Articles

Authentication, identity management start-ups lead 2019 VC investing


Cybersecurity venture investments reached nearly $7 billion in 2019. Authentication and identity management start-ups were the top lures.

The red-hot venture capital (VC) investment trend for cybersecurity start-ups turned white hot during 2019, with the number of investment deals in “pure-play” cybersecurity companies soaring from 2018 levels. According to one set of numbers, the Venture Monitor report produced by Pitchbook for the National Venture Capital Association (NVCA), the cybersecurity sector is attracting “unprecedented levels of VC deal-making.”

The goal of all this deal-making is to cash out wisely when companies are either acquired or go public on the stock exchange. Like VC spending, 2019 was a major year for cybersecurity acquisitions, with more than 150 deals totaling more than $23 billion taking place.

The NVCA data, however, shows a downtick in total venture investment in cybersecurity start-ups from 2018 to 2019, from around $6.5 billion to around $5 billion. That slip is consistent with a PwC/CBInsights report on 2019 venture spending, which doesn’t break out spending for the cybersecurity sector separately but shows overall venture investing falling toward the end of the year, with year-over-year spending levels dropping by 9% to $108 billion.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

5G security is a mess. Could digital certificates help?


5G inherited security vulnerabilities from earlier mobile technology, but digital certificates might solve the issue of unauthenticated messages.

As countries around the world begin deploying 5G technology, the promises of faster speeds and better service sometimes obscure a host of security issues affecting the next-generation cellular technology. These security concerns exist despite improvements in data encryption, authentication and privacy embodied in recent releases of the Third Generation Partnership Project (3GPP), the technical standards organization for cellular communications.

The most prominent of 5G security fears are highlighted in the Trump administration’s fight to ban technology from China’s tech giant Huawei from U.S. next-generation networks. The U.S. government is also seeking to persuade European and other allies to shun Huawei, an effort that has met with limited success. The basic fear driving the Huawei ban is that the company caters to the government in Beijing and might very well embed surveillance capabilities into its technology or otherwise spy for the Chinese government, making 5G completely insecure from the get-go.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Presidential campaigns taking email security more seriously–not so much at the local level


DMARC now protects the email domains for most U.S. presidential candidates, according to a new report, but local election bodies lag behind and are vulnerable to spoofing.

The 2020 election season got off to what could be a record-setting rocky start with delays in the reporting of the Iowa caucus results due to a poorly developed app. The failure of the mobile IowaReporterApp developed for the Democratic party by a company called Shadow, Inc., followed by revelations that the app was riddled with security errors, further fueled the flames of anxiety about the security of 2020 voting and election systems. (To be clear, the IowaReporterApp was not a mobile voting app but merely a means of collecting and reporting the results of the individual caucuses.)

Against the spectacular failure of the Iowa caucus and as the Democrats head into tomorrow’s New Hampshire primary having ditched the Shadow app, there are some signs that election-related security is otherwise headed in the right direction. For the first time, the 2020 U.S. presidential election hit a milestone because more than half of the candidates for president have domains that are protected from spoofing, according to a just-released study by identity-based anti-phishing company Valimail.

Of the 14 candidates currently in the race (including Donald Trump but excluding Joe Walsh, who dropped out last week), eight are protected by Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies set to enforcement. DMARC is an email authentication, policy and reporting protocol that builds on two other widely deployed email security protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), that give domain owners control over who can send as them.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

Recent False Claims Act cases a caution to gov’t contractors that skimp on security


Two FCA cases unsealed in 2019 show that contractors can face multi-million-dollar penalties if they don’t comply with federal government cybersecurity requirements.

The False Claims Act (FCA), otherwise known as the “Lincoln Law,” can cost companies that supply goods or services to the federal government millions of dollars if they fail to provide the digital security protections they promise, as two recent cases illustrate. In one of the cases, Cisco Systems was forced to pay millions of dollars to the federal and state governments.

First passed in 1863 during the Lincoln Administration, the FCA was aimed at fraudulent contractors who sold bad horses, provisions and munitions to the Union Army. One of the law’s provisions allows for citizen “relators” or whistleblowers to be paid a percentage of what can be recovered from those who are proved to have made false claims to the federal government in the sale of goods or services.

Between the Civil War and the mid-1980s, the FCA was little used until it was given a shot in the arm by Congress in 1986 to deal with rampant problems involving defense contractors. The FCA was revised again by Congress in 2009 and 2010.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

On the 2020 Congressional cybersecurity agenda: Critical infrastructure, copyright exemptions


Despite the distraction of an election year, Congress is expected to give the Department of Homeland Security tools to identify critical infrastructure threats and copyright exemptions to security researchers.

Distracted by high-profile developments, gridlocked by partisan resentment, and time-crunched due to the election year, Congress is nevertheless swinging into gear on specific cybersecurity issues, Washington insiders told attendees at Shmoocon 2020 this past weekend. Among the top items that Congress might tackle are new subpoena powers to address critical infrastructure threats, a big-picture policy report, and copyright law exemptions that protect security researchers.

