proving in the process that it’s disturbingly easy to compromise a powerful organization by exploiting the cybersecurity slip-ups of individual members.

“Surveillance Self-Defense Guide” from the Electronic Frontier Foundation: This comprehensive guide offers instructions for everything from making a secure password to using secure messaging apps.

John McNeely of Sword & Shield Enterprise Security Joins CISC Board

Source: Sword & Shield | Release | January 30, 2017

President and CEO of national cybersecurity firm has been appointed to the board of the East Tennessee-based Cyber & Information Security Consortium (CISC)

John McNeely, president and CEO of Sword & Shield Enterprise Security, a leading national cybersecurity firm based in Knoxville, Tennessee, was recently appointed to the board of the Cyber & Information Security Consortium (CISC), a 501(c)(3) non-profit corporation dedicated to enabling its members to effectively operate and protect their enterprises amid the reality of growing and persistent cyberattacks.

CISC grew out of an April 2016 event held at Oak Ridge National Laboratory with the goal of improving cybersecurity through a broad partnership of government, private sector and academia entities. Its four areas of strategic focus are cybersecurity workforce development, informing and educating the public and policy makers on cybersecurity issues, supporting and expanding research, development, and entrepreneurship in cybersecurity, and peer-to-peer information sharing among cybersecurity executives.

“CISC is fortunate to have John continue to contribute his valuable service to our efforts,” said Dennis Corley, director of CISC. “John has been involved from our early discussions and now, as a board member, he brings great experience and insight from two primary groups of our target audience: the cybersecurity executive suite and the cybersecurity practitioners.”

The consortium is led by Oak Ridge National Laboratory, the University of Tennessee, Cisco Systems, Consolidated Nuclear Security, East Tennessee Economic Council, Sword & Shield Enterprise Security, and other private entities.

“The challenges we’ve faced in cyberspace over the years are ultimately challenges that every industry is now facing,” said John McNeely, president and CEO of Sword & Shield Enterprise Security. “There is a lot of practical information and technologies out there that we all need to be aware of, both at the executive and practitioner level. East Tennessee has a growing cybersecurity ecosystem, and I hope to continue the initiatives that CISC has started and further our efforts to be a catalyst for innovation, as well as a resource that helps businesses in our region thrive.”

About the Cyber & Information Security Consortium (CISC)

With the mission of enabling its members to effectively operate and protect their enterprises amid the reality of growing and persistent cyberattacks, the Cyber & Information Security Consortium, Inc. (CISC) is a 501(c)3 non-profit corporation formed by two of America’s leading research entities, the Oak Ridge National Laboratory and the University of Tennessee, along with Cisco Systems, Consolidated Nuclear Security Y-12, Sword & Shield Enterprise Security, the East Tennessee Economic Council and other private corporations to position the region as a national leader in the development and deployment of cutting-edge cybersecurity technologies.

All industries are welcome to join CISC, with membership motivated by “enlightened self-interest.” To learn more information about CISC and how you can become a member, visit https://www.cyberinfosec.org/.

About Sword & Shield Enterprise Security

Protecting critical data for 20 years, Sword & Shield Enterprise Security, Inc. is a nationally recognized cybersecurity provider with solutions designed to meet the needs of a dynamic security and compliance landscape. Headquartered in Knoxville, Tennessee, Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions. Sword & Shield services a broad spectrum of industries, including healthcare, retail, legal, banking and finance, manufacturing, and the public sector.

In 2016, Sword & Shield hosted the inaugural Edge Security Conference, EDGE2016, a world-class cybersecurity conference where complex business problems meet real world solutions. The second annual Edge Security Conference, EDGE2017, will take place on Oct. 17-18, 2017 at the Knoxville Convention Center. Early registration is available now through March 31, 2017. To learn more about EDGE2017 and to sign up, visit https://edgesecurityconference.com/.

