LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

April 02, 2013

A Glimpse Into Federal Cyber Security Policy with Rep. Mike McCaul

By John Dickson

Uschamber_cybersecurity
I recently had the opportunity to participate in a US Chamber of Commerce public policy discussion in Washington DC with Representative Michael McCaul (Twitter: @McCaulPressShop) who is a Congressman from Central Texas and is Chairman of the House Homeland Security Committee.  This committee, along with its counterpart in the Senate, helps develop cyber security legislation in the U.S.  Although the event occurred the week after RSA, this group of security industry leaders could not have been more different than the typical RSA attendee.  For starters, everyone wore suits…

Some additional background is of value here...  Rep. McCaul is a cyber security policy veteran in Washington DC.  In his new position as the House Homeland Security Committee Chairman, McCaul is now also the House of Representatives point person for any proposed cyber security Federal legislation coming out of the House.  As such, he has a lot of power to affect the future of our country, and although he’s not a technology guy per se (he’s an attorney), he has a solid grasp of the critical high-level cyber security and privacy public policy issues that most of us are comfortable letting others handle.  

In last month’s policy meeting, Congressman McCaul’s remarks probed many cyber security public policy “touch points” that are frequently covered in the popular press such as:

  • In spite of deep cultural issues, can the Federal government do a better job of sharing time-sanitized threat information to commercial companies in a timely manner?
  • What can companies do better in order to share this critical information amongst themselves and with the Federal government?
  • If companies do share threat and vulnerability information with the government or industry players, can they do so with better liability protections?
  • What security standard – if any – should companies be held to?

The well-dressed audience (it was the Chamber after all) listened intently while Congressman McCaul provided key updates regarding the Congress legislative environment in this Congress.   His characterization of the last Congress on cyber security legislation (“universes apart”) was probably overly kind.  Given the political log-jam leading up to last fall’s election, absolutely nothing was going to get done prior to the election since both parties were reluctant to give the other party a “win” in the run-up to November.  However, according to McCaul, things might be different this time. 

Also discussed were the realities that much of the nation’s infrastructure, as well its security expertise, resides in the private sector.  Couple that with the reality that any legislation passed by Congress may very well be obsolete by the time it reaches the President’s desk for signing and you get a gist of the challenge here. 

In spite of the acrimonious political environment surrounding the sequestration, McCaul shared with the audience that cyber security legislation was an area that both parties might just be able to reach consensus.  He cited the efforts of Michael Daniel, White House Cyber Security Coordinator, to reach out to certain Congressional Leaders to review the recent White House Executive Order issued by President Obama on February 13th of this year.  Certainly the headlines involving nation state threats to our critical infrastructure and the recent Mandiant white paper highlighting China’s activities in this arena have helped drive some consensus on this issue.  Perhaps many of our Congressional leaders are looking for an issue – any issue – in which they can find a modest level of agreement..  Rep McCaul’s initial analysis of the Executive Order was it:

Strengths:

  • Get solid feedback from the private sector
  • Better defines the role of the Department of Homeland Security

Gaps

  • Voluntary standards need further definition
  • It leaves open the door to future industry regulation

Rep. McCaul insisted that two things most likely will not happen this session:

  • Anything involving the “R Word,” i.e. regulation.  There seems to be zero political appetite for turning the screws on American businesses to tighten security standards especially during these uncertain economic times.  This was welcome news to everyone in the room.
  • Ambitious legislation that helps to define all aspects of information sharing and standards that would have a profound impact across industry.  Instead, look for our elected officials to nibble around the edges of these issues and perhaps make incremental gains around information sharing.

However, one of the more interesting moments of the sessions came during the Q&A.  A representative of the electrical provider in the DC area posed an intriguing question.  When, not if, a sophisticated attacker breaches their utility, which Federal agency should they respond to first, and in what order?  When they show up on their doorstep, should they respond to the DoD (Department of Defense), the DHS (Department of Homeland Security), the FBI, NERC (the North American Electrical Reliability Corporation), FERC (the Federal Energy Regulatory Commission), or who else first?  McCaul responded that they should speak to DHS first although many members of the audience probably thought the reality would be slightly more complicated.

So, if you are interested in cyber security issues, you should probably spend some small percentage of your time keeping track of the cyber security legislative efforts and policy issues occurring at the national and state levels.  It was an eye opening experience for me and I learned a tremendous amount about how large enterprises are approaching this issue after just one session at the US Chamber.  The bottom line is that you may not care about policy and politics on a day-to-day basis, but somebody within your organization does -likely someone higher up the food chain than yourself - and some day they might ask you about your interpretation of these efforts.  It would be good for yourself and your organization to have an answer ready.

