Category: IT Security

Clouds by their very nature are ethereal and hard to grasp. Combine this with the IT industry’s obsession with tacking the latest buzz-word anywhere it can get away with it and it’s not surprising that cloud computing has some people flummoxed.

What is clear though is that, however you choose to define the term, the cloud is subverting the established rules of the tech industry. However, fundamental change makes people nervous and one of the aspects of cloud computing which is raising concern is security.

While a lot of attention has been focused on whether online apps or hosted compute power are inherently more or less secure than their on-premises equivalents, less attention has been given to the changes that cloud is having on security products and services themselves.

For more go to SC Magazine

In an earlier post I flagged up the fact that the head of cybersecurity at the Department of Homeland Security (DHS) just happens to be at the same IT security show in London as someone who appeared to have made negative comments about his departments leadership.

I have managed to speak to both parties involved now, and one of them claims their relationship is not as antagonistic as it has been reported.

After one of his presentations at the RSA Conference Europe, I managed to catch-up with homeland security expert Paul Kurtz, who was recently quoted as saying that, “There really is no one in charge right now at DHS”.

Kurtz (part of a Center for Strategic and International Studies (CSIS) panel that is undertaking a review of cybersecurity with the aim of creating recommendations for the new US administration) appeared to have a negative view on the role the DHS is taking around cybersecurity strategy judging from this article. Unfortunately, the man charged with running the cybersecurity division of DHS – Robert Jamison –  was also attending RSA in London.

When I spoke with Kurtz, he claimed that my earlier post and presumably the CNET story, was misleading and that he and Jamison have worked in the same circles for a long time and that there was no personal animosity between the two of them. In fact, it turns out that they ended up going out for dinner at the event according to Kurtz. “It is not personal at all,” he said.

However Kurtz did admit that he felt there was a leadership issue at the DHS. “There is a legitimate question of who is in charge at the DHS, who is directing the traffic there? But that shouldn’t all be laid at the feet of Robert Jamison, that is unfair.”

For his part, when I spoke to Jamison yesterday, he didn’t disagree when I claimed that Kurtz had been critical of him but just gave me a kind of knowing smirk. One of this spokespeople also made it clear that the CSIS panel had not been very communicative with Jamison or his office in the course of investigations which Jamison’s people found obviously frustrating. Kurtz on the other hand maintains that the panel did meet with Jamison and communication channeles were open  – so who is right? Probably both but with different perspectives on “communication”.

But when it comes to his wider views on the performance of Homeland Security and it being the best place to coordinate US cybersecurity policy, Kurtz said that one of the options the committee is considering is pushing the responsibility into the White House. “There is a lot of thinking that given the complexity of the issue, the broad strategic policy and programme coordination should emanate from the White House,” said Kurtz.

That is not to say that the DHS wouldn’t have role in cybersecurity but possible only one on the same level as other departments such as Defence and Justice said Kurtz. The White House’s involvement would allow for a “broader perspective” beyond that one just one department and also encourage the involvement of the private sector, Kurtz added.

The report from the CSIS is due around a week after the election so we will just have to see what the findings are but if the rest of the panel follow Kurtz’s views then DHS under a McCain or Obama leadership could well find itself relegated to being just one contributor to cybersecurity strategy.

As if being crunched by credit wasn’t bad enough, some banks,and other firms, are facing more shame on Weds following the publication of a report from the information commissioner Richard Thomas.

We are used to seeing public sector organisations being lambasted for losing vital data – such as the HMRC incident last November – but this week Thomas is gunning for private companies claiming that around one quarter of the 277 breaches reported to his organisation in the last year concerned businesses.

More worrying is the fact that Thomas is set to get additional powers to fine companies over data breach issues.

Aside from banks, supposedly tech-savvy organisations such as telcos are also failing to keep control of their data according to Thomas. Over the past 18 months, four telecoms companies including Virgin Media, Orange have been warned over data management issues.

Thomas is set to speak this afternoon at the RSA Europe IT security show in Docklands this afternoon, and judging by the results of this report, he shouldn’t be short on stuff to say.

Industry group Safecode hasn’t managed to encourage any open source players to join in its mission to improve the inherent security of software despite being around for nearly a year.

Speaking at the RSA Security Conference Europe, in London, the organisation’s executive director Paul Kurtz admitted that although the foundation of the organisation was announced at last year’s show, the group hasn’t managed to add any open source players to its ranks so far.

For more go to Heise UK.

What are the chances. You get away from Washington for a few days and escape the criticism that your division of Homeland Security has been getting for not doing its job, only to find that one of your main critics is at the same event that you are at in London.

Well that it is the slightly unfortunate position that DHS Undersecretary Robert Jamison has found himself in at the RSA Conference Europe in London this week. Members of an cybersecurity oversight commission have been very publicly criticising the role of the DHS in managing the country’s cyber defences including claims that there is basically no leadership around the issue.

As head of the cybersecurity division at DHS, Jamison is probably going to take that personally, well he can’t fail to really when confronted by statements such as: “There really is no one in charge right now at DHS”.

And who made that very direct criticism? None other than cyber commission member Paul Kurtz, who just happens to be at RSA too. Kurtz is here pushing his own iniative to promote secure approaches to software development – Safecode – launched at last year’s show. I am not sure if the two security gurus have bumped into each other, but I am guessing that right now even the cavernous halls at Excel don’t feel big enough.

Having chatted to Jamison, it seems that the commission hasn’t been very good at actually getting in touch with his department. The commissions main mission is to prepare a report for the next administration around cyberthreats/security policy – but according to a Jamison’s office, the commission has made very little attempt to get in touch with the body that has been doing the job for the last few years.

I will try and get in touch with Kurtz and find out his side of things and report back…

For more go to CNET.

 

 

Increased regulation triggered by the crisis in the banking sector could encourage governments to introduce more regulations that could divert IT resources away from innovation, according to RSA boss Art Coviello. Speaking at the first day of the RSA Security Conference Europe in London, Coviello told the audience of IT professionals that IT innovation was key to lifting struggling economies out of the current financial downturn. But that process could be derailed by an increased legislative burden combined with fear over costly IT mistakes in tough economic conditions.

For more go to Heise UK.