Las Vegas, NV – After two days of Black hat I now see the relationship between that event and DefCon. Black hat seems to be the place where IT security vendors try to convince the world that they can protect the Internet, whereas DefCon attendees clearly — whether they say it or not — are well equipped to slash through everything being sold at Black hat. It seems like it would make more sense for DefCon to come first and Black hat to follow, that way media, analysts and enterprise buyers could first find out the latest looming threats on display at DefCon and then be well equipped to ask Black hat exhibitors if their products could withstand the attacks.

For those who could not attend this year, there has been a lot of great coverage emerging and a few interesting photos as well. My favorite, one I shot today of the Mohawk hair cutting station on the middle of the main pavilion:

Interesting thing about IT security, it really is a lot like what you see on TV. A lot of well-dressed suites and highly educated men and women on the sales, marketing and business side with crazed technophiles puttint it all together behind the scenes.

Anyway, lots of great stories and photos are coming out of the event. Check out all of the usual IT haunts for coverage. I plan to post a more comprehensive wrap up tomorrow. Hopefully with some video.

Posted by Joe Franscella – 12-28-09 –

The appointment of Howard Schmidt to the position of White House Cybersecurity Coordinator is further indication that President Obama’s administration acknowledges that effective cybersecurity can mean the difference between life and death. The administration should look at cybersecurity in this way, after all, cyberspace provides criminals and terrorists with a platform to launch attacks against the US that could have fatal results.

Appointment of an official to a new position is only a first step though, the question remains, “what will Schmidt do?”

It makes sense for Schmidt to engage with private business to address cybersecurity problems and to close security gaps — the White House may be responsible for defending the nation but private enterprise produces the technology that fuels and defends cyberspace.

Schmidt will undoubtedly seek counsel from established IT security vendors, vendors that will use these counsel opportunities to sell him on the importance of influencing congress to pass legislation calling for regulations that their solutions can provide compliance for. But, will these traditional vendors’ solutions be enough to close security gaps that could lead to fatal outcomes?

Any strategy that relies on technologies supplied by established, major enterprises as the sole means of ensuring security in cyberspace will fail. Evidence to this is clear, in the last year there have been dozens of reports and news headlines that have revealed cyberattacks that have resulted in compromises to top-secret defense initiatives, power grids and other critical systems. It’s safe to assume that most of those breaches took place on networks founded on established technologies.

To reduce risk, Schmidt is going to have to move beyond traditional Washington politics that drive public-private efforts. He is going to have to open Washington’s collective mind to listen to more than just the major enterprises that have lobby dollars available to shape thought on Capitol Hill, and he is going to have to reach out to innovative small companies and startups that have developed game-changing security technologies.

So, how should Schmidt engage startups and other small and innovative technology vendors that typically don’t have budgets for lobby efforts?

Some steps Washington could take to reach startups and small IT security vendors in the quest to reduce risk are:

1.    Establishment of federal grants for small vendors and startups to fund lobbying efforts
2.    Sponsoring a federal “Demo Day (or Week)” that provides small vendors and startups with funding to cover the costs associated with demoing their solutions on a DC stage
3.    Establishment of federal grants for small vendors and startups that could be used to fund marketing efforts focused on the federal government
4.    The formation of a federal VC banking system that provides taxpayers with equity stakes in IT security startups and small enterprises

When it comes to protecting the nation against cyberattack, foresight needs to be 20/20. It would benefit the nation to identify security technologies that reduce risk prior to a tragedy as opposed to after one. The only way to do this is to take steps that facilitate connections between the federal government and innovators that have the potential to change the game.

“There is hacking,” says Legge. “Hackers are coming after the electrical grid all the time.” (Ed Legge is pokesman for the Edison Electric Institute (EEI), an association representing about 70 of the largest utilities which generate the bulk of the nation’s electricity through complex swatches of eastern- and western-distribution grids and management and control points called Independent System Operators)

What the security vendors said:

“The whole grid going down is the hardest one to believe,” says Eric Knight, senior knowledge engineer at Log Rhythm, noting the Wall Street Journal article lacked sufficient information “about why we should be panicking, per se.”

