Tuned into a cyber security discussion today with Richard Clarke who shared insights into what he calls the CHEW (Crime Hacktivisim Espionage and War) of cyber security. The talk was hosted by Veracode where Mr. Clarke is a recent addition to their Board. Some highlights below:

 Increasingly offensive nature of cyberwar

• 20-30 nations have created offensive cyberwar units
• U.S. Cyber Command and Pentagon developing offensive tools and DARPA spending money on researching advanced offensive tools.
• Stuxnet was the first cyber weapon to gain attention.
• Every(!!) (his emphasis) major company and government agency has been penetrated.

Regulatory activity

• Regulatory agencies have acted:  HIPAA now has teeth.  FERC is starting to hand out violations and fining T&D companies for non-compliance.
• SEC has guided that breaches beyond those involving PII be disclosed. Companies would be required to report when they suffer a breach that could have a material impact on their business. He gave the example of a chemical company who has its secret formula to its newest compound stolen. This goes beyond notification for when PII is stolen, which is current standard. (While increased scrutiny from the investment community would help drive compliance, a policy that requires companies to judge the severity of a breach has many unintended consequences. Niloo Howe of Paladin Capital addresses this issue nicely here. In short, disclose breaches not risks, create safe harbors and define standards.)

What can be done to secure SMBs

• Triptych of firewalls, encryption and anti-virus are necessary by not sufficient.
• Institutionalize requirements for 3^rd party software verification by embedding them in the RFP process.  Some of the biggest offenders are remote debugging interfaces that are used during development but are sometimes not removed before the product ships. Apparently this was the case with the water plant in Illinois. You never what is in the software till you get it and rigorously vet it.
• Use multiple automated tested techniques to conduct independent assessments.
• Include more stakeholders. Some CIOs don’t care about security.  They’re really focused on uptime and availability. But more stakeholders can be brought into the process. Legal council, board-level audit committees and CSOs of the gates, guns and guards variety all have vested interested in securing the cyber assets of a company.
• Go to the cloud. Many SMBs don’t have the resources to protect themselves, but they can and should be demanding more in the way of security from their cloud providers.  

Security of outsourced software

• He doesn’t believe the built-in bias that outsourced software is any less secure than that developed domestically.  Doesn’t think the origin of software makes a difference in the treat level. Domestic developers can be bribed, self-motivated or negligent. Only real protection is software validation and inspection.
• Supported late Bush administrations push into addressing supply chain concerns. Current supply chains relient on commercial and off-the-shelf software and could riddled with vulnerabilities. 

Rules for visiting China?

• Go with clean devices. And when you come back, give them away.  He has no doubt that the devices of western visitors to China are being targeted and penetrated.