For more information about Sword & Shield Enterprise Security, visit https://www.swordshield.com/.

Cybersecurity Skills Gap

An interesting graphic that portrays the cybersecurity issues we face in our world today.

NIST Guide Provides Way to Tackle Cybersecurity Incidents with Recovery Plan, Playbook

Source: NIST News | January 3, 2017

“Defense! Defense!” may be the rallying cry from cybersecurity teams working to thwart cybersecurity attacks, but perhaps they should be shouting “Recover! Recover!” instead. Attackers are increasingly racking up points against their targets, so the National Institute of Standards and Technology (NIST) has published the Guide for Cybersecurity Event Recovery to help organizations develop a game plan to contain the opponent and get back on the field quickly.

As the number of cybersecurity incidents climbs, and the variety of types of attacks grows, “It’s no longer if you are going to have a cybersecurity event, it is when,” said computer scientist Murugiah Souppaya, one of the guide’s authors.

For example, the number of companies experiencing ransomware events, in which attackers hold an organization’s data hostage until a ransom is paid, tripled between the first and third quarters of 2016 alone, according to the December 2016 Kaspersky Security Bulletin.

In addition to the overall rise in incidents, the 2015 Cybersecurity Strategy and Information Plan (CSIP), published by the Office of Management and Budget, identified inconsistent cybersecurity response capabilities across the federal government and called for agencies to improve these skills.

The CSIP defines “recover” as developing and implementing plans, processes and procedures to fully restore a system weakened during a cybersecurity event. Recovering may be as simple as restoring data from a backup, but usually it is more involved and the system may be brought back online in stages.

Recovery is a critical piece of the risk management process. Yet no federal policies, standards or guidelines focus specifically on recovering from a cybersecurity incident. And prior to the new report, no one publication has addressed recovery approaches in one place.

NIST computer researchers wrote the Guide for Cybersecurity Event Recovery to consolidate existing NIST recovery guidance, such as that on incident handling and contingency planning. It also provides a process that each organization, federal or otherwise, can use to create its own comprehensive recovery plan so that it is ready when a cybersecurity event occurs.

The publication supplies tactical and strategic guidance for developing, testing and improving recovery plans, and calls for organizations to create a specific playbook for each possible cybersecurity incident. The guide provides examples of playbooks to handle data breaches and ransomware.

This document also provides additional information related to the “Recover” function in the Framework for Improving Critical Infrastructure Cybersecurity, more commonly known as the Cybersecurity Framework.

“To be successful, each organization needs to develop its own plan and playbooks in advance,” said Souppaya. “Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation and repeat.”

2017: The Year of Cybersecurity Scale

Source: Network World | Opinion Article by Jon Oltsik | January 5, 2017

Cloud, IoT, mobile, and digital transformation will place new demands on usability, scalability, and enterprise-class features of cybersecurity analytics and operations products

It’s no surprise that lots of pundits and cybersecurity industry insiders claim that 2017 will be a challenging year full of nation state attacks, ransomware, and a continuing wave of data breaches.  I concur with this common wisdom, but I also believe that 2017 will be remembered as the year where cybersecurity analytics and operations encountered a wave of unprecedented scale. 

Now I know that the need for security scalability is nothing new.  Leading SIEM vendors can all talk about how they’ve had to rearchitect their products over the past few years to scale from thousands to millions of events per second (EPS) and somehow make sense of all this activity. 