Congressional interest in cybersecurity has escalated over the past decade, the panelists agreed. “Congress members are aware of a challenge. They want to do something to fix it,” Nick Leiserson, legislative director to Congressman Jim Langevin (D-RI), a senior member of the House Armed Services and Homeland Security Committees, said. “There is engagement, and that is very important. That is a change that is not where we were ten years ago when my boss was being looked at [oddly] by his colleagues. You know, they were like, ‘Here’s the tinfoil hat, Jim,’” he said.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

US elections remain vulnerable to attacks, despite security improvements


Continued Russian interference, insecure paperless voting processes will sow doubt about the next election.

Days away from the Iowa caucuses, and less than 11 months from the general election, voting and election security continues to be a challenge for the U.S. political system. Threats to a secure election appear to loom as large today as they did in 2016, when Russian state-backed hackers and social media trolls threw U.S. political campaign and election efforts into chaos, turmoil that has only become clear after the fact.

Certainly, voting security has made great strides since 2016. State and local governments took advantage of a funding boost under the Help America Vote Act to improve their infrastructure and better coordinate among themselves to harden election systems. Congress allocated an additional $425 million as part of a spending compromise that was passed and enacted in late December, giving election officials even more latitude to make improvements.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

2020 outlook for cybersecurity legislation


Here’s a rundown of all the security-related bills working their way through this year’s U.S. Congress, plus some hot security topics likely to be debated.

As the partisan divide in Washington widens during this 116th Congress, the prospects of enacting any meaningful legislation that bolsters the nation’s cybersecurity seem, at first blush, dim. Of the nearly 300 pieces of legislation that touch on some aspect of cybersecurity, or more urgently, election security, introduced since the current Congress began last year, only nine have become law. Most were budget-related measures that appropriated or increased funds for federal agencies to spend on cybersecurity or election security as part of the fiscal 2020 spending deal passed in December.

Now, roughly halfway through the current Congress, it’s time to take stock and review where things stand in the legislative arena. A number of bills have been passed by either the House or the Senate and are awaiting further action. They are worth watching in 2020 because they have progressed the farthest and arguably might come closest to gaining some momentum toward passage.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

High-profile departures widen federal government’s security talent shortage


Recent key departures–voluntary and forced–might make it harder for government agencies to find the talent needed to fulfill their security missions.

Respected and influential government cybersecurity veteran Jeanette Manfra announced this month that she is leaving her position at DHS to join Google as its global director of security and compliance as part of a new security team at Google Cloud. At Google, Manfra, who currently holds the title of Assistant Director for Cybersecurity for the Office of Cybersecurity and Communications at DHS’ Cybersecurity and Infrastructure Security Agency, will spearhead an “Office of the CISO” initiative at Google Cloud to help customers improve their security postures.

Manfra’s departure is just the latest in a string of high-profile departures from the ranks of well-regarded cybersecurity experts from the federal government. Google recruited at least two other prominent government cybersecurity officials to join its ranks. Kate Charlet, who served as acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense, left in 2017 and is now Director of Data Governance at Google. Daniel Pietro, who was Director for Cybersecurity Policy on the staff of the National Security Council, left his role in 2017 to work as an executive for Public Sector Cloud at Google.

[This article appeared in CSO Online. To read the rest of the article please visit here.]

The race for quantum-proof cryptography


Lawmakers briefed on quantum computing’s threat to encryption and the urgent need for mathematical research.

One of the biggest threats to privacy and national security is the ability of the immensely powerful quantum computers to break prevailing methods of encryption almost instantaneously. Once quantum computers become a reality, something that could conceivably happen in the next decade or two, all of the data protected by encrypted systems on the internet will become decrypted and unprotected, accessible to all individuals, organizations or nation-states.

Dr. Jill Pipher, President of the American Mathematical Society, VP for Research, and Elisha Benjamin Andrews Professor of Mathematics at Brown University, led a briefing last week for lawmakers on Capitol Hill called “No Longer Secure: Cryptography in the Quantum Era” about the threats that quantum computing poses to existing cryptographic systems that support national and economic security. Senator Jack Reed (D-RI) began the briefing by saying “we’re acutely aware of the potential advantages and disadvantages that quantum presents. And we’re also very concerned that some of our adversaries and competitors are investing a great deal in quantum computing.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]

CrowdStrike, Ukraine, and the DNC server: Timeline and facts


Politicizing cybersecurity only serves to undermine trust in its practices and objectivity, experts fear.

President Donald Trump, Senator John Kennedy from Louisiana and Secretary of State Mike Pompeo have all given credence to what cybersecurity experts and the US intelligence community deride as a baseless conspiracy theory pushed by Russia. That theory posits that Ukraine, and not Russia, was responsible for hacking into the networks of the Democratic National Committee (DNC) in the run-up to the 2016 presidential election.

Kennedy quickly backtracked from blaming Ukraine for the DNC hack, but nonetheless left wiggle room to return to this contention. After admitting he was “wrong” to imply Ukraine and not Russia hacked the DNC, he went on to say, “There is a lot of evidence, proven and unproven — everyone’s got an opinion — that Ukraine did try to interfere, along with Russia and probably others, in the 2016 election.”

[This article appeared in CSO Online. To read the rest of the article please visit here.]