Tuesday, August 11, 2015

Cybersecurity & Civic Hacking # 10: NE Wisconsin Cybersecurity Proposal

In the past nine ‘Cybersecurity & Civic Hacking’ posts, I’ve mentioned a proposal for a collaborative NE Wisconsin cybersecurity initiative which includes a civic hacking component, but I haven’t written a post that describes how that regional cybersecurity initiative will work.

This tenth post in the series presents a few details of how the proposed cybersecurity initiative will work, including some aspects of civic hackers being involved with our regional digital security. But before I describe these details, let’s first review why NE Wisconsin needs to launch this initiative.
  1. Most residents and businesses in NE Wisconsin face numerous cybersecurity threats and don’t have the knowledge or money to make sure you aren’t seriously impacted by those threats.
  2. Everyday life for residents and businesses in NE Wisconsin will continue to get more computerized, digitized, automated and connected to the Internet, increasing your cybersecurity risks.
  3. The US government will not be effectively protecting residents and businesses in NE Wisconsin from cybersecurity threats.
  4. US tech companies in Silicon Valley and elsewhere will not be effectively protecting residents and businesses in NE Wisconsin from cybersecurity threats.
The above reasons for launching the initiative aren’t hype and aren’t concepts I dreamed up. If you research what’s been written or said over the past five years by knowledgeable and respected digital security specialists who don’t sell computer security software or services, you’ll come to the same conclusion and agree with those points.

To highlight what's being said by US digital security leaders in 2015, here are excerpts from relevant articles.
  1. Alex Stamos was the chief information security officer for Yahoo, responsible for the security of their hundreds of millions of users, and recently became chief security officer for Facebook, so he’s now responsible for the security of FB’s billion+ users. In April 2015 Stamos said, “I’m not very happy with where we are as an industry,” he said, with a grim look on his face. “We’re really focusing on the 1%,” he added, referring to the small number of companies that can afford to spend on cybersecurity teams and products, and the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online...“The vast majority of people are not safe using the internet everyday...”
  2. One Silicon Valley veteran journalist has long been skeptical about whether digital security really is a major problem or just hype. In July 2015 he said, “Computer experts have long warned about a catastrophic cyber-attack...With all of the enormous resources the country enjoys, those warnings seemed like the rantings of a digital Chicken Little...I admit I was terribly wrong. We are so screwed...I attended a preview of retail giant Target’s new “Internet of Things” showroom...I couldn’t help notice an irony: the retailer that in 2013 was subject to a hack that [compromised] the credit-card data of 100 million consumers now wanted people to entrust their entire homes to the internet...One week later I found myself at a dinner in a fancy hotel to discuss cybersecurity with the executives of top Silicon Valley firms. Unlike the festive Target event, the mood was decidedly grim...By 2020 the US will be hit with an earthquake of a cyber-attack that will cripple banks, stock exchanges, power plants and communications, an executive from Hewlett-Packard predicted. Companies are nowhere near prepared for it. Neither are the Feds...“A slow-moving train wreck,” one executive said. Forget about coordinating with each other or the Feds: companies don’t even know how to deal with their own hacks, never mind worry about someone else’s…”
  3. Tony Scott, the US chief information officer (CIO), was previously CIO at VMWare and Microsoft, two major tech corporations. He was quoted in a July 2015 Washington Post article. “A big problem exposed by a massive data breach at the Office of [Personnel] Management (OPM) is the woeful state of the federal government’s cybersecurity. It’s not comforting when the Obama administration’s chief information officer says Uncle Sam’s information technology needs bubble wrap and Band-Aids to help counter cyberattacks...The federal government has a serious shortage of cyber talent and the future is dim...”
  4. Security professionals responsible for the security of organizations networks and data, as well as many other well-respected security leaders are generally open about the likelihood that pretty much any digital system can be successfully attacked. A July 2015 article pointed out that: “...the 2015 Black Hat Attendee Survey polled a...group of 460 security professionals.
    Norse Real-time Digital Attack Map
    Seventy-three percent said they thought their organizations would suffer a data breach at some point in the next 12 months, but only 27 percent said that the group would be able to handle it
    ...”
When Copernicus and Galileo said Earth orbited the sun, people didn’t believe them. You don’t have to believe the cybersecurity people referenced above, but you owe it to yourself to research the topic and not just blindly trust the companies who sell digital security products and services and the US government to take care of you.

Anyone who does not feel a need for greatly improving their personal digital security, or the security of their organization, will not be interested in the rest of this post. For those who are deeply concerned about cybersecurity in the US and in NE Wisconsin, below is the general outline of this regional cybersecurity proposal.

The NE Wisconsin cybersecurity initiative will be led by a new collaborative college degree program with at least one four-year college and one two-year college in our region. Our goal is not to amaze Stanford and MIT by creating digital security breakthroughs or to be recognized as the world’s best cryptoanalysts. The goal of this cybersecurity initiative IS to make sure all residents and organizations in NE Wisconsin can be part of the 1% that Alex Stamos referred to above, the companies and individuals who have cost-effective world class security assistance and know enough to be safe on the Internet and in the rest of their digital world. So I don’t expect NE Wisconsin colleges to develop new encryption software, to create world-class antivirus programs or to out-hack the NSA. The Wisconsin colleges will instead develop classes and student projects designed to learn from the best digital security practices and leaders. Our colleges will graduate students who can help everyone in NE Wisconsin use the most effective cybersecurity knowledge-and-tools to be part of the safest 1% of the digital world.

