  • ONE WAY TO GET CYBERCRIMINALS TO FUND LAW ENFORCEMENT

    October 05, 2023

    Introduction by Larry Clinton As we explained in previous blogs (LINK), cybercrime is at an all-time high – and there are no signs that it is slowing down. Economic losses from cybercrime are estimated to be as much as $2 trillion annually—and increasing to as much as $10.5 trillion by 2025 – 10 trillion is […]

  • VIRTUAL CYBER ACADEMY WOULD SOLVE WORKFORCE ISSUE AND HELP REDUCE THE DEFICIT

    May 11, 2023

    An analysis of the proposal to create a national, virtual, cybersecurity academy shows that creating the academy would not only solve the federal government’s cybersecurity workforce problem in less than 4 years but would create savings that allow the program to pay for itself – and even contribute to reducing the federal budget deficit. The […]

  • Joint Letter from ISA and AGB to House and Senate Appropriations Committee

    April 09, 2023

    Dear Congressional Members of the House and Senate Appropriations Committees: We are writing to urge the House and Senate Appropriations Committees in the fiscal year (FY) 2024 appropriations bill to include $200 million for the Department of Defense Cyber and Digital Service Academy (the Academy) that was authorized in the FY 2023 National Defense Authorization […]

  • INDEPENDENT REVIEW OF FIXING AMERICAN CYBERSECURITY

    March 31, 2023

    A Review of Fixing American Cybersecurity, Edited by Larry Clinton and Foreword by Kiersten Todt. This entry was posted in Book Review, Cybersecurity on March 30, 2023 by Steven Bowcut. In an era of growing cyber threats and increasing data breaches, the need for robust cybersecurity measures has never been greater. Against this backdrop, Larry Clinton’s new book, “Fixing American Cybersecurity: Creating […]

  • SEC NEEDS A CYBER MODEL THAT WORKS

    March 30, 2023

    Writing in the February edition of Foreign Affairs, CISA Director Jen Easterly called for “a new model” for cybersecurity. A month later President Biden released a new national strategy for cybersecurity which he said would “realign incentives in favor of long-term investment.” When releasing the new strategy, acting WH Director for Cybersecurity Kemba Walden said, […]

  • The SEC: The Elephant in the New National Cyber Strategy

    March 27, 2023

    The Biden Administration’s new National Cybersecurity Strategy is an important first step toward improving our nation’s cybersecurity. This strategy, unlike the numerous others that have been unveiled over the past 20 years, adopts ISA’s core argument that we cannot create a sustainably secure cyber system until we rebalance the incentives for cyber-attacks. ISA is not […]

  • FIRST DO NO HARM: THE MANTRA FOR NEW CYBER REGULATION

    March 15, 2023

    The traditional regulatory model – when applied to cybersecurity – is actually anti-security. For all the discussion around the Biden Administration’s new cyber strategy generating new regulations, this one simple fact remains. There is no evidence the cyber regs are working. The real question is not so much how much new regulations there ought to […]

  • Industry Leader: OMB Should Take Lead in Deconflicting Regs Under National Cyber Strategy

    March 13, 2023

    By Charlie Mitchell / March 13, 2023 Federal agencies should be required to clarify that proposed cybersecurity rules are not “duplicative or in conflict with existing regulations,” according to a key industry player on cyber, an idea embraced by former White House cyber coordinator Michael Daniel as a way to deliver on regulatory streamlining under President […]

  • WHY CYBER REGULATIONS IN NATIONAL STRATEGY MAY NOT WORK

    March 06, 2023

    The new National Cybersecurity Strategy released last week calls for intensified federal regulation on IT providers, while presumably shifting regulatory focus away from technology users (we will see what the regulatory agencies and the SEC have to say about that last part). The strategy asserts “regulation can level the playing field enabling healthy competition without […]

  • THREE QUICK STEPS TO IMPLEMENT THE NATIONAL CYBER STRATEGY (NOT WHAT YOU THINK)

    March 03, 2023

    There are probably various government agencies where regulators have already sharpened their virtual pencils preparing to write up some new regulations to go along with the new National Cybersecurity Strategy released yesterday. Please put down your pens. That is not where implementation of the new strategy needs to begin. While much of the conversation about the […]

  • IS REGULATION THE ANSWER TO OUR CYBERSECURITY PROBLEM (PART I)

    March 01, 2023

    There is a common misconception that cybersecurity regulation has not been tried, and that, if only there was federal regulation of cyberspace, we would have a more secure environment. The facts don’t bear out this assertion. In our next two posts, we will first lay out the empirical evidence that cyber regulation does […]

  • IS THE CYBERSECURITY PROBLEM ONE ABOUT TECH OR ECONOMICS?

    February 27, 2023

    Spoiler alert: It’s both. However, virtually all of our efforts to address our cybersecurity problems have focused on the tech side and virtually none on the underlying economics of cybersecurity. This has led to an unbalanced and ineffective government response in “providing for the common defense” in the cyber infrastructure. In their classic work, The […]

  • US CYBERSECURITY – OLD PRACTICES, NEW VISIONS

    February 24, 2023

    US cybersecurity policies have been inadequate for decades and need to be updated to counter the heightened digital and physical risks the nation faces from our adversaries today. The US cybersecurity effort over the past thirty years largely comes down to a series of modest, disjointed, incremental tactics. On the other hand, one significant rival, […]

  • From Pulitzer Prize winning author Byron Acohido on Last Watchdog.

    February 23, 2023

    The review (pasted below) is also available at AUTHOR Q&A: China’s spy balloons reflect a cyber warfare strategy America must counter https://www.lastwatchdog.com/ By Byron V. Acohido The attack surface of company networks is as expansive and porous as ever. Related: Preparing for ‘quantum’ hacks That being so, a new book, Fixing American Cybersecurity, could be a long […]

  • THE (ONLY) PATH FOR THE US TO WIN THE DIGITAL WAR WITH CHINA

    February 22, 2023

    In a series of posts over the past couple weeks (LINKS), we have documented how China has been successfully carrying out a concerted and multi-faceted digital program designed to re-make the post-WWII world order and redirect it toward China. The Chinese campaign is well conceived, integrated, generously supported, and largely covert, which is consistent with […]

  • CAN THE US MATCH CHINA’S MILITARY-CIVIL FUSION MODEL? WILL IT?

    February 20, 2023

    In recent posts, we have described how over the last 30 years China has smartly leveraged the vulnerabilities of the digital age to steal Western technology and, in so doing, leap-frog generations of R&D to become a world economic power. Not satisfied with their renaissance as an economic power, China leveraged massive government financial support […]

  • Huawei is Just the Tip of the Spear in Digital Aggression

    February 13, 2023

    In our last post we documented how Huawei technology, thanks to massive cross-subsidization from the Chinese government, was succeeding in deploying its telecommunications network around the world. That is a story that is fairly well known in Washington policy circles. However, Huawei is by no means the only technology threat China poses through its comprehensive […]

  • HUAWEI MAKES OFFERS YOU CAN’T REFUSE ADVANCING CHINA’S GOALS

    February 10, 2023

    China’s Digital Silk Road Strategy integrates technology, economics, and politics with the long-term goal of altering the post-World War II US-European world order. An assessment of China’s three wars strategy by the U.S. Department of Defense found that the CCP’s goals were to reclaim global status over the United States by weakening our alliances […]

  • CISA SAYS WE NEED A NEW CYBERSECURITY MODEL; THEY GOT THAT RIGHT!

    February 08, 2023

    Last week, Foreign Affairs magazine published an article written by CISA Director Jen Easterly and Asst. Director Eric Goldstein entitled “Why Companies Must Build Security into Products.” The central thesis of their article is we need a “new model” for cyber security because what we have been doing isn’t working. This is precisely the messaging […]

    | Link to Video Introduction

  • CISA’s Todt, in foreword to new book, cites need for industry incentives and strengthened partnerships

    January 31, 2023

    By Charlie Mitchell / January 31, 2023 CISA chief of staff Kiersten Todt provides the foreword to a new book on cybersecurity strategy by Internet Security Alliance leader Larry Clinton, saying a focus on economic incentives for industry cyber improvements is an essential part of a “a strong, actionable approach to industry/government collaboration.” “We need bold action […]


  • THE INTERNET SECURITY ALLIANCE (ISA)

    January 03, 2023

    ISA’s Mission is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board consists of cyber leaders (typically CISOs) from virtually every critical industry sector. Over 20 years ISA has created a comprehensive theory and practice for cybersecurity covering both enterprise risk management and government policy. ISA’s […]

  • As cyber attacks increase, here’s how CEOs can improve cyber resilience

    November 17, 2022

    Major Findings · The Cyber Risk Principles developed by the ISA, NACD and the World Economic Forum help drive cyber resilience across industries. · Simulation-aided research from MIT CAMS shows that commitment to and adoption of the Cyber Risk Principles significantly improves cyber resilience. · Results also show that commitment to these cyber risk principles […]

    | World Economic Forum, Centre for Cybersecurity

  • ISA PROPOSAL FOR A VIRTUAL CYBERSECURITY NATIONAL SERVICE ACADEMY

    July 18, 2022

    PREMISE ONE: CYBERSECURITY IS A NATIONAL DEFENSE IMPERATIVE Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in the 1950s, so, too, have recent events made it clear beyond doubt that cyberspace is now a unique domain […]

  • THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY, PART 2

    May 31, 2022

    EXECUTIVE SUMMARY In our last post we made the case for a national, virtual, cybersecurity academy. In this post we will discuss the key points of our proposal and in our next post we will discuss the advantages of our proposal which we suggest as the only practical way for the USA to quickly, comprehensively, sustainably, […]

  • THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY, PART 1: A NATIONAL DEFENSE IMPERATIVE

    We need to stop talking about the issue of cybersecurity workforce development. We need to properly frame the issue as an imperative for national defense digital mobilization. Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in […]

  • IT IS TIME FOR A NATIONAL CYBER SERVICES ACADEMY

    Our service academies – West Point, Annapolis, the Air Force and Merchant Marine Academies – are the ultimate public-private partnership. Government offers private citizens high quality education at no cost, and in return the graduates are obliged to provide three years of service to the government, and many stay on well past that obligation. The system has […]

  • GUEST BLOG: China’s Digital Strategy Threatens U.S. National Security & Diplomatic Partnerships

    August 31, 2021

    By Sarina Krantzler, ISA Research Associate This post is the first of two blogs concerning China’s Digital Strategy. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If […]

  • ISA’s Clinton weighs in on need for cyber funding in legislation expanding broadband service

    April 09, 2021

    Internet Security Alliance president Larry Clinton is adding his voice to those calling for including a robust cybersecurity program in upcoming infrastructure legislation expected to address expanded broadband access as well as services in other critical industries. “President Biden’s massive infrastructure proposal — dubbed infrastructure for the digital age — includes a wide variety of […]

    | Inside Cybersecurity April 9, 2021

  • 5,000 Practitioners Sign Up for ISA “Rethink Cyber” Campaign

    Four months ago, the 22 sponsors of the Internet Security Alliance (ISA) launched an online campaign suggesting the need for the United States to rethink our approach to securing our cyber infrastructure. The theme seems to have growing resonance with both policymakers and the general cybersecurity community.

  • Lawmakers moving on cyber incident-reporting bills; industry hopes to nudge discussion away from regulatory mandates

    March 23, 2021

    Members of Congress are moving toward a legislative push for mandatory cyber-incident reporting by critical infrastructure operators, while industry groups are beginning to shape their arguments against establishing such a regulatory requirement in response to the SolarWinds and Microsoft Exchange hacks. A source close to the House Homeland Security Committee told Inside Cybersecurity: “We’re in the […]

    | Inside Cybersecurity March 23, 2021

  • Assessing the Latest Draft Cybersecurity Executive Order

    May 06, 2017

    The latest draft version of the Trump administration’s cybersecurity executive order is similar to the previous version and lays out a plan to secure U.S. federal government and critical infrastructure IT that could have come out of the Barack Obama White House, including modernizing federal IT. “The fact that they are focusing on IT modernization […]

    | Bank Info Security

  • NIST work on framework update quietly proceeds amid hubbub over Trump cyber agenda

    May 01, 2017

    The National Institute of Standards and Technology is diligently reviewing the nearly 130 comments from industry and other groups on a draft update to the framework of cybersecurity standards, as it prepares an analysis of that input in advance of a highly anticipated public meeting this month. That meeting will likely set the course and […]

    | Inside Cybersecurity

  • Industry raises concerns with NIST approach to supply-chain risks in cyber framework update

    April 26, 2017

    Industry groups across sectors are raising concerns with various aspects of the National Institute of Standards and Technology’s approach to managing supply-chain risks in a proposed update to the voluntary framework of cybersecurity standards. Specifically, groups say the NIST plan fails to take into account the interconnectedness of vendor services and downplays the potential effect […]

    | Inside Cybersecurity

  • Congress returns, but the real cybersecurity action is taking place off the Hill

    April 24, 2017

    Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology’s campus in suburban Maryland. “On the congressional front, […]

    | Washington Examiner

  • Business lobby pushes back on NIST Framework measurement plans

    April 13, 2017

    Business lobbying groups are pushing back on plans by federal scientists to add third-party measurement of cybersecurity to a voluntary framework designed to help private companies improve their defenses against hackers, cybercriminals and online spies. A draft proposed revision of the National Institute of Standards and Technology’s Cybersecurity Framework, to be known as version 1.1, […]

    | Cyberscoop

  • Internet Security Alliance: Framework metrics would help businesses prioritize efforts

    April 12, 2017

    The Internet Security Alliance is calling for metrics that allow businesses to prioritize their cybersecurity efforts based on the National Institute of Standards and Technology cybersecurity framework, while stressing the need for NIST and other agencies to continue promoting the voluntary, public-private partnership approach to cybersecurity. The comments come in response to a request for […]

    | Inside Cybersecurity

  • Metrics abound, but who should be required to measure cyber effectiveness remains a key question

