Saturday, December 21, 2019

CYBR 650 - Blog Post 3 - Blogs vs. Scholarly Publications for Cybersecurity


Even ten years ago the majority of post-high school education was done in person at brick & mortar universities across the country. If someone wanted to major in something as specific as computer security and auditing, they would most likely need to be co-located with that university to participate in the education it provided.

The Internet changed things.

One report by Babson Survey Research Group indicates that 31.6% of all students now take at least one distance learning (i.e., online) course as part of their education (Babson, n.d.). This same report indicates that between 2012 and 2016 the number of students studying on campus has dropped by over a million students, or 6.4%.  Because of this reliance on distance learning, the reliance on physical books and publications used for resources has also dropped.  The use of online resources such as websites, blogs and digitized books has not only expanded, but is now becoming acceptable reference material for white papers, research reports and dissertations.

I can attest from personal experience that old school professors did not accept online content as acceptable resources and required all references to be physical books, scholarly articles and empirical research.  (I got an F on a paper in 1995 where I referenced a discussion I had with a fellow student in Australia regarding recreation activities in that country when no other resources were available in my library). 

My term paper for CYBR545 on Business Email Compromise had 16 references in the final paper, 14 of which were from the current year (2019).  Because this was a newly identified threat, no printed material was available on the topic.  But resources from the FBI, DHS and other reputable information sources provided valuable, near-real-time details on this emerging threat.

It could be argued that the curriculum for technology degrees (such as cybersecurity) is evolving faster than books can be printed.  Many of the books we use are from before 2015, which was when I ventured into cybersecurity as a career, and much has changed since then.  Bellevue professors have been very accepting of online content as acceptable references, and have not been enforcing printed books and scholarly articles.  I would argue that technology websites, blogs, vendor websites and technical forums provide credible information pertinent to an advanced degree that should be considered an official resource.  While books from PhDs and peer-reviewed scholarly articles may have additional credibility based on the amount of research and vetting that is done for them, the industry standard is to acquire cyber information from a multitude of online resources, and it is considered credible.  Just as Zillow transformed real estate and their Zestimate has become the publicly acceptable standard for property estimates, the use of online resources has become the go-to place for credible information for cybersecurity news, information and intelligence.

Websites which offer some high-quality facts, intelligence, topics, technology and commentary include:
- Krebs on Security
- Naked Security
- Dark Reading
- Hackaday Blog
- The Hacker News
- Threat Post
- Security Week
- CSO
- IT Security Guru
- Schneier on Security
- Daniel Miessler
- Google Online Security
- Wombat Security
- Errata Security
- Kaspersky Labs
- Security Bloggers Network
- Sophos
- Security Now podcast
- Graham Cluley
- The Security Ledger
- Paul’s Security Weekly
- AT&T Cybersecurity
- Internet Storm Center

The truth is that books and peer-reviewed publications are not able to keep up with the speed of technology and the threats being brought upon our systems, networks and software.  I feel it is absolutely justified to continue to use these web-based sources as long as they are deemed credible by the cybersecurity community and are not biased based on foreign input such as Kaspersky or vendor-specific technologies (Vaughan-Nichols, 2017).  Reliance on these sources may be the subject of information warfare, so there may be the need for oversight if disinformation begins to interject itself into the open news sources that open-source intelligence aggregators acquire their products from.

Websites such as Purdue University’s OWL provide guidance on how to reference websites and other online content (https://owl.purdue.edu/owl/research_and_citation/apa_style/apa_formatting_and_style_guide/general_format.html).  This indicates that online content is worthy of being referenced, but those in academia are still skeptical about non-official publications and websites which may not be as mainstream as other well-known sites.  After going through the course on Information Warfare, I believe it’s important to review the websites for credibility before deciding to reference them in professional work or scholastic endeavors.  Truth be told, many blogs are purely subjective, even if the rationale is well-received.  Being used as a source in higher level education should be carefully done if the author intends to maintain credibility in the discipline.

Technology is moving at the speed of light, so the ability to find, use and reference credible online resources is imperative to obtaining the most current information on topics pertaining to cybersecurity and information technology. 


References:

Higher Education Reports. (n.d.). Babson Survey Research Group.  Retrieved on December 21, 2019 from https://www.onlinelearningsurvey.com/highered.html

Top 40 Cyber Security News Websites for Information Security Pros. (Dec. 16, 2019).  Feedspot.  Retrieved on December 21, 2019 from https://blog.feedspot.com/cyber_security_news_websites

Vaughan-Nichols, S. (2017). Claims resurface that Kaspersky helped Russian intelligence.  ZDNet.  Retrieved on December 21, 2019 from https://www.zdnet.com/article/claims-kaspersky-works-with-russian-intelligence-resurface/



Wednesday, December 11, 2019

CYBR 650 - Blog Post 2


(Me having lunch with congressmen Tom Cole (left) and Mike Rogers (right))



