In mid-December 2017, the White House signed the $700 billion National Defense Authorization Act (NDAA). The law sets policies and budget guidelines for the U.S. military for the next fiscal year, including cyber-related projects and initiatives. While established cyber programs are bolstered by the Act, the 2018 NDAA proscribes some new efforts. For example, all Kaspersky products and services (including those from company subsidiaries) are prohibited across the Department of Defense (DoD), an initiative working in tandem with the Department of Homeland Security’s (DHS) push to ban Kaspersky from federal government offices. Similarly, in an effort to safeguard U.S. communications channels from cyber risks, the NDAA forbids the acquisition of satellite technology from a foreign country or any company affiliated with one. These mandates are important as they acknowledge the potential threats that exist when acquiring technologies and/or services from sources outside a secure supply chain.
Of particular note is a provision that could force the federal government to upgrade its out-of-date IT systems. The Modernizing Government Technology Act (MGTA), which was enacted in tandem with the NDAA, creates a $500 million fund over the course of two years to be used for modernizing legacy IT systems. Trying to secure old and outdated legacy systems has been a thorn in the side of government cyber security efforts. In 2016, 71 percent of federal IT system administrators used old operating systems to run important applications. The MGTA will provide necessary funding to address these technical shortcomings.
Breaches and ransomware attacks are more prevalent than ever, and concern for protecting data is mounting on a global scale.
Toward that end, the EU has put forth its General Data Protection Regulation (GDPR), but no legislation can be implemented without having some consequences on the businesses that must comply with the laws. Given that GDPR aims to standardize data privacy laws and mechanisms across industries, there are few sectors that will not be greatly impacted.
Any company that directly or indirectly controls or processes the personally identifiable information (PII) of EU citizens will be affected by GDPR changes. Both terms, ‘data controller’ and ‘data processor’, are broadly defined, which means that virtually every company will be impacted by these changes. For small businesses, dealing with these data collection and processing regulations will be overwhelming, if not crippling.
This is the time of the year when all the cybersecurity companies and media outlets race to summarize the last year and predict what lies ahead in 2018. But most of these predictions concentrate on cyber trends (both cybercrime and cyber-espionage) and fail to touch upon the industry we are all part of. So we at CyberDB have made a little extra effort and tried to predict the trends that will dominate the cybersecurity industry in 2018.
A trend that has played a major role in 2017, with several prominent M&A deals, such as Palo Alto Networks buying LightCyber, Microsoft buying Hexadite, and Symantec buying Fireglass and Skycure. We predict this trend will intensify in 2018, with more companies reaching product maturity and failing to raise further capital (and with an IPO looking like a distant option for many of the small to mid-sized companies). We said the same regarding 2016 and 2017, and we really feel the industry and customers will benefit from fewer “feature” solutions in comparison to platforms and integrated offerings.
In August 2013, the American Institute of Aeronautics and Astronautics (AIAA), the professional society for the field of aerospace engineering, convened a civil aviation conference in which cybersecurity was discussed at an industry level. Upon completion of the conference, which was attended by foreign carriers, A Framework for Aviation Cybersecurity was published. It provided a strategic path forward by identifying key focal areas such as common cybersecurity aviation standards, developing and implementing a cybersecurity culture, understanding cyber risks and being able to communicate them to bolster situational awareness, and strengthening the defensive system. Since that time, several international conferences discussing aviation cyber security have been held.
Given the global nature of civil aviation, the framework is an important document addressing many of the concerns that impact the international civil aviation community.
In October 2017, German intelligence officials approached lawmakers and argued for greater legal authority to “hack back” in response to cyber attacks conducted by foreign nation states. The head of Germany’s domestic intelligence agency specifically advocated for the right to destroy data stolen from German servers and relocated to foreign servers, in order to mitigate the threat of its misuse. Additionally, the intelligence official expressed the necessity of being able to compromise foreign servers in order to bolster surveillance capabilities that would be leveraged against German cyber targets or to extract specific data. Currently, Germany’s foreign intelligence agency does not have the legal authority to conduct such operations, although it is reputed to have the capability to do so.
Germany, like many other nations, has been a frequent victim of advanced persistent threat (APT) activity suspected of being conducted or directed by foreign governments. A 2017 government report by the domestic intelligence service revealed that Germany was a primary target of cyber spying operations suspected of being conducted by such foreign governments as China, Russia, and Turkey. According to the report, industrial espionage costs German industry billions of euros each year, with small- and medium-sized businesses often the biggest losers.