    March 13, 2017

    The government has suggested many ways to use metrics to measure the effectiveness of cybersecurity investments, but who should be using these measurement tools – and whether doing so should be required – remain open questions that will affect the scope and movement of these plans. Industry remains somewhat divided on the role of metrics, […]

    | Inside Cybersecurity

  • Latest Executive Order Draft Promotes Risk-Based Approach

    March 08, 2017

    The latest version of the draft of a cybersecurity executive order from the Donald Trump White House would direct the federal government to take a risk-based approach to IT security and hold cabinet secretaries and agency heads responsible for the security of their organizations’ IT assets. The draft executive order also would require federal agencies […]

    | Bank Info Security

  • House bill requiring cyber audits by NIST could overhaul agency’s role

    March 02, 2017

    Having the National Institute of Standards and Technology audit other federal agencies’ cybersecurity practices is not a matter of NIST “stepping up” its game, as House Science Chairman Lamar Smith (R-TX) said this week – rather it would be a matter of dramatically redefining NIST’s role and relationship with other federal entities. The Science panel’s […]

    | Inside Cybersecurity

  • Bill Seeks Metrics for NIST Cybersecurity Framework

    February 28, 2017

    Legislation calling on the National Institute of Standards and Technology to develop outcome metrics to demonstrate the effectiveness of the NIST Cybersecurity Framework is scheduled to be considered – and likely amended – at a markup session of the House Science, Space and Technology Committee on March 1. The measure, known as the NIST Cybersecurity […]

    | Bank Info Security

  • Cyber Risk Management Guidance for Corporate Directors

    February 24, 2017

    Cyber risk management is an increasingly important challenge for organizations of all kinds and sizes. Corporate directors have a legal responsibility to ensure that their corporations have appropriate cyber risk management policies and practices and are prepared to respond effectively to cyber incidents. Corporate directors can obtain helpful guidance from regulators, industry associations and other […]

    | Lexology

  • Five Principles for Stronger Board Oversight of Cybersecurity

    February 17, 2017

    One of the most important jobs of the board is to challenge management and test their assumptions about strategy, the competitive environment, and associated risks and opportunities. Many directors would say that they are most passionate about this part of their role, and in today’s business environment it has never been more critical. Cybersecurity is […]

    | Brink News

  • IT Security Employment Soars to Record High

    January 18, 2017

    The number of people employed in the United States as information security analysts reached a record high in 2016, according to uncirculated employment data provided by the U.S. Labor Department’s Bureau of Labor Statistics. Based on the same household survey used to determine the monthly unemployment rate, BLS reports that 89,000 individuals last year were […]

    | Gov Info Security

  • Updated cyber ‘handbook’ for business leaders examines changing legal, threat landscape

    January 13, 2017

    The updated “Cyber-Risk Oversight” handbook for corporate directors released Thursday examines new legal and regulatory requirements and challenges faced by business, as well as the evolving and growing threat of cyber attacks. “The legal and regulatory landscape with respect to cybersecurity, including required disclosures, privacy and data protection, information-sharing, infrastructure protection, and more, is complex […]

    | Inside Cybersecurity

  • Boards of directors, managers at center of cybersecurity handbook for industry

    January 12, 2017

    The server room might be an obvious choice for a starting point when it comes to protecting your company’s cyber networks, but the National Association of Corporate Directors says the best place to begin is in the board room. The newest edition of the NACD’s Cyber-Risk Oversight handbook, released Jan. 12, advises private sector managers […]

    | Federal News Radio

  • Why risk management is critical in cybersecurity

    If you’re a federal cyber official, the advice in a newly revised handbook on corporate cybersecurity might sound familiar. The new National Association of Corporate Directors’ cybersecurity handbook says cybersecurity is a risk management issue, not an IT matter. The language echoes what top federal agency IT managers and cybersecurity officials have been saying about […]

    | FCW

  • Former DHS head urges Trump to see economic dangers from cyberattacks

    January 10, 2017

    Last week’s U.S. intelligence report tracing Russia’s cyber-meddling with the 2016 presidential election is a timely reminder of the cybersecurity risks that the government and private companies face, said Tom Ridge, the nation’s first secretary of Homeland Security. “President-elect Trump is entering into a world fraught with hazards as never before,” Ridge said in a […]

    | CIO

  • SC Magazine – Editor’s Choice Award for Outstanding Leadership in Cyber Security

    October 19, 2016

    ISA RECEIVES NATIONAL AWARD FOR CYBER SECURITY LEADERSHIP – SC Magazine “Editor’s Choice Award for Outstanding Leadership in Cyber Security” at RSA Conference

  • Farms Big and Small Prime Targets for Cyber Attacks

    April 18, 2016

    Public News Service Reports: Officials from the FBI and the Justice Department held a roundtable recently at Iowa State University, emphasizing the seriousness of cyber attacks for a surprising target – the agriculture industry. It’s a subject familiar to Larry Clinton, president of Internet Security Alliance, an information security think tank. He says many of […]

    | Public News Service

  • Trump Leading The Democratic Candidate

    March 02, 2016

    PRESS RELEASE March 1, 2016 – Washington, DC TRUMP THE LEADING DEMOCRATIC CANDIDATE That’s democratic with a small d. The most under-reported story of Super Tuesday is certainly not that Donald Trump has seized hold of the GOP nominating process or the Party’s internal revolt — that story has been beaten to death. It is […]

  • Leading Figures in Cybersecurity and Privacy Advocate for an End to the War Between Privacy and Security

    February 22, 2016

    PR Newswire Reports: The ‘Digital Equilibrium Project’ works to bring differing views together in pursuit of a digital constitution to support a safer world for individuals, organizations and nations.  Cybersecurity, government and privacy experts are banding together as part of The ‘Digital Equilibrium Project’ to foster a new, productive dialogue on balancing security and privacy […]

    | PR Newswire

  • Obama Creating Federal CISO Post

    February 09, 2016

    Bank Info Security Reports:  President Obama is creating the position of federal chief information security officer as part of a multifaceted initiative aimed at strengthening the nation’s IT security. Related steps include the formation of a public-private Commission on Enhancing National Cybersecurity, as well as a proposal to boost government cybersecurity spending next fiscal year […]

    | Bank Info Security

  • Cybersecurity underfunded, industry tells Congress

    January 12, 2016

    GCN Reports:  Agency IT managers who believe they do not have the resources to adequately fight cybersecurity threats got some backing from industry experts who voiced the same concerns to Congress.  At a Jan. 8 hearing held by two subcommittees of the House Science, Space and Technology Committee, Larry Clinton, president and CEO of the […]

    | GCN

  • Schooling Uncle Sam

    January 08, 2016

    Politico Reports:  Here’s the cybersecurity three-step the federal government should be doing: Spend more on cyber, implement tougher cybersecurity policies and demand that senior officials pay more attention to the issue. Those are the first three of 10 recommendations Larry Clinton, president of the Internet Security Alliance, an industry group, plans to share with two […]

    | Politico

  • America is losing the ‘Cyber Arms Race’

    The Daily Caller Reports: The federal government is falling behind in a “cyber arms race,” putting millions of taxpayers’ personal information at risk, digital security experts told a joint hearing of two congressional subcommittees Friday. Hackers ranging from hacktivists to state-sponsored attackers will continue threatening the federal government’s digital networks to steal personal information and state […]

    | The Daily Caller

  • Congress Set to Enact Cyberthreat Information-Sharing Law

    December 17, 2015

    GovInfoSecurity Reports: After years of failing to enact cyberthreat information-sharing legislation, Congress is poised to vote on a measure this week that would incentivize businesses to voluntarily share threat data with the federal government and with one another. The legislation, added to a 2,009-page omnibus $1.1 trillion spending bill, also would establish a process for […]

    | GovInfoSecurity

  • Internet Security Alliance president outlines cyber partnership best practices

    December 10, 2015

    Inside Cybersecurity Reports: A new study by Internet Security Alliance president Larry Clinton outlines 10 best practices for government-industry partnerships on cybersecurity, ISA announced Wednesday. The new study highlights work from a research program led by Clinton and the Department of Homeland Security and lays out best practices endorsed by the Partnership for Critical Infrastructure […]

    | Inside Cybersecurity

  • Industry wary of power grab by feds on cybersecurity

    December 07, 2015

    Washington Examiner Reports: The National Institute of Standards and Technology is launching a new initiative designed to energize industry-led efforts on cybersecurity amid concerns that federal and state regulators are increasingly eager to put their stamp on the issue. NIST, the highly esteemed agency headquartered in Gaithersburg, Md., is releasing a “request for information” about […]

    | Washington Examiner

  • Prospect of regulation hovers over cyber policy landscape

    SC Magazine Reports: As 2015 nears an end, the industry-led, standards-driven strategy on cybersecurity remains a potent policy force, while signs – and fears – of a more prescriptive regulatory approach pop up across the cyber landscape. The National Institute of Standards and Technology is pursuing ways of keeping the voluntary approach vibrant and viable, […]

    | SC Magazine

  • NIST process could help address cyber reg concerns in finance sector

    December 03, 2015

    Inside Cybersecurity Reports: Financial sector representatives are looking to an upcoming “request for information” on the federal framework of cybersecurity standards as a way to revitalize the voluntary, industry-led approach to cyber – and to head off conflicting regulatory moves. The National Institute of Standards and Technology is expected in the coming days to release […]

    | Inside Cybersecurity

  • ISA’s Clinton: Failure to implement executive order spurs regulatory push

    December 02, 2015

    Inside Cybersecurity Reports: Incomplete efforts to implement President Obama’s “visionary” 2013 executive order on cybersecurity have created a policy vacuum that some federal and state officials are moving to fill with regulations, according to Internet Security Alliance president Larry Clinton. Representatives from 27 industry groups attended a meeting on Monday with officials from the National […]

    | Inside Cybersecurity

  • Cyber security bill passes Senate muster

    November 18, 2015

    BusinessInsurance.com Reports: Passage of long-awaited cyber security legislation will be a limited but still-useful tool that encourages businesses and the government to share data by providing liability protection. However, experts are divided on the legislation’s ultimate effect on rates for cyber insurance. In a 74-21 vote in late October, the U.S. Senate approved The Cybersecurity […]

    | BusinessInsurance.com

  • DHS insurance report could inform development of cyber info-sharing standards

    October 08, 2015

    Inside Cybersecurity Reports: A federal report that proposes hacked companies share specific kinds of cyber incident data in a private-sector repository to help expand the nascent insurance market is drawing early praise from industry stakeholders tracking the development of cybersecurity information-sharing standards. The assessment – produced by a Department of Homeland Security advisory panel and […]

    | Inside Cybersecurity

  • Appetites for more: Government actions

    October 01, 2015

    SC Magazine Reports: Appetites for more: Government actions (10.1.2015) Cybersecurity is a technical challenge. But it also usually has a legal and regulatory aspect as well. Obviously, there is the legal framework under which organizations operate and under which cybercrimes are defined and, sometimes, prosecuted. Then, of course, there are the complex interactions between government […]

  • Appliance takeover?: Internet of Things

    SC Magazine Reports: Had the recently departed filmmaker Wes Craven lived just a few years longer, the Internet of Things (IoT) might have provided him with the perfect fodder for one of his horror classics. After all, it has all the potential to be the stuff that nightmares – or an episode of Phineas […]

    | SC Magazine Reports

  • DHS selection for info-share standards role praised, questioned

    September 04, 2015

    Inside Cybersecurity Reports: The Department of Homeland Security is earning praise for its decision to select a university as the standards-setting body for new cyber information-sharing entities, as some stakeholders say the function can best be delivered in a research and academic setting. But other stakeholders from industry groups and the info-sharing community said they […]

    | Inside Cybersecurity

  • DHS nears pivotal decision on standards body for new info-sharing entities

    August 10, 2015

    Inside Cybersecurity Reports: President Obama’s push to broaden the sharing of cyber threat data both within the private sector and between government and industry by urging companies and industries to establish new cybersecurity information-sharing hubs will soon reach a pivotal decision point when the Department of Homeland Security awards a key federal grant….

    | Inside Cybersecurity

  • DHS Workshop Marks Key Phase of Obama’s Cyber Information Sharing Push

    July 27, 2015

    Inside Cybersecurity Reports: The Department of Homeland Security will convene a workshop in Silicon Valley this week to make headway on implementing President Obama’s executive order on improving the exchange of cyber threat data between government and industry, an effort that faces significant obstacles but has captured the interest of key private-sector stakeholders. The July […]

    | Inside Cybersecurity

  • ISA’s Clinton on List Of 100 Most Influential In Corporate Governance

    July 21, 2015

    Dark Reading Reports: The Internet Security Alliance (ISA) is proud to announce that its President and CEO, Larry Clinton, has been named to the “Corporate 100” which identifies the nation’s 100 most influential people in the field of corporate governance. Joining Clinton on the list are a wide range of luminaries including the 5 current […]

    | Dark Reading

  • Evolving Threat Landscape Demands Executives Understand Cyber Risk

    July 03, 2015

    Today.US Reports: In the wake of a number of recent high-profile, damaging cyberattacks—including the recent breach of the Office of Personnel Management, which compromised the sensitive information of millions of federal employees—executives and board members are gradually becoming aware of today’s cyber threats and the potentially devastating impact these can have on their organizations. However, […]

    | Today.US

  • Concerns over cyber security reach corporate boardrooms of Michigan manufacturers

    June 21, 2015

    MiBiz Reports: Manufacturing executives in West Michigan and nationwide worry that their computer networks could fall victim to security breaches similar to those that have plagued the retail sector in recent months. As industry extends its global reach and has come to rely more on digital data, cyber criminals have likewise become more innovative, adopting […]

    | MiBiz

  • ISA Featured on PBS, FOX Business, NYT, WSJ, CBS, CNN International, MSNBC, C-SPAN, CNBC & Other Media Outlets

    June 12, 2014

    As the issue of cyber security grows increasingly more salient, ISA has been featured in a number of high-profile print and television appearances over the past several years. Topics of discussion have ranged from hot-button issues of the day to long-standing policy implications. Some of these media appearances include USA Today, the PBS News […]

  • Bill Would Have Businesses Foot Cost of Cyberwar

    May 08, 2012

    By Tom Gjelten (National Public Radio (NPR) – Morning Edition) Business executives and national security leaders are of one mind over the need to improve the security of the computers that control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure. But they divide over the question of […]

  • Mitigating PHI Danger In The Cloud

    May 02, 2012

    By Rick Kam For all of its benefits, cloud computing poses very real dangers to covered entities responsible for safeguarding protected health information (PHI). The cloud model, which the IT industry has been embracing for its up-front cost savings and efficiencies for years now, is more recently being recognized by the healthcare realm for its potential […]

  • Cybersecurity Bill Passes, Obama Threatens Veto

    April 27, 2012

    The Cyber Intelligence Sharing and Protection Act, which has been revised several times over the past week, allows the government and private companies to share information with one another with the aim of warding off cyber threats.