For some more information on budding Federal cybersecurity policy, check out:

Contact us if you have any stories you want to share about how cybersecurity legislation might impact your business.

--John

john _at_ denimgroup.com

@johnbdickson

April 02, 2013 in Conferences, Current Affairs, Denim Group, Information Security, John Dickson, Security, Web Application Security, Web/Tech | | Comments (3) | TrackBack (0)

Technorati Tags: , , , , , ,

May 16, 2011

How Do We Get More Software Security Concepts Taught in Higher Education?

By John Dickson

In my last blog post I focused on the gap between software security and higher education, and how initial efforts to force universities to teach software security concepts in their curricula have largely been unsuccessful. In spite of requests from some of the largest software companies and their leaders, there hasn’t been a measurable change in how security concepts involving software are being taught in our universities. Therefore, the security of software being developed in industry has not been improved by college hire talent entering the workforce. Entry-level developers have to be taught how to build secure applications in addition to everything else they have to learn starting out on the job.

I’ve characterized many of the initial efforts to change the status quo at universities as the “stick” approach – using implied threats, i.e., not hiring graduates, in order to influence curriculum development. In my last post, I commented that that felt these efforts had been largely ignored by the faculty and staff at Computer Science departments at major universities. Now I want to highlight some of the “carrots” that I’ve seen – actions or broader initiatives that I feel have had a positive impact on the teaching of security software concepts at institutions of higher ed.

I hate to say it, but some of these concepts are right out of Andrew Carnegie’s “How to Win Friends and Influence People” - namely that if you want someone to do something, figure out what they want to do, then work back from there. My thoughts involving getting professors to teach software security concepts are not entirely different from what Mr. Carnegie developed nearly 100 years ago. In this case, if you want professors to teach secure software concepts, figure out what the professors want, then work back from there. Below is a list of ideas that I’ve seen in the real world that have worked (to varying degrees). They represent a starting point for positive engagement with universities that graduate armies of junior developers each year.

Hire their students – Ultimately, most conscientious professors care about where their students work after graduation. It reflects well on them with their department heads and administrators if you hire their students, if nothing else because they will be good sources for future community fundraising activities. If you hire their students, and develop a personal relationship with senior members of the faculty, you are more likely to find a receptive party when you broach the topic of teaching more application security concepts.

Sponsor interns – Great interns translate to great college hires when they graduate too, so you are self-interested to hire great interns. If you or someone in your company has developed personal relationships with faculty, they may even help you identify the pick of the litter.

Provide interesting graduate thesis ideas – As an industry professional, you know best what issues are persistent challenges in the application security field. If you can provide insight into these operational issues reflecting real-world issues, you are likely able to provide faculty with great ideas for future research for graduate theses.

Serve on an Advisory Panel – Nearly every major computer science or security program in higher education has an industry advisory group that provides input to their respective departments. If you really want to get to know the faculty and influence what is taught, volunteer for an advisory panel. I’ve been on the University of Texas at San Antonio (UTSA) Institute for Cyber Security industry advisory group for nearly three years, which has allowed me to better understand the inner workings at that institution. In addition, I recently sat on a review committee as the only non-faculty member to review the governance of the same Institute. Both experiences have provided unparalleled understanding and visibility into the computer science and security programs at UTSA. If you don’t have time to do that, consider delivering an application security guest lecture during one of the computer science classes.

Donate money and resources! - Perhaps the strongest way to gain the attention of faculty and staff at an institute of higher education is to give money or resources. One of the things I learned during the UTSA review was that Federal and state grant dollars are scarcer now than in the recent past. So if you can write a check to drive sponsored research or contribute to a scholarship fund, you will get the attention of university leadership. Short of actually writing a check (or checks), there are other ways to contribute that can have a positive effect, and provide the positive relationships. Another approach is to donate resources – software, or information that can be included in curriculum.

Next blog post – Additional ideas for engagement and what the Open Web Application Security Project (OWASP) is doing to move the needle.

Contact us

--John

john _at_ denimgroup.com

@johnbdickson

May 16, 2011 in Current Affairs | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , ,

August 24, 2009

Social Networking Security Slide Deck Online

By Dan Cornell

John Dickson gave a presentation on the security implications of social networking to a group of CSOs last week.  The slide deck is now online at SlideShare:

Social Networks and Security: What Your Teenager Likely Won't Tell You
View more documents from Denim Group.

John's main point is that CSOs need to approach social networking as a business issue rather than a security issue if they want to maximize their ability to influence policy and implementation.

--Dan
dan _at_ denimgroup.com
@danielcornell

August 24, 2009 in Current Affairs, Dan Cornell, Denim Group, Information Security, John Dickson, Pro Services Life, Security, SoCIAl Networking, Speaking Events, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)