Transcript of a BriefingsDirect podcast in which cyber security expert Joel Brenner explains the risk to businesses from international electronic espionage.
Major security intrustions from businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really is.
Open Letter to President Obama Opposing Backdoors and Defective EncryptionAlvaro Lopez Ortega
Dear President Obama,
We the undersigned represent a wide variety of civil society organizations dedicated to protecting civil liberties, human rights, and innovation online, as well as technology companies, trade associations, and security and policy experts. We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities
We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.
Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.
In addition to undermining cybersecurity, any kind of vulnerability mandate would also seriously undermine our economic security. U.S. companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency’s surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers—be they domestic or international, 2 individual or institutional—to turn away from those compromised products and services. Instead, they—and many of the bad actors whose behavior the government is hoping to impact—will simply rely on encrypted of
Presentation on cyber warfare, recent examples, current capabilities of the major players, and issues relating to the advancement of cyber warfare and cyber security in the United States. The Cyber War Forum Initiative is promoted for its role in solving many elements of the issues facing the US.
Major security intrustions from businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really is.
Open Letter to President Obama Opposing Backdoors and Defective EncryptionAlvaro Lopez Ortega
Dear President Obama,
We the undersigned represent a wide variety of civil society organizations dedicated to protecting civil liberties, human rights, and innovation online, as well as technology companies, trade associations, and security and policy experts. We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities
We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad.
Strong encryption is the cornerstone of the modern information economy’s security. Encryption protects billions of people every day against countless threats—be they street criminals trying to steal our phones and laptops, computer criminals trying to defraud us, corporate spies trying to obtain our companies’ most valuable trade secrets, repressive governments trying to stifle dissent, or foreign intelligence agencies trying to compromise our and our allies’ most sensitive national security secrets.
Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them “front doors” or “back doors”, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.
In addition to undermining cybersecurity, any kind of vulnerability mandate would also seriously undermine our economic security. U.S. companies are already struggling to maintain international trust in the wake of revelations about the National Security Agency’s surveillance programs. Introducing mandatory vulnerabilities into American products would further push many customers—be they domestic or international, 2 individual or institutional—to turn away from those compromised products and services. Instead, they—and many of the bad actors whose behavior the government is hoping to impact—will simply rely on encrypted of
Presentation on cyber warfare, recent examples, current capabilities of the major players, and issues relating to the advancement of cyber warfare and cyber security in the United States. The Cyber War Forum Initiative is promoted for its role in solving many elements of the issues facing the US.
CyberSecurity: Intellectual Property dispute fuels CyberwarElyssa Durant
deep links! Firetown run by Michael Dammann is an illegal operation registered in the United States of America by a known disinformation agent and FRAUD. The Firetown News Network is farce. INTELLECTUAL PROPERTY 101. I want my shit back! Let the record show, you can delete a post but there is a always a trace. #InfoSec
Index
Top Cyber Crimes
What is OSINT
Resource For OSINT
Goal - OSINT
Information Gathering
Analysis
Career as a Digital Forensics Investigator
Case Study - Malaysian Airlines Flight MH17
OSINT Process
Confidential Data of GOV
Preventive Measures
www.fomada.com
Presented By Syed Amoz: CEO Fomada
Webinar slides sept 23 2021 mary aikenCapitolTechU
Capitol Technology University Cap Tech Talks Webinar presented Sept 23, 2021 by Dr. Mary Aiken called “An Introduction to Cyberpsychology: The Impact of Emerging Technology on Human Behavior.”
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...Nicholas Tancredi
Capstone project for a 12-week online course with the International Association of Crime Analysts. My topic was on how crime and intelligence analysts are using open source intelligence (OSINT) to investigate Internet crime.
The Open Group Trusted Technology Forum Leading the Way in Securing Global Su...Dana Gardner
Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make supply chains secure, verified, and trusted.
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Dana Gardner
Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.
