SC Magazine: The Brave New Cloud World

Clouds by their very nature are ethereal and hard to grasp. Combine this with the IT industry’s obsession with tacking the latest buzzword anywhere it can get away with it and it’s not surprising that cloud computing has some people flummoxed.

What is clear though is that, however you choose to define the term, the cloud is subverting the established rules of the tech industry. However, fundamental change makes people nervous and one of the aspects of cloud computing which is raising concern is security.

While a lot of attention has been focused on whether online apps or hosted compute power are inherently more or less secure than their on-premises equivalents, less attention has been given to the changes that the cloud is bringing to security products and services themselves.

For more go to SC Magazine

No spat here says US cybersecurity investigator

In an earlier post I flagged up the fact that the head of cybersecurity at the Department of Homeland Security (DHS) just happens to be at the same IT security show in London as someone who appeared to have made negative comments about his department’s leadership.

I have managed to speak to both parties involved now, and one of them claims their relationship is not as antagonistic as it has been reported.

After one of his presentations at the RSA Conference Europe, I managed to catch up with homeland security expert Paul Kurtz, who was recently quoted as saying that, “There really is no one in charge right now at DHS”.

Kurtz (part of a Center for Strategic and International Studies (CSIS) panel that is undertaking a review of cybersecurity with the aim of creating recommendations for the new US administration) appeared to have a negative view of the role the DHS is taking in cybersecurity strategy, judging from this article. Unfortunately, the man charged with running the cybersecurity division of DHS – Robert Jamison – was also attending RSA in London.

When I spoke with Kurtz, he claimed that my earlier post, and presumably the CNET story, were misleading, and that he and Jamison have worked in the same circles for a long time and that there was no personal animosity between the two of them. In fact, according to Kurtz, it turns out that they ended up going out for dinner at the event. “It is not personal at all,” he said.

However Kurtz did admit that he felt there was a leadership issue at the DHS. “There is a legitimate question of who is in charge at the DHS, who is directing the traffic there? But that shouldn’t all be laid at the feet of Robert Jamison, that is unfair.”

For his part, when I spoke to Jamison yesterday, he didn’t disagree when I claimed that Kurtz had been critical of him but just gave me a kind of knowing smirk. One of his spokespeople also made it clear that the CSIS panel had not been very communicative with Jamison or his office in the course of its investigations, which Jamison’s people obviously found frustrating. Kurtz, on the other hand, maintains that the panel did meet with Jamison and that communication channels were open – so who is right? Probably both, but with different perspectives on “communication”.

But when it comes to his wider views on the performance of Homeland Security and it being the best place to coordinate US cybersecurity policy, Kurtz said that one of the options the committee is considering is pushing the responsibility into the White House. “There is a lot of thinking that given the complexity of the issue, the broad strategic policy and programme coordination should emanate from the White House,” said Kurtz.

That is not to say that the DHS wouldn’t have a role in cybersecurity, but possibly only one on the same level as other departments such as Defence and Justice, said Kurtz. The White House’s involvement would allow for a “broader perspective” beyond that of just one department and also encourage the involvement of the private sector, Kurtz added.

The report from the CSIS is due around a week after the election, so we will just have to see what the findings are, but if the rest of the panel follows Kurtz’s views then DHS under a McCain or Obama leadership could well find itself relegated to being just one contributor to cybersecurity strategy.

Even tech-savvy telcos can’t look after data

As if being crunched by credit wasn’t bad enough, some banks, and other firms, are facing more shame on Wednesday following the publication of a report from the information commissioner Richard Thomas.

We are used to seeing public sector organisations being lambasted for losing vital data – such as the HMRC incident last November – but this week Thomas is gunning for private companies claiming that around one quarter of the 277 breaches reported to his organisation in the last year concerned businesses.

More worrying is the fact that Thomas is set to get additional powers to fine companies over data breach issues.

Aside from banks, supposedly tech-savvy organisations such as telcos are also failing to keep control of their data, according to Thomas. Over the past 18 months, four telecoms companies, including Virgin Media and Orange, have been warned over data management issues.

Thomas is set to speak this afternoon at the RSA Europe IT security show in Docklands, and judging by the results of this report, he shouldn’t be short on stuff to say.

Safecode initiative fails to attract open source players

Industry group Safecode hasn’t managed to encourage any open source players to join in its mission to improve the inherent security of software despite being around for nearly a year.

Speaking at the RSA Security Conference Europe, in London, the organisation’s executive director Paul Kurtz admitted that although the foundation of the organisation was announced at last year’s show, the group hasn’t managed to add any open source players to its ranks so far.