Approved by the EU Parliament in April 2016, the European Union’s (EU) General Data Protection Regulation (GDPR) is set to go into effect in May 2018. The new regulation will replace the 1995 Data Protection Directive and is designed to be a new approach to the way organizations address the processing and protection of data, particularly the personally identifiable information of EU citizens. In addition to streamlining how all EU member states secure information, the GDPR will standardize data privacy laws across the Union. Since the GDPR is a regulation and not a directive like its predecessor, the policy is binding across all EU member states.
The GDPR goes into effect at a time when substantial breaches have dominated the news, particularly in incidents where users, through no fault of their own, had their sensitive personal information put at risk. The breaches at Equifax and the Office of Personnel Management are two examples of this, the former exposing the records of nearly half of the population of the United States. One of the most notable aspects of the GDPR, as opposed to its predecessor, is that it focuses on individual EU citizen rights, empowering them to have substantial control over how organizations use, process, and store their information. According to the GDPR, the individual-friendly rights include:
It’s the end of the year, and the media is busy summarizing the year in cybersecurity: how many data breaches occurred, the total sum of money lost to cybercrime, and the number of customer details leaked due to negligence or malicious activities. And behold, 2017 was worse than any year preceding it: we’ve witnessed denial-of-service attacks that nearly shut down the internet, billions of dollars lost to cyber activities, and companies and organizations whose reputations have been so badly tarnished that it is hard to see how customers will ever trust them again.
LinkedIn is a valuable information source for the Cybersecurity professional. According to LinkedIn, there are 269,144 Cybersecurity professionals listed on LinkedIn today.
Many of them are active users that share information and engage in discussions, giving this platform far greater value than its original purpose as a job board (by the way, LinkedIn also lists 19,049 cybersecurity positions). But not all the information on LinkedIn is freely available to everyone. Many of the more interesting discussions are taking place in LinkedIn groups, most of which require validation and acceptance by the administrators.
But if you do take the time to search for the interesting groups, you are guaranteed to find great people to engage with and to gain exposure to the most interesting content.
You can search for groups by typing “Cyber + security” into the LinkedIn search bar and filtering by “groups”, but you will find 1,347 results (far above the number of groups LinkedIn allows you to participate in). Even that is not the full story: there are countless other groups with names including IT security, Cybercrime, and Cloud security.
We have put together a list of 160 LinkedIn Cybersecurity groups to help you get started.
Recent reporting has revealed a growing frustration expressed by members of the U.S. Senate Armed Services Committee that the U.S. Department of Defense has still not established any defined cyber deterrence policy or strategy, particularly with regard to “red lines.” In December 2016, the National Defense Authorization Act sought “a report on the military and nonmilitary options available to the United States for deterring and responding to imminent threats in cyberspace.” Since that period, it appears that little has been done to develop a deterrent strategy, a perplexing turn of events given that the United States has multiple avenues from which to develop a cyber deterrence strategy, including diplomatic, economic, military, and trade options that can be leveraged to influence foreign state behavior.
Cyber deterrence is frequently discussed at the highest levels of the U.S. government, especially as hostile cyber actions continue to increase in frequency and magnitude, and in those instances where information destruction was the intended result. These include but are not limited to the theft of substantial personally identifiable information (e.g., Equifax), intellectual property (e.g., nation states), potential involvement in presidential elections (e.g., Russia), theft of military plans (e.g., North Korea), and destruction of data (e.g., wiper malware). Historically, such activities have typically evaded any type of state repercussion, although headway has been made in trying to punish suspected nation-state actors for their suspected involvement in them, including:
They say that numbers don’t lie, but they can be manipulated to tell a prettier version of the truth. When looking at the cost of a data breach, most organizations want to see low numbers. The reality is that the total cost of a data breach is both quantifiable and difficult to gauge.
Whether analyzing the numbers on a per-stolen-record basis or by the average total cost of a data breach, the numbers are lofty according to the 2017 Cost of Data Breach Study: Global Overview, released in June by the Ponemon Institute.
Though down from 2016, the average total cost of a data breach for the more than 400 companies that participated in the study is $3.62 million.