CyberSecurity: Intellectual Property dispute fuels CyberwarElyssa Durant
deep links! Firetown run by Michael Dammann is an illegal operation registered in the United States of America by a known disinformation agent and FRAUD. The Firetown News Network is farce. INTELLECTUAL PROPERTY 101. I want my shit back! Let the record show, you can delete a post but there is a always a trace. #InfoSec
Index
Top Cyber Crimes
What is OSINT
Resource For OSINT
Goal - OSINT
Information Gathering
Analysis
Career as a Digital Forensics Investigator
Case Study - Malaysian Airlines Flight MH17
OSINT Process
Confidential Data of GOV
Preventive Measures
www.fomada.com
Presented By Syed Amoz: CEO Fomada
Webinar slides sept 23 2021 mary aikenCapitolTechU
Capitol Technology University Cap Tech Talks Webinar presented Sept 23, 2021 by Dr. Mary Aiken called “An Introduction to Cyberpsychology: The Impact of Emerging Technology on Human Behavior.”
Digital Breadcrums: Investigating Internet Crime with Open Source Intelligenc...Nicholas Tancredi
Capstone project for a 12-week online course with the International Association of Crime Analysts. My topic was on how crime and intelligence analysts are using open source intelligence (OSINT) to investigate Internet crime.
The Open Group Trusted Technology Forum Leading the Way in Securing Global Su...Dana Gardner
Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make supply chains secure, verified, and trusted.
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Dana Gardner
Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.
Choice, Consistency, Confidence Keys to Improving Services' Performance throu...Dana Gardner
Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on hybrid cloud and tying together the evolving elements of cloud computing.
HP Discover 2012 Case Study: McKesson Redirects IT to Become a Services Provi...Dana Gardner
Transcript of a BriefingDirect podcast from HP Discover 2012 on how health-care giant McKesson has revamped it's IT approach and instituted a cultural shift toward services.
Analysts Probe Future of Client Architectures as HTML 5 and Client Virtualiza...Dana Gardner
Edited transcript of BriefingsDirect Analyst Insights Edition podcast, Vol. 52 on client-side architectures and the prospect of heightened disruption in the PC and device software arenas.
Showing Value Early and Often Boosts Software Testing Overhaul Success at Pom...Dana Gardner
Transcript of a BriefingsDirect podcast on how a managed service provider is using HP tools to improve quality and speed modernization in application development.
Defining the New State for Comprehensive Enterprise Security Using CSC Servic...Dana Gardner
Transcript of a BriefingsDirect podcast on the growing menace of cybercrime and what companies need to do to protect their intellectual property and their business.
Troels Ørting Jørgensen, Chairman at Bullwall, Expert Member at INTERPOL
Mr. Ørting is a globally recognized Cyber Security Expert. He has been working in cybersecurity ‘first line’ for over 4 decades. Throughout career, Mr. Ørting has been working with governments and corporations to advise on how they react to the increasing international cyber threats, and worked closely with law enforcement, intelligence services and cyber security businesses.
Formerly, with the Danish National Police, first as Director, Head of the Serious Organised Crime Agency and then as Director of Operations, Danish Security Intelligence Service; Deputy Head, ICT Department and Deputy Head, OC Department, Europol, EU’s Police Agency; Head of European Cybercrime Centre and Head of Europol Counter Terrorist and Financial Intelligence Centre. 2015-18, Group Chief Information Security Officer (CISO), Barclays. Chaired the EU Financial Cybercrime Coalition, of which most banks are partners, and has very strong experience in cyber security. Since 2018, Head of the Centre for Cybersecurity, World Economic Forum. Chairman of the Board of World Economic Forum Centre for Cybersecurity (C4C).
Troels Oerting
“WE, IN SECURITY, SHOULD NOT PROMOTE FEAR – BUT PROTECT HOPE”
BEFORE THE GLOBAL PANDEMIC HIT THE WORLD IN SPRING 2020, the digital transformation increased speed and magnitude. Fuelled by super-drivers like mobile/5G, IoT, Cloud and AI the number of users, applications, storage, connections and algorithms outpaced what we had seen before. The huge possibilities provided by the Internet created a ‘tech’ environment attracting the best brains the World could produce and geopolitical tensions between China, Russia, EU and US intensified the regional competition on ‘who controls the Internet’ and the subsequent influence, growth and wealth.