I was invited to participate in the Reagan National Defense Forum this past Saturday, located at the Ronald Reagan Library in Simi Valley, CA (10 miles from my house).  The forum brings together some of the most significant players and contributors in the world of national defense and security in the nation.  Being on the VIP guest list entitled me to personal access to many of these individuals, both in person as well as to sit in intimate panel discussions.  For those of us in national defense, it’s surreal to hang out at cocktail hour with 4-star generals and members of Congress and chit-chat about everything from security policy to football.  In a single day, those I personally saw or talked with include:
- Dr. Mark Esper (Secretary of Defense)
- Rob O’Neil (National Security Advisor)
- Jim Mattis (former Secretary of Defense)
- Jeff Bezos (Founder, CEO of Amazon.com)
- Brad Smith (President, Microsoft)
- Leon Panetta (former Director CIA, former Secretary of Defense)
- Dana Deasy (DoD CIO)
- Karl Rove (former deputy White House Chief of Staff, Bush 43)
- ADM Paul Nakasone (Commander US CyberCOM)
- ADM Michael Gilday (Chief of Naval Operations CNO)
- Gen. David Goldfein (Chief of Staff, Air Force)
- Gen. David Berger (Commandant, US Marine Corps)
- Gen. James McConville (Chief of Staff, US Army)
- Congress (Tammy Duckworth, Adam Smith, Mac Thornberry, Liz Cheney, 20 others)

Promoted as a forum for national security, I’ve observed the panel discussions this year and last year starting with the topic of security, readiness, lethality and quickly meandering into cybersecurity and nation-state sponsored threats.  This was true for every forum.  Discussing national security at the highest levels now includes cybersecurity and the realization that the cyber threat is just as significant as potential kinetic warfare.  China, Russia, Iran and North Korea were popular topics by all the major players and all panels defaulted to discussing how the cyber threat affects the overall wellbeing and way of life for the United States.

Sitting through 10 hours of panels, fireside chats and personal discussions with a few of these key individuals, it became apparent that the underlying topic for our national security is nation-state sponsored cyber threats.  Below I highlight some of the significant speakers and presentations.



Lunch keynote speaker Secretary of Defense Dr. Mark Esper showed fluent knowledge and experience in security and highlighted many cyber-relevant situations which the National Defense Strategy supports defending against.  It was refreshing hearing his take on the NDS; he emphasized that continuing resolutions (CRs) will negatively affect the military and encouraged Congress (30 of whom were in attendance) to pass the budget and help meet the goals set forth in the NDS.


Amazon founder and CEO Jeff Bezos had some memorable quotes and advice.

“To earn trust – do hard things well, over and over and over again.”  This was in regard to things like stating they would do next-day shipping with Amazon Prime, or offering AWS or video services.  It wasn’t easy, but he proved to others they were able to do it, and do it over again.  This builds trust in the brand and enterprise.  He also had advice on decisions, indicating there were two types:
1. Highly-consequential, irreversible, one-way decisions
2. Normal decisions which can be reversed without dire consequences

Bezos mentioned that we use the hard decision-making process for situations such as #2, causing us to over-think and add too many people to the decision-making process when it’s not necessary.  Understand the situation, use critical thinking, keep the quorum small and make fast decisions if not irreversible and highly-consequential.

Mr. Bezos also discussed his “disagree & commit” methodology, which he encourages leaders to adopt as a way of progressing in the decision-making process (see here:  https://www.inc.com/justin-bariso/it-took-jeff-bezos-only-three-words-to-drop-the-best-advice-youll-hear-today.html).  Also, he highlighted the importance of being robust and nimble, which somewhat translates to resilience and agility in the form of program acquisition and decision making.

I was very impressed with Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment.  Unlike some high-level officials, Secretary Lord is very familiar with new technologies and recent policy and, while responsible for all DoD acquisition, encouraged the group to “fail small, fail fast and move forward”.  She said readiness and modernization should be hardware enabled and software defined, and the laborious acquisition process the DoD is stifled by will need to be revamped to compete with our foreign adversaries in the 21st century.  She is also familiar with the Cybersecurity Maturity Model Certification (CMMC) and indicated that 1st tier contractors (Lockheed, Northrop, GD, Boeing, etc.) will need to help support lower tier contractors become compliant with this standard.  We should expect to see more news of it by March 2020.

I had a chance to briefly chat with DoD CIO Dana Deasy and asked him if he noticed that all the panel discussions started off discussing high-level defense readiness and acquisition but ultimately included discussions about cybersecurity.  I asked him if perhaps the next Reagan National Defense Forum could include a panel specific to cyber threats and readiness in the DoD and he said, “That’s a good idea.  I’ll bring it up to them.”  Not sure if that was sincere or not, but since he said it was his first time at the NDF, I indicated this was the case for most of the panel discussions.

During the happy hour the night before, I had a chance to speak with General Mattis about how the cyber threat has increased since his time in the military.  He indicated how the DoD has been aware of cyber threats for a while, but has only really seen it posing a national security threat in the past decade, and much more in the past few years.  He then reiterated that position later on in the day while discussing a variety of topics with Leon Panetta.  Both very wise.




There was a panel discussion that filled the house – the Chiefs of Staff of the Air Force and Army along with the Commandant of the Marine Corps and the Chief of Naval Operations held a panel to discuss national security and how each of the forces was supporting it.  All were fluent in how the cybersecurity threat is now a top tier concern for all these leaders and they indicated more support and direct involvement in making sure each service was baking cybersecurity into their acquisition, product line and culture.


National Security Adviser Rob O’Neil was also there, but his canned 15-minute speech was a partisan tribute to Donald Trump.  Many of the comments he made pushed Republican agenda items and perpetuated the false narrative of a successful presidency, contradicting many of the positions previous speakers took.  Very disappointing and the snickering from the audience was very noticeable and his statement made many people uncomfortable.

Overall the 2019 RNDF was very successful and the folks at the Reagan Presidential Library did a fantastic job coordinating the speakers, the guests, security, food and refreshments and media.  I look forward to being there next year.

Full videos of all panels can be located here:  https://www.youtube.com/playlist?list=PLHNOi2zcxo7tPPwgTEaF421osdMepdJKk