Yup, EPS growth will continue, but cybersecurity scale is about to hit an exponential curve, driven by things like:

Cloud utilization.  ESG research (and other sources) indicates that more and more workloads are moving to public and private clouds.  What’s more, the use of agile development, DevOps, and cloud computing renders all computing a temporary activity.  Workloads are spun up, spun down, and replaced on the fly as needs and whims dictate.  Containers will also become more mainstream in 2017 and will only accelerate these trends.  Somehow security teams must be able to keep up (i.e. monitor, audit, investigate, etc.) with all this activity.
IoT.  Forecasts I’ve read suggest that there will be over 20 billion connected devices by 2020 and industries like energy, health care, manufacturing, and retail are actively deploying IoT applications.  This means transient connections of thousands of sensors, actuators, gateways, and data collectors that need to be authenticated and monitored.
Network growth.  There are lots of angles here.  Physical networks and network backbones are expanding from 10Gb to 40/100Gb.  The transition from IPv4 to IPv6 continues.  Cellular networks are being upgraded while IoT devices are driving greater Wi-Fi bandwidth and proliferation.  Simply stated, there’s more traffic, sessions, packets, flows, and protocols to keep an eye on.
Digital transformation applications.  Beyond the technology alone, more organizations are using these technologies to revolutionize how they do business.  Whether it’s automated manufacturing, self-driving cars, or smart grids, we are using and trusting a cornucopia of technologies to a greater degree.

These and other parallel trends are driving massive growth in the amount of data we need to collect, process, analyze, and store for cybersecurity analysis and operations.  Oh, and more data, analysis, and decision making also makes cybersecurity far more complex.

In my opinion, the need for massive cybersecurity scale has some serious repercussions on the industry...

A Visual Map of Emerging Cybersecurity Trends

Source: TechRepublic | Dan Patterson | January 4, 2017

A study by TechRepublic and data firm Affinio reveals the social media communities and influencers talking about IoT, ransomware, bots, and other cybersecurity threats.

Last year consumer, corporate, and political targets were hammered by ransomware extortion attempts, phishing excursions, and DDoS attacks. Driven by this slew of high-profile attacks, cybersecurity has rapidly emerged as a priority in 2017 for enterprise companies and SMBs.

To visualize emerging cybersecurity issues, TechRepublic and data firm Affinio sampled and diagrammed social media data from influential communities. TechRepublic previously used Affinio technology to better understand digital business trends, including voter priorities during the 2016 presidential campaign, how tech groups talk about Edward Snowden, and web media related to the Russian cyberattack.

Affinio extracts insights from web, mobile, and social media data. The company's algorithm grabs snapshots of naturally-forming user clumps and communities, then visualizes how each group is connected. For example, unsurprisingly, health care experts tend to communicate online with other health care experts. Affinio analysis shows that health care experts also communicate with information experts, tech news consumers, and digital marketers.

This process is used by enterprise companies, said Affinio spokesperson Maura Woodman, because the data helps vertical industries better understand markets and "reveals interest-based communities within a broader audience." The approach is successful, she explained, because it "helps businesses to understand target audiences on a human level, and leverage those insights in a way that is repeatable, predictable, and scalable."

Alternative Perspectives on Technology Policy in the Trump Administration

Source: Brookings | Stuart Brotman, Robin Lewis, Nicol Turner-Lee, and Niam Yaraghi | December 21, 2016

Editor's Note: TechTakes is an occasional blog series that collects the perspectives of Brookings scholars on timely topics in technology policy. On December 14, the Center for Technology Innovation hosted an event at Brookings titled "Technology policy and the Trump administration" where CTI scholars discussed the new administration's approach to these issues.

Come January 20, President-elect Donald Trump will have the opportunity to continue or suspend many of the technology-focused initiatives begun by President Obama. These programs included expanding broadband access, training workers for jobs in STEM fields, and building supercomputers, among others. Trump and his advisers may also choose to pursue their own technology policy agenda, and will likely have to react to new developments during his time in office. Brookings experts Stuart N. Brotman, Robin Lewis, Nicol Turner-Lee, and Niam Yaraghi weigh in on what direction technology policy will take in the Trump administration, and how it might react to future technology change.


Stuart N. Brotman, Nonresident Senior Fellow, Center for Technology Innovation

President Trump’s initial focus will be on implementing some of his top campaign themes and governing priorities, many of which have significant potential technology impacts. For example, tax reform that lowers the corporate tax rate to 15 percent and offers further accelerated depreciation may help stimulate capital investment in telecommunications networks, which has stalled during the past year.