THE GLOBAL COVID PANDEMIC FORCED US TO MOVE APPROXIMATELY 1.2 BN WORKERS FROM THEIR OFFICES to work from homes in order to keep the wheels spinning. Internet enabled communication tools substituted physical meetings, teaching, marketing, trading, reading, accounting, watching and demand for online services surged and Accenture has estimated that globally we went through 3 years normal speedy digital transformation in just 3 months. This will continue. We will not go back to the ‘old days’ even after we get a vaccine. We will continue to work remotely – not necessarily from home but from anywhere. Both employers and employees have seen the benefits of this new flexible work-regime providing support from working both from offices and from anywhere.
“In the future everything will be connected, everything will be sensing, everything will be stored and everything will be used, sold or utilised in other ways”
THE FUTURE will provide more positive opportunities for the global, and connected, citizen – for businesses, education, healthcare, sustainability, climate, transparency and democracy. But it will also present challenges to security, privacy...
Cybersecurity Trends 2018: The costs of connectionESET Middle East
To help the reader navigate through the maze of current threats, ESET’s thought leaders have zeroed in on several areas that top the priority list in our exercise in looking forward.
Staying Ahead in the Cybersecurity Game: What Matters NowCapgemini
This essential book gives you the most recent and relevant topics on cybersecurity. It focuses on the organization, management and governance dimensions of security, whilst staying away from over-technical discussions. Each chapter highlights one of the most recent developments, what it means and why you should consider doing things differently as a result.
Co-written with IBM and Sogeti, read their latest publication on cybersecurity to arm yourself with the necessary knowledge to protect your enterprise.
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
Similar to Corporate Data, Supply Chains Vulnerable to Cyber Crime Attacks from Outside the Country (20)
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Corporate Data, Supply Chains Vulnerable to Cyber Crime Attacks from Outside the Country
1. Corporate Data, Supply Chains Vulnerable to Cyber Crime
Attacks from Outside the Country
Transcript of a BriefingsDirect podcast in which cyber security expert Joel Brenner explains the
risk to businesses from international electronic espionage.
Listen to the podcast. Find it on iTunes/iPod. Sponsor: The Open Group
Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.
Dana Gardner: Hello and welcome to a special BriefingsDirect thought leadership interview
series coming to you in conjunction with the Open Group Conference this July in Washington,
D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be
your host throughout these discussions.
The conference will focus on how security impacts the enterprise architecture,
enterprise transformation, and global supply chain activities in organizations,
both large and small. Today, we're here on the security front with one of the
main speakers at the July 16 conference, Joel Brenner, the author of "America
the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and
Warfare."
Joel is a former Senior Counsel at the National Security Agency (NSA), where he advised on
legal and policy issues relating to network security. Mr. Brenner currently practices law in
Washington at Cooley LLP, specializing in cyber security.
Previously, he served as the National Counterintelligence Executive in the Office of the Director
of National Intelligence, and as the NSA’s Inspector General. He is a graduate of University of
Wisconsin–Madison, the London School of Economics, and Harvard Law School.
Joel, welcome to BriefingsDirect.
Joel Brenner: Thanks. I'm glad to be here.
Gardner: Your book came out last September and it affirmed this notion that the United States,
or at least open Western cultures and societies, are particularly vulnerable to being infiltrated, if
you will, from cybercrime, espionage, and dirty corporate tricks.
My question is why wouldn't these same countries be also very adept on the offense, being
highly technical? Why are we particularly vulnerable, when we should be most adept at using
cyber activities to our advantage?
2. Brenner: Let’s make a distinction here between the political-military espionage that's gone on
since pre-biblical times and the economic espionage that’s going on now and, in
many cases, has nothing at all to do with military, defense, or political issues.
The other stuff has been going on forever, but what we've seen in the last 15 or so
years is a relentless espionage attack on private companies for reasons having
nothing to do with political-military affairs or defense.
So the countries that are adept at cyber, but whose economies are relatively
undeveloped compared to ours, are at a big advantage, because they're not very lucrative targets
for this kind of thing, and we are. Russia, for example, is paradoxical. While it has one of the
most educated populations in the world and is deeply cultured, it has never been able to produce
a commercially viable computer chip.
