Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘NSA’

Cyber Stowaways

Wednesday, April 21st, 2010

Here is another must-read New York Times article providing more details about the cyber attack at :

Apparently the bad guys became cyber stowaways — unwelcome and undetected network occupants. Once network access was secured, the cyber stowaways fished around until they found the source code to Google’s password system that controls access by millions of users to Google services. While Google has since added new layers of security, it is still possible that the attackers inserted a Trojan Horse/back door in the password system or studied the code to discover other software vulnerabilities.

Google has some of the smartest software engineers in the world so it is likely that they can stay one step ahead of the bad guys, but the lessons of the Google breach should send up a red flag elsewhere for several reasons:

  1. The actual incursion occurred well before the actual attack, making the attackers cyber stowaways as described above. This was also true elsewhere (Heartland, TJX, etc.). The scary thing is that if Google can’t detect and remediate an attack, what hope do more pedestrian organizations have?
  2. Once inside, the bad guys have carte blanche to poke around and find anything of value. In fact, the longer a cyber stowaway remains undetected, the more value each incursion reaps. Did cyber criminals penetrate Google to steal the Gaia (i.e., password management) software or did they stumble upon it as they scanned the network? I can’t answer that question but I know the results are pretty bad either way.
  3. This event makes you wonder what other source code has been stolen by cyber stowaways. Heck, some of these attacks may still be underway. Imagine the impact if cyber criminals stole the password system at Bank of America. Yikes!

The bad guys are extremely good at what they do and in many cases, we are several steps behind. There could be cyber stowaways on lots of major commercial, government, and military networks just sitting there, biding their time, and waiting for the right opportunity or target. I hope this realization is now emanating in corporate boardrooms, congress, DHS, DOD, and NSA.

Venture Capitalists MUST Invest More in Cybersecurity

Friday, April 16th, 2010

There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7. What’s more, the pool of VC money is spread over 681 companies–a 7% increase from Q1 2009.

Good, but not great news. Most of the dough is going to biotech companies while investment in clean technology tripled.

The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.

While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.

Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.

I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply-side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.

Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.

  1. Co-invest with In-Q-Tel. In-Q-Tel is a VC firm that came directly out of the CIA. On its web site, the firm’s mission statement reads as follows, “In-Q-Tel identifies and partners with companies developing cutting-edge technologies to help deliver these solutions to the Central Intelligence Agency and the broader U.S. Intelligence Community (IC) to further their missions.” The key here is to find the smartest security firms whose technology is good enough for the CIA, DOD, and NSA and can be adapted for commercial use. Given the recent string of private attacks, the private sector would welcome military-grade protection.
  2. Explore other direct federal funding. It’s likely that DARPA, NSF, DOE, and other agencies will have money to spend on cybersecurity research and development. Smart VCs will figure out ways to hedge their risks by getting these agencies involved.
  3. Partner with Universities. UC-Berkeley, Carnegie-Mellon, MIT, Purdue, Johns Hopkins, and Cornell are all doing advanced research in various security disciplines. The VCs need to buddy up to these prestigious institutions and find investments that provide mutual benefits.
  4. Seek out Israeli money. Educated at Tel Aviv University and Technion and then saturated in security in the IDF, Israel produces some of the smartest security minds in the world. I’d like to see more American investment in Israel and more outreach to Israeli VCs from Sand Hill Rd.

The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.

The Ominous Warnings from the Google China Incident

Friday, January 15th, 2010

Caught between a rock and a hard place, Google did something few companies are brave enough to do — it went public about a data breach. This is especially noble as the company is really betting on cloud computing and SaaS for future growth.

While Google applications were not breached, Google (and all cloud providers) took a PR hit with this incident. That said, Google did a good job of reassuring the public about its security.

Clearly Google has its own business reasons for outing China with regard to its cybersecurity attacks. Nevertheless, there are a few bigger and more ominous warnings contained here:

  1. Sophisticated adversaries can trump strong security. Google is no TJX–it really knows what it is doing when it comes to securing its networks, servers, and applications. In spite of this expertise, however, its assets were still penetrated. The bad guys are really good at what they do, folks. If this doesn’t illustrate this fact, nothing will.
  2. Beware of industrial espionage. The breach at Google may have compromised dissident emails, but I have no doubt that foreign and possibly state-sponsored adversaries are poking at our networks as I write this. American and European tech companies whose business is based upon Intellectual Property (IP) should be especially worried. Sort of gives cybersecurity a whole new level of business value.
  3. The cyber supply chain may be next. The majority of our technology is now produced off-shore, primarily in Asia. How can we be sure that these components haven’t been compromised already? With the exception of the DOD, NSA, and a few other global government agencies, we are just coming to terms with this risk.

Google has a lot of chutzpah but it is really fighting a battle for the good of Google. It is up to the rest of us to recognize that we are under attack and protect ourselves accordingly.

Howard Schmidt Appointed as New Cybersecurity Coordinator

Tuesday, December 22nd, 2009

To quote former President Gerald Ford, “our long national nightmare is over.” After his famous Cybersecurity policy speech in late May, President Obama has finally tapped Howard Schmidt to become the nation’s first Cybersecurity Coordinator. Schmidt will report to the National Security Council (NSC) and National Economic Council (NEC).

Is Schmidt the right person for this job? No question. Schmidt has a perfect public/private sector resume with experience at US-CERT, DHS, the U.S. Air Force, the White House, Microsoft, and eBay. He is also a well-respected father figure in the security industry.

Schmidt’s appointment makes sense though it did come as a bit of a surprise. One would have assumed that Schmidt’s name was on the short list back in May. My guess is that Schmidt turned down the job at first but when the President struggled to fill this position (rumor has it that RSA’s Art Coviello, Symantec’s John Thompson, and Microsoft’s Scott Charney turned it down), Schmidt decided to take the job out of a sense of duty and service to the country.

The President is scheduled to formally introduce Schmidt today and my hope is that Howard starts his new gig tomorrow. Believe me, I’m not joking here. On day one, Schmidt must begin to address several major challenges such as:

  1. Sophisticated adversaries. On the day that Schmidt was announced, the major security story centered on a multi-million dollar cybersecurity attack on Citigroup last summer. Citigroup is no security lightweight, so if its systems can be compromised there are a lot of sitting ducks out there. Cyberwar is a real threat in the next decade.
  2. A cybersecurity hot potato. As of this writing, there are a number of cybersecurity bills in committee and a lot of rhetoric on the Hill. Meanwhile, DHS, DOD, and NSA have complementary and competitive cybersecurity roles that need to be ironed out. There has also been massive spending on cybersecurity — some useful and some wasteful. We desperately need a non-elected leader to separate cybersecurity needs from politics and pork.
  3. A real lack of knowledge. Cybersecurity knowledge is in short supply. Business guys know they need to do something but are unsure what to do. Technologists often look at security in myopic terms related to IT. Consumers haven’t a clue. We need a federally-driven education program that spans public awareness campaigns all the way through scholarships and continuing education.

This is just the proverbial tip of the iceberg. Schmidt deserves kudos for taking on this nearly impossible job. Have a happy holiday, Howard, and thank you for stepping up to this challenge.

© 2010 Enterprise Strategy Group, Milford, MA 01757