Expanded tax treatment including tax credits may be proposed for applied research and development, especially if linked to manufacturing activities that may generate more jobs at home. Economic incentives also may be offered to U.S. high-tech companies such as Apple to bring manufacturing jobs back to the U.S., comparable to a widely-publicized deal at the Carrier division of United Technologies. In this area, President Trump may directly intervene on a case-by-case basis, targeting select technology companies that could serve as notable examples of repatriation.

With President-elect Trump’s steadfast opposition to the enactment of the Trans-Pacific Partnership, and with no expected support of it in the 115th Congress, the trade focus will move away from multilateral agreements in favor of bilateral pacts.  These agreements may be difficult to develop in practice, since digital technologies and services often transcend geographic borders. Regardless of the form of these agreements, a number of technology issues will receive high priority in them. These include customs duties for digital goods; faster, more transparent customs procedures for U.S. exporters of digital equipment; cross-border data flows; trade secret theft; and safeguarding telecom network competition, including competition with state-owned enterprises.


Robin Lewis, Associate Fellow, Center for Technology Innovation

Technology policy constitutes a key component of the drive to expand engagement with formal financial services. Both in the U.S. and abroad, digital technologies such as mobile phones have advanced access to and usage of formal financial services among underserved groups by rendering these services more convenient, less expensive, and more secure than many traditional alternatives. In the next several years, sustaining—and potentially augmenting—many of the ongoing efforts to develop and scale digital technologies that enable underserved consumers in the U.S. to engage with quality, affordable financial services could support the president-elect’s stated objectives of amplifying economic growth and prosperity.

After all, financial inclusion serves as a key ingredient in fostering entrepreneurship, reducing inequality, promoting financial health, and amplifying economic growth. Under the Obama administration, initiatives to advance financial inclusion through the deployment of digital technologies have received significant attention and support from entities such as the U.S. Department of the Treasury. While President-elect Donald Trump has signaled a general interest in continuing to spur technological innovation, to date he has not identified specific policy proposals or goals aimed at expanding financial inclusion through digital or traditional platforms.

If anything, some of his statements have suggested the opposite may occur. For example, Trump’s widely publicized interest in potentially constraining the flow of remittances from the U.S. to Mexico to compel Mexico’s president to build a wall along the U.S.-Mexico border, if put into practice, would have significant negative repercussions not only in Mexico, but also in the U.S. In addition, his anticipated critical posture toward the Consumer Financial Protection Bureau has the potential to undermine a significant safety net. Moving forward, the president-elect should carefully consider the important role digital financial mechanisms play, not only in enhancing individuals’ livelihoods, but also in advancing the macroeconomic growth that is a key goal for all presidents.


Nicol Turner-Lee, Fellow, Center for Technology Innovation

The incoming administration has expressed its intent to lead its policy priorities with an aggressive infrastructure plan. Referring to the infrastructure goals as a “golden opportunity for accelerated economic growth,” the new leadership plans to rejuvenate the domestic economy by spurring more targeted private investments and creating and recovering jobs. Under what will seemingly be a pro-business, nonregulated market, the threat of broadband “overbuild” looms, bringing new meaning to the cliché “if you build it, will they come.” Whereas technology overbuilds have often led to increased competition in certain markets and lowered consumer prices, an oversaturated broadband market can also create network redundancies, faster depreciation of assets, and decreased consumer demand.

The latter of the three can be quite substantial given the increased trajectory of internet use since 2000. In the U.S., 84 percent of citizens were online in 2015 compared to 52 percent in 2000, with the highest levels of adoption among the more affluent, highly educated, and younger adults. Further, mobile wireless use has been driving increased rates of digital access. In 2016, the number of smartphone users in the U.S. was 223 million, and is projected to reach 264 million by 2021, thus suggesting that a majority of internet growth is wireless.