Not entrepreneurial
We’re not going to Russia to steal advanced technology. We’re not going to China to steal
advanced technology. They're good at engineering and they’re good at production, but so far,
they have not been good at making themselves into an entrepreneurial culture.
That’s one just very cynical reason why we don't do economic espionage against the people who
are mainly attacking us, which are China, Russia, and Iran. I say attack in the espionage sense.
The other reason is that you're stealing intellectual property when you’re doing economic
espionage. It’s a bedrock proposition of American economics and political strategy around the
world to defend the legal regime that protects intellectual property. So we don’t do
that kind of espionage. Political-military stuff we're real good at.
Gardner: This raises the question for me. If we're hyper-
capitalist, where we have aggressive business practices and we have
these very valuable assets to protect, isn't there the opportunity to take the technology and thwart
the advances from these other places? Wouldn’t our defense rise to the occasion? Why hasn't it?
Brenner: The answer has a lot to do with the nature of the Internet and its history. The Internet,
as some of your listeners will know, was developed starting in the late '60s by the predecessor of
the Defense Advanced Research Projects Agency (DARPA), a brilliant operation which produced
a lot of cool science over the years.
It was developed for a very limited purpose, to allow the collaboration of geographically
dispersed scientists who worked under contract in various universities with the Defense
Department's own scientists. It was bringing dispersed brainpower to bear.
It was a brilliant idea, and the people who invented this, if you talk to them today, lament the fact
that they didn't build a security layer into it. They thought about it. But it wasn't going to be used
3. for anything else but this limited purpose in a trusted environment, so why go to the expense and
aggravation of building a lot of security into it?
Until 1992, it was against the law to use the Internet for commercial purposes. Dana, this is just
amazing to realize. That’s 20 years ago, a twinkling of an eye in the history of a country’s
commerce. That means that 20 years ago, nobody was doing anything commercial on the
Internet. Ten years ago, what were you doing on the Internet, Dana? Buying a book for the first
time or something like that? That’s what I was doing, and a newspaper.
In the intervening decade, we’ve turned this sort of Swiss cheese, cool network, which has
brought us dramatic productivity and all and pleasure into the backbone of virtually everything
we do.
International finance, personal finance, command and control of military, manufacturing controls,
the controls in our critical infrastructure, all of our communications, virtually all of our activities
are either on the Internet or exposed to the Internet. And it’s the same Internet that was Swiss
cheese 20 years ago and it's Swiss cheese now. It’s easy to spoof identities on it.
So this gives a natural and profound advantage to attack on this network over defense. That’s
why we’re in the predicament we're in.
Both directions
Gardner: So the Swiss cheese would work in both directions. U.S. corporations, if they were
interested, could use the same techniques and approaches to go into companies in China or
Russia or Iran, as you pointed out, but they don't have assets that we’re interested in. So we’re
uniquely vulnerable in that regard.
Let’s also look at this notion of supply chain, because corporations aren’t just islands unto
themselves. A business is really a compendium of other businesses, products, services, best
practices, methodologies, and intellectual property that come together to create a value add of
some kind. It's not just attacking the end point, where that value is extended into the market. It’s
perhaps attacking anywhere along that value chain.
What are the implications for this notion of the ecosystem vulnerability versus the enterprise
vulnerability?
Brenner: Well, the supply chain problem really is rather daunting for many businesses, because
supply chains are global now, and it means that the elements of finished products have a
tremendous numbers of elements. For example, this software, where was it written? Maybe it
was written in Russia -- or maybe somewhere in Ohio or in Nevada, but by whom? We don’t
know.
There are two fundamental different issues for supply chain, depending on the company. One is
counterfeiting. That’s a bad problem. Somebody is trying to substitute shoddy goods under your
4. name or the name of somebody that you thought you could trust. That degrades performance and
presents real serious liability problems as a result.
The other problem is the intentional hooking, or compromising, of software or chips to do things
that they're not meant to do, such as allow backdoors and so on in systems, so that they can be
attacked later. That’s a big problem for military and for the intelligence services all around the
world.
The reason we have the problem is that nobody knows how to vet a computer chip or software to
see that it won't do these squirrelly things. We can test that stuff to make sure it will do what it's
supposed to do, but nobody knows how to test the computer chip or two million lines of software
reliably to be sure that it won’t also do certain things we don't want it to do.
