ISA congratulates CISA’s National Risk Management Center, and Director Kolasky for this vitally needed initiative.  The SolarWinds attacks have brought to everyone’s attention the need

In previous posts we have argued that the traditional regulatory model is ill-suited to address the nature of threats we see in cyberspace. It is too slow, too reactive, static and it sets minimums when what we need is a dynamic model equipped to grow with the ever-evolving threat.

If anything characterizes the 21st century it is speed and change. A generation ago people most typically had one phone in their house for their lifetime. Now we change phones (smart phones) every couple of years – at least. Waiting a FULL TWO SECONDS for a computer, or app, to download is, let’s face it very annoying.

Doing the same thing over and over and expecting different results is the definition of insanity. —Albert Einstein

In the early blogs in this series we illustrated that one of the major reasons not made substantial progress in securing cyberspace over the past 30 years is that we have generally thought of cyber risk primarily in technical/operational terms, and largely ignored the economic causes for most cyber-attacks.

Recognizing the industry interplay, DHS recently moved to a new model based on an industry determined function-based framework. Taking a functional view widens the lens to move closer to this interconnected, multi-industry reality. Under the leadership of the Cybersecurity
& Infrastructure Security Agency (CISA), has a comprehensive program to:

The world was caught by surprise in May 2017 by the WannaCry ransomware attack. In June of the same year, a more damaging attack – NotPetya – infected many major global corporations leading to IT infrastructure damage and business disruption. The two events caused over $10 billions of economic loss and serve as a dramatic reminder of the potential for cyber-attacks of a systemic nature to cause damage at scale.

The Russian attack on the SolarWinds software is destined to impact thousands of government and private sectotor entities. However its real significance may lie in not the extent, or even the damage of this specific attack, but rather in the way this cyber attack was carried out

Naturally, and appropriately Congress is beginning its review of the attack on SolarWinds software which will possibly be the broadest and most damaging in history. We won’t know the details of the harms for months or years.

The man who founded the organization I work for, the Internet Security Alliance, was Dave McCurdy. Mr. McCurdy was the former Chair of the House Intelligence Committee. Dave was fond of reminding people, “Congress does two things well: Nothing and overreact.”

President-elect Joe Biden’s response to the Russian cyber-attack, that could turn out to be the most serious security breach since World War II, was his vow that “I will not stand by idlily in the face of cyber assaults on our country”

If the dramatic Solar Winds hack of multiple critical US government and key private sector, systems proves anything, it is that we need to substantially rethink our approach to cyber security.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

By Scott Algeier, IT-ISAC Executive Director The IT-ISAC is happy to support National Cyber Security Awareness Month once again. For more than 15 years, National

The Russian attack on many US government cyber systems reported Sunday in the New York Times is being called on of the most sophisticated attacks we have seen.

There are actually many lessons to be learned from the largest and most sophisticated cyber-attack to date reported in the New York Times Sunday, but perhaps the most basic is that what we are doing now to protect ourselves in cyberspace isn’t working. We need to rethink our approach to cybersecurity.

I was the optimist, I said I could stretch to a 1.5 out of 10. My fellow panelist Mark Montgomery, Executive Director of the Congressional Solarium Commission, wasn’t as generous. He said it’s just a 1 out of 10. No argument from me.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

– Sun Tzu, the Art of War

In a major speech yesterday, President-elect Biden said that notwithstanding the great work that had been done to create a vaccine for COVID-19, it was his responsibility to “level” with the populace about how we still had a long difficult and dangerous winter ahead of us.

In earlier posts we documented that China through their comprehensive digital policies – largely articulated in their Belt and Road and Digital Silk road initiatives — has launched a comprehensive program to embed their technologies around the world. We have also indicated that this program has already succeeded throughout much of the world placing the west in general, and the USA in particular at a substantial geo-political disadvantage.