    | CNN

  • Cybersecurity Bill Passes, Obama Threatens Veto

    By David Goldman (CNN) NEW YORK (CNNMoney) — The House of Representatives, as expected, approved a controversial cybersecurity bill late Thursday, staring down a veto threat. But the fight to protect the United States from a cataclysmic cyber attack is far from over. The Cyber Intelligence Sharing and Protection Act, which has been revised several times over the past week, […]

  • Group Calls For Public-Private Alliance To Protect Cyberspace

    April 17, 2012

    By Andrew Feinberg (The Hill) As Congress turns its focus to cybersecurity matters, 26 major business and trade associations are seeking to remind lawmakers that cyberspace is “a bulwark of the global economy.” The group sent a letter Tuesday to House Speaker John Boehner (R-Ohio) and Minority Leader Nancy Pelosi (D-Calif.) urging action to protect “the […]

  • Militarisation of cyberspace: how the global power struggle moved online

    April 16, 2012

    Rise of cyber-attacks on critical infrastructure on both sides of Atlantic calls for creation of cyberweapons and new rules for use

    | The Guardian

  • MILITARISATION OF CYBERSPACE: How The Global Power Struggle Moved Online

    Rise of cyber-attacks on critical infrastructure on both sides of Atlantic calls for creation of cyberweapons and new rules for use By Nick Hopkins (The Guardian) Jonathan Millican is a first-year university student from Harrogate in North Yorkshire. He says he doesn’t think of himself as a “stereotypical geek”, but having been crowned champion in […]

  • Data Breaches Of Small Business, Including Doctor Offices, On The Rise

    April 05, 2012

    A report says cyber criminals are seeking what they consider easy targets. By Pamela Lewis Dolan Small organizations, including physician practices, represented the largest number of data breaches in 2011, according to Verizon’s annual Data Breach Investigations Report. The report examined 855 breaches across the globe that accounted for 174 million compromised records in 2011. […]

  • Debriefing The PHI Report: Determining The True Cost Of A Data Breach

    March 23, 2012

    DEBRIEFING THE PHI REPORT: DETERMINING THE TRUE COST OF A DATA BREACH By Jenny Laurello This week I had the chance to listen to a webinar highlighting the recently released report on The Financial Impact of Breached Protected Health Information. Released on March 5, the “PHI Report” has already been downloaded by more than 1,700 users, with its goal being […]

  • March 21 Free Webinar to Highlight Finding From The Financial Impact of Breached Protected Health Information

    March 21, 2012

    NEW YORK — On Wednesday, March 21, 2012, at 2:00 p.m. ET, the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) will host a free webinar to help health care organizations assess security risks and help them build a business case to better […]

  • Cybersecurity Bill Faces Uncertain Future In Fight Over Regulation

    March 19, 2012

    By Gerry Smith (Huffington Post) WASHINGTON — It is a scenario that many officials in Washington say keeps them awake at night: a cyberattack against critical infrastructure. Many lawmakers believe the nation’s vital computer networks are vulnerable to such an event, which they say could lead to the collapse of the banking system, sustained blackouts or […]

  • BlueCross BlueShield of Tennessee Fined $1.5 Million

    By Integracon The Department of Health and Human Services is fining BlueCross BlueShield of Tennessee $1.5 million for the 2009 loss of 57 hard drives that contained unencrypted protected health information (PHI). In addition to the fine, the agency must submit to a 450-day corrective action plan.[1] In 2009, 57 hard drives were stolen from […]

  • New Report Highlights The Costs of Document Security Breaches for Healthcare Providers

    The American National Standards Institute has released a report emphasizing the business incentives for healthcare providers to improve their IT security, and the potential costs of failures to increase security protocols. The report notes that the healthcare industry’s move toward fully adopting electronic health records increases the opportunities for protected health information (PHI) to be […]

  • Healthcare Security Pros Need To Speak The Language Of Finance

    Experts say PHI protectors can’t pay for data protection because they don’t know how to make the business case for it. As the number of healthcare data breaches continues to snowball, executives put in charge of safeguarding protected health information (PHI) can’t keep up with the risks inherent with increased deployment of electronic health records […]

  • ANSI Releases Business Case For Safeguarding PHI Data

    March 16, 2012

    The American National Standards Institute (ANSI) has released a report on protected health information (PHI) security, namely, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, which offers a novel means of evaluating PHI at risk. The report would enable healthcare providers to conceive a business case for the investment […]

  • Nobody Cares About HIPAA

    March 15, 2012

    Compliance in many organizations is seen as only a costly inconvenience By Glenn S. Phillips Sometimes clarity comes out of the blue, including clarity about compliance issues. Recently I was meeting with friend and business associate Ben Drake. His company works with networking and data protection technology for a number of businesses. I mentioned how some organizations […]

  • FREE WEBINAR: How To Calculate The Cost Of A Data Breach And What To Do About It

    March 14, 2012

    Clearwater Compliance, a prominent HIPAA-HITECH compliance consultancy and software provider, announced today another upcoming free webinar entitled “How to Calculate the Cost of a Data Breach and What to Do About It.” Based on the new report recently published by ANSI and co-sponsored by Clearwater entitled “The Financial Impact of Breached Protected Health Information: A […]

  • 5 Things CIOs Need To Know About Funding The Protections Of PHI

    By Michelle McNickle With groups recently banding together to demand a tightening of security for protected health information, looking at the financial side of a breach has been put front and center. But according to Rick Kam, president and cofounder of ID Experts, there’s an aspect of protecting PHI that’s “not getting picked up,” and is […]

  • Data Theft Costs Tennessee Blue Cross Big Bucks

    Blue Cross Blue Shield of Tennessee agrees to pay $1.5 million to settle case involving theft of 57 unencrypted hard drives that contained protected health information. By Nicole Lewis Blue Cross Blue Shield of Tennessee (BCBST) will have to fork over $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential […]

  • How To Calculate The Cost Of A Hospital Data Breach

    March 13, 2012

    By Ron Shinkman Although hospital operators know that a data breach can lead to significant consequences–lawsuits, loss of business and reputation–a new report by the American National Standards Institute (ANSI) can help them place a specific price tag on such mishaps. The report released last week includes a section on what it refers to as “PHIve”–a five-step process […]

  • 5 Best Practices for HIPAA Security

    March 12, 2012

    By Michelle McNickle The risk of protected health information being breached has grown dramatically within the past few years, and to combat the threat, the HIPAA Security Rule was created to provide organizations with administrative, physical, and technical guidelines to safeguard their electronic PHI. “The guidelines underscore a higher goal of the HIPAA Security Rule: helping […]

  • The Benefits And Limitations of Cyberinsurance

    March 09, 2012

    By Risk Management Magazine The Information Age. The Digital Age. The Computer Age. Whichever name you use, we’re in an era where many companies’ most valuable asset is information, from consumer buying habits to patient diagnoses to scientific data. At the same time, this asset also comes with a burden: companies are responsible for safeguarding the […]

  • OCR “Chomping On The Bit” To Audit Business Associates For HIPAA Hi-Tech Compliance

    By Jack Anderson CEO Compliance Helper Here is a quote from Rebecca Herold, CIPP, CISSP, CISM, FLMI, in the February 2010 edition of Compliance Today: “CEs are now accountable for more active validation of BA security and privacy program compliance, beyond just having a BA contract in place. It is more important than ever for […]

  • Data Breaches Put Patients At Risk For Identity Theft

    DATA BREACHES PUT PATIENTS AT RISK FOR IDENTITY THEFT By: Robin Erb DETROIT – Walk into a doctor’s office and chances are that some of your most private information — from your Social Security number to the details of your last cervical exam and your family’s cancer history — is stored electronically. Your doctor might […]

  • New ANSI Report Calls For Enhanced Security To Safeguard Protected Health Information

    Report is a call to action for healthcare to invest more to protect patient information To view the original article please click here. By Don Bailey Washington, DC, March 5, 2012: With the release today of The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, health care organizations now have […]

  • OR: Portland Psychiatrist Alerting Patients Personal Information Stolen

    By Dissent Nick Budnick reports: A Northwest Portland psychiatrist is putting out public notice that personal information of 480 current and former patients on a laptop was stolen from his office. A burglar broke into Dr. David Turner’s office last October, stealing the laptop and other items. Turner is now seeking current and former patients to […]

  • New Report Calls For Enhanced Security To Safeguard Protected Health Insurance

    By Steve Campbell With the release of the recent The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, health care organizations now have a new method to evaluate the “at risk” value of protected health information (PHI) that will enable them to make a business case for appropriate investments to better […]

  • Report Offers PHI Security Guidance, Metrics for Breach Cost Analysis

    March 08, 2012

    To view the original article please click here. By Brian Eastwood Since 2009, the number of Americans affected by data breaches caused by lax protection of health information (PHI) security stands at more than 19 million — roughly the population of the state of Florida.

  • Financial Impact Of Breached Protected Health Information Report Helps IT Pros Make The Business Case For Patient Data Protection

    By Ericka Chickowski As the number of healthcare data breaches continues to snowball, executives put in charge of safeguarding protected health information (PHI) can’t keep up with the risks inherent with increased deployment of electronic health records (EHRs) without enough financial backing to get the job done. And the only way that these PHI protectors can […]

  • PHI Project Release Report About Health Care Data Security

    PHI PROJECT RELEASE REPORT ABOUT HEALTH CARE DATA SECURITY On Monday, the PHI Project released a report about the state of data security within health care organizations titled, “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security.” Key findings: Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, […]

  • Security Experts At A Loss For Words

    March 07, 2012

    By Abraham To view the original article please click here. No it is not your imagination. Security breaches are on the rise, particularly in healthcare. This is due to the fact that modern techniques are making more healthcare records available in electronic format. While this does wonders for efficiency and potentially more accurate diagnosis and faster treatment […]

  • ANSI Publishes Report On Security Breaches

    By AuntMinnie.com Staff Writers The Identity Theft Prevention and Identity Management Standards Panel of the American National Standards Institute (ANSI) has published a 67-page report about the need for healthcare organizations to protect patient information from data breaches. The “Financial Impact of Breached Health Information” discusses the financial, legal, operational, clinical, and other repercussions of […]

  • Healthcare Security Pros Need To Speak The Language of Finance

    Experts say PHI protectors can’t pay for data protection because they don’t know how to make the business case for it By Ericka Chickowski, Contributing Writer, Dark Reading As the number of healthcare data breaches continues to snowball, executives put in charge of safeguarding protected health information (PHI) can’t keep up with the risks inherent […]

  • Rallying Support For Security Investments

    New Method for Quantifying Breach Costs, Justifying Spending By Howard Anderson Because winning the support of CEOs for any new project requires demonstrating a return on investment, information security professionals need to more precisely quantify the potential payoff of their suggested spending on technologies and training, according to a new report. Security specialists need help “putting […]

  • Healthcare Industry CIOs, CSOs Must Improve Security

    March 06, 2012

    By Thor Olavsrud Given that stolen medical records can bring $50 apiece on the underground market, the frequency and magnitude of data breaches involving electronic health records is increasing. In an effort to help CIOs and CSOs build a better business case for enhancing security, a group of standards and security organizations have issued a new […]

  • ANSI: Know The Impact Of A Breach Before It Occurs

    To view the original article please click here. As adoption rates rise, health IT makes protected health information (PHI) available to more organizations and entities, increasing the likelihood of data being improperly disclosed, lost or stolen. Despite the risks and costs of a potential data breach, many healthcare executives aren’t doing enough to support their organizations’ […]

  • REPORT: Securing Protected Health Information ‘Not Always A Top Priority’

    By Renee Boucher Ferguson A comprehensive new report released this week outlines the fragile state of patient information security, offering up a five-step methodology to help healthcare CIOs and CEOs determine the right level of investment in technology, processes and policy to better protect patient information. In the report, three organizations–the American National Standards Institute (ANSI), The Santa […]

  • New Report Calls For Enhanced Security To Safeguard Protected Health Information

    5-Step Method Provides Health Care Organizations with Tool to Estimate the Overall Potential Costs of a Data Breach To view the original article please click here. ANSI, The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance to Host Congressional Briefing Today; White House Cybersecurity Coordinator Howard Schmidt to Speak at Press Conference […]

  • Tightened Cyber Security Required For Digital Healthcare Adoption

    By Kris The U.S. government is encouraging healthcare organisations to utilise electronic healthcare records. However this will mean much more is required to be spent on Cyber Security. As “no organisation can afford to ignore the potential consequences of a data breach,” according to the American National Standards Institute. To view the original article please click here. […]


  • VERIZON: Outside Threats Dominate Data Breaches

    By: Simply Security Outside attacks were most responsible for data breaches in 2011. To view the original article please click here. Verizon Business recently released some of the results of its 2012 Data Breach Investigations Report, which took into account around 90 of the 855 global breaches the company tracked last year. Among the most glaring results […]

  • Quantifying The Financial Risk Of Privacy Breach

    March 05, 2012

    How much should a company handling Protected Health Information (PHI)[1] spend to protect itself from a data breach? Businesses typically use quantitative methods such as Net Present Value, Internal Rate of Return and Payback Period to make investment decisions. But investments to prevent breaches of PHI have until now relied on compliance arguments and subjective judgments. […]

  • Standards Body Releases E-Health Hack Calculator

    By Aliya Sternstein Faced with the reality that health care data breach legislation is unlikely to emerge, the American National Standards Institute on Monday set forth a financial reason for providers to protect their patients’ online privacy. To view the original article please click here. The cost of patient data losses during the past year ranged between […]

  • Study Blames Digital Health Data Breaches on Lack of Funding, Support

    By Chris Strohm WASHINGTON — Insufficient funding and lack of executive support are mainly responsible for security breaches involving patients’ electronic health records, a study found. Executives at health-care companies and providers must improve cost assessments to include payments from class-action lawsuits, said the report released Monday by the nonprofit American National Standards Institute. Its members […]

  • 5 Steps To Estimate Potential Costs Of A Data Breach

    By Kathleen Roney The American National Standards Institute, The Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance have announced a collaborative report which provides information for healthcare organizations to better understand and limit data breach risks and liabilities. To view the original article please click here. According to the report, healthcare organizations […]

  • Report Urges Health Care To Assess Financial Impact Of Data Breaches

    By Brian T. Horowitz As the Obama administration provides incentives for meaningful use of electronic health records (EHRs), efforts by the health care industry to secure patient data, or protected health information (PHI), have lagged behind, according to a new report by the PHI Project, an initiative of 100 health care leaders, including providers and insurance companies, as well […]

  • New Alliance Makes Case For Tighter Reins On Health Info

    Bernie Monegain, Editor To view the original article please click here. WASHINGTON – Several healthcare groups have joined together to demand a tightening of security for protected health information. And they’re making a financial case for it. With the release of “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” healthcare organizations […]