A four-year college will teach students how to research, understand and use specialized and deep cybersecurity knowledge across the total spectrum of digital applications, while two-year colleges will address workforce development needs by training cybersecurity technicians with practical knowledge. The tech college(s) will graduate cybertechs who maintain business and organizational digital security systems or will work for cybersecurity providers. The tech college(s) will also retrain older workers who want to work in the cybersecurity industry. Security refresher classes will be provided at the tech colleges and will be mandatory for certified NE Wisconsin cybersecurity provider employees.

Many US four-year and two-year colleges offer outstanding cybersecurity programs. NE Wisconsin’s college cybersecurity program will be designed with components of the best existing programs from around the country, but it will be differentiated from existing college programs in these three ways:

  • Best-Practices-of-2015 Curriculum / Unconventional Advisers Board
  • Emerging Systems Security Specialists
  • Extensive Community Collaboration

Best-Practices-of-2015 Curriculum / Unconventional Advisers Board

Cory Doctorow
We will design the curriculum and college program components by starting with a template from a highly rated colleges. The program will then be modified based on input from unconventional recognized domain experts such as Bruce Schneier, Steve Gibson, Cory Doctorow, Mark Russinovich, Mike Masnick, Daniel Suarez, Brian Krebs, and others, focusing less on traditional ‘firewall / antivirus / penetration testing’ (although a comprehensive strategy of using cost-effective traditional cybersecurity tools is necessary) and more on identified 2015 cybersecurity approaches and tools such as the NIST framework of ‘identify, protect, detect, respond and recover.’ The guiding principle of the NE Wisconsin college cybersecurity program is to provide the best possible attack prevention systems, but to also acknowledge that systems will be attacked and sometimes exploited, and to design resilient systems that best cope with exploits.

Emerging Systems Security Specialists

Security is rarely the top priority for new digital devices or for products and systems which were not previously Internet-connected or capable of wireless communication. This means cybersecurity for emerging products and systems such as smartphones / tablets, BYOD work / personal dual-use devices, cloud, Internet of Things, personal fitness, wearable computing, and connected-car systems can be weak, untested or non-existent. The NE Wisconsin cybersecurity program will help area residents have the best possible security when using these emerging systems.

Extensive Community Collaboration

This cybersecurity initiative will be extensively focused on collaborating with the people and organizations in our region. Similar to the goal of the overall regional cybersecurity program, the primary goal of this community collaboration is to help residents and organizations of NE Wisconsin be in “the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online.”
  • Cybersecurity analysis, recommendations and training for NE Wisconsin organizations.
  • Cybersecurity analysis, recommendations and training for NE Wisconsin consumers.
  • Audit and certification system for NE Wisconsin cybersecurity service companies.
  • Work with local civic hackers and TIME community (tech, innovators, makers, entrepreneurs)  to launch the NE Wisconsin Cyber Defense Force (NEW CDF).
  • Build an intentional and extensive cybersecurity network with people inside and outside NE Wisconsin.
  • Focus on catalyzing local cybersecurity startups and assisting them with launch.
Other people have already recognized and acted on the need for community collaboration and citizen involvement in cybersecurity. In “The Michigan Cyber Civilian Corps: Like a volunteer fire department for cybersecurity,” you can read about a civilian group who “volunteer to provide expert assistance to the state…[and] rapid response to Governor-declared state of emergency cyber incidents.” Sort of like an infosec National Guard, but more informal.

The goals of the NEW CDF civic hacker collaboration with the region’s college cybersecurity program has similarities to the Michigan Cyber Civilian Corps (MiC3), but also has significant differences. It will not be described as a volunteer fire department for cybersecurity or as a Cyber National Guard.
  1. The CDF will not have a primary role of responding to emergency cyber incidents like MiC3 does and will not have the mission of “protecting cyber infrastructure”. Its primary roles will be prevention and one-on-one assistance after consumer or business digital attacks.
  2. The CDF will not provide services to the entire state of Wisconsin; it will only organize activities and provide help to residents and organizations in the 18 counties of NE Wisconsin. Any statewide cybersecurity effort would end up focusing most of its resources and time on Milwaukee and Madison.
  3. The CDF will be an integral part of the audit and certification system for the region’s cybersecurity service providers. This system will ensure that consumers and businesses will be getting top quality service from highly-rated providers.
  4. The CDF will have a community-building mission to connect all NE Wisconsin’s citizens who are highly interested in cybersecurity. There will be CDF events in communities large and small throughout the 18 counties to connect with everyone who wants help with cybersecurity and with everyone who wants to be part of the team providing that help.
  5. In addition to connecting with like-minded people in NE Wisconsin, the CDF will connect with other cybersecurity geeks throughout the US and around the world to both learn and share knowledge and best practices.
  6. The CDF will provide an environment that catalyzes the launch of cybersecurity startup companies.
I hope today’s post helps you understand the big picture of the proposed NE Wisconsin cybersecurity initiative. If you have suggestions or questions, please contact me at bwaldron (at) gmail [dott] com.

More importantly, if you feel this proposal should become reality and you want to see it happen, please share a link to this post with everyone you know and encourage them to support the proposal. In order to launch and make an effort like this successful, we need the Right Influential Person to hear about this cybersecurity proposal.

Most importantly, if you’re an influential community leader in NE Wisconsin or can in some way help this cybersecurity program be launched, please contact me, and we can start defining Next Steps to make it happen.

------------------------------------------

DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: “Cybersecurity & Civic Hacking # 2: Public Wi-Fi
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: “Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & Civic Hacking # 8: Hype or Reality?"
C&CH # 09: “Cybersecurity & Civic Hacking # 9: Digital Attacks On Hardware
C&CH # 10: This post, published August 11, 2015
C&CH # 11: "Cybersecurity & Civic Hacking # 11: What If There Is No NE Wisconsin Collaborative Cybersecurity Initiative?"

*****

No comments:

Post a Comment