You can put it in a sandbox or a virtual environment and you can test it for a lot of things, but
you can't test it for everything. It’s just impossible. In hardware and software, it is the strategic
supply chain problem now. That's why we have it.
Gardner: So as organizations ramp up their security, as they look towards making their own
networks more impervious to attack, their data isolated, their applications isolated, they still have
to worry about all of the other components and services that come into play, particularly
software.
Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.
Brenner: If you have a worldwide supply chain, you have to have a worldwide supply chain
management system. This is hard and it means getting very specific. It includes not only
managing a production process, but also the shipment process. A lot of squirrelly things happen
on loading docks, and you have to have a way not to bring perfect security to that -- that's
impossible -- but to make it really harder to attack your supply chain.
Notion of cost
Gardner: Well, Joel, it sounds like we also need to reevaluate the notion of cost. So many
organizations today, given the economy and the lagging growth, have looked to lowest cost
procedures, processes, suppliers, materials, and aren't factoring in the risk and the associated cost
around these security issues. Do people need to reevaluate cost in the supply chain by factoring
in what the true risks are that we’re discussing?
Brenner: Yes, but of course, when the CEO and the CFO get together and start to figure this
stuff out, they look at the return on investment (ROI) of additional security. It's very hard to be
quantitatively persuasive about that. That's one reason why you may see some kinds of
5. production coming back into the United States. How one evaluates that risk depends on the
business you're in and how much risk you can tolerate.
This is a problem not just for really sensitive hardware and software, special kinds of operations,
or sensitive activities, but also for garden-variety things. If you’re making titanium screws for
orthopedic operations, for example, and you’re making them in -- I don’t want to name any
country, but let’s just say a country across the Pacific Ocean with a whole lot of people in it --
you could have significant counterfeit problems there.
Explaining to somebody that the screw you just put through his spine is really not what it’s
supposed to be and you have to have another operation to take it out and put in another one is not
a risk a lot of people want to run.
So even in things like that, which don't involve electronics, you have significant supply-chain
management issues. It’s worldwide. I don’t want to suggest this is a problem just with China.
That would be unfair.
Gardner: Right. We’ve seen other aspects of commerce in which we can't lock down the
process. We can’t know all the information, but what we can do is offer deterrence, perhaps in
the form of legal recourse, if something goes wrong, if in fact, decisions were made that
countered the contracts or were against certain laws or trade practices. Is it practical to look at
some of these issues under the business lens and say, "If we do that, will it deter people from
doing it again?"
Brenner: For a couple of years now, I’ve struggled with the question why it is that liability
hasn’t played a bigger role in bringing more cyber security to our environment, and there are a
number of reasons.
We've created liability for the loss of personal information, so you can quantify that risk. You
have a statute that says there's a minimum damage of $500 or $1,000 per person whose
identifiable information you lose. You add up the number of files in the breach and how much the
lawyers and the forensic guys cost and you come up with a calculation of what these things cost.
But when it comes to just business risk, not legal risk, and the law says intellectual property to a
company that depends on that intellectual property, you have a business risk. You don’t have
much of a legal risk at this point.
You may have a shareholder suit issue, but there hasn’t been an awful lot of that kind of litigation
so far. So I don't know. I'm not sure that’s quite the question you were asking me, Dana.
Gardner: My follow on to that was going to be where would you go to sue across borders
anyway? Is there an über-regulatory or legal structure across borders to target things like supply
chain, counterfeit, cyber espionage, or mistreatment of business practice?
Depends on the borders
6. Brenner: It depends on the borders you're talking about. The Europeans have a highly
developed legal and liability system. You can bring actions in European courts. So it depends
what borders you mean.
If you’re talking about the border of Russia, you have very different legal issues. China has
different legal issues, different from Russia, as well from Iran. There are an increasing number of
cases where actions are being brought in China successfully for breaches of intellectual property
rights. But you wouldn't say that was the case in Nigeria. You wouldn't say that was the case in a
number of other countries where we’ve had a lot of cybercrime originating from.