  • Health Organization Lagging In Ensuring Data Privacy, Security

    To view the original article please click here. Many health care organizations lack sufficient resources to adopt strong privacy and security protections for patient data, according to a report by a coalition of health care and data security groups, Modern Healthcare reports (Conn, Modern Healthcare, 3/5). About the Report: The coalition includes the American National Standards Institute; Internet Security Alliance; and Santa Fe […]

  • Formula Helps Health-Care Industry Estimate Cost Of A Data Breach

    Puget Sound Business Journal by Emily Parkhurst, Staff Writer In an effort to encourage executives of health care companies to take the threat of cybersecurity breaches seriously, President Barack Obama’s Cybersecurity Coordinator Howard Schmidt on Monday announced a way for companies to evaluate the financial risk of data breach. “When it comes to cybersecurity, we […]

  • Protect Health Data, Report Urges

    By John Pulley March 5, 2012 The time and money spent protecting personal health information from data breaches are well worth the investment, contends a new industry security report. The 67-page report, “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” includes a five-step method that health care organizations can use […]

  • A New Report Examines The Financial Impact of Breaches Of Protected Health Information

    AND WAYS TO DEVELOP A BUSINESS CASE FOR ENHANCED PROTECTION OF THE INFORMATION. The free report is a collaborative effort of the American National Standards Institute, consultancy The Santa Fe Group, and the Internet Security Alliance, with input from more than 100 members of 70 organizations. The report offers up “PHIve,” a five-step method to […]

  • 5 Steps To Assess Health Data Breach Risks

    New report delves into the threats healthcare providers face for potential patient data breaches, and provides steps and tools to help assess those risks. By Marianne Kolbasuk McGee March 05, 2012 04:23 PM A new report outlines the financial costs of breaches of protected health data–and offers a five-step method for healthcare providers of any size […]

  • PHI PROJECT: Don’t Ignore Breach Consequences

    March 05, 2012 | Bernie Monegain, Contributing Editor Several healthcare groups have joined together to demand a tightening of security for protected health information. And they’re making a financial case for it. With the release of “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” healthcare organizations now have a new […]

  • 7 Keys To Understanding The Financial Impact Of Breached PHI

    March 05, 2012 | Michelle McNickle, New Media Producer To view the original article please click here. The recently released report, “The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security,” highlights the need for organizations to adopt a new method to evaluate the value of PHI, said the leaders of […]

  • Digital Health Data At Risk From Manager Support, Study Finds

    March 04, 2012

    By Chris Strohm – Mar 5, 2012 12:01 AM ET Insufficient funding and lack of executive support are mainly responsible for security breaches involving patients’ electronic health records, a study found. To view the original article please click here. Executives at health-care companies and providers must improve cost assessments to include payments from class-action lawsuits, said the […]

  • ANSI To Release Health Info Security Report

    February 29, 2012

    A March 5 news conference to unveil it will include Howard A. Schmidt, the White House cybersecurity coordinator, and Joe Bhatia, president and CEO of the American National Standards Institute. To view the original article please click here. Feb 29, 2012 Following the release of the new White House “Consumer Privacy Bill of Rights,” described as […]

  • Tax Breaks Considered To Improve Cybersecurity on Vital Networks

    February 14, 2012

    By Chris Strohm (Bloomberg) To view the original article please click here. Feb. 8 (Bloomberg) — Tax breaks and liability protection may spur banking, energy and telecommunication companies to improve cybersecurity on their computer networks, the chairman of a House technology panel said. Representative Greg Walden, an Oregon Republican, said today he will consider taking up […]

  • ANALYSIS: Government Must ‘Modernize’ Cyber Defense

    February 10, 2012

    By Jack Moore (Federal News Radio) Even as the House and Senate debate various proposals for cybersecurity legislation, the cyber environment is rapidly changing, one expert says. To view the original article please click here. Larry Clinton, the president of the Internet Security Alliance, testified before the House Energy and Commerce subcommittee Wednesday on the evolving cyber threat and […]

  • Feds Should Provide Industry With Cybersecurity Data And Incentives, Experts Testify

    February 09, 2012

    (Info Security) The US communications industry needs better information sharing, tax breaks, and liability protection from the federal government to improve cybersecurity, experts told a House panel on Wednesday. Entrust president and CEO Bill Conner highlighted the importance of public-private partnerships to share intelligence and inform the public. “The federal government needs to work more closely with […]

  • Experts Disagree On Focus Of Cybersecurity Legislation

    By Molly Bernhart Walker (FierceIT) Cybersecurity legislation is needed, agreed the panelists speaking Feb. 8 before the House Energy and Commerce subcommittee on communications and technology–but what that legislation should look like was a far more divisive issue. While the telecommunications industry is doing a good job of securing its infrastructure, other sectors need regulations […]

  • Security Experts Ask House For Light Regulatory Touch

    Technology industry representatives — looking to prevent an additional set of compliance requirements — urge House subcommittee to avoid new cybersecurity regulations to shore up the nation’s digital defenses. By Kenneth Corbin (CIO) WASHINGTON — Cybersecurity experts on Wednesday warned members of a House subcommittee against racing to legislation that would establish an overly burdensome […]

  • Cyber Regulation Lost In A Time Machine

    Jettisoning Old Ideas about Securing Vital IT Networks By Eric Chabrow (Gov Info Security) The concept of time supported contrary views on the need for more stringent government regulations to protect the nation’s critical information infrastructure. For Larry Clinton, chief executive of the industry lobbying group Internet Security Alliance, regulation is so last century and other factors […]

  • Entrust President and CEO Outlines Cybersecurity Dangers

    February 08, 2012

    CONNER SPEAKS DURING CONGRESSIONAL SUBCOMMITTEE HEARING Entrust executive provides insight into cybersecurity attacks targeting vulnerable small businesses, enterprises via the Internet DALLAS, Feb. 8, 2012 /PRNewswire/ — Entrust Inc. President and CEO Bill Conner was invited as an expert speaker to the U.S. Subcommittee on Communications and Technology’s cybersecurity hearing in Washington D.C. Wednesday. The invitation to participate in the hearing, […]

  • THE CIRCUIT: Amazon and Viacom Strike A Deal

    CYBERSECURITY HEARING, SPRINT EARNINGS By Hayley Tsukayama (The Washington Post) Amazon and Viacom: Amazon and Viacom announced Wednesday that they had entered into a rights agreement that will bring content from MTV, Nickelodeon, Comedy Central, TV Land and VH1 into Amazon’s streaming video catalog. The deal, announced Wednesday by Amazon, will add about 2,000 titles to […]

  • House Subcom Serious About Cybersecurity

    Experts Say Threat is Growing, as Roles of MSOs, Other ISPs in Battling Attacks By Mike Reynolds (Multichannel) The concerns of House Democrats and Republicans about cybersecurity were made clear in a Hill hearing Wednesday unusually free of the partisan divides that often surface in hearings in the House Communications Subcommittee. During the hearing on “Cybersecurity: […]

  • Legal, Policy Frameworks Can Hamper Cybersecurity

    By William Jackson (GCN) Tools are available to counter many of the threats to today’s digital infrastructure, but a legal and policy framework created for an analog world often hampers their implementation, a panel of industry representatives told a House panel. There was some disagreement among the panelists testifying Feb. 8 before subcommittee of the […]

  • Cybersecurity Experts: Major Telecom Providers Are Secure

    By Gautham Nagesh (The Hill) The major telecom providers have done a good job securing their networks and don’t require further regulation by the government, experts testified Wednesday. James Lewis, the director of the Center for Strategic and International Studies, said telecom companies have addressed cybersecurity on a level that other sectors have not. “The […]

  • OVERNIGHT TECH: Telecom Subpanel Tackles Cybersecurity

    February 07, 2012

    By Brendan Sasso and Gautham Nagesh THE LEDE: The House Energy and Commerce telecom subpanel will hold a hearing Wednesday morning on the cybersecurity threat to the nation’s communications networks. The House has recently begun to move on cybersecurity legislation that would enhance information sharing between the government and private sector about cybersecurity threats and […]

  • SaaS, APTs And Asymmetric Risk In The Spotlight As Security Threats

    February 03, 2012

    By Bernard Golden (CIO-IN) I had the opportunity to speak at a new security conference last week, Security Threats 2012. I presented on the topic of balancing business benefits with risks in the cloud (more on that later), but the event touched on a wide range of pertinent IT topics, provoking stimulating discussions of some […]

  • Senate Cyber Legislation Facing Industry Resistance Over Cost

    January 31, 2012

    By Eric Engleman and Chris Strohm Jan. 31 (Bloomberg) — A Senate measure aimed at compelling operators of vital U.S. utility and other networks to strengthen cybersecurity drew resistance from some business groups concerned that the bill would raise companies’ costs. Responses to draft versions of the legislation have included “hard pushback” from trade groups […]

  • Security Software Program Essentials

    December 11, 2011

    COMPUTER INTERNET SECURITY SOFTWARE PROGRAM By Ona (Apollomozi) Using your laptop and a reliable Internet connection could be the best combination for an ideal enterprise opportunity. You don’t want to increase too much capital for your enterprise venture. With just a reliable Internet connection and laptop system (which, due to vast availability and utilization, change into […]

  • Internet Security Alliance Gathers At NAM

    December 07, 2011

    By Matthew Lavoie (Shopfloor) Chairman of the House Intelligence Committee Mike Rogers (R-MI) stopped by the NAM headquarters today to address the board of the Internet Security Alliance. He shared the details of H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011, a bill he sponsored with Ranking Member Dutch Ruppersberger (D-MD) that was […]

  • Internet Security Alliance Endorses Cyber Security Legislation

    November 18, 2011

    By Anthony Freed (InfoSec Island) To view the original article please click here. Internet Security Alliance President Larry Clinton praised the new direction on cyber security legislation that was signaled in a pair of new letters from Senate Majority Leader Harry Reid (D-NV) and 4 key Senate Republican leaders. “I note with great enthusiasm Majority Leader […]

  • RSA: Internet Security Alliance President Larry Clinton

    July 02, 2011

    By Anthony Freed (InfoSec Island) Larry Clinton is President and CEO of the Internet Security Alliance (ISA). Infosec Island provides ISA members with additional news and information links via their daily email updates. ISA is a multi-sector industry group created by the former Chairman of the U.S. House Committee on Intelligence and Carnegie Mellon University. […]

  • Trade, Civil Liberties Groups Urge Cybersecurity Incentives

    March 09, 2011

    Grant Gross (IDG News), PC World, 03/09/2011 To view the original article please click here. The U.S. government should look to incentives as a way to encourage businesses to adopt better cybersecurity practices, instead of creating mandates, recommends a new paper from four trade groups and a civil liberties group. Although some cybersecurity experts have […]

  • Industry Groups Push For Security Incentives, Not Laws

    Angela Moscaritolo, DC Magazine, 03/09/2011 Instead of imposing additional security regulations, the U.S. government must work with the private sector to develop incentives that motivate companies to voluntarily adopt security best practices, a coalition of industry associations and civil liberties groups recommended in a white paper released Tuesday. The paper, crafted by members of the […]

  • ADVANCED PERSISTENT THREAT: Industrial Strength Hacking

    February 08, 2011

    Expert Voices Thought Leader: Sounil Yu By Sounil Yu (Booz Allen Hamilton) Why did you choose Booz Allen? Actually, Booz Allen chose me via the employee referral program. But I knew Booz Allen was a prestigious firm, so I was pleased to have been chosen. My old company was an accounting organization that offered consulting, […]

  • ARTICLE 12/9/10

    December 09, 2010

    To view the original article please click here. PRO-WIKILEAKS CYBERATTACKS SHOW GROWING THREAT By Oren Dorell and Jack Gillum (USA TODAY) A cyberattack by supporters of WikiLeaks against the MasterCard and Visa websites foreshadows a new generation of increasingly dangerous assaults on the Internet, security experts say. “This will serve to inspire other bad guys,” said Rob Rachwald of […]



Audio and Radio Appearances:

    THOUGHTS ON SECURITY BY DESIGN/DEFAULT FOR WORLD ECONOMIC FORUM 

    Posted on November 20, 2023 at 8:05 am

    Larry Clinton’s opening statement Last week I was honored to attend the World Economic Forum’s annual cybersecurity conference and lead a session on the demystification of the economics of secure by design/default (watch the introduction above). I want to thank, and congratulate, the Forum for creating this session. This topic lies at the very essence of […]


    WHITE HOUSE SHOULD LOOK TO BOARD’S GUIDANCE ON AI AND CYBERSECURITY – PART 2

    Posted on October 31, 2023 at 6:00 am

    The founder of the organization I am honored to lead was Dave McCurdy, the former Chair of the House Intelligence Committee. Based on his long career in government Dave liked to say, “government does two things well, nothing and over-react.” We are clearly, and rightfully, out of the “do-nothing” phase of government’s involvement in AI. […]


    WHITE HOUSE SHOULD FOLLOW BOARD’S GUIDANCE ON NEW AI EXECUTIVE ORDER 

    Posted on October 30, 2023 at 9:08 am

    Introduction by ISA President Larry Clinton There is tremendous anticipation regarding the imminent release of a sweeping new Executive Order (EO) on the use of Artificial Intelligence from the Biden White House (LINK). Although the EO holds potentially game-changing reach, it needs to be understood in the context that government is largely playing catch-up on […]


    THE KEY TO UNDERSTANDING SYSTEMIC CYBER RISK IS MARKET PENETRATION

    Posted on October 26, 2023 at 10:04 am

    Introduction by ISA President Larry Clinton The SolarWinds’ Orion software attack – which occurred nearly three years ago — had devastating impact that organizations are still facing today. Recent reports estimate that government agencies and private organizations will spend $100 billion over the next few years investigating the incident and remediating the damage done in […]


    COMMERCIAL ECONOMICS ARE INSUFFICIENT TO DEFEND CRITICAL INFRASTRUCTURE FROM CYBER ATTACKS  

    Posted on October 24, 2023 at 12:58 pm

    Introduction by ISA President Larry Clinton Critical Infrastructure in the United States is facing a substantial risk of cyber attacks at all times due to the imbalance of risk assessment between the public and private sectors. Until this disparity is mitigated, the United States will never be adequately protected on all sides from cyber attacks.  […]