For more go to Heise UK.

US Homeland Security spat comes to London

What are the chances? You get away from Washington for a few days and escape the criticism that your division of Homeland Security has been getting for not doing its job, only to find that one of your main critics is at the same event that you are at in London.

Well, that is the slightly unfortunate position that DHS Undersecretary Robert Jamison has found himself in at the RSA Conference Europe in London this week. Members of a cybersecurity oversight commission have been very publicly criticising the role of the DHS in managing the country’s cyber defences, including claims that there is basically no leadership around the issue.

As head of the cybersecurity division at DHS, Jamison is probably going to take that personally; well, he can’t really fail to when confronted by statements such as: “There really is no one in charge right now at DHS”.

And who made that very direct criticism? None other than cyber commission member Paul Kurtz, who just happens to be at RSA too. Kurtz is here pushing his own initiative to promote secure approaches to software development – Safecode – launched at last year’s show. I am not sure if the two security gurus have bumped into each other, but I am guessing that right now even the cavernous halls at Excel don’t feel big enough.

Having chatted to Jamison, it seems that the commission hasn’t been very good at actually getting in touch with his department. The commission’s main mission is to prepare a report for the next administration around cyberthreats/security policy – but according to Jamison’s office, the commission has made very little attempt to get in touch with the body that has been doing the job for the last few years.

I will try and get in touch with Kurtz and find out his side of things and report back…

For more go to CNET.

RSA: Downturn will stifle IT innovation


Keynote RSA Europe 2008

The crisis in the banking sector could encourage governments to introduce more regulation, which could divert IT resources away from innovation, according to RSA boss Art Coviello. Speaking on the first day of the RSA Security Conference Europe in London, Coviello told the audience of IT professionals that IT innovation was key to lifting struggling economies out of the current financial downturn. But that process could be derailed by an increased legislative burden combined with fear of costly IT mistakes in tough economic conditions.

For more go to Heise UK.

Industry expects e-crime unit to ‘knock on doors’

I just completed this analysis piece for ZDNet UK around the new Police Central E-crime Unit (PCEU). Thanks to Geoff Donson from Telecity Group for the background and quotes and for the cooperation of Janet Williams from ACPO for answering some tricky questions:

The rise of e-crime is no longer news. But could UK law-enforcement agencies have done more to prevent internet and IT-related crime reaching a value of £6bn per year, the latest figure reported by the Department for Business, Enterprise & Regulatory Reform?

The announcement last month of the formation of the new Police Central e-Crime Unit (PCeU) will be seen by some as an admission that the April 2006 decision to roll the former National Hi-Tech Crime Unit (NHTCU) into the more strategic Serious Organised Crime Agency (Soca) was a mistake.

The amalgamation was viewed by some as a distraction from the job at hand, just as computer-related crime was becoming more sophisticated and prevalent.

“We had a splendid, long relationship with the NHTCU, but that doesn’t appear to be re-emerging in Soca,” David Roberts, chief executive of industry body the Corporate IT Forum, said last year. “A lot of the difficulty with Soca is the period of silence [since its formation], which is such a stark contrast to the NHTCU, who were really visible and proactive.”

Asked whether the creation of the PCeU is an acknowledgement that the government got it wrong when it absorbed the NHTCU into Soca, Janet Williams, Metropolitan Police deputy assistant commissioner for the Specialist Crime Directorate, who is heading up the development of the new unit, said that, ultimately, it is not a question she can answer.

“That is a political question and I don’t do those,” she said. “I think police officers should just get on with it.”

Levels of IT crime on the up in the downturn?

This interview I did with the chief executive of RSA Security, Art Coviello, has just been posted on SC Magazine:

SC was granted an exclusive interview with Art Coviello, RSA president and executive vice president of EMC. He spoke to Andrew Donoghue on whether organisations should be compelled to disclose data breaches and whether he expects to see general levels of IT related crime increase during the tough economic times ahead.

You are a big supporter of the idea of data breach notification regulations, but some people – such as Microsoft UK’s chief security advisor and former FBI agent Ed Gibson – have questioned whether they are really a good idea?

Consumers have every right to know that their personally identifiable information has been compromised. If that personally identifiable information has been breached, you need to go public and explain that. Data breach regulations engender the following kinds of behaviour: ‘Wow, I could be embarrassed if this happens. Wow, I could be subject to liabilities if this happens. Wow, I could suffer significant loss of reputation if this happens. Therefore I need to take appropriate action to make sure this doesn’t happen in the first place’. There is no technology that has been purchased, just an awareness on the part of the company that they need to do something, they need to do the right thing.

You can find the full interview here.