
Welcome to the Ingenious Minds Blog of Sam Visner, Vice President and General Manager, Cybersecurity.
- As governments increasingly shift their cybersecurity discussions to center stage, it’s clear that cyberexploits and attacks have become part of the landscape. This new reality in turn raises the question, “How do we handle the situation?”
- Increasing concern about cyberthreats aimed at critical infrastructure and the theft of intellectual property and privileged information continues to escalate planning, actions and calls for new capabilities, such as the plan announced recently by the U.S. government to form offensive, as opposed to solely defensive, cyberteams to combat these threats.
- Recent government analyses focused on the costs of cybercrime, such as this estimate by the U.K. National Audit Office that cybercrime is currently costing that nation between £18 billion and £27 billion, continue to emphasize the role of cyber resilience as a critical economic enabler. One can make an analogy of cyber resilience to the human body: It’s implausible to create an environment in which you never get sick. No one is going to live in a bubble, nor will companies or societies; it’s a big dirty world. So, the question to ask is: “How do we keep ourselves from contracting a deadly disease, while still understanding that occasionally we do fall sick? How do we stay healthy enough to recover quickly?” In cyber, you can’t operate inside a hermetically sealed environment. For one thing, you don’t even control that environment. For example, some enterprises share information environments with suppliers, vendors, subcontractors, distributors, designers and customers. The real issue is: Will you be able to successfully carry on your work as a government, as a company or as a department despite the fact you have to live in an environment where there’s always some menace. In the end, resiliency may be more important in some ways than other aspects of cybersecurity. Some view cybersecurity as a world in which we keep all threats out, whereas resiliency says, “I can keep going in the presence of these threats.” However, you have to be careful to keep from extending this analogy further. It’s one thing if you are afflicted with malware and can get yourself back on your feet, but if at the same time you lose essential information, such as critical intellectual property, or if your infrastructure is damaged, you may find it harder to recover. For example, what some cyberterrorists do is damage your information — not so that they can steal it, but so that you can’t use it.
Or, in the case of a computer network attack, before you can recover, a power grid could be damaged, or the centrifuges that make highly enriched uranium could burn out. The fact that you have resiliency doesn’t remove the need to be as secure as possible, particularly in regard to critical assets, which can’t be risked. To get back to the human body analogy, in the end you can recover from a lot of things, but there’s a point beyond which if you suffer a rise in temperature, for example, you will have brain damage and you won’t recover. Resiliency is important, and is frequently overlooked, because mostly it’s about continuing to operate. However, you have to be careful that the resiliency issue isn’t extended beyond the point of making good sense.
- Today’s spotlight continues to expand on cyberthreats, particularly to critical infrastructure, evidenced most recently by President Barack Obama’s Executive Order – Improving Critical Infrastructure Cybersecurity. Aimed at building on the government’s partnership with critical infrastructure owners and operators, perhaps the most important directive in the order is the collaborative development of an effective framework of standards, practices and procedures under the National Institute of Standards and Technology. While there is much debate among stakeholders regarding whether such a framework should be mandatory or voluntary, and whether it contains within it the foundation for a stronger regulatory approach, it’s clear we need such a framework. In the past, an organization’s operational technology (OT) — which, for example, serves to open and close valves, as well as regulate turbine speeds and even systems that mediate the clearance of international financial transactions — was not built to use the Internet or connect with an organization’s enterprise information technology architecture. Today, however, organizations are starting to see the potential benefits of linking their OT and IT systems and adding devices to their infrastructures with Internet protocol addresses. A great deal of benefit can be gained from enriching our lives with this technology. Indeed, the worst possible answer is letting fear, uncertainty and doubt constrain us from making the best use of our best technology. Instead, in the cybersecurity world, we have to find a way to get the wolf away from the door, not lock ourselves in our homes, and enjoy this ecosystem of information technology that we have created. As a country, our greatness is characterized by solving problems at the technology frontier, rather than retreating from them.
In the end, this means building a secure, seamless ecosystem that goes from the mobile device in our pocket all the way to the programmable logical device that’s embedded in a power plant turbine, a pipeline or an air traffic control system. Accomplishing this will be our next big challenge, and getting this done will require strong collaboration between industry and government. In the near term, organizations looking to link their operational and information technologies need to examine carefully their plans for this interconnection, assess the results and security from that interconnection, start to perform gap analysis between what they have and what they need, and develop an action plan to close those gaps. This is hard work, but it needs to be done. And, we must go further. The National Institute for Standards and Technology, which the President’s Executive Order discusses, may be key in helping develop really secure cyberecosystems. To solve this technology challenge requires a national research agenda that stimulates the development of standards and encourages discussion as to how these standards can be realized rapidly. We’re facing the emergence of two huge vulnerabilities: unsecured mobile devices and unsecured operational technology. Resolving these vulnerabilities is not something that will happen instantly. Instead, it’s going to require effective collaboration between industry and government. That action is likely to be voluntary, but some type of regulation may prove necessary as well. Because inevitably someone will see the cost benefits of linking their operational and information systems. And while we shouldn’t be in a rush to make that transition, the pressures to make that transition at some point will be almost irresistible.
- The associated challenges of securing enterprise data, keeping data private and protecting intellectual property may seem daunting. But fasten your seatbelts: In 2013 we’re also going to start integrating these concerns with the security of systems used for manufacturing, supply chains and critical infrastructures.
- Sam was a guest on WUSA9's Government Contracting Weekly in the Washington, DC metro-area. Sam talked with host Hilary Fordwich about current cybersecurity threats, important progress on public-private partnerships, and the challenges facing today’s CIO. The show can be viewed here.
- It’s been said that commercial and public sector cybersecurity are too different to address in common. We’ve heard that national security-level cyber threats are beyond the concern of the private sector. While that might have been true in the past – and I don’t think it ever was true – we’ve come to a different realization.
- We get asked from time to time what we think of the "value of cybersecurity." How much, we're asked, is cybersecurity "worth?" What are the units of cybersecurity we measure? What should they cost? How valuable are they?
- In the recent past, we worried about financial cybercrime. That kind of cybercrime remains a problem, surely, but we’ve learned that the risks associated with the theft and misuse of intellectual property, such as the design of a new aircraft fuselage or a new pharmaceutical, or of a company’s global go-to-market strategy, or even the trade negotiating position of the US or one of its allies, can be worth far more, in the wrong hands. That said, we’re still some way from characterising accurately the scope of either financial cybercrime or the theft of intellectual property. However, either can be a measurable proportion of a country’s GDP. In fact, the theft of intellectual property has the potential, some believe, to alter the global economic balance.
- Push on a balloon and make an indentation. You'll notice that somewhere else, the balloon bulges. The balloon's volume is finite; at some point, with enough pressure, it will burst. Today's cybersecurity challenge is a bit like that bulging balloon. Everything we do has an effect on just about everything else.