    FOR THE CYBER PUBLIC-PRIVATE PARTNERSHIP TO WORK THE REGULATORY MODEL NEEDS TO BE REFORMED 

    Posted on October 20, 2023 at 5:02 am

    Introduction by ISA President Larry Clinton The Biden Administration’s National Cybersecurity Strategy (NCS) rightfully “recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace.” Unfortunately, this “essential” goal is undermined in the very same document. Alongside announcing plans to scale public-private partnerships, the Biden Administration also proposes a number of […]


    DO CYBER REGULATIONS IMPROVE SECURITY? (SPOILER ALERT: NO)

    Posted on October 18, 2023 at 4:59 am

    Introduction by ISA President Larry Clinton Many people new to the cybersecurity issue often suggest that what is needed is a strict regulatory model.  However, as Richard Clarke and Robert Knake, two of the most experienced and well-respected experts in the field of cybersecurity, point out in their book The Fifth Domain, “There is a […]


    CYBERSECURITY REGULATION: DOING THE SAME THING AND FAILING  

    Posted on October 17, 2023 at 8:54 am

    Introduction by ISA President Larry Clinton Although Albert Einstein probably never said “The definition of insanity is doing the same thing over and over again and expecting a different result,” it’s still a pretty incisive comment that unfortunately applies to cybersecurity regulation. Our current cybersecurity process is insane.  The fact is that the traditional cybersecurity […]


    LESSONS PRIVATE SECTOR CAN TEACH THE GOVERNMENT ON FIGHTING CYBERCRIME

    Posted on October 6, 2023 at 10:43 am

    Introduction by Larry Clinton As we have documented in past blogs (LINK, LINK), we are fighting an uphill battle against increasingly sophisticated cybercriminals. In fact the new national strategy to secure cyber space essentially says that only the most sophisticated private companies have any hope of preventing cyber-attacks. This means we must increasingly rely on our […]


    ONE WAY TO GET CYBERCRIMINALS TO FUND LAW ENFORCEMENT

    Posted on October 5, 2023 at 5:08 am

    Introduction by Larry Clinton As we explained in previous blogs (LINK), cybercrime is at an all-time high – and there are no signs that it is slowing down. Economic losses from cybercrime are estimated to be as much as $2 trillion annually—and increasing to as much as $10.5 trillion by 2025 – 10 trillion is […]


    WHAT CAN PINK DO FOR CYBER? 

    Posted on October 4, 2023 at 11:37 am

    Introduction by Larry Clinton I expect virtually everyone who might be reading this blog knows that October is Cybersecurity Awareness month. But I doubt the total number of people in the United States who know October is “our” month rises above five figures. Of course, awareness that we have a cyber security problem is virtually […]


    TIME TO MODERNIZE THE MILITARY’S ROLE IN CYBER CRIME DEFENSE  

    Posted on September 21, 2023 at 8:28 am

    The release of the Department of Defense’s (DOD) 2023 Cyber Strategy could not have come at a better time. The first DOD Cyber Strategy since 2018, it shows the DOD recognizes the scale of the cyberthreats facing our nation and is looking to build a forward-facing posture in our nation’s cyber defense. The digital age […]


    POSSIBLE MARKET INCENTIVE PROGRAMS TO PROMOTE SECURITY BY DESIGN AND DEFAULT

    Posted on September 20, 2023 at 5:00 am

    Introduction by ISA President Larry Clinton Last week we discussed the foundational principles (LINK) and best practices (LINK) that can be followed to implement the Biden Administration’s Secure by Design and Default (SDD) proposal. In this third and final blog on SDD, we will dive into the most important part of any proposal: how to […]


    HOW CORPORATE BOARDS LOOK AT ARTIFICIAL INTELLIGENCE AND CYBER SECURITY (Part II)?

    Posted on September 19, 2023 at 7:49 am

    AI is the new black, in two senses. First, AI is clearly the fashion of the day as AI week on Capitol Hill has now turned into AI month and may well have an extended “season.” The other sense in which AI is the new black is that in many ways it is an ominous, and […]


    HOW DO CORPORATE BOARDS LOOK AT ARTIFICIAL INTELLIGENCE AND CYBER SECURITY?

    Posted on September 18, 2023 at 7:35 am

    According to Politico it’s unofficial AI week on Capitol Hill, as lawmakers in the House Oversight cyber subcommittee and the Senate Homeland Security and Governmental Affairs committee are capping off their first few days back by asking federal agencies: what are you doing with AI? A key element of Congressional oversight, as it is […]


    HOW TO DO SECURITY BY DESIGN AND DEFAULT – 10 BEST PRACTICES  

    Posted on September 15, 2023 at 5:00 am

    In yesterday’s blog (LINK), we highlighted the Biden Administration’s positive step towards rebalancing the economics of cybersecurity. By shifting the narrative away from “blaming the victim” of cyberattacks, we are moving in the right direction to creating a market economy of products with cybersecurity embedded in their very design. However, this won’t be easy. For […]


    STOP BLAMING THE VICTIM: 7 PRINCIPLES SECURE BY DESIGN & DEFAULT 

    Posted on September 14, 2023 at 5:00 am

    Introduction by ISA President Larry Clinton The reality is that we are losing the fight to sustainably secure our cyber networks – and losing badly. This means we need to change the way we have been approaching the issue. That begins by stopping the blame game focusing on the victims of cyber-attack and beginning to […]


    THE VIRTUAL CYBERSECURITY ACADEMY—FREE CYBERSECURITY FOR THE GOVERNMENT!

    Posted on September 13, 2023 at 5:00 am

    You read that right.  By creating a national virtual cybersecurity academy we would fill the current 35,000 federal cybersecurity workforce gap in 4 years thus measurably enhancing our country’s security. Moreover, because academy graduates would replace the current independent contractors the government is hiring while receiving salaries equivalent to that of graduates of the traditional […]


    CREATING A VIRTUAL CYBERSECURITY ACADEMY SHOULD BE OUR TOP PRIORITY 

    Posted on September 12, 2023 at 5:00 am

    Introduction by ISA President Larry Clinton The federal government spends roughly $70 billion a year on our cybersecurity.  The very first billion ought to go to funding a virtual cybersecurity academy.  The reason, as we outlined in our previous post (read here), is that we are wasting much of the current $70 billion spent because […]


    THE MOST IMPORTANT ISSUE IN CYBERSECURITY DOESN’T GET THE ATTENTION IT DEMANDS 

    Posted on September 11, 2023 at 8:37 am

    What is the single most important public policy issue in cybersecurity?  Hint: the answer is the same as if we asked what is the single greatest vulnerability to our cyber systems?  It’s people.   We don’t have nearly enough properly trained cybersecurity professionals. Current estimates are that we have 700,000 cybersecurity jobs we can’t fill (world-wide […]


    OMB CAN QUICKLY STOP REDUNDANT, WASTEFUL, HARMFUL CYBER REGULATIONS

    Posted on September 8, 2023 at 5:00 am

    In yesterday’s post we praised the new national cybersecurity strategy for properly placing the harmonization of cybersecurity regulations as issue 1.1.1 in its new implementation plan. Streamlining regulations is one of the fastest, most efficient, and frankly easiest, ways to unleash significant amounts of scarce cybersecurity resources to more effective uses. We also criticized the […]


    BIDEN CYBER IMPLEMENTATION PLAN: GREAT FIRST STEP –STUMBLES ON SECOND STEP (PART 1)

    Posted on September 7, 2023 at 5:00 am

    President Biden’s National Cybersecurity Strategy (NCS) and subsequent Implementation Plan (NCSIP) got off to a great first step by recognizing the need for cybersecurity harmonization as initiative 1.1.1. The Administration is properly prioritizing this initiative because addressing it will, comparatively quickly and effectively, enhance our nation’s cybersecurity by freeing up between 40%-70% (depending on the […]


    TWENTY-FIVE WAYS TO ENHANCE CYBERSECURITY WITHOUT NEW REGULATIONS 

    Posted on September 6, 2023 at 9:59 am

    Absent a few notable exceptions, traditional regulation has not worked to improve our cybersecurity. There are multiple reasons why it generally doesn’t improve security and is often actually counterproductive, which we (ISA) describe in our recent book Fixing American Cybersecurity: Creating a Strategic Public Private Partnership (Georgetown University Press 2023), so we won’t detail them […]


    STREAMLINING CYBERSECURITY REGULATION: AN ELEGANT SOLUTION

    Posted on July 24, 2023 at 9:48 am

    In science and public policy, a principal goal is to develop an elegant solution. Elegance is generally defined as the simplest statement that most completely solves the problem. The quintessential example of scientific elegance is Einstein’s explanation of the theory of relativity, E=mc². Beautiful. The Biden Administration has just released its proposal to address the […]


    Cyber Director Position Remains Vacant: ISA Urges a New Strategy for Cybersecurity

    Posted on July 5, 2023 at 10:24 am

    In an increasingly interconnected world, cybersecurity has become a paramount concern for governments, businesses, and individuals alike. The Government Accountability Office (GAO) recently published an article titled “Cybersecurity: Actions Needed to Address Challenges and Improve the Federal Government’s Management of Cybersecurity Risks,” shedding light on the critical issues facing our nation’s cybersecurity efforts. To address […]


    ISA APPLAUDS DOD EFFORTS TO HELP SMALL COMPANIES ON COLLECTIVE DEFENSE — MORE WORK ON INCENTIVES NEEDED 

    Posted on June 28, 2023 at 11:16 am

    BY LARRY CLINTON AND ANNA MISKELLY  As the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program rulemaking looms over the defense industrial base (DIB), the Pentagon released a two-page fact sheet highlighting free services offered to companies to help reach compliance. Services such as Project Spectrum and the Blue Cyber Initiative focus on small businesses, targeting […]


    Congress Taking Steps to Address the Biggest Technological Threat of Our Time

    Posted on June 23, 2023 at 11:12 am

    By Larry Clinton and Sarah Harmon This past week, the House Armed Services Committee approved amendment language for the proposed 2024 National Defense Authorization Act (NDAA) to bolster our country’s cybersecurity and emerging technology programs next year. These changes aim to improve the U.S.’s ability to compete with China across several technology sectors, with a […]


    QUESTIONS FOR THE BOARD TO CONSIDER IN USING AI

    Posted on May 26, 2023 at 11:04 am

    It took Netflix two and a half years to reach 1 million users. Facebook did it in 10 months. ChatGPT did it in 5 days. Just as the Internet fundamentally disrupted business plans a decade ago, so, too, is generative artificial intelligence now changing the world – only at a far accelerated pace. Management teams […]


    VIRTUAL CYBER ACADEMY WOULD SOLVE WORKFORCE ISSUE AND HELP REDUCE THE DEFICIT

    Posted on May 11, 2023 at 5:34 pm

    An analysis of the proposal to create a national, virtual, cybersecurity academy shows that creating the academy would not only solve the federal government’s cybersecurity workforce problem in less than 4 years but would create savings that allow the program to pay for itself – and even contribute to reducing the federal budget deficit. The […]


    CHINA BEATING US ON TECH STANDARDS – BIDEN NATIONAL STRATEGY NEEDED

    Posted on May 9, 2023 at 8:31 am

    What could possibly be less sexy than setting technical standards? It’s a tough question, I’ll give you a minute. Maybe, writing about setting technical standards? But it’s one of those jobs that absolutely HAS to be done. Obviously, the technical standards are the building blocks of the digital world. If the standards are not done […]


    RSA REPORT ON SECURE BY DESIGN — WE NEED AN HOV LANE

    Posted on April 26, 2023 at 8:00 am

    One of the many activities at RSA this week has been a series of meetings on how exactly CISA can implement the big idea in the Biden Administration’s new national cybersecurity strategy, shifting the focus on cyber from the user to the providers of cyber technology. Much of the talk around the new strategy has […]


    WHAT IS BEST FOR SEC ON CYBER? OLD STYLE REGS OR NACD MODEL?

    Posted on April 5, 2023 at 9:41 am

    To begin with, we know the cyber risk oversight model described in the NACD-ISA Cyber Risk Handbook actually enhances cybersecurity.  We also know there is no proof the SEC proposed regulations, which have already been tried in multiple venues, will enhance cybersecurity or protect investors.  In fact, the NACD-ISA handbook is the only set of […]


    INDEPENDENT REVIEW OF FIXING AMERICAN CYBERSECURITY

    Posted on March 31, 2023 at 9:14 am

    A Review of Fixing American Cybersecurity, Edited by Larry Clinton and Foreword by Kiersten Todt This entry was posted in Book Review, Cybersecurity on March 30, 2023 by Steven Bowcut In an era of growing cyber threats and increasing data breaches, the need for robust cybersecurity measures has never been greater. Against this backdrop, Larry Clinton’s new book, “Fixing American Cybersecurity: Creating […]


    SEC NEEDS A CYBER MODEL THAT WORKS

    Posted on March 30, 2023 at 9:29 am

    Writing in the February edition of Foreign Affairs, CISA Director Jen Easterly called for “a new model” for cybersecurity. A month later President Biden released a new national strategy for cybersecurity which he said would “realign incentives in favor of long-term investment.” When releasing the new strategy, acting WH Director for Cybersecurity Kemba Walden said, […]


    The SEC: The Elephant in the New National Cyber Strategy

    Posted on March 27, 2023 at 11:28 am

    The Biden Administration’s new National Cybersecurity Strategy is an important first step toward improving our nation’s cybersecurity. This strategy, unlike the numerous others that have been unveiled over the past 20 years, adopts ISA’s core argument that we cannot create a sustainably secure cyber system until we rebalance the incentives for cyber-attacks. ISA is not […]


    FIRST DO NO HARM: THE MANTRA FOR NEW CYBER REGULATION

    Posted on March 15, 2023 at 9:17 pm

    The traditional regulatory model – when applied to cybersecurity – is actually anti-security. For all the discussion around the Biden Administration’s new cyber strategy generating new regulations, this one simple fact remains. There is no evidence the cyber regs are working. The real question is not so much how much new regulations there ought to […]


    WHY CYBER REGULATIONS IN NATIONAL STRATEGY MAY NOT WORK

    Posted on March 6, 2023 at 10:21 am

    The new National Cybersecurity Strategy released last week calls for intensified federal regulation on IT providers, while presumably shifting regulatory focus away from technology users (we will see what the regulatory agencies and the SEC have to say about that last part). The strategy asserts “regulation can level the playing field enabling healthy competition without […]


    THREE QUICK STEPS TO IMPLEMENT THE NATIONAL CYBER STRATEGY (NOT WHAT YOU THINK)

    Posted on March 3, 2023 at 10:00 am

    There are probably various government agencies where regulators have already sharpened their virtual pencils preparing to write up some new regulations to go along with the new National Cybersecurity Strategy released yesterday. Please put down your pens. That is not where implementation of the new strategy needs to begin. While much of the conversation about the […]


    IS REGULATION THE ANSWER TO OUR CYBERSECURITY PROBLEM (PART I)

    Posted on March 1, 2023 at 9:23 am

    There is a common misconception that cybersecurity regulation has not been tried, and that, if only there was federal regulation of cyberspace, we would have a more secure environment. The facts don’t bear out this assertion. In our next two posts, we will first lay out the empirical evidence that cyber regulation does […]


    IS THE CYBERSECURITY PROBLEM ONE ABOUT TECH OR ECONOMICS?