“This should come as a surprise to no one,” says Patrick Peterson, chief security researcher at Cisco, adding, “The truth is slowly coming out.”

Shane Buckley, CEO at Rohati, says he’s worries that “a number of utilities outsource development to Eastern Europe, Russia and China,” and cyberspy attacks could originate through outsourcing. (Disclaimer: I represent Rohati).

These stories hit hard and fast but I doubt they are over. It will be interesting to see how this plays out.

Network World’s Tim Greene launched his Cloud Security Alert newsletter today with a look at What is a cloud? Wrote Tim:

“So the cloud is a physical place, perhaps owned and controlled by some other entity, and it contains computing resources that are available pretty much on demand for a price. Simple enough, but there are plenty of variations.”

He goes on to explain it further, leaving the reader with a basic deffinition, something of value in today’s (excuse me for this nest description) “foggy cloud environment.”

In terms of cloud deffinitions, I also like the one in Gartner’s 2008 paper: Tutorial for Understanding the Relationship Between Cloud Computing and SaaS

In the paper, Gartner defines cloud computing as: a style of computing where massively scalable ITenabled capabilities are delivered as a service to external customers using Internet technologies. One IT-related function can be a software application. If the software application is written in such a way that it is “massively scalable,” then SaaS is considered a form of cloud computing (SaaS).

Posted by Joe Franscella

When learning about the system, the first thing that stuck out to me was how primitive, from a technological standpoint, it was. There were no alarms that alerted the power company when the power went out, it relied on calls from end users; the ultimate advance in handling downed high voltage power lines were rubber gloves and boots; and meters were still being read by service men and women who traveled door to door.

Deregulation was really what began to kick off a technological revolution in the industry and the Internet became the vehicle that allowed the market to be open to independent power and services vendors. California created the Independent Systems Operator (CalISO), a wholesale power clearinghouse that HQ’s in a state-of-the-art control center no doubt built on an IP infrastructure, independent technology vendors began to flood the market with “cost-effective” meter reading devices that operated through cellular relays and the Internet, and companies like Enron and Duke Energy played on the wholesale market through Internet-based trading floors. Fast forward to 2000, I was out of the power industry but heavily immersed in the middleware business as a communications manager for a major supplier. In addition to providing EAI for ERP vendors like SAP, one of the company’s primary markets was energy. It supplied much of the middleware that integrated trading applications.

In ’97 and 2000, the world was abuzz with integration and Internet-enabled technologies that were fueling the IT revolution for sure; no one was talking about security though. I can distinctly remember PeopleSoft’s (now Oracle) VP of marketing talking about the importance of 8′s pure HTML design during the big launch, but I can’t once recall him mentioning security.

Fast forward to today. The Wall Street Journal, CNN, Network World, CNET and SC Magazine have all printed features about a recent report that points out that cyber spies have infiltrated the US power grid via the Internet, leaving behind software (malware and bots I guess) that can feed back information and even allow them to disable the system.

As a communications manager with a power company in ’97, I read through hundreds of pages of deregulation related materials, as a communications manager with a middleware company I was immersed in Internet-based EAI daily, I can say with some degree of confidence that no one saw the security threats coming.

It will be interesting to see where this story heads. Could this be what sparks the next Microsoft-sized technology innovation wave? If a bot, malware, worm or something along these lines leads directly back to a foreign government’s intelligence agency, will that be what really forces technology to develop based on security first? It’s one thing to hack a defense system and get some information about defensive strategy of weapons development, being able to shut down the power is an entirely different matter. Imagine, all of the sudden, the power supply to Manhattan, San Francisco, Chicago, LA and Dallas shutting down – all at the same time. Remember the Road Warrior sequel Mad Max Beyond Thunder Dome — who really rules Bartertown?

Posted By Joe Franscella