Managing supply and demand of broadband services should be at the core of the new administration’s efforts. With unbridled supply, the marketplace will be ripe for competitive offerings and differentiated services, including free or unlimited data plans. Smart digital inclusion plans and programs with clear goals and outcomes should be prioritized to narrow the gap among those who haven’t adopted broadband into their daily lives. Increased investments in digital literacy training, especially within community anchor institutions (e.g., libraries and schools) can cultivate more interest and use. In sum, the new administration’s efforts to expand and maximize infrastructure must equally address the demand for these and other emerging services so that when it’s built, they will indeed come.


Niam Yaraghi, Fellow, Center for Technology Innovation

Under the Trump administration, no other sector will undergo as many fundamental changes as healthcare. However, President-elect Trump’s healthcare policies have been particularly vague; while he is intent on repealing the Affordable Care Act, we are not certain about his solutions for replacing it, other than the proposal to allow health insurers to compete in multiple states. While the exact outcomes of such a proposal remain to be carefully analyzed, the idea behind it – fostering competition and relying on the invisible hand of the free market – may be a sound solution to our nation’s health information technology challenges. Every medical provider is now using an Electronic Health Records (EHR) system, but physicians are frustrated with their EHR systems, exchanging medical data remains a major challenge, and cyber-security attacks undermine the privacy of patients more than ever.

In the current system, providers have very little incentive to receive data and absolutely no incentive to send data. Market-based proposals such as patient-mediated solutions and centralized health information exchange platforms would eliminate the most important barriers to interoperability and significantly enhance health information exchange. However, to implement these solutions, the government should allow medical providers to meet the demand for information by charging a fee for supplying it. In addition, privacy breaches are more likely to happen in the health care industry than in any other sector. According to the Office for Civil Rights (OCR), the medical information of more than 155 million American citizens has been exposed through about 1,500 breach incidents since late 2009. To prevent these breaches and protect patient privacy, OCR should allow the healthcare industry to learn from its failures and create larger incentives for medical providers and their business associates to protect patient privacy. In the long run, a cyber-insurance market will ensure the privacy of patients by creating incentives for different entities in the healthcare sector to prioritize security practices and privacy policies.

World War II Codebreaker Bletchley Park Is New UK School For Cybersecurity

Source:  Forbes | Monty Munford | November 29, 2016

The 2014 movie The Imitation Game tells the story of Alan Turing, the UK coding genius who built the influential Turing Machine, helped defeat the Nazis, but who also accepted chemical castration as an alternative to being gaoled for homosexual offences.

Treated disgracefully by the establishment, he was finally pardoned by the Queen in 2013, following a public apology by then British Prime Minister Gordon Brown in 2009. The film was overdue recognition for the work Turing had done in computing and winning World War II for the allies.

During the War, Turing worked for the Government Code and Cipher School at Bletchley Park, an hour’s drive north of London. While Turing died at the tragically young age of 42 and can’t come back, Bletchley Park has since resurrected itself as a national monument for the work done there.

The Government bought the 581-acre site in 1938 and it was reopened in 1993 as a museum, but is now expected to play a vital role in the current coding threat of cybersecurity, not secret Nazi codes.

That coding legacy has now become an endowment that will be one of the major factors in the UK’s battle against the ongoing threat of cybersecurity. Late last week it was announced that Block G of Bletchley Park would become the UK’s first (not-for-profit) College for Cybersecurity.

Set up by people in the UK cybersecurity industry and privately funded by a company called Qufaro, the College will provide a free cybersecurity education for those who have just left the Sixth Form (High School) and have the necessary coding skills. It follows initiatives such as the Cybersecurity Challenge UK, which has set up a number of competitions to interest young people in a cybersecurity career.

It offers a series of national competitions, learning programmes and networking initiatives designed to attract young people to become cybersecurity professionals and to boost the national pool of cyber skills.