    Posted on February 27, 2023 at 10:14 am

    Spoiler alert: It’s both.  However, virtually all of our efforts to address our cybersecurity problems have focused on the tech side and virtually none on the underlying economics of cybersecurity.  This has led to an unbalanced and ineffective government response in “providing for the common defense” in the cyber infrastructure. In their classic work, The […]


    US CYBERSECURITY – OLD PRACTICES, NEW VISIONS

    Posted on February 24, 2023 at 7:52 am

    US cybersecurity policies have been inadequate for decades and need to be updated to counter the heightened digital and physical risks the nation faces from our adversaries today. The US cybersecurity effort over the past thirty years largely comes down to a series of modest, disjointed, incremental tactics. On the other hand, one significant rival, […]


    From Pulitzer Prize winning author Byron Acohido on Last Watchdog.

    Posted on February 23, 2023 at 8:57 am

    The review (pasted below) is also available at AUTHOR Q&A: China’s spy balloons reflect a cyber warfare strategy America must counter https://www.lastwatchdog.com/ By Byron V. Acohido The attack surface of company networks is as expansive and porous as ever. Related: Preparing for ‘quantum’ hacks That being so, a new book, Fixing American Cybersecurity, could be a long […]


    THE (ONLY) PATH FOR THE US TO WIN THE DIGITAL WAR WITH CHINA

    Posted on February 22, 2023 at 8:00 am

    In a series of posts over the past couple weeks (LINKS), we have documented how China has been successfully carrying out a concerted and multi-faceted digital program designed to re-make the post-WWII world order and redirect it toward China. The Chinese campaign is well conceived, integrated, generously supported, and largely covert, which is consistent with […]


    CAN THE US MATCH CHINA’S MILITARY-CIVIL FUSION MODEL? WILL IT?

    Posted on February 20, 2023 at 9:50 am

    In recent posts, we have described how over the last 30 years China has smartly leveraged the vulnerabilities of the digital age to steal Western technology and, in so doing, leap-frog generations of R&D to become a world economic power. Not satisfied with their renaissance as an economic power, China leveraged massive government financial support […]


    Huawei is Just the Tip of the Spear in Digital Aggression

    Posted on February 13, 2023 at 7:53 am

    In our last post we documented how Huawei technology, thanks to massive cross-subsidization from the Chinese government, was succeeding in deploying its telecommunications network around the world. That is a story that is fairly well known in Washington policy circles. However, Huawei is by no means the only technology threat China poses through its comprehensive […]


    HUAWEI MAKES OFFERS YOU CAN’T REFUSE ADVANCING CHINA’S GOALS

    Posted on February 10, 2023 at 10:00 am

    China’s Digital Silk Road Strategy integrates technology, economics, and politics with the long-term goal of altering the post-World War II US- European world order. An assessment of China’s three wars strategy by the U.S. Department of Defense found that the CCP’s goals were to reclaim global status over the United States by weakening our alliances […]


    CISA SAYS WE NEED A NEW CYBERSECURITY MODEL; THEY GOT THAT RIGHT!

    Posted on February 8, 2023 at 9:05 am

    Last week, Foreign Affairs magazine published an article written by CISA Director Jen Easterly and Asst. Director Eric Goldstein entitled “Why Companies Must Build Security into Products.” The central thesis of their article is we need a “new model” for cyber security because what we have been doing isn’t working. This is precisely the messaging […]


    CHINA’S DIGITAL STRATEGY IS THE THREAT BALLOONS & TIKTOK ARE TACTICS

    Posted on February 6, 2023 at 10:46 am

    In the past few weeks, China’s surveillance balloon and the ubiquity of TikTok have created substantial concern in Washington, as well they should. However, these are simply among the most obvious tactics China is using in its competition with the West. For the US to be adequately responsive we need to be more aware of […]


    CISA’s Todt, in foreword to new book, cites need for industry incentives and strengthened partnerships

    Posted on January 31, 2023 at 7:37 am

    By Charlie Mitchell / January 31, 2023 CISA chief of staff Kiersten Todt provides the foreword to a new book on cybersecurity strategy by Internet Security Alliance leader Larry Clinton, saying a focus on economic incentives for industry cyber improvements is an essential part of “a strong, actionable approach to industry/government collaboration.” “We need bold action […]


    FIXING AMERICAN CYBERSECURITY WITH A STRATEGIC PARTNERSHIP AND TOOL-KITS

    Posted on January 30, 2023 at 9:18 am

    I’m delighted to announce that this week the Internet Security Alliance will launch its Fixing American Cybersecurity campaign. The campaign is based on three new publications. First ISA’s public policy book Fixing American Cybersecurity: Creating a Strategic Public Private Partnership (Georgetown University Press) [Link: available for pre-release purchase on Amazon] which will be released this […]


    INTERNET SECURITY ALLIANCE TOP 25 HIGHLIGHTS OF 2022

    Posted on January 3, 2023 at 7:26 pm

    Independent research conducted by MIT finds the consensus cybersecurity principles and practices laid out in the NACD-ISA Cyber Risk Oversight Handbooks “demonstrates that organizations that use the consensus principles can significantly improve their cyber resilience without raising costs” and organizations who “follow the principles are predicted to have 85% fewer incidents.” This confirms previous research by PWC. […]


    THE INTERNET SECURITY ALLIANCE (ISA)

    Posted on at 7:25 pm

    ISA’s Mission is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board consists of cyber leaders (typically CISOs) from virtually every critical industry sector. Over 20 years ISA has created a comprehensive theory and practice for cybersecurity covering both enterprise risk management and government policy. ISA’s […]


    MIT Research Documents Effectiveness of Consensus Cyber Risk Oversight Principles

    Posted on November 17, 2022 at 7:19 am

    Geneva, Switzerland/November 16/As the World Economic Forum’s annual Cybersecurity Summit concluded today research conducted by MIT Cybersecurity at MIT Sloan (MIT CAMS) found that the cyber risk oversight principles (consensus principles) developed by the Forum in conjunction with the Internet Security Alliance (ISA) and the National Association of Corporate Directors (NACD) “demonstrates that organizations that […]


    As cyber attacks increase, here’s how CEOs can improve cyber resilience

    Posted on at 6:53 am

    Major Findings · The Cyber Risk Principles developed by the ISA, NACD and the World Economic Forum help drive cyber resilience across industries. · Simulation-aided research from MIT CAMS shows that commitment to and adoption of the Cyber Risk Principles significantly improves cyber resilience. · Results also show that commitment to these cyber risk principles […]


    ISA PROPOSAL FOR A VIRTUAL CYBERSECURITY NATIONAL SERVICE ACADEMY

    Posted on July 18, 2022 at 11:12 pm

    PREMISE ONE: CYBERSECURITY IS A NATIONAL DEFENSE IMPERATIVE Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in the 1950s, so, too, have recent events made it clear beyond doubt that cyberspace is now a unique domain […]


    TOP TEN REASONS FOR A VIRTUAL CYBERSECURITY SERVICE ACADEMY (Part 1)

    Posted on May 31, 2022 at 11:27 am

    In a series of recent posts, we have noted the time has come for us to create a national virtual cyber service academy, modeled on our traditional military academies, but updated for the digital age (link). We subsequently detailed the public policy argument for this academy (link) and outlined a governance model for it (link).  […]


    THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY, PART 2

    Posted on at 11:21 am

    EXECUTIVE SUMMARY In our last post we made the case for a national, virtual, cybersecurity academy. In this post we will discuss the key points of our proposal and in our next post we will discuss the advantages of our proposal which we suggest as the only practical way for the USA to quickly, comprehensively, sustainably, […]


    THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY, PART 1: A NATIONAL DEFENSE IMPERATIVE

    Posted on at 11:19 am

    We need to stop talking about the issue of cybersecurity workforce development.  We need to properly frame the issue as an imperative for national defense digital mobilization. Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in […]


    IT IS TIME FOR A NATIONAL CYBER SERVICES ACADEMY

    Posted on at 11:15 am

    Our service academies – West Point, Annapolis, the Air Force and Merchant Marine Academies – are the ultimate public private partnership. Government offers private citizens high quality education at no cost, and in return the graduates are obliged to provide three years of service to the government, and many stay on well past that obligation. The system has […]


    INGLIS PROPOSES CYBER SOCIAL CONTRACT: GREAT IDEA! NOW LET’S TALK TERMS

    Posted on February 23, 2022 at 11:55 am

    By Larry Clinton In the latest edition of Foreign Affairs, the US Director for Cybersecurity, Chris Inglis, and Harry Krejsa propose that the government and industry forge a new paradigm – a cybersecurity social contract. Naturally, the Internet Security Alliance applauds this move toward a new paradigm. We do so for two reasons, first and […]


    Regulation of Cybersecurity Has Been Tried and It Doesn’t Work

    Posted on January 21, 2022 at 12:11 pm

    By Larry Clinton The focus of the current series of posts is to suggest the need for new directions in cybersecurity policy.  Put succinctly, it’s not just that we need to do cybersecurity better – it’s that we need to do cybersecurity differently. Why? Because we are getting killed out there. Cybercriminals generate roughly $2 trillion […]


    Playoffs Time: What Can Cyber Policymakers Learn from the NFL?

    Posted on January 17, 2022 at 1:07 pm

    This blog series began by asserting that in the new year, given the obvious ineffectiveness of our current cyber policies, it’s time for policymakers to begin focusing on issues that might really matter in terms of creating a sustainably secure system.  We then moved forward to identify two major areas where government could really make a […]


    New Year’s Cyber Resolution: Modernize Cyber Law Enforcement

    Posted on January 14, 2022 at 11:48 am

    By Larry Clinton In this series of posts, we have been arguing that now is a time to rethink our efforts to create a sustainably secure cyber ecosystem.  The core notion of this rethinking would be to, finally, begin focusing more on programmatic changes that will truly impact the security of cyberspace, as opposed to the […]


    New Year’s Cyber Policy Resolution #1: Get Serious About Workforce Development

    Posted on January 10, 2022 at 11:29 am

    By Larry Clinton Last week, we discussed that we needed to make a New Year’s resolution to start talking about things that really matter for cybersecurity. One area that really matters if we’re serious about improving our cybersecurity is addressing the current workforce shortage. We can never adequately secure our cyber systems unless […]


    A NEW YEAR’S CYBER RESOLUTION: LET’S START TALKING ABOUT THINGS THAT REALLY MATTER

    Posted on January 3, 2022 at 11:51 am

    By Larry Clinton, President and CEO, Internet Security Alliance I have to say I’m disappointed the language requiring more stringent timelines for reporting cyber events to the government didn’t make it into the National Defense Authorization Act (NDAA). I’m not disappointed because I have strong feelings one way or another about that provision – to […]


    The Coronavirus Pandemic Has Created Novel Cybersecurity Challenges — But It May Also Give Us a Solution to the Cybersecurity Workforce Problem

    Posted on May 7, 2020 at 11:26 am

    By Josh Higgins, Senior Director of Policy and Communications The COVID-19 pandemic has created many new challenges for companies — such as managing a remote workforce, adopting new suppliers and cloud services, and a vastly expanded cyber-threat landscape — as the world works to maintain productivity through primarily virtual means. However, despite all these new […]


    Coronavirus Creates New Insider Cyber Threat and How to Treat It

    Posted on April 6, 2020 at 11:41 am

    Instantaneous, Unplanned, Digital Transformation Creates Massive Cyber Risk By Larry Clinton Insiders are generally identified as the locus of about half of successful cyber-attacks. The 2020 edition of the Cyber-Risk Oversight Handbook published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) last month (available free of charge here) identifies the […]


    ISA Board of Directors Offers Cybersecurity Best Practices for COVID-19 Crisis

    Posted on April 2, 2020 at 10:56 am

    The outbreak of coronavirus globally has created a new reality vastly increasing how much business is done online: While this new virtual reality is essential to sustaining business during the pandemic, it is critical that corporate boards are also aware of the increased cybersecurity threat from this intensified, and often unplanned, utilization of technology. As […]


    Top Ten Reasons Why Cybersecurity Is Like Coronavirus

    Posted on March 16, 2020 at 4:47 pm

    By Larry Clinton I’m not saying cybersecurity and the coronavirus are exactly the same. The defining characteristic of the cyber threat is that we have conscious and deliberate actors carefully crafting attacks. The coronavirus has no conscience, no plan. At the same time, notwithstanding differences, these domains are both attacks on our cultures, and when […]


    Cyber Principle Two for Boards: Know Your Legal Obligations

    Posted on March 11, 2020 at 10:48 am

    This is the second in a series of blogs distilling the cybersecurity advice for boards of directors contained in the new Cyber-Risk Oversight 2020 Handbook published by the National Association of Corporate Directors and the Internet Security Alliance. By Larry Clinton In 2015, ISA, along with Georgia Tech, the New York Stock Exchange, and Palo […]


    The First Principle of Cybersecurity — It’s Not an “IT” Issue

    Posted on March 2, 2020 at 10:37 am

    By Larry Clinton At last week’s RSA Conference, the National Association of Corporate Directors (NACD) in partnership with the ISA published Cyber Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards. This is the third in a series of cyber-risk handbooks ISA and NACD have partnered on since 2014, and like the previous […]


    WHAT I HEARD AT THE G-20 CYBERSECURITY DIALOGUE THIS WEEK

    Posted on February 5, 2020 at 12:47 pm

    This week I was honored to be one of the 17 outside experts (3 Americans including myself) asked to address the official G-20 Cybersecurity Dialogue in Riyadh, Saudi Arabia. This meeting was designed to assist the G-20 Digital Economic agenda for this fall’s full G-20 […]


    What I’ll Tell the G20 Cybersecurity Dialogue Meeting in Riyadh Today

    Posted on February 3, 2020 at 7:16 am

    By Larry Clinton I’m honored to be one of about 15 outside speakers who have been asked to address the G20 Cybersecurity Dialogue — part of the G20 Digital Economy Task Force — at their invitation-only meeting in Riyadh. I’m delighted that the world’s largest economies are launching an effort to look at our cybersecurity problems […]


    Solarium Commission Off to a Good Start: What’s Next (Part II)

    Posted on January 9, 2020 at 10:30 am

    Cyberspace Solarium Commission Co-Chair Sen. Angus King (I-ME) has “leaked” to us that the Commission is virtually unanimous in the desire to see government process for cybersecurity overhauled. As we discussed in this space yesterday, that is a great, if not exactly novel, idea. But as the old saying goes, every great idea eventually devolves […]


    ISA: Solarium Commission is Off to a Good Start, Now What?

