
    More Women Needed to Close the Cybersecurity Workforce Gap: Picks of the Week

    The 2017 Global Information Security Workforce Study: Women in Cybersecurity | Center for Cyber Safety and Education, (ISC)2, and the Executive Women’s Forum
    No Woman’s Land: Cybersecurity Industry Suffers from Gender Imbalance, Discrimination | Law.com
    Women May be the Key to Unlocking Cybersecurity Workforce Deficit Puzzle | Bloomberg

    Information security demand is far outpacing the supply of knowledgeable and experienced cybersecurity professionals capable of addressing the numerous cyber threats that the modern world is faced with. The widening gap between the burgeoning demand for cybersecurity talent and the supply of a professional workforce has been a common theme throughout my studies in the past few years. As I wrote before, the shortage of a highly trained cybersecurity workforce can be felt across all sectors, from the federal government to Fortune 500 companies, with potentially negative consequences for national security and the global economy. Over 209,000 cybersecurity jobs are currently estimated to be vacant in the United States alone, with the number predicted to rise to 1.8 million globally by 2022.

    The tech and cybersecurity industries are among the most in-demand, profitable, and critical fields in modern history. But, although cybersecurity professionals are in great demand and can command impressive salaries, there is still a critical shortage of talent worldwide and, in particular, of women – who represent an astonishingly low number of current professionals in the field and who face a much harder path to reach the upper echelons of the corporate world.

    According to a new report, while women represent 43% of the global workforce, they only fill 11% of cybersecurity positions. The newly released Women in Cybersecurity workforce study, published by the Executive Women’s Forum on Information Security, Risk Management and Privacy (EWF), and the Center for Cyber Safety and Education, sheds light on the persistent challenges that women face when entering this growing field due to wage gaps, missed or delayed promotions, and discrimination. The study surveyed over 19,000 information security professionals from 170 nations.

    As Lynn Terwoerds, EWF Executive Director, said in a press release: “the under-representation and under-utilization of female talent is both a critical business issue and a hindrance to the development of world-class cybersecurity organizations and resilient companies, as well as the overall safety and protection of our country.” The new report also found that women in cybersecurity earn less money than men at every level, are four times less likely to hold executive positions, and are nine times less likely to hold managerial roles, despite having higher levels of education and certification than men (half of the women surveyed held a master’s degree or higher, compared to 45% of men).

    The shortage of cybersecurity professionals, and especially women, is often exacerbated by a lack of objectivity and consistency in competency models and measurements to ensure men and women are entering and moving up in the industry equally, and by unconscious and conscious biases present all the way through recruiting, hiring, and performance evaluations. These endemic aspects are compounded by a lack of clarity in job descriptions, competing professional certifications, and multiple different training and education standards, which in turn make it harder for organizations to properly identify, recruit, place, and manage the cybersecurity workforce they need.

    Solving complex problems, such as preventing, responding to, and mitigating sophisticated cyber threats, requires diverse experiences, different talents and backgrounds, and many ways of thinking. We cannot expect to close the widening gap between supply and demand of cybersecurity professionals without including more women and minorities, so diversity has to be part of the solution.

    While no single panacea exists to attract more women to this growing field and to close the workforce gap to equilibrium, organizations in both the public and private sector can start by focusing on developing programs to further educate and retain their existing workforce. These include: ensuring that all staff are regularly trained and tested so that they understand and fully appreciate their role in maintaining a strong cybersecurity posture; providing employees with opportunities to connect with mentors within and outside of the organization to help navigate some of the perceived or actual barriers and to further develop their skills; offering other incentives such as flexible work hours and paid maternity leave; and addressing wage disparity by establishing clear pay structures based on merit and movement through the profession. Leadership, sponsorship, and skill development programs can also help build the pipeline, since women who have completed these programs report feeling more valued in their organizations, according to the study. Other effective mechanisms that can help organizations identify, recruit, manage, and retain cybersecurity professionals, including women and minorities, include: taking a proactive role in promoting gender diversity in the cybersecurity field; looking at the universities that have higher percentages of women and minorities participating in cybersecurity or related programs and recruiting from these institutions; joining recruiting alliances that promote workforce diversity; placing increased value on real-world experience (versus solely qualifications); and establishing an employee referral program to recruit talented and trusted cybersecurity professionals from employees’ personal networks (e.g. universities, professional associations).

    Addressing the critical pipeline issue of women in the cybersecurity workforce, however, has to start at the leadership level. Senior leaders need to commit to reversing this trend — from our universities to our board rooms — and working to create a workforce with a diversity of thoughts, genders, and backgrounds before the issue becomes irreversible. – Senior Fellow Francesca Spidalieri


    What is the GDPR and What Does it Mean for Small Businesses?

    Picks of the Week

    Originally published on White Hawk

    The digital age has ushered in new ways to think about privacy issues, and any business that uses information and communications technologies (ICTs) and the internet to process, store, communicate, and share data can no longer ignore the risk of data breaches, privacy violations, hacking, and other cybersecurity concerns. Indeed, cyber risks affect all industries and markets and can represent an existential threat, especially to smaller companies that have limited resources and have built their business around one line of products or services. In response to the growing number of damaging data breaches in recent years, the European Union (EU) has updated older data protection regulations, raising the standards – and the stakes – of personal data privacy and strengthening the rules of the road for businesses that handle large amounts of personal information. Recent events like the Facebook-Cambridge Analytica data leak scandal are among the reasons why stricter data regulations, such as the EU General Data Protection Regulation (GDPR), are needed to prevent future large security breaches, give users more access to and control over their own data, and ultimately penalize those who fail to protect the data they collect and profit from.

    The Good:

    The GDPR – adopted by the European Parliament on 24 April 2016 and entering into force on 25 May 2018 – will require organizations to implement substantial changes to their data protection compliance programs, business processes, and IT infrastructure to demonstrate due care, custody, control, and protection of data originating in the EU, as well as protection of individuals’ right to privacy. The GDPR aims primarily to give EU citizens and residents control over their personal data and to simplify the regulatory environment for entities operating in the EU. This new privacy regulation reaches across geographical and industry lines and will apply to anyone with a presence in the EU, or who handles, collects, stores, transfers, or disseminates data on EU citizens, including businesses and other legal entities.

    The GDPR strengthens existing data protections for individuals inside the EU and sets forth regulations on exporting data outside of the EU, including:

    1. Distinguishing and clarifying the different roles and responsibilities of those who control data (the individual or company that makes decisions about data processing activities, the “controller”) and those who process data (the individuals or companies contracted by the controller to handle and collect data, the “processor”).
    2. Expanding the scope of what is understood to be personal data, including names, ID numbers, and locations, as well as IP addresses, cookies, and other digital fingerprints.
    3. Streamlining enforcement authority to one supervisor per member state, and mandating that companies notify consumers of a data breach and report it to the appropriate supervisory authority within 72 hours of its discovery.
    4. Giving users the right to access previously released information, to receive that information back in a clearly written and easily transferable format, and to have it transferred to another data controller.
    5. Leveraging penalties for non-compliance to strengthen corporate data protection practices and the responsibility of entities that capture and use customer data. Fines can be up to:
    • 10 million euros ($12 million) or 2% of a company’s global annual turnover (whichever is greater) for breaches; and
    • 20 million euros ($24 million) or 4% of a company’s global annual turnover (whichever is greater) for very serious breaches.

    One of the many pending questions that remains is: how will the GDPR affect small businesses?

    The Bad:

    Many organizations and even privacy experts are wondering whether the regulation is more about legal verbiage than transparency and clarity about what constitutes personal data, while business owners – especially those with smaller operations – are still asking how they can prepare and budget for the changes required by the new legislation. Reporting requirements, for example, could result in a high volume of responses that may not be handled promptly by a small business with limited resources, and controllers could be held accountable for violations caused by their third-party vendors. Complying with this new regulation may also delay the development of new technologies and products, since most organizations will need to invest additional budget and effort to comply with the consent, data mapping, and cross-border data transfer requirements under the GDPR. This may require shifting important resources away from research and development into compliance efforts.

    Although it could be argued that this regulation was not realistic with respect to security expectations, and that it was drafted by the EU Parliament as a reaction to the increasing scale, scope, and volume of data breaches and violations of privacy rather than by IT and cybersecurity experts who understand data security, these are now the requirements that businesses will have to comply with if they want to continue doing business in Europe.

    The Ugly:

    Small and mid-size businesses are far from ready for the impending GDPR, and may have difficulties implementing it, especially if a company lacks the money and expertise needed to create a detailed security and privacy program. A quick look at most informational blogs and public forums regarding the GDPR shows that many small and medium-size organizations lack a clear understanding about this regulation and are still wondering whether the GDPR even applies to them (for example, see the conversation about the GDPR on the linkfluence blog). All companies that hold personal data on EU consumers must soon be able to demonstrate that they have updated their privacy policies and terms of service in order to comply with the GDPR or be ready to face hefty penalties.

    The Silver Lining:

    Despite the imperfections and the possible problems with implementing the GDPR for some, leaders in the SMB community can improve their security programs and stay under budget by being proactive and realistic about their capabilities. First and foremost, every organization should know what kind of data (e.g., PII, PHI, PCI, etc.) it stores, collects, or processes, where it is located, who has access to it, and how it is being protected. Second, organizations should understand the risks they are exposed to; assess their security measures and policies – including their incident response and business continuity plan(s); allocate appropriate human and financial resources to minimize cyber risks; and ensure that all their employees are trained and up to date on the GDPR and on how to report a breach if it occurs. Third, they should be able to demonstrate due diligence on their supply chain and certify that all suppliers and contractors are also compliant with the GDPR to avoid setbacks. Lastly, a simple rule of thumb may be: if you do not need to store sensitive personal data related to EU consumers for legitimate business reasons, just erase it.

    One of the positive outcomes of this regulation is the potential for the GDPR to become a revolutionary standard for data protection and privacy rights that other countries around the world may decide to follow in the future.

    For more tips and information on cybersecurity best practices, see: Understanding Cyber Threats – Lessons for the Executive Team.


    Pell Center Hosts first-ever Conference in Rhode Island on Blockchain, Bitcoin and Cryptocurrency

    Written by: Francesca Spidalieri, Senior Fellow for Cyber Leadership, and Darwin Salazar, Cyber Leadership Intern & Founder of the Salve Cybersecurity Club

    Senior corporate leaders, entrepreneurs, investors, government officials, military personnel, law enforcement, researchers, and faculty members from multiple organizations in New England and abroad convened at the Pell Center at Salve Regina University on November 29, 2017 to participate in the first-of-its-kind conference in Rhode Island on Blockchain, Bitcoin, and Cryptocurrency. Senior officials such as the Israeli Economic Minister to North America, Inon Elroy, the RI State Cybersecurity Officer, Mike Steinmetz, and representatives of the Consulate General of Israel were in attendance. The event, organized in partnership with the newly established Rhode Island-Israel Collaborative (RIIC), featured world-renowned experts from organizations at the forefront of these emerging technologies from the US and Israel, including the Israeli government, IBM, and Tel Aviv University.


    Avi Nevel (left) & Jim Ludes (right)

    As Mr. Avi Nevel, CEO and President of RIIC, stated: “Israel is now leading in cutting edge technology in cyber and fintech innovation, and it was a pleasure for our organization to cooperate with the Pell Center to bring together top experts in these fields, with the hope of making Rhode Island and Israel a hub for blockchain technology involving Israeli and Rhode Island companies and academic institutions.”

    Just one day before the event, bitcoin experienced a meteoric increase from $9,800 to a high of $11,300 overnight, which brought much anticipation and curiosity for this conference.  (As of this writing, bitcoin is now trading at $15,800.)  This cryptocurrency was worth about $756 only last year. This exponential rise has sparked both interest and concerns about the technology behind it – blockchain – and all its possible applications across various industries including healthcare, banking, finance, legal, and even cybersecurity.

    Dr. Roey Tzezana

    The event was moderated by Dr. Roey Tzezana, a renowned Israeli futurist, and author of multiple books on the subject. In his opening remarks, he talked about blockchain technology and its potential disruption to societies and organizations in the future and its potential impact on the new world order looking 20-30 years down the road.

    Explaining the technology that underpins blockchain to non-IT experts is not an easy task. The conference keynote speaker, Ronen Siman-Tov, CTO of IBM’s AlphaZone Accelerator, described blockchain as a distributed ledger (or a permissionless distributed database or public record of transactions in chronological order) that is shared between participants across an established network. The technology is made up of a series of blocks, with a new block added every time a new transaction is made. These transactions must be validated by entities within the blockchain network. No transaction can ever be erased from this chain of blocks, making this technology tamper-proof, anonymous, and unchangeable, which in turn brings a heightened sense of trust and security to every party involved in the network. This also makes it easier to go back and audit all transactions that have ever been executed within the network. In the words of Siman-Tov, “what happens in the blockchain, stays in the blockchain.”
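    To make the "chain of blocks" concrete, here is an added Python example (not from the conference or any speaker): each block commits to the hash of the one before it, so a naive edit to a historical block breaks the link and is caught by a verification pass. It also shows the blind spot a single copy has, which is why validation by many independent nodes matters. The transaction strings are constructed sample data.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS_HASH = "0" * 64  # stand-in "previous hash" for the very first block


@dataclass
class Block:
    index: int
    transactions: List[str]  # constructed sample entries such as "alice->bob:5"
    prev_hash: str           # hash of the preceding block: the chain link

    def hash(self) -> str:
        # Canonical JSON so identical content always produces the same digest
        payload = json.dumps(
            {"index": self.index, "transactions": self.transactions,
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches: List[List[str]]) -> List[Block]:
    """Append one block per batch of transactions, each linked to its predecessor."""
    chain: List[Block] = []
    prev = GENESIS_HASH
    for i, txs in enumerate(batches):
        block = Block(i, list(txs), prev)
        chain.append(block)
        prev = block.hash()
    return chain


def verify_chain(chain: List[Block]) -> int:
    """Return the position of the first block whose link is broken, or -1 if intact.

    Blind spot: the newest block is covered only by its own hash, which nothing
    in this copy references, so an edit to the tip passes this local check.
    Nodes therefore compare tip_hash() against independently held copies.
    """
    expected_prev = GENESIS_HASH
    for position, block in enumerate(chain):
        if block.index != position or block.prev_hash != expected_prev:
            return position
        expected_prev = block.hash()
    return -1


def tip_hash(chain: List[Block]) -> str:
    """Digest of the newest block; honest nodes should all agree on this value."""
    return chain[-1].hash() if chain else GENESIS_HASH


def tamper(chain: List[Block], index: int, new_txs: List[str]) -> List[Block]:
    """Edit a historical block in a copy and leave the later links stale."""
    forged = copy.deepcopy(chain)
    forged[index].transactions = list(new_txs)
    return forged


def tamper_and_relink(chain: List[Block], index: int, new_txs: List[str]) -> List[Block]:
    """Edit a block and recompute every later link in the copy.

    The result is internally consistent, so a single-copy check passes. It is
    detected only because its tip hash no longer matches the other nodes' copies,
    which is the reason transactions are validated across the whole network.
    """
    forged = tamper(chain, index, new_txs)
    for pos in range(index + 1, len(forged)):
        forged[pos].prev_hash = forged[pos - 1].hash()
    return forged


if __name__ == "__main__":
    ledger = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    print("honest chain intact:", verify_chain(ledger) == -1)
    forged = tamper(ledger, 1, ["bob->carol:200"])
    print("naive edit detected at block", verify_chain(forged))
    relinked = tamper_and_relink(ledger, 1, ["bob->carol:200"])
    print("relinked copy passes local check:", verify_chain(relinked) == -1)
    print("but its tip differs from honest nodes:", tip_hash(relinked) != tip_hash(ledger))
```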

    Ronen Siman-Tov

    “Business will require four things in order for blockchain to work,” continued Siman-Tov, “a shared ledger, smart contracts, privacy, and trust.” He anticipates that blockchain will ultimately allow parties to make transactions without a third-party intermediary such as an accountant or lawyer, making it a trustworthy and cost-saving technology.

    Mr. Siman-Tov also explained in his GoLocal Live interview, that there are multiple potential uses for blockchain beyond the financial world and across numerous industries. For instance, the Food Safety Consortium is a current use case of a network based on blockchain and its main purpose is to help prevent food fraud and ensure product quality by tracing the food’s activity throughout the supply chain. Walmart, Nestle, Tyson, and Unilever are some of the key players in the Food Safety Consortium blockchain network. Many believe that what the internet did for communications, blockchain will do for transactions and that this technology will “create extraordinary opportunities for businesses to come together in new ways – creating new value, optimizing ecosystems, and reducing risks.”

    Dr. Chris Demchak

    As with the internet and any other new technology, however, there are risks involved, some of which have yet to be realized. Dr. Chris Demchak, RDML Grace M. Hopper Chair of Cyber Security Studies and Director of the Center for Cyber Conflict Studies (C3S) at the U.S. Naval War College, highlighted some of these potential pitfalls. She stated that “anything that can be coded, can be corrupted,” and one point of failure will still be the human factor. Since blockchain networks are written in code, the network is only as good as the programmer who develops it and, as we have learned with the internet, there will be vulnerabilities in the code that can be exploited by malicious actors. She also warned that blockchain may not be the right answer for everything and may not be widely useful beyond originating financial transactions. Another potential issue with blockchain is scalability. As more transactions are made on the blockchain network, it will become harder to process them and scale over time. This is a consequence of the fact that new ‘blocks’ will continue to be added on top of older ones (i.e. the size of the blockchain will continue to grow), and that every fully participating node in the network must process every transaction, which in turn requires increased storage, bandwidth, and computing power. This will lead to increasingly longer transaction-approval times. Multiple researchers and experts in the field are currently working on possible solutions, but until we figure out how to scale the blockchain, we will be limited in how fast and wide this technology can actually grow.

    As with all new technologies, there are still kinks to be worked out and patched, but many of these issues can only be realized through real-world implementation and application of the technology. With that being said, all the participants at the Pell Center event agreed that the cost-saving impact of blockchain will be significant for many industries.

    After the formal part of the program ended, attendees participated in a dedicated workshop for different industry sectors, including finance, healthcare, government, defense, and cybersecurity. They discussed the potential implementations of blockchain technology in their respective organizations and devised a preliminary strategy to adopt it.


    Panelists from left to right: Mike Steinmetz, Dr. Chris Demchak, Brian O’Connell, Mark Regine, & Dr. Roey Tzezana

    This conference was part of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can affect change and make the state more secure and resilient to cyber threats. The Rhode Island-Israel Collaborative (RIIC) is a new non-profit organization dedicated to fostering and strengthening trade, business, academic exchange, science, and research between the state of Rhode Island and Israel to mutually benefit their economies and communities. RIIC aims at building and supporting relationships between government organizations, businesses, entrepreneurs, investors, members of academia, and the research community in Rhode Island and Israel. This first conference was generously sponsored by the Newport County Chamber of Commerce, the Consulate General of Israel to New England, and Hinckley Allen.

    For more information on the Pell Center Cyber Leadership Project and future events, visit the RICCI webpage or contact the Pell Center at [email protected].

    For more information about the Rhode Island Israel Collaborative and future events, visit the RIIC webpage or contact the RIIC at [email protected].





    The Equifax Breach is a Case Study in Why We Need a National Data Notification and Protection Law: Picks of the Week

    “The Time is Now for Congress to Act on a National Data Breach Notification Law” | The Hill

    “Equifax Breach Prompts Scrutiny, but New Rules May Not Follow” | The New York Times

    “The single most depressing thing about the Equifax breach” | The Washington Post

    It took over six weeks for credit bureau Equifax – one of the three major credit reporting firms in the U.S. – to disclose the massive data breach that potentially compromised confidential information of 143 million customers – or nearly half of the U.S. population. Aside from the reports on the company’s sloppy cybersecurity measures that made it low-hanging fruit for hackers and its subsequent handling of what appears to be one of the worst data breaches in recorded history, the fact that the company took so long to notify customers is appalling – but given the patchwork of data breach notification laws in the US and the still-too-common disregard for industry-wide cybersecurity standards, it was not all that surprising.

    Breached companies often choose to delay notification of hacks, putting customers at risk while avoiding consequences. While there may be legitimate reasons to delay informing consumers about a data breach, such as an ongoing criminal investigation by law enforcement or the need to assess the full scope of the hack and extent of the damage before letting consumers know and possibly causing panic, companies often wait to go public about a data breach because they fear the damages a hack will have on their reputation, customer trust, stock value, and overall revenues.

    In the case of Equifax, the company’s slowness first in patching a known vulnerability and then in effectively responding to the hack and notifying customers, combined with its high-level executives who apparently sold off almost $2 million worth of stocks days after the breach was discovered, shows a complete lack of leadership and real concern about customers’ privacy and security. Equifax has yet to disclose why it waited so long to inform customers about the breach and, in the meantime, two top executives have stepped down, the legal team and the Board are bracing for probes by the federal and state authorities and a slew of class-action lawsuits, and the CEO is preparing to testify before the U.S. Congress.

    What sets Equifax’s breach apart, however, has less to do with its undue delays or with the number of records breached – Yahoo’s data breach last year affected as many as one billion accounts – than with the high value of the data exposed. The data accessed by still-unknown hackers includes a trove of names, birth dates, Social Security numbers, addresses, driver’s license numbers, and even credit card and bank account numbers. Even individuals who never used Equifax were affected. Indeed, consumers have almost no control over whether their information is absorbed into credit bureaus like Equifax, Experian, and TransUnion, and do not have to provide consent for them to use and process their personal data. If you ever applied for a mortgage, a credit card, a cellphone plan, or to buy a car, Equifax or a similar company likely has your information, which is used to rate your credit-worthiness to banks, home sellers, auto sellers, and others.

    With so much personal information, criminals can easily impersonate you, take out new lines of credit in your name, file fraudulent tax returns, obtain prescriptions, and craft even more sophisticated phishing emails and scams. These types of cyber risks are not isolated to Equifax, but this massive data breach revealed another inherent flaw in the U.S.: the over-reliance on Social Security numbers and the skewed credit reporting system that is in urgent need of reform. The wide use of SSNs in both the government and private sectors, and the ease of using them to access highly sensitive accounts, has made hacking systems such as credit reporting agencies even more appealing to cyber criminals.

    A breach of this proportion should serve as a warning both for policymakers and customers about what may lie ahead. Breaches will only continue to grow in number, volume, and sophistication. As more information becomes digitally available, our data becomes more at risk than ever.

    Unfortunately, companies are not incentivized to prioritize security, resiliency, and privacy, and there is little national oversight on how companies handle data. Indeed, most companies constantly collect and store data even just because they might want to use it sometime in the future – there is no law that forces them to collect only the bare minimum of data necessary, or that limits how long a company can store data, or that requires them to encrypt everything they collect, or that imposes regular security audits. When it comes to notifying consumers that their data has been stolen, laws in the U.S. vary from state to state and differ in how much time companies have, how much information they are required to divulge, and whether they must notify other parties besides the affected people (such as state attorneys general, credit bureaus, or regulators). Past calls in Congress to establish a nationwide standard have repeatedly fizzled. The result is a muddled patchwork of 48 different state laws governing data breach notification; timing is specified in only eight states and varies anywhere from 10 to 90 days. Rhode Island’s law, for instance, requires notification to be made within 45 days of the discovery of a breach. Georgia – where Equifax is based – has no specified timeline for when a company must notify customers about a breach. Alabama and South Dakota don’t even have a data breach notification law on the books. For comparison, the European Union’s new General Data Protection Regulation, which comes into effect next year, requires that any data breach be reported within 72 hours.

    Big hacks like the Equifax fiasco put into context just how much control organizations have over our personal information, how much information is regularly collected, and how valuable (and vulnerable) that information is. But as the digital world increasingly dictates where we work, play, and live our lives, we need to have control — or at the very least, basic knowledge — over what data is being collected about each one of us, where it is stored, who has access to it, and how it is being protected.

    While Congress debates the merits of the various proposals to establish a national data notification and protection law, if you were a victim of this latest enormous breach (assume you were!), here are a few things you should do to protect yourself:

    • Check your credit accounts immediately and regularly for any suspicious activity, and continue to monitor your credit card and bank accounts for the foreseeable future;
    • Set up a fraud alert;
    • Freeze your credit accounts, meaning no one can open an account (or transfer money), buy a car, house, or other big item using your SSN, credit card, bank account, etc.;
    • Set up two-factor authentication on important financial accounts to deflect hackers with stolen information;
    • If you have children, enroll them at allclearid.com.

    Game of ‘pwns’: Cybersecurity Lessons from the latest HBO Hack – Picks of the Week

    Hackers Demand Millions in Ransom for stolen HBO Data | Associated Press

    Spoiler Alert: Hackers Are Gunning for Hollywood | Variety

    The HBO Hack Was Reportedly up to Seven Times Larger Than the Sony Hack | Vanity Fair

    It seems that no one can escape cyber threats or data breaches these days – everything from political parties to the King in the North appears vulnerable to attack.

    The latest victim in a string of embarrassing and potentially highly damaging data breaches that have affected the entertainment industry in recent years is Home Box Office Inc., more commonly known as HBO. The HBO hack, first reported over the weekend, seems to be larger than initially believed, and the leaks have included internal documents, images, videos, and personal information of an HBO senior executive. Upcoming episodes from multiple shows – including Ballers, Insecure, and Room 104 – along with draft scripts of the popular Game of Thrones were also made available online. The network issued a take-down notice to Google, demanding links to the leaked information be removed, but in a new twist of events the hackers – who reportedly stole 1.5 terabytes of HBO shows and confidential corporate data – released a second dump of sensitive proprietary data and demanded a multimillion-dollar ransom from the network to prevent additional leaks.

    The group of hackers delivered its ultimatum through a swaggering five-minute video from “Mr. Smith” – the name that the group is using to identify itself – to HBO CEO Richard Plepler. In short, they asked to be paid the equivalent of their “6-month salary in bitcoin” within 3 days to stop the leaks, and claimed to earn upward of $15 million a year by blackmailing organizations whose networks they have penetrated.

    The hackers claimed it took them about 6 months to breach HBO’s network, and to have spent a half-million dollars per year to buy “zero-day” exploits that allowed them to break into corporate networks through vulnerabilities not yet known to Microsoft and other software companies. They also bragged that HBO was the hackers’ 17th target and that only three previously victimized companies refused to pay. HBO is continuing to investigate the hacks and is working with police and cybersecurity experts, but it remains unclear how extensive the hack really was, how disruptive it will be to HBO’s business and employees, and whether the hackers will release the more explosive material they promised if the ransom isn’t met.

    So far, the HBO leaks have been limited and have fallen well short of the chaos inflicted on Sony Pictures Entertainment in 2014. In that cyber attack, a group of hackers known as the “Guardians of Peace,” allegedly associated with North Korea, leaked thousands of humiliating and damaging emails and personal information, including salaries and social security numbers, of nearly 50,000 current and former Sony employees. The group demanded that Sony halt the release of one of its major motion pictures that year – The Interview – threatening terrorist attacks and causing Sony to cancel the film’s premiere and mainstream release. Ultimately, the 2014 Sony hack resulted in the resignation of senior executive Amy Pascal and in a multi-million-dollar settlement with the studio’s employees.

    While the Sony hack definitely got the attention of executives across the entertainment industry, and while this and other major cyber incidents led to a shift in attitudes toward security, many experts argued that Hollywood studios were still not doing enough to prevent the next big data breach and warned that it was just a question of time before we would see another incident of the same or greater magnitude. Recommendations have poured into Hollywood studios and cybersecurity companies have flourished since, offering all kinds of technical solutions – from better firewalls to intrusion detection systems, network access control, cloud service security products, and more. The entertainment industry, however, has continued to focus on perimeter defenses instead of investing in risk mitigation strategies and more proactive measures, like using digital rights and content-management solutions to control how entertainment companies share and collaborate on content without putting it at risk of being compromised. These tools can increase the security of communications with external parties over secure channels, be they email, text, phone or instant messaging. Unified endpoint management solutions could also improve security and help control all IT endpoints, including desktops, laptops, mobile and even IoT devices. Finally, companies of all sizes and in all sectors should regularly train their employees on cyber hygiene and cybersecurity awareness, and bring in “ethical hackers” to conduct penetration testing and simulate real-world attacks.

    As Alex Manea, CSO of BlackBerry, noted: “if Game of Thrones has taught us anything, it’s that enemies will always try to find and exploit our biggest weaknesses, be they physical, mental or in this case digital. And just as in the hit HBO show, our goal isn’t to make our defenses impenetrable, it’s to make them strong enough that hackers simply move on to easier targets. In the end, enterprises and individuals who adopt this approach to risk management will have the best chance to survive the digital winter.”

    The HBO hack has shown us that there is no such thing as perfect cybersecurity, but that there are multiple proactive solutions and training opportunities that can be adopted to add layers of security and make us more difficult targets to penetrate. What the network will decide to do next to resolve the case is hard to guess. For now, at least, fans seem to remain loyal to the cable network that has brought them their favorite show, which recently saw its best-ever live ratings with more than 10.2 million viewers despite the recent hacks and multimillion-dollar ransom demand. – Senior Fellow Francesca Spidalieri

    As U.S. States Join Forces to Boost Cybersecurity, Federal Government Slashes U.S. Leadership in Cyberspace

    “38 Governors Sign ‘a Compact to Improve State Cybersecurity’” | Government Technology

    “Tillerson to Shut Cyber Office in State Department Reorganization” | Bloomberg

    “Top State Cyber Official to Exit, Leaving a Myriad Questions” | Politico

    Rhode Island recently hosted the National Governors Association (NGA) meeting, during which 38 state governors pledged to make cybersecurity a top priority and agreed to further develop statewide plans to enhance cybersecurity governance, prepare and defend their states from cyber incidents, and grow the nation’s cyber workforce.

    The NGA meeting, which drew high-profile speakers such as Vice President Mike Pence and Canadian Prime Minister Justin Trudeau, kicked off with a panel discussion on cybersecurity and concluded with the announcement of a “Compact to Improve State Cybersecurity.” The joint declaration emerged after a year-long initiative spearheaded by Virginia Governor Terry McAuliffe—who is also the NGA’s Chairman—called Meet the Threat, which sought to create guidelines that could be applied across states to promote cybersecurity. Governor McAuliffe had previously argued that instead of waiting for the federal government to act, states should assume a larger role in promoting cybersecurity, and suggested that his colleagues think of their IT defense as “a health issue, an educational issue, a public safety issue and an economic issue, as well as a democracy issue.” This is similar to what I have written about before—states cannot wait for the federal government to provide responses and solutions before taking action, and they must start developing comprehensive strategies to strengthen their cybersecurity posture, improve their cyber resilience, and ensure that their citizens can rely on safe and secure Internet connectivity.

    Rhode Island Governor Gina Raimondo joined 37 other governors in signing the compact and reaffirmed her commitment to combat cyber and homeland security threats. “Much of the work this compact talks about is already under way here in Rhode Island,” said Mike Steinmetz, Rhode Island’s first cybersecurity officer and principal advisor for homeland security. “It is critical that we work together with our state partners and with national resources in the intelligence, public safety and information technology communities to enhance our resiliency.”

    The governors’ agreement, which drew bipartisan support, included provisions to: boost cybersecurity employment by working with colleges to increase the number of related degree programs; place veterans into cybersecurity training programs or cyber-related jobs; encourage colleges and universities to seek designation as NSA-DHS National Centers of Academic Excellence in Information Assurance and/or Cyber Operations; organize a framework for information sharing by partnering state homeland security and information technology representatives with critical infrastructure and key resources operators; and incorporate the National Guard into states’ “cyber response plans” and work with state lawmakers to determine when the Guard should be activated in the event of a cyberattack. As evidence of its strong cybersecurity posture, Rhode Island has already begun to address all of these efforts.

    Unfortunately, the commitment by these states to work collaboratively with their local and federal partners to enhance their defenses against cyber threats was overshadowed by news that the federal government was potentially downgrading the role of U.S. leadership in cyberspace and its commitment to international cyber-related issues. Shortly after the NGA meeting, Christopher Painter—the State Department’s coordinator for cyber issues and top cyber diplomat—announced that he would leave his job at the end of the month. Painter had been leading American delegations to international cybersecurity meetings for several years, negotiating joint agreements with other countries on issues ranging from protecting critical infrastructure to developing international norms of state behavior in cyberspace. In addition, Secretary of State Rex Tillerson is considering closing the State cyber office, merging it with another office, or downgrading the cyber coordinator’s rank. As Jason Healey, visiting scholar at The Hoover Institution at Stanford University, pointed out, eliminating or downgrading the State Department’s dedicated cyber mission “would mean the United States would be the only major country without a lead diplomat to discuss cyber norms and trying to reduce the ever-escalating cyberattacks we see around the world.” The U.S. was the first country to create a high-level diplomat role addressing cybersecurity issues, and dozens of other countries have since followed suit. “It is not just a shame if the U.S. were to surrender that leadership, but would mean the future internet will have more Russian and Chinese characteristics,” Healey added.

    While the cybersecurity environment continues to deteriorate, with cyber threats growing in scope, volume, and sophistication, and as geopolitical tensions remain high with slow progress on the diplomatic front, it remains unclear how the Trump Administration—which has yet to fill many of the vacant roles with major cybersecurity responsibilities—plans to approach all these important cyber challenges both domestically and internationally. President Trump’s Executive Order on Cybersecurity, for example, directed government agencies to further study the problem and requested that those agencies produce several related reports in the coming months, but did not clarify how the Administration will prioritize competing interests. Producing these reports will require agencies to dedicate limited and shrinking resources to the task, which may distract from their current cybersecurity activities and operations. Painter’s departure, moreover, will likely complicate the State Department’s task of delivering an international cyber strategy to the President by late September as part of the executive order.

    While the President began his tenure at a time of considerable cyber insecurity facing both state and federal agencies, public and private organizations—and an associated growing public awareness of these issues—he has yet to demonstrate an understanding of what is at stake and a willingness to take a leadership role in addressing these challenges. – Senior Fellow for Cyber Leadership Francesca Spidalieri

    When Ransomware Becomes the Smoke Screen for Real Disruption: Picks of the Week

    “Ransomware Remixed: The Song Remains the Same” | Lawfare

    “Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons” | The New York Times

    “Global Cyber Attack Likely Cover for Malware Installation in Ukraine” | Reuters

    In the past month, malicious actors have twice used cyberweapons stolen from the National Security Agency (NSA) against countries around the world in a series of escalating cyber attacks that have targeted hospitals, banks, transportation systems, and even nuclear sites. The latest wave of attacks featured the same hacking tool – EternalBlue – that was used in the WannaCry attacks that crippled tens of thousands of machines worldwide in May. The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the NSA and leaked online in April by a group called the Shadow Brokers.

    As The New York Times reported, “the NSA has kept quiet, not acknowledging its role in developing the weapons [but that] the calls for the agency to address its role in the latest attacks has grown louder, as victims and technology companies cried foul.” White House officials have also deflected questions on the issue, arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. The growing concern is whether US intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands, and there have been numerous calls for the NSA to help halt the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

    While the US intelligence agencies do have the largest stockpile of so-called cyberweapons that have become the weapon of choice against the Iranian nuclear program, North Korea’s missile launches, and Islamic State militants, they have also developed an interagency decision-making process to disclose known software vulnerabilities directly to vendors (like Microsoft, in the case of WannaCry). This so-called Vulnerability Equities Process (VEP), however, is not codified into law and continues to be biased in favor of intelligence and law enforcement practitioners, thus leaving products and consumers vulnerable to attacks and affecting users on a massive scale.

    Although there is evidence to suggest that North Korea was responsible for the WannaCry ransomware attacks and that the attacks this week against targets in Ukraine were the work of Russian hackers, in both cases the attackers used tools stolen from the NSA to exploit vulnerabilities in Microsoft software. Officials now fear that the potential damage from the theft of these cyberweapons could go much further, and that the NSA’s own weaponry could be used to destroy critical infrastructure in the United States or in allied nations. Indeed, attackers and cyber criminals have already retrofitted these tools to steal credentials from American companies, pilfer digital currency, disrupt services, and even destroy property.

    The latest wave of ransomware attacks is now believed to have been a smoke screen for a deeper assault aimed at destroying victims’ computers entirely or installing new malware intended for future sabotage. And while WannaCry had a kill switch that was used to contain it, the attackers that hit Ukraine this week made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.

    Unfortunately, as long as software manufacturers continue to develop poorly engineered products full of flaws in their computer code, opportunities will abound for digital weapons and spy tools, and the NSA is not likely to stop hoarding software vulnerabilities any time soon. And as long as people and companies fail to properly patch their systems and adopt cybersecurity best practices, more sophisticated and damaging attacks of this kind will be likely.

    Pell Center Hosts Cybersecurity and Healthcare Exercise Ahead of Real-Life Global Cyber Attack

    Senior leaders and security professionals from over 30 healthcare organizations in New England, as well as representatives of the R.I. Department of Health, R.I. Office of the Health Insurance Commissioner, R.I. Commerce Corporation, Newport County Chamber of Commerce, and law enforcement agencies convened at the Pell Center at Salve Regina University on May 10, 2017 to participate in a cybersecurity tabletop exercise focused on specific challenges and potential responses to growing cyber threats in the healthcare industry.

    In a ripped-from-the-headlines twist that preceded the recent “WannaCry” attack, the exercise started with a ransomware attack and continued with a series of cyber intrusion scenarios, such as disruption of services, email spoofing, phishing attacks directed at patients, DDoS attacks, and data exfiltration, created to identify weaknesses common in the healthcare industry. The scenario involved real-world cascading effects, including consequences for the provision of healthcare, outcry from patients, and media fallout for the organizations that fall victim to such attacks. The exercise was designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies, mitigation techniques, and incident responses. Participants worked together on a range of timely and important cyber-related issues, including: incident response and prioritization, data leakage considerations, digital forensics investigations, crisis management, legal and regulatory compliance, and cyber liability insurance. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.

    This event, co-sponsored by SecureWorks, PreparedEx, and the Newport County Chamber of Commerce, was part of the Pell Center’s Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. Congressman Jim Langevin joined this group of senior leaders for a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.

    Stunningly, just two days after the Pell Center exercise, the world woke up to the news that “WannaCry,” a new, self-propagating ransomware allegedly stolen from the National Security Agency (NSA), was spreading across thousands of computers around the globe and affecting multiple different entities and industries. The malicious software infected more than 300,000 computers across nearly 150 countries and was dubbed the largest “ransomware” attack on record. Some of the world’s largest institutions and government agencies fell victim, including the Russian Interior Ministry, German transport giant Deutsche Bahn, French automaker Renault, US shipper FedEx, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computers and network systems are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.

    Governments, companies, and security experts from around the world raced to contain the fallout from this audacious global cyberattack amid fears that if they did not succeed or pay the ransom demanded, data would be lost forever. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack was a wake-up call for many organizations in the healthcare sector and set off fears that the effects of the continuing threat will be felt for months, if not years. The following week, a new flaw was found in widely used networking software, leaving tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the WannaCry ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine, and especially of the threats that legacy equipment, the lack of cybersecurity professionals in hospitals, and the hyper-connectivity of medical devices and hospital networks pose to patient safety.

    With an eye towards mitigating similar cyberattacks and increasing preparedness and resilience to cyber risks, the Pell Center will continue its cybersecurity and healthcare event series this fall with additional seminars, panel discussions, and workshops. In light of the WannaCry attack and the Pell Center’s recent cybersecurity exercise, we also provided a series of tips and recommendations to participating organizations, including: ensure that all software and anti-virus programs are up-to-date; patch operating systems as soon as updates are available; create backups of all important files; align security controls with the risk and impact to the organization; prioritize responses and resources; educate all employees about malicious content and how to identify and avoid it; limit employee access to resources that aren’t necessary for daily workflow; and join forces with trusted third parties, internal staff, law enforcement, and security organizations. Experts from PreparedEx also stressed the importance of conducting more cross-functional crisis management exercises that include the senior leadership team from within organizations, and of maintaining well-exercised and regularly updated crisis management and incident response plans.

    Easy Hack May Spark Next Middle Eastern Conflict: Picks of the Week

    The Hack that Caused a Crisis in the Middle East Was Easy | Motherboard

    News Agency Hack Blamed for Diplomatic Meltdown in Qatar | CSO Online

    US Suspects Russian Hackers Planted Fake News Behind Qatar Crisis | CNN

    Will Qatar’s Diplomatic Exile Spark the Next Great War? | Foreign Policy

    A cybersecurity incident at the Qatar News Agency (QNA) may have been the cause of the sudden diplomatic break between Qatar and multiple Gulf Cooperation Council (GCC) states, including Bahrain, United Arab Emirates (UAE), Saudi Arabia, Egypt, Libya, and Yemen.

    The Qatari government reported that hackers were able to breach its state-owned news agency as well as its Twitter account, subsequently planting a fake news item attributed to Qatar’s emir, Sheikh Tamim bin Hamad Al Thani, purportedly making controversial comments in support of Iran, Hamas, Hezbollah, and Israel, and questioning the political future of U.S. President Donald Trump. The fake news piece was immediately picked up by Saudi and Emirati media and widely broadcast, while internet access to Qatari media was blocked so that the official denial from Qatari officials could not be read. The move laid the groundwork for the subsequent crisis. Indeed, Bahrain severed diplomatic ties with Qatar shortly after the fake news was widely spread, and within minutes of its announcement, four other GCC states followed suit and announced that land, sea, and air routes had also been cut off. Yemen, Libya, Mauritius, and the Maldives later followed suit, and Qatari nationals are now being expelled from some countries in the Arab alliance. The crisis has only escalated since, and could have manifold economic and political effects for the Middle East – as well as alter the course of the region’s many conflicts.

    Qatar is working with the FBI and the British National Commission for Combating Crime (NCA) to investigate the incident, but the damage has already been done and tensions with GCC members continue to mount. Russian hackers are accused, once again, of having been the perpetrators of this latest cyber intrusion and of having planted the fake news story on Qatar’s state news agency website that led to the split between Qatar and the other Arab nations. Motherboard has reported that the “crisis was sparked by a hack that anyone could have done […] given that the station affected had terrible [cyber]security in place.” U.S. officials have expressed increasing concerns about Russian cyber-hacking measures believed to have been used to interfere in the 2016 presidential election, and then used again against American allies. Similar alleged hacks and instances of dissemination of false news articles have occurred in France, Germany, and elsewhere during elections.

    To make matters worse, Qatar-based satellite news network Al Jazeera seems to be the latest victim of an ongoing cyberattack campaign. On Thursday, Al Jazeera stated on its website that its entire Qatar-based network was experiencing “systemic and continual hacking attempts” and that it had been hit by a “cyber attack on all systems, websites, and social media platforms.” The Al Jazeera hack, if related to the series of events that have cascaded in short order since the first handful of Arab countries cut off diplomatic ties with Qatar this week, could further destabilize the situation.

    Whether the alleged hackers are linked to Russian crime syndicates or government agencies, and whether the Trump Administration will be able to intervene and defuse what many consider the most dangerous diplomatic crisis in the region in decades, remains to be seen. What seems incredible, however, is that even with heightened awareness regarding fake news, easily hackable social media accounts, and questionable journalism, an apparently unsophisticated cyberattack against a news agency can lead to significant diplomatic problems and potentially trigger an even larger international incident.

    ‘WannaCry’ Ransomware Attack was a Wake-up Call: Picks of the Week

    New WannaCry Cyber Attack Could Target Tens of Thousands of Home Computers | Newsweek

    Hacking Attack Has Security Experts Scrambling to Contain Fallout | The New York Times

    Services Interrupted as Hospitals Push Fixes to WannaCry Ransomware Exploit | Forbes

    Governments, companies, and security experts from around the world raced to contain the fallout from last week’s audacious global cyberattack amid fears that if they did not succeed, data would be lost forever unless ransom demands were met. The efforts came less than a day after malicious software (“WannaCry”) that was stolen from the National Security Agency (NSA) infected more than 300,000 computers across nearly 150 countries in one of the largest “ransomware” attacks on record. Some of the world’s largest institutions and government agencies were affected, including the Russian Interior Ministry, FedEx, German transport giant Deutsche Bahn, and the Spanish telecommunications firm Telefónica. Healthcare organizations were hit particularly hard given that their computer networks are often older, unpatched, and lack strong cybersecurity measures. The British National Health Service was one of the largest institutions affected, with ambulances and doctors’ offices impacted in 45 of its hospitals, cancellation of non-vital surgeries, and certain hospital operations shut down.

    This ransomware began with unsolicited emails, which are typically designed to trick the user into clicking a link or downloading an attachment. Once the link is clicked or the attachment opened, the ransomware leverages a known flaw in Microsoft Windows and begins to replicate itself and spread around whatever computer network that individual computer is connected to. In addition, the ransomware forces the computer to run the malicious code that encrypts all sorts of files – once those files are encrypted and locked away from the user, the attackers then ask for a ransom payment (often in Bitcoin) to release the data. While a British cybersecurity researcher inadvertently found a way to stop the ransomware from spreading after less than 48 hours, the attack has set off fears that the effects of the continuing threat will be felt for months, if not years. This week, a new flaw found in widely used networking software could leave tens of thousands of other computers and additional medical devices potentially vulnerable to a similar attack, and many of those computers are feared to be too old to be patched or fixed. And while the latest ransomware attack was certainly not the only internationally scaled cybersecurity threat in recent years, this attack’s consequential impacts served as a stark reminder of the significant vulnerabilities at the intersection of technology and medicine.

    With an eye towards mitigating similar cyber attacks and increasing preparedness and resilience to cyber risks, the Pell Center conducted a cybersecurity tabletop exercise just three days before the WannaCry attacks, focusing specifically on the challenges and potential responses to growing cyber threats in the healthcare sector. The exercise included a ransomware attack similar to WannaCry, in addition to a series of other cyber intrusion scenarios (i.e., disruption of services, email spoofing, phishing attack directed at patients, DDoS attack, data exfiltration) created to identify weaknesses common in the healthcare industry. The exercise was also designed to show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and also to explore possible remedies and incident responses. The overall objective was to provide healthcare organizations and state agencies with greater insight into the specific cybersecurity issues they face and to explore possible responses and mitigation strategies that could lead to industry-driven solutions.

    Various stakeholders participated in this event, including over 60 healthcare providers, practitioners, and insurers, as well as representatives of the RI Department of Health, RI Office of the Health Insurance Commissioner, and law enforcement agencies. The event targeted not just IT administrators and technicians, but also senior managers, security directors, CISOs, CIOs, communications, and HR personnel, who all have important roles and responsibilities during a cyber incident. In light of the WannaCry attack and our cybersecurity exercise, we recommend that organizations ensure all software and anti-virus programs are up-to-date; patch operating systems as soon as updates are available; align security controls with the risk and impact to the organization; prioritize responses and resources; educate all employees about malicious content and how to identify and avoid it; limit employee access to resources that aren’t necessary for daily workflow; and join forces with trusted third parties, internal staff, law enforcement, and security organizations.

    This event was part of the Rhode Island Corporate Cybersecurity Initiative (RICCI), an ongoing effort aimed at bringing together senior leaders from various sectors in Rhode Island who can effect change and make the state more secure and resilient to cyber threats. In addition, Congressman Jim Langevin (D-RI) joined the group for a keynote address on the future of the healthcare law and on best practices to strengthen the cybersecurity posture of healthcare organizations.