Interesting piece in ComputerWorld about why companies don’t report security breaches; the piece says it might hurt their reputation and their business. The inverse of this is that security matters and that companies have incentives to get secure (this on the theory that eventually, most everything becomes public….).
The piece cites the 2004 CSI/FBI (see upper right of page) 9th Annual Computer Crime and Security Survey, which I find to be about the best set of statistics on security incidents. It has been tracking data consistently for years and shows trends over 5-6 years. Other interesting stats in the FBI study include: the other big reason people didn’t report is that ‘competitors would use it to their advantage’ (Figure 21); 82% of companies perform security audits (Figure 17); the biggest $ losses are from targeted events, namely DDoS, theft of IPR, and insiders (Figure 15); expenditure varies widely by sector, and of course the risk varies widely by sector, so one size does not fit all (Figure 7); and most firms use Return on Investment (ROI), Net Present Value (NPV), or Internal Rate of Return (IRR) calculations to determine investments, with 55% using ROI (Figure 8). This survey is worth a look.
The ComputerWorld piece ends by asking whether mandatory disclosure of breaches provides a disincentive to look for them… Interesting area….. Will look at this more later… Cheers.
Earlier I said I was looking forward to hearing the law enforcement vision of the USSS to stamp out cyber crime…. Didn’t get to (although I hear it was meaningfully robust). Instead I spent time on spyware.
Spyware was discussed a lot at RSA. We announced that as part of our Adaptive Threat Defense next phase of the Self Defending Network, anti-spyware is covered (part of our Anti-X initiative, where X is spyware, DDoS, malware, and other things you want to stop); Microsoft announced that it was providing anti-spyware (from their Giant acquisition) on the desktop at no additional charge; and pretty much all the AV vendors had booths at the show explaining what they assured us were their very effective new anti-spyware technologies. This lines up with AOL and other ISPs adding anti-spyware into their service for no or little additional fee. Lots of market action here.
Proposed spyware bills aim to stop bad actors from doing devious things with spyware. The challenge has been how to define and stop the problem without chilling innovation. I previously have talked about our position on spyware on a VOD. The problem is of course difficult in part because bad actors may be overseas, may spoof their identity, and may be unlikely to stop. Law enforcement here is key. Unintended consequences can have non-trivial effects, and we need to make sure that as people look for legislative approaches, we don’t inadvertently chill current and future innovations in things like network management, maintenance, security, and other areas that make the Internet and enterprise networks efficient, productive, global, safe, secure, and robust. Networks are becoming fully interactive, passing instructions and information constantly to maximize utility, quality of service, and function. These are good things…. Not spyware…. The work on these issues needs to continue….
Even though I didn’t get to hear the USSS tell us about the next Eliot Ness, earlier I did hear a raucous discussion about regulation and security. The RSA company wanted to have people with very different views, and they were there. I have previously talked about security policy, both in text and VOD. My view is that the answer lies in market-driven innovation. Panel members at RSA who were open to some (undefined) kind of security requirements on ‘critical infrastructure sectors,’ like electricity, seemed to be under the impression that these sectors had few incentives to get secure. I’ve never subscribed to that. They talked about the Internet as if it were a public good, and were afraid of a ‘tragedy of the commons,’ in the traditional economic sense. My view is that it is not. Every piece of the network is owned by somebody, somebody with an incentive to get and stay secure. In electricity, for example (where the Northeast blackout was used as an example of what could happen, though it was caused by a power line sagging into a tree), someone said companies in the electric industry have little incentive to get secure because security was only a cost. Again my view is different: first, going down does not go unnoticed, and second, the state electricity regulators at NARUC have said security is a positive thing and of course you can recover your investment; in fact NARUC provided a road map for cost recovery through the rate base (see the second report referenced on NARUC’s site). Certainly work needs to be, and is, going on regarding hardening SCADA systems, but it strikes me that the incentive issue is pretty clear. One panelist seemed to want ISPs to provide security, and in any case the market has driven AOL to roll in AV to all its customers at no additional fee, which was followed by Earthlink, and then NetZero to stay competitive with AOL. That has to have rolled in about 30 million users in just the last 5 months.
On the enterprise side, the Wall Street Journal reported in November that AT&T, MCI and Sprint were competing against each other in the enterprise market based on security. Customers are asking for it, and ISPs are responding. Enough on that for now.
The big takeaway from RSA is the intensity of innovation. Someone who was there (and should know) said the vibe was like networking was 15 years ago. Fast, complex, fun and the place to be. That struck me as right. So long for now…..
The RSA conference is quite a show. There are hundreds of exhibitors in this huge hall. Lots of very cool stuff. The major themes seem to be moving from passive to active defense, baking security into the network, and automatic application of security policy management within networks. All good things. It’s also easy to see that the engine of VC investment, with investments in well over 300 companies since 1998, is in full swing here. You have to like the vibe.
There’s been a lot of talk of spam, spyware, phishing and carding. These are serious issues. But it’s always struck me that part of this story is ‘there’s nothing new under the sun.’ We’ve been dealing with illegal activity since the beginning of time. In the off-line world we call this theft, fraud, deceptive trade practices and extortion (and way back when, ‘boosting on trains’ and ‘piracy on the high seas’). The use of the net is a new tool to be sure, but I really think the underlying legal and moral principles here are the same. We really need to stamp this out. We’re going to hear from the head of the US Secret Service later today and I’m looking forward to seeing his plan. I hope it is fully robust. Let’s bring back Eliot Ness. This is global, and a lot of the activity is coming from organized crime overseas, so I hope he’s got the Mutual Legal Assistance Treaty game down cold.
I was excited yesterday when John Chambers talked dynamically, broadly and deeply about the vision of self defending networks, adaptive threat defenses and infusing security into networks, including the application layer. He put it in both a broad and specific context, and I think people got it and were thrilled. Really worth a look at the presentation; the link is in yesterday’s post by John Earnhardt.
Well, off to the conference…. More to come… Cheers…
Cisco President and CEO John Chambers this morning keynoted at the RSA Security Conference in San Francisco. He talked about the need for networks to be “self-defending” and intelligent in order to operate effectively in the new communications environment. He said that the network is a strategic business asset that has to be protected. SEE THE KEYNOTE HERE. (Free registration required).
News story on his keynote.
Cisco’s RSA Conference Online Press kit.
Cisco’s new self-defending network strategy.
The RSA Security conference organizers are clearly secure in their own relationships. The conference starts today (Valentine’s Day) in San Francisco and either a) attendees brought their significant others along to celebrate this most Hallmark of Hallmark holidays; or b) attendees have an agreement just to celebrate anniversaries, birthdays and end-of-year holidays; or c) attendees are “still looking to find that special someone” and prefer to have a conference to attend rather than face another Valentine’s Day without a date. I’m guessing it is a combination of the three.
There will be plenty of Cisco participation (Cisco President and CEO John Chambers presents on Wednesday) and our own Adam Golodner will be blogging with some of his thoughts on the conference each day. More information on the conference here.