    Posted on January 8, 2020 at 9:32 am

    In 2016 the ISA published a 12-step program for Congress and the new Administration to address the growing cybersecurity threat. Number 4 on the list (after act with greater urgency, spend more money, and understand cybersecurity is not just about IT) was that “Government needed to get organized to reflect the digital age.” Yesterday the […]


    Global Consensus of Industry to Address Cyber Reaches Asia, Is Government Far Behind?

    Posted on October 31, 2019 at 11:42 am

    by Larry Clinton Yes, they are.  While corporate boards of directors worldwide are developing programs to increase their own understanding of the cyber threat and taking action to address it, the government equivalent of corporate boards – legislators, agency heads, and the like – seem content to tell others what to do while not seriously […]


    U.S., German, and Latin American Boards and Cybersecurity: Similarities and Differences

    Posted on October 28, 2019 at 10:00 am

    by Larry Clinton In a field seemingly overpopulated with remarkably similar programs on cybersecurity, the Organization of American States, of all places, will host a unique program at their Washington, D.C. headquarters on November 8. OAS, along with the Cyber Security Council of Germany and the Internet Security Alliance, will discuss the findings of a […]


    WHAT CAN PINK DO FOR CYBER?

    Posted on October 2, 2019 at 8:49 am

    by Larry Clinton I expect virtually everyone who might be reading this blog knows that October is Cybersecurity Awareness month. But I doubt the total number of people in the United States who know October is “our” month rises above five figures. Of course, awareness that we have a cyber security problem is virtually unanimous. […]


    SOMETHING TO BE AWARE OF THIS OCTOBER

    Posted on October 1, 2019 at 10:24 am

    by Larry Clinton I have opined in the past, somewhat tongue in cheek, that Cyber Security Awareness Month may be a bit outdated—is there really anyone unaware that we have a cyber security problem in 2019? Perhaps Cybersecurity understanding month is a bit timelier and more needed. However, in the spirit of the cyber season […]


    CYBERSECURITY COMES TO LATIN AMERICA

    Posted on September 30, 2019 at 1:43 pm

    by Larry Clinton On Friday I was honored to provide the closing keynote speech at the Organization of American States’ (OAS) Cybersecurity Symposium in Santiago, Chile. The purpose of the event was to unveil and release the first Cyber-Risk Oversight Handbook for Corporate Boards targeted for the entire Latin American region. The Handbook is part […]


    DHS Taking Steps in the Right Direction on Cyber Risk Management

    Posted on August 12, 2019 at 11:03 am

    by Larry Clinton Perhaps the one thing virtually everyone in the cybersecurity field agrees on is that, notwithstanding many laudable efforts, we are losing the fight to secure cyberspace. Illustrative of this reality, the Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Chris Krebs, has wisely commented we need a new […]


    Mandatory Cybersecurity Training for Congress: What Kind of Training?

    Posted on July 31, 2019 at 9:52 am

    by Larry Clinton Last week, the bipartisan Select Committee on the Modernization of Congress issued a list of two dozen recommendations designed to “make Congress more reflective and responsive to the American people.” One recommendation stands out as particularly timely, visionary and practical: “Making cybersecurity training mandatory for Members.” Finally, a cybersecurity mandate that makes […]


    Capital One Breach Highlights the Danger of Insider Threats

    Posted on July 30, 2019 at 1:27 pm

    by Josh Higgins When companies think about cybersecurity threats, they often think of a hacker in some far-off place using sneaky tactics to gain access to their systems. However, Capital One’s announcement Monday of a major data breach highlights another major, yet often overlooked, cyber threat: The insider. Similar to other cyber incidents, the newly […]


    Accountability in Cybersecurity is a Two-Way Street

    Posted on July 29, 2019 at 11:48 am

    The biggest story in cybersecurity this past week was the eye-popping $5 billion dollar (that’s billion with a B) fine the FTC placed on Facebook for not adequately fulfilling its responsibilities to protect its consumers’ data. Probably just as painful to Facebook, and its CEO, as the fine itself is having to publicly acknowledge their […]


    Regulators: Don’t Make the Same Cyber Mistakes Over Again

    Posted on July 19, 2019 at 2:27 pm

    It’s not news that cyber-attacks are increasing both in number and sophistication and that the increasing criticality of the attack methods demands increased attention, especially with respect to critical infrastructures. Also, due to the uniqueness of information systems and the speed with which attack methods and technologies change, the traditional regulatory model has been deemed to […]


    MAN BITES DOG: State Regulators Want Cyber Reg Reform

    Posted on June 26, 2019 at 1:31 pm

    Yesterday Congressman Cedric Richmond, Chair of the House Homeland Subcommittee on Cybersecurity, Infrastructure Protection and Innovation announced in the wake of the recent ransomware attacks on local jurisdictions like Atlanta and Baltimore that he is going to propose a series of legislative efforts to assist the municipalities because “we can’t expect under-resourced, understaffed, state and […]


    Brush with Greatness: A Chat with a Man Who May Be the Tipping Point Toward Effective Cybersecurity

    Posted on June 21, 2019 at 10:47 am

    by Larry Clinton The greatest cyber risk an organization can have is doing a faulty cyber-risk assessment. This is one of the key insights from Doug Hubbard’s paradigm-shifting book “How to Measure Anything in Cybersecurity Risk”. While in Chicago this week to do a series of Master Classes on the Economics of Cyber Risk for […]


    Corporate Directors Take the Next Step on Cybersecurity: Where’s Congress?

    Posted on June 18, 2019 at 11:27 am

    by Larry Clinton In Chicago this week the National Association of Corporate Directors (NACD) will host the first in a series of nationwide events on the economics of cybersecurity. The courses start with a brief discussion of the now well-known existence of cyber-attacks on enterprises. However, they quickly move beyond the problem and instruct board […]


    We Need Sensible Cybersecurity Regulations – More Is Not Necessarily Better

    Posted on June 12, 2019 at 11:08 am

    by Larry Clinton When the ISA published the Cybersecurity Social Contract three years ago, one of the facts we documented was that some in critical industries were being forced to divert between 30% and 40% of their scarce cybersecurity resources to largely redundant regulatory compliance. This fact highlights the twin maladies of undermining efforts to strengthen cybersecurity without improving either […]


    Experts from GE and FIS Help Students Deal with the Inevitable: Cyber Attacks

    Posted on June 6, 2019 at 11:00 am

    Once upon a time, industry experts would caution students and conference attendees that with cyber-attacks, it was not a question of if, but when. That adage has now matured into a more modern version: There are only two types of companies — those who know they have been successfully compromised, and those that don’t know […]


    Cyber Experts Will Help Wharton Students Address the “Most Vexing Challenge”

    Posted on June 5, 2019 at 10:56 am

    The insider threat has become one of the biggest threats in the realm of cybersecurity. Despite the amount of risk posed by insiders, corporate executives often lack the awareness of the threat to adequately address it. That is why the Internet Security Alliance’s upcoming course on cybersecurity at the ABA Stonier Graduate Program at the […]


    The EU Privacy Law is Not Working, But Why?

    Posted on May 30, 2019 at 10:06 am

    by Larry Clinton In 2016 the European Union enacted arguably the most stringent privacy law in the western world. Following a two-year transition, the law went into full effect last May. Although advocates had suggested the stringent penalties in the General Data Protection Regulation (GDPR) would deter individual privacy invasions and reduce market domination from […]


    European corporate boards agree to create European adaptation of Cyber-Risk Oversight Handbook

    Posted on May 28, 2019 at 11:26 am

    by Larry Clinton This week the board of directors of the European Confederation of Directors Associations (ecoDa) agreed to work with the Internet Security Alliance (ISA) on a European adaptation of the Cyber-Risk Oversight Handbook originally published by the National Association of Corporate Directors in the U.S. This agreement indicates further progress that corporate boards […]


    Washington Can Help States Face Cybersecurity Threats by Harmonizing Regulations

    Posted on May 15, 2019 at 12:52 pm

    by Dan Lips The National Governors Association is meeting in Louisiana this week for its biannual cybersecurity summit. An important topic of consideration is how Washington can help state governments by harmonizing regulations. Doing so would let states focus their attention on confronting worsening cybersecurity threats, rather than answering federal auditors. “On any given day, […]


    Congress Needs Training in Cybersecurity — The Right Kind of Training

    Posted on May 14, 2019 at 10:17 am

    by Larry Clinton Kudos to Representatives Kathleen Rice (D) and John Katko (R) for their bipartisan legislation requiring Members of Congress to receive training in cybersecurity. Give congressional representatives an IT tool and they can secure the nation for a day — maybe. Teach Congress how to truly understand and manage cyber risk and we […]


    U.S.-Japanese Cyber Collaboration Needs to Include the Private Sector

    Posted on May 9, 2019 at 12:26 pm

    by Larry Clinton While much of the attention on President Trump’s upcoming visit to Japan will focus on North Korean nuclear issues, a critical, if under-reported, element of the visit will be to bolster U.S.-Japanese cyber defenses. In a speech to the Hudson Institute last week, U.S. Ambassador to Japan William Hagerty acknowledged the importance […]


    Annual FBI Internet Crime Report Finds $2.7 Billion in Losses in 2018

    Posted on April 29, 2019 at 2:41 pm

    Internet-enabled crime was responsible for $2.7 billion in losses in 2018, according to the FBI’s annual Internet Crime Report. The data confirms industry concerns about growing cybersecurity threats. The FBI’s Internet Crime Complaint Center (IC3) reported an increase in the number of complaints from 301,580 in 2017 to 351,000 in 2018, or more than 900 […]


    Should we start regulating cybersecurity in the supply chain? Not so fast.

    Posted on April 26, 2019 at 11:30 am

    Supply chain has become the hot topic in cybersecurity inside the Beltway in recent months – and for good reason. The British Standards Institution just this week released a new report on the supply chain identifying cybersecurity as one of the greatest security threats within the supply chain. The federal government has also taken notice to […]


    ISA Top 2018 Highlights

    Posted on January 28, 2019 at 9:00 am

    ISA appointed industry co-chair (DHS is government co-chair) of the Policy Leadership Working Group charged by DHS Asst. Secretary for Cyber Security Jeanette Manfra with articulating the details of a Collective Cybersecurity Defense Model the Trump Administration wants to promote for cybersecurity. Policy Leadership Working Group produces a joint government-industry white paper defining the Collective […]


    We need a new approach to cyber risk assessment

    Posted on September 21, 2018 at 12:47 pm

    “Garbage in, garbage out.” For years, cyber risk assessments have often revolved around checklists of standards and practices that IT professionals can use to check off what they’ve done, but that model is insufficient, producing results that are hindering cybersecurity. ISA President Larry Clinton, at the Command and Control conference on Friday, September 21, called […]


    At DEFCON, DHS Gets it Right on Cyber – We Need to Rethink Incentives

    Posted on August 14, 2018 at 10:09 am

    When DHS Assistant Secretary for Cyber Security Jeanette Manfra addressed the hackers at the annual Las Vegas showcase for modern wizardry, she didn’t focus on standards and bots. She talked about how digitization changes everything and the need to look at cybersecurity through an economic lens. She got it exactly right. “For the first time […]


    Happy New Year: We Need a New Approach to Cybersecurity

    Posted on January 2, 2018 at 11:05 am

    By Larry Clinton We all know we are losing the battle to secure cyber space – badly. Maybe our New Year’s resolution ought to be to recognize this fact and come up with a new approach to the problem. The old ones don’t seem to be working. Specifically, we should consider moving away […]


    Is it Time to Sunset Cybersecurity Awareness Month?

    Posted on October 2, 2017 at 11:28 am

    By Larry Clinton Raise your hand if you know anyone who is unaware that we have a cybersecurity problem. In a field where we are often desperate for any sign of success, I think we can spike the football on the issue of cybersecurity awareness. Understanding the cybersecurity problem? […]


    Enabling better Cybersecurity Information Sharing with Small and Medium-sized Partners

    Posted on September 1, 2017 at 12:11 pm

    By Jeff Brown “Information sharing” is one of the most powerful tools organizations can use against cyber threats that can erupt without warning and cause disruption worldwide. Once an organization—any organization, whether public or private sector—spots the tell-tale patterns of a new attack, alerting other organizations of these warning signs can help halt the spread […]


    Cybersecurity and the Resilient Mindset

    Posted on July 17, 2017 at 10:37 am

    By Cindy Fornelli If you spend some time around the issue of cybersecurity, it won’t be long before you encounter the notion of resilience. “Cyber resilience is a public good,” observed a 2017 white paper from the World Economic Forum. A 2013 Presidential Policy Directive declared that “it is the policy of the United States […]


    Petya Provides Context for Briefing Council on Foreign Relations

    Posted on June 29, 2017 at 10:00 am

    It appears the dust was just settling from the global impact of the WannaCry ransomware attack when a new culprit Petya (or not Petya) struck. Among the disturbing characteristics of these attacks is their vast international impact. Desperate for a silver lining, this happens to be a great backdrop for my previously scheduled briefing digital […]


    Maintaining Cybersecurity During Mergers & Acquisitions

    Posted on June 27, 2017 at 10:56 am

    Mergers and acquisitions are risky times. Headlines treat the combination of companies as job done after the announcement, but insiders know combining operations is no easy task. These days, add cyber risk to the list of prime considerations companies should weigh before, during, and after any M&A decision. Companies involved in transactions are often prime […]


    Board Directors Need to Have Discussions on Which Risks to Avoid, Which Risks to Accept, and Which to Mitigate Through Insurance

    Posted on June 22, 2017 at 11:06 am

    Total cybersecurity is an unrealistic goal. Cybersecurity is a continuum requiring strategic decision-making about where and how to spend security dollars. Attempting to guard every system equally is a recipe for exhausting the budget on low-priority systems. And it’ll result in bad security, since the company’s crown jewels will lack the sophisticated protections they need. […]


