Cyber Security: No Pain, No Gain

July 15, 2015

By Hans Holmer

Senior Cyber Strategist, Technical Counterintelligence Center

INTELLIGENT DECISIONS

Leaders of companies frequently find themselves at a loss for how to lead in the cyber arena. Typically, from the C-Suite point of view, “cyber” appears to be a technology problem rather than a people problem, and the technology moves far too quickly for ordinary mortals to keep up. Too often the “people aspect” of cyber security is overlooked, and yet it is one of the areas where leaders can do their company and their employees the most good. In fact, cyber security is like exercise: no pain, no gain.

For example, the traveling executive is likely to be the senior leader who travels the world carrying electronic devices that hold crucial company intellectual property and proprietary data. He or she is also too busy to deal with painful security requirements that interfere with work, and their computer holds just the sort of data that are of critical value to the business… and to competitors or even foreign governments. It doesn’t take a genius to know that a number of countries are gaining access to US proprietary and patented information by cyber means. As of mid-2014, Bloomberg estimates that more than $445 billion worth of intellectual capital was lost this way (http://www.bloomberg.com/news/articles/2014-06-09/cybercrime-remains-growth-industry-with-445-billion-lost).

So how can companies protect their traveling executives and lead their business in cyber security? By demonstrating that cyber security is business resiliency; that data protection is important enough to put above the pain of “not doing things the way you’ve always done them”; and by proving that you are willing to accept pain to secure your data when traveling. All the data show that changing our behavior is the key to stopping breaches, hacks, and data loss.

  • Take the time to install every security update and patch. Almost all intrusions depend on software vulnerabilities for which patches have been issued but