So there's no one solution here. You have to think in terms of all kinds of layered defenses. There
are legal actions you can take sometimes, but the fundamental problem we’re dealing with is this
inherently porous Swiss-cheesy system. In the long run, we're going to have to begin thinking
about the gradual reengineering of the way the Internet works, or else this basic dynamic, in
which lawbreakers have advantage over law-abiding people, is not going to go away.
Think about what’s happened in cyber defenses over the last 10 years and how little they've
evolved -- even 20 years for that matter. They almost all require us to know the attack mode or
the sequence of code in order to catch it. And we get better at that, but that’s a leapfrog business.
That’s fundamentally the way we do it.
Whether we do it at the perimeter, inside, or even outside before the attack gets to the perimeter,
that’s what we’re looking for -- stuff we've already seen. That’s a very poor strategy for doing
security, but that's where we are. It hasn’t changed much in quite a long time and it's probably
not going to.
Gardner: Why is that the case? Is this not a perfect opportunity for a business-government
partnership to come together and re-architect the Internet at least for certain types of business
activities, permit a two-tier approach, and add different levels of security into that? Why hasn’t it
gone anywhere?
Brenner: What I think you’re saying is different tiers or segments. We’re talking about the
Balkanization of the Internet. I think that's going to happen as more companies demand a higher
level of protection, but this again is a cost-benefit analysis. You’re going to see even more
Balkanization of the Internet as you see countries like Russia and China, with some success,
imposing more controls over what can be said and done on the Internet. That’s not going to be
acceptable to us.
Gardner: So it's a notion of public and private.
Brenner: You can say public and private. That doesn’t change the nature of the problem. It
won’t happen all at once. We're not going to abandon the Internet. That would be crazy.
Everything depends on it, and you can’t do that. It’d be a fairy tale to think of it. But it’s going to
7. happen gradually, and there is research going on into that sort of thing right now. It’s also a big
political issue.
Gardner: Let’s take a slightly different tack on this. We’ve seen a lot with cloud computing and
more businesses starting to go to third-party cloud providers for their applications, services, data
storage, even integration to other business services and so forth.
More secure
If there's a limited lumber, or at least a finite number, of cloud providers and they can institute
the proper security and take advantage of certain networks within networks, then wouldn’t that
hypothetically make a cloud approach more secure and more managed than every-man-for-
himself, which is what we have now in enterprises and small to medium-sized businesses
(SMBs)?
Brenner: I think the short answer is yes. The SMBs will achieve greater security by basically
contracting it out to what are called cloud providers. That’s because managing the patching of
vulnerabilities and other aspects and encryption is beyond what’s most small businesses and
many medium-sized businesses can do, are willing to do, or can do cost-effectively.
For big businesses in the cloud, it just depends on how good the big businesses’ own
management of IT is as to whether it’s an improvement or not. But there are some problems with
the cloud.
People talk about security, but there are different aspects of it. You and I have been talking just
now about security meaning the ability to prevent somebody from stealing or corrupting your
information. But availability is another aspect of security. By definition, putting everything in
one remote place reduces robustness, because if you lose that connection, you lose everything.
Consequently, it seems to me that backup issues are really critical for people who are going to
the cloud. Are you going to rely on your cloud provider to provide the backup? Are you going to
rely on the cloud provider to provide all of your backup? Are you going to go to a second cloud
provider? Are you going to keep some information copied in-house?
What would happen if your information is good, but you can’t get to it? That means you can’t get
to anything anymore. So that's another aspect of security people need to think through.
Gardner: We’re almost out of time, Joel, but I wanted to get into this sense of metrics,
measurement of success or failure. How do you know you’re doing the right thing? How do you
know that you're protecting? How do you know that you've gone far enough to ameliorate the
risk?
8. Brenner: This is really hard. If somebody steals your car tonight, Dana, you go out to the curb or
the garage in the morning, and you know it's not there. You know it’s been stolen.
When somebody steals your algorithms, your formulas, or your secret processes, you've still got
them. You don’t know they’re gone, until three or four years later, when somebody in Central
China or Siberia is opening a factory and selling stuff into your market that you thought you
were going to be selling -- and that’s your stuff. Then maybe you go back and realize, "Oh, that
incident three or four years ago, maybe that's when that happened, maybe that’s when I lost it."