    Directors Need to Set the Standards and Expectations for Management to Establish Well-Staffed and Well-Funded Cyber-Risk Framework

    Posted on June 20, 2017 at 10:44 am

    Much like any response plan, a cybersecurity framework is only successful if it is well-staffed and well-funded. Otherwise, it simply will not be able to adequately handle the stresses caused by a breach. In a world where malware and ransomware are increasing both in frequency and severity – Wannacry, for example, affected 200,000 computers in […]


    Boards Need Access to Adequate Cybersecurity Expertise – And Need to Give it Adequate Time on Meeting Agendas

    Posted on June 19, 2017 at 12:56 pm

    Cyber literacy can be considered similar to financial literacy – not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business. As we all know, cybersecurity is very much a moving target. The threats and vulnerabilities change almost daily, and the […]


    Boards Need to Be Aware of Evolving Cyber-Legal Landscape

    Posted on June 14, 2017 at 10:24 am

    Boards of directors face several versions of risk from cyber breaches. Obviously, there is the risk of loss or manipulation of the data. There is also a risk of reputational loss. However, regardless of the actual data or reputational impacts, boards need to be concerned about legal risks that can occur unrelated to the other […]


    HHS Points The Way Forward For Improved Cybersecurity

    Posted on June 12, 2017 at 11:35 am

    Last month President Trump issued an Executive Order on cybersecurity that called on all federal agencies to assess their status on information security and for the leadership to take steps required to mediate threats. Last week the Department of Health and Human Services (HHS) released its Healthcare Industry Cybersecurity Task Force report, which provides a […]


    Cybersecurity Principle Number 1 for Boards – It’s Not Just About “IT”

    Posted on June 2, 2017 at 12:07 pm

    It has now become clear that cyber-risk needs oversight at the board of directors level. The problem is that most corporate boards are comprised of “digital immigrants” — people not born into the digital world they now inhabit — and therefore need to learn how to understand cyber-risk. That educational process has been undertaken by […]


    Metrics? What Metrics? Finding the Missing Link to the NIST Cybersecurity Framework

    Posted on May 31, 2017 at 11:00 am

    The NIST Cybersecurity Framework (NIST CSF) is one of the cornerstones – and most popular features – of US government policy to strengthen our nation’s cybersecurity. The hottest topic at the recent NIST workshop aimed at updating and refining the CSF was the development of metrics. Many experts believe that for the CSF to properly […]


    Reform the Defense Supply Chain to Face the Realities of Conflict in the Digital Age

    Posted on March 7, 2017 at 11:04 am

    For centuries, we’ve operated under the principle that nations are sovereign within their own borders, with traditional rules of war clearly stating that combatants need to be identifiable military targets. Acting on this principle, a functioning government has traditionally had to raise a force more powerful than any potential rival, either internally or externally, when […]


    Why Isn’t There An Academy Awards Ceremony for Cybersecurity

    Posted on February 27, 2017 at 11:20 am

    Let me spare you the suspense, because we don’t deserve one. Most people who have become aware of cybersecurity in the past few years think we are talking about credit cards, passwords, and firewalls. Really? I give these rookies a pass. The real fault lies with those of us, including myself, who have been toiling […]


    Seven Basic Cybersecurity Measures As Revealed By Wisdom Of The Crowd

    Posted on February 21, 2017 at 4:52 pm

    Individual experts offer good advice, but when many people agree on practical steps necessary for better cybersecurity, their consensus carries more weight, at least so long as cybersecurity lacks outcome-based, objective metrics. Accordingly, here are the most important things small and medium-sized organizations should do, according to a survey the Internet Security Alliance did of […]


    Movement in the Right Direction on Cyber Security

    Posted on January 30, 2017 at 11:24 am

    While the bulk of mainstream news coverage on cyber issues has been focused on macro issues such as Russian involvement in our electoral process, there have been less noted initial signs of progress on the more traditional cyber concerns such as the protection of critical infrastructure, theft of intellectual property and securing of personal data. […]


    Cybersecurity Takes its Place in the Boardroom

    Posted on November 30, 2016 at 11:54 am

    Those recognized by the National Association of Corporate Directors in its annual compilation of 100 most influential individuals and organizations have achievements in fields such as governance, transformation or oversight. Cybersecurity hasn’t typically figured among them – until recently. NACD is recognizing Internet Security Alliance CEO Larry Clinton for the second consecutive year in its […]


    10 Cheap Tricks to Improve Our Cybersecurity: Part I

    Posted on September 6, 2016 at 12:36 pm

    On September 15, 2016, the Internet Security Alliance will publish a 400-page, 17-chapter book containing 106 recommendations for the incoming Administration and Congress. One of the recommendations is that, frankly, we need to invest more in cyber defense. We are chasing a $500 billion to $1 trillion a year issue with about […]


    IMPACT OF BREXIT VOTE ON CYBER SECURITY: Private Sector Needs To Act Responsibly

    Posted on June 25, 2016 at 12:31 pm

    While I don’t see much, if any, short-term operational impact on cyber security from the Brexit vote, I do think the vote underlines the need for the private sector to develop strong partnerships to secure the cyber systems they own and operate independent from government structures. I feel pretty sure not a single UK voter […]


    The Next Administration Needs To Pick Up The Pace

    Posted on May 27, 2016 at 12:40 pm

    By: Larry Clinton, CEO/President THE NEXT ADMINISTRATION NEEDS TO PICK UP THE PACE – A LOT – ON CYBERSECURITY The Pentagon’s 2015 annual report says that most DoD systems are subject to low to mid-level cyberattacks and our defense systems are basically subject to compromise whenever an adversary chooses to do so. If the world’s […]


    Government Needs To Get Its Own Act Together With Respect To Cybersecurity

    Posted on May 20, 2016 at 5:00 am

    By: Larry Clinton, CEO/President Last week, I commented that given we have spent much of the last decade developing a consensus on an overall approach to cybersecurity as articulated in both the House GOP Task Force on Cybersecurity and President Obama’s Executive Order 13636, the one thing we don’t need from the newly appointed President’s […]


    Dear Cyber Commission, We Don’t Need a New Plan

    Posted on May 13, 2016 at 5:00 am

    By: Larry Clinton, CEO/PRESIDENT A wise person once said every great plan eventually dissolves into actual work. What we need right now is actual work on cybersecurity. We have spent much of the past decade, and particularly the last 5 years, coming to a consensus on the best approach to improve our overall cybersecurity. Back […]


    Major Indian Trade Group Seeks Alliance with ISA

    Posted on July 11, 2014 at 3:53 pm

    In November of 2013, Larry Clinton, the President and CEO of the ISA, traveled to India to speak about cyber security issues in the international context. Mr. Clinton traveled to Chennai, India where he spoke with T. K. Ramachandran, a member of the board of governors and the secretary of the ICT Academy of Tamil Nadu […]


    DHS Under Secretary Spaulding inserts ISA recommendations on cyber risk into new National Infrastructure Protection Plan

    Posted on June 12, 2014 at 3:02 pm

    The National Infrastructure Protection Plan (NIPP) established a strategic direction for coordinating the nation’s critical infrastructure protection and resilience initiatives. The new National Plan built on the previous Plan from 2009, and reflects major changes in risk, policy, and operating environments, reflecting “a significant evolution in critical infrastructure risk policy.” This evolution reflects movement toward […]


    White House Releases “Cyber Space Policy Review” — ISA is Most Cited Source

    Posted on June 11, 2014 at 5:20 pm

    Released in 2009, the Cyber Space Policy Review was the Obama Administration’s assessment of U.S. policies and structure for cybersecurity. Drawing heavily from the Internet Security Alliance as a resource, the paper outlined a path forward to creating a reliable and resilient digital infrastructure. Covering resources including the Cyber Security Social Contract, white papers, and […]


    ISA Hosts Conference on Cyber Security at White House Featuring DHS Secretary

    Posted on at 5:13 pm

    The Internet Security Alliance hosted an invitation-only event at the White House on economic issues related to cyber security featuring DHS Secretary Janet Napolitano. The session allowed guests to engage with the DHS secretary in a robust question and answer session in a more intimate setting. The DHS Deputy Under Secretary for Cybersecurity for the […]


    ISA takes Lead Role in Construction of NIST Framework

    Posted on at 4:58 pm

    In response to the February 2013 executive order released by President Obama, titled “Improving Critical Infrastructure Cybersecurity”, the National Institute of Standards and Technology (NIST) has undertaken the vital task of developing a new set of guidelines and standards to promote better cyber security practices in both the public and private sector. Known as the […]


    Obama’s Cybersecurity Executive Order 13636

    Posted on at 1:37 pm

    In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which formalized the Administration’s adoption of principles proposed by the Internet Security Alliance. The Executive Order departed from the regulatory model that the Administration previously embraced, which would have granted the Department of Homeland Security extensive authority to mandate cyber security standards […]


    NACD Asks ISA For Best Practices Guide

    Posted on June 10, 2014 at 4:49 pm

    NACD asks ISA to create best practices guide for corporate board of directors

    The National Association of Corporate Directors (NACD) asked ISA to put together a guide of best practices for corporate directors. With input from the ISA Board of Directors, and in close collaboration with AIG, ISA was tasked to identify best practices in […]


    ISA Criteria For Assessing The Cybersecurity Exec Order

    Posted on February 20, 2014 at 1:40 pm

    EXECUTIVE SUMMARY – ASSESSING PRESIDENT OBAMA’S EXECUTIVE ORDER ON CYBER SECURITY Upon realizing that comprehensive cyber security legislation to address the nation’s growing cyber security problem was unlikely to pass the Congress, President Obama issued an Executive Order on the subject in February 2013. The Order marked a watershed moment […]


    Media Asks ISA To Comment On WH Cyber Order

    Posted on October 11, 2013 at 12:41 pm

    ISA on CNBC On February 13, 2013, following the release of the Obama Administration’s Executive Order, CNBC’s “Power Lunch” asked ISA President Larry Clinton to appear on the show to discuss how the Executive Order will impact the private sector and solicit ISA’s view on its implications. To watch the segment, please proceed to ISA […]


    “Cyber Czar” Praises ISA on Health Care Program

    Posted on July 5, 2012 at 3:00 pm

    In an unusual move, the White House’s cyber security lead, the so-called “Cyber Czar,” Howard Schmidt joined the ISA, ANSI, and the Santa Fe Group at the National Press Club for the launch of the ISA’s most recent publication in its Financial Risk Management Program: “The Financial Impact of Breached Protected Health Information – […]


    ISA Testimony Leads To Bipartisan Cyber Incentives Effort

    Posted on at 2:27 pm

    ISA’s long-standing efforts to create an economically viable and sustainable approach to cybersecurity reached a milestone following an unusually collaborative and non-partisan hearing before the House Energy and Commerce Subcommittee on Communications and Technology on February 8, 2012. After the hearing, Chairman Greg Walden (R-OR) and Ranking Member Anna Eshoo (D-CA) formed a bipartisan Task […]


    ISA Leads Effort W/DHS To “Reboot” Ind-Govt Partnership

    Posted on at 2:06 pm

    Since the crafting of the National Infrastructure Protection Plan (NIPP), the ISA has taken a lead role in seeking a viable partnership between government and industry to address the unique problems in defending integrated cyber systems against increasingly sophisticated attacks. ISA outlined a re-drafted model in its Cyber Security “Social Contract” (2008) and “Social Contract […]


    ISA Briefs FDIC On ISA’s Financial Cyber Risk Program

    Posted on at 2:02 pm

    Starting in 2006, the ISA began its program on the Financial Management of Cyber Risk, which resulted in the first of its publications on this subject: “The Financial Impact of Cyber Risk – 50 Questions Every CFO Should Ask.” ISA’s follow-up publication, “The Financial Management of Cyber Risk – An Implementation Framework for CFOs,” […]


    ISA and Michael Chertoff Keynote World Nuclear Security Event

    Posted on at 2:00 pm

    The World Institute of Nuclear Security (WINS) contacted the ISA in late 2011 for assistance in developing an incentive-based model for nuclear facility security that is global in scale. In conjunction with this request, ISA President Clinton, along with DHS Secretary Michael Chertoff, was asked to keynote the WINS international nuclear security conference in Vienna, […]


    ISA Briefs Congress On Information Sharing

    Posted on at 1:55 pm

    Information sharing is one of the most important tools in implementing a sustainable system of cybersecurity. However, the traditional information sharing models have generally proven to be of limited effectiveness, because many organizations cannot devote the resources to participate in an Information Sharing and Analysis Center (ISAC) and because many of the traditionally […]


    ISA Briefs NATO Cyber Centre For Excellence

    Posted on at 1:52 pm

    While many of ISA’s member companies are U.S.-based, virtually all of them are multi-national and operate internationally. Because of this and the nature of the problem itself, ISA has always taken an international approach to cybersecurity (2 of the past 5 ISA Board Chairs have hailed from European-headquartered organizations). Shortly after ISA reiterated and […]


    ISA Releases Cyber Supply Chain Roadmap

    Posted on at 1:50 pm

    The ISA launched its first supply chain program in 2005, in conjunction with ISA Founding Partner Carnegie Mellon University. Since then, ISA has released a series of reports on managing the IT supply chain for security purposes with ever greater specificity. In 2007, ISA released its report with Carnegie Mellon on the nature of […]


    House GOP Task Force Report On Cybersecurity Adopts ISA Recommend

    Posted on at 1:47 pm

    In the 112th Congress, a high-level task force convened by House Speaker John Boehner (R-OH) endorsed the approach laid out by ISA in the Cyber Security Social Contract. When the House GOP Task Force on Cyber Security convened, ISA was the first witness called to provide recommendations. The House Republican Task Force Report on Cyber Security, […]


    ISA Hosts White House Event on Cybersecurity And Economy

    Posted on at 1:40 pm

    On June 6, 2012, the Internet Security Alliance hosted an invitation-only event at the White House on economic issues related to cyber security. DHS Secretary Janet Napolitano was the featured speaker, providing opening comments and engaging the invited guests in an open and robust question and answer session. Mark Weatherford, the DHS Deputy Under Secretary […]


    Transcript: Is The Web Becoming Less Secure? – PBS News Hour

    Posted on December 12, 2010 at 2:13 pm

    In the wake of the Gawker Media hacking over the weekend, Jeffrey Brown gets a wider perspective about the vulnerability of online information and the danger of further cyberattacks from James Lewis of the Center for Strategic and International Studies and Larry Clinton of the Internet Security Alliance. To view the video of this exchange, […]