Category Archives: Cybersecurity


Iowa caucuses and the Shadow app: A lesson in critical infrastructure

On Monday 3 February 2020, Iowans caucused at almost 1,700 precincts across the state to select their preferences among presidential candidates. Three days after the Iowa caucuses, the final tallies for the Democratic presidential candidates remained incomplete. The popular press blames a technical glitch in the Shadow app, but accountability resides with the party leaders and the Shadow app executives who allowed technology that had been neither previously fielded nor fully tested to be deployed as critical infrastructure.


Gatwick: attack of the drones

Authors – French Caldwell and Richard Stiennon

Key takeaways –

  1. Air transportation infrastructure is particularly vulnerable to non-lethal attacks by drones
  2. Regulatory controls alone will not stop drone attacks
  3. Attacks like the one at Gatwick this week are a serious reputational blow to the drone industry and to the rapidly growing ecosystem of drone control software and analytics vendors

New cybersecurity laws are on the way

This week, I joined the Silicon Valley Leadership Group for a visit to Capitol Hill. The group had asked me to share a few thoughts with congressional leaders on how cybersecurity policy affects cloud software companies like my own, MetricStream. We met with congressional leaders who are grappling with cybersecurity issues. House Majority Leader Kevin McCarthy, Homeland Security Committee Chairman Michael McCaul, and Representative Patrick Meehan all demonstrated a depth of knowledge on cybersecurity and on how it is affecting businesses. They were focused mostly on cyber intelligence sharing between the federal government and industry, and between companies.

To remove roadblocks to sharing, Congress is considering bills from the House and the Senate that will provide liability and antitrust protections to companies that voluntarily share cyber intelligence. Privacy advocates are justly concerned about the sharing of information, and protections are being built into the proposed legislation. Whether those protections are adequate is a political issue that is not easily resolved, but regardless, some form of cyber intelligence sharing bill will likely pass this year. Several other cybersecurity policy issues remain, and I expect this bill will break a logjam that has existed on critical infrastructure protection and data breach legislation. More legislation will follow in the current Congress, and that will be mirrored in the EU and other jurisdictions.

While new rules will confront GRC leaders with more requirements, the frameworks those rules engender, such as the NIST Cybersecurity Framework, are establishing the foundations on which digital business depends. The many opportunities from the digitalization of business can be realized when our GRC programs are robust enough to ensure our organizations' resilience in the face of new cyber risks, and our ability to meet the requirements of what is likely to be a rapidly evolving regime of cybersecurity regulations. CROs, CCOs, CIOs, and CISOs will need to work out their own policies for cybersecurity and privacy that account for the variations in laws between jurisdictions around the world. Cyber risks do not respect geographic boundaries; in fact, bad actors take advantage of those boundaries to protect themselves from discovery and prosecution, seeking havens in locales where enforcement is weak. Companies also find themselves in the unenviable position of being caught in the midst of cyber wars, and these are wars that will not stop regardless of new rules. While industry, civil liberties, and government leaders work out national policies and new regulations on cybersecurity, it will take real leadership from GRC professionals to interpret these developments and keep their organizations ahead of the curve.

Obama Administration lays groundwork for cybersecurity information sharing

On 13 February 2015, President Obama issued "Executive Order — Promoting Private Sector Cybersecurity Information Sharing." The primary objective of the order was to encourage the formation of Information Sharing and Analysis Organizations (ISAOs) and the development of voluntary standards for information sharing by critical infrastructure companies. This is the third in a series of cybersecurity executive orders issued annually each February since 2013.

What you need to know

By establishing a regimen for the development of voluntary information sharing standards, this executive order gets a head start on the proposed cybersecurity legislation that the White House sent to Congress in January. The last attempt, in 2012, to get a cybersecurity act through Congress failed, mostly due to intervention from privacy advocates and concerns about increasing regulatory burdens on critical infrastructure businesses. Following that failure, the President in 2013 issued "Executive Order — Improving Critical Infrastructure Cybersecurity." That order resulted in the NIST Cybersecurity Framework, which industry has broadly accepted as a baseline standard for critical infrastructure protection. This new executive order is about as far as the executive branch can extend its authority without further legislation. With all the major cyber attacks since 2012, and with the Sony and Anthem breaches fresh in the minds of business executives, the public, and politicians, resistance to new regulations should be lower than it was in 2012.

Operators of critical infrastructure should:

1 – Participate in the development of the voluntary information sharing standards

2 – Identify information that can be shared without legal liability concerns

3 – Prepare for legislation that will provide legal protection for information sharing.


The Executive Order doesn't change much for critical infrastructure companies; current cybersecurity policies should not be affected directly. It does not direct government agencies to review current regulations or make changes to them. It calls only for consultation on voluntary standards. Depending on what comes out of that process, companies could make voluntary changes to their policies based on the resulting standards.

There is no requirement for companies to share information with the Information Sharing and Analysis Organizations that this executive order establishes. Sharing is voluntary, not mandatory. For companies that decide to share information, there are legal risks: until there is legislation that provides more specific legal protections, this executive order is not likely to have much effect beyond laying the groundwork for an information sharing regime.

The window for legislative action is open. All the major hacks that have happened since 2012, especially Sony, received a lot of political attention, and also attention from boards of directors and CEOs. There are special interests concerned about privacy and civil liberties, and other special interests concerned about putting more regulatory mandates on companies. As to the latter, legislation on information sharing will be much less onerous than the cybersecurity audit rules proposed in the Cybersecurity Act of 2012. The time to bring all sides in Congress together is right now, while what happened at Sony and Anthem is still fresh in mind.