This programme of activities is to bridge the skills gap and may perhaps become a conduit to those applying to work at the College in Bletchley Park. A similar pipe to employment at the government’s intelligence and signalling agency GCHQ from the College will streamline this educative process.


Cognitive Hack: The New Battleground In Cybersecurity

Source: Forbes | Christopher P. Skroupa | November 21, 2016

James Bone is the author of Cognitive Hack: The New Battleground in Cybersecurity–The Human Mind (Francis and Taylor, 2017) and is a contributing author for Compliance Week, Corporate Compliance Insights, and Life Science Compliance Updates. James is a lecturer at Columbia University’s School of Professional Studies in the Enterprise Risk Management program and consults on ERM practice. He is the founder and president of Global Compliance Associates, LLC and Executive Director of TheGRCBlueBook. James founded Global Compliance Associates, LLC to create the first cognitive risk management advisory practice. James graduated from Drury University with a B.A. in Business Administration, Boston University with an M.A. in Management and Harvard University with an M.A. in Business Management, Finance and Risk Management.

Christopher P. Skroupa: What is the thesis of your book Cognitive Hack: The New Battleground in Cybersecurity–The Human Mind and how does it fit in with recent events in cyber security?

James Bone: Cognitive Hack follows two rising narrative arcs in cyber warfare: the rise of the “hacker” as an industry and the “cyber paradox,” namely why billions spent on cyber security fail to make us safe. The backstory of the two narratives reveals a number of contradictions about cyber security, as well as how surprisingly simple it is for hackers to bypass defenses. The cyber battleground has shifted from an attack on hard assets to a much softer target: the human mind. If human behavior is the new and last “weakest link” in the cyber security armor, is it possible to build cognitive defenses at the intersection of human-machine interactions? The answer is yes, but the change that is needed requires a new way of thinking about security, data governance and strategy. The two arcs meet at the crossroads of data intelligence, deception and a reframing of security around cognitive strategies.

The purpose of Cognitive Hack is to look not only at the digital footprint left behind from cyber threats, but to go further—behind the scenes, so to speak—to understand the events leading up to the breach. Stories, like data, may not be exhaustive, but they do help to paint in the details left out. The challenge is finding new information buried just below the surface that might reveal a fresh perspective. The book explores recent events taken from today’s headlines to serve as the basis for providing context and insight into these two questions.

Skroupa: IoT has been highly scrutinized as having the potential to both increase technological efficiency and broaden our cyber vulnerabilities. Do you believe the risks outweigh the rewards? Why?

Bone: The recent Internet outage in October of this year is a perfect example of the risks of the power and stealth of IoT. What many are not aware of is that hackers have been experimenting with IoT attacks in increasingly more complex and potentially damaging ways. The TOR Network, used in the Dark Web to provide legitimate and illegitimate users anonymity, was almost taken down by an IoT attack. Security researchers have been warning of other examples of connected smart devices being used to launch DDoS attacks that have not garnered media attention. As the number of smart devices grows, the threat only grows. The anonymous attacker in October is said to have only used 100,000 devices. Imagine what could be done with one billion devices as manufacturers globally export them, creating a new network of insecure connections with little to no security in place to detect, correct or prevent hackers from launching attacks from anywhere in the world?

The question of weighing the risks versus the rewards is an appropriate one. Consider this: The federal government has standards for regulating the food we eat, the drugs we take, the cars we drive and a host of other consumer goods and services, but the single most important tool the world increasingly depends on has no gatekeeper to ensure that the products and services connected to the Internet don’t endanger national security or pose a risk to its users. At a minimum, manufacturers of IoT must put measures in place to detect these threats, disable IoT devices once an attack starts and communicate the risks of IoT more transparently. Lastly, the legal community has also not kept pace with the development of IoT; however, this is an area that will be ripe for class action lawsuits in the near future.