What's going out
So you don’t even know necessarily when things have been stolen. Most companies don’t do a
good job. They’re so busy trying to find out what’s coming into their network, they're not looking
at what's going out.
That's one reason the stuff is hard to measure. Another is that ROI is very tough. On the other
hand, there are lots of things where business people have to make important judgments in the
face of risks and opportunities they can't quantify, but we do it.
We’re right to want data whenever we can get it, because data generally means we can make
better decisions. But we make decisions about investment in R&D all the time without knowing
what the ROI is going to be and we certainly don't know what the return on a particular R&D
expenditure is going to be. But we make that, because people are convinced that if they don't
make it, they’ll fall behind and they'll be selling yesterday’s products tomorrow.
Why is it that we have a bias toward that kind of risk, when it comes to opportunity, but not
when it comes to defense? I think we need to be candid about our own biases in that regard, but I
don't have a satisfactory answer to your question, and nobody else does either. This is one where
we can't quantify that answer.
Gardner: It sounds as if people need to have a healthy dose of paranoia to tide them over across
these areas. Is that a fair assessment?
Brenner: Well, let’s say skepticism. People need to understand, without actually being paranoid,
that life is not always what it seems. There are people who are trying to steal things from us all
the time, and we need to protect ourselves.
In many companies, you don't see a willingness to do that, but that varies a great deal from
company to company. Things are not always what they seem. That is not how we Americans
approach life. We are trusting folks, which is why this is a great country to do business in and
live in. But we're having our pockets picked and it's time we understood that.
9. Gardner: And, as we pointed out earlier, this picking of pockets is not just on our block, but
could be any of our suppliers, partners, or other players in our ecosystem. If their pockets get
picked, it ends up being our problem too.
Brenner: Yeah, I described this risk in my book, “America the Vulnerable,” at great length and
in my practice, here at Cooley, I deal with this every day. I find myself, Dana, giving briefings to
businesspeople that 5, 10, or 20 years ago, you wouldn’t have given to anybody who wasn't a
diplomat or a military person going outside the country. Now this kind of cyber pilferage is an
aspect of daily commercial life, I'm sorry to say.
Gardner: Very good. I'm afraid we'll have to leave it there. We’ve been talking with Joel
Brenner, the author of “America the Vulnerable: Inside the New Threat Matrix of Digital
Espionage, Crime, and Warfare.” And as a lead into his Open Group presentation on July 16 on
cyber security, Joel and I have been exploring the current cybercrime landscape and what can be
done to better understand the threat and work against it.
This special BriefingsDirect discussion comes to you in conjunction with the Open Group
Conference from July 16 to 20 in Washington, D.C. We’ll hear more from Joel and others at the
conference on ways that security and supply chain management can be improved. I want to thank
you, Joel, for joining us. It’s been a fascinating discussion.
Brenner: Pleasure. Thanks for having me.
Gardner: I’d certainly look forward to your presentation in Washington. I encourage our readers
and listeners to attend the conference to learn more. This is Dana Gardner, Principal Analyst at
Interarbor Solutions, your host and moderator for these thought leadership interviews. Thanks
again for listening and come back next time.
Listen to the podcast. Find it on iTunes/iPod. Sponsor: The Open Group
Transcript of a BriefingsDirect podcast in which cyber security expert Joel Brenner explains the
risk to businesses from international electronic espionage. Copyright The Open Group and
Interarbor Solutions, LLC, 2005-2012. All rights reserved.
Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.
You may also be interested in:
• Open Group Conference Speakers Discuss the Cloud: Higher Risk or Better Security?
• Capgemini's CTO on Why Cloud Computing Exposes the Duality Between IT and
Business
10. • San Francisco Conference observations: Enterprise transformation, enterprise
architecture, SOA and a splash of cloud computing
• MIT's Ross on how enterprise architecture and IT more than ever lead to business
transformation
• Overlapping criminal and state threats pose growing cyber security threat to global
Internet commerce, says Open Group speaker
• Enterprise architects play key role in transformation, data analytics value -- but they need
to act fast, say Open Group speakers
• Exploring Business-IT Alignment: A 20-Year Struggle Culminating in the Role and
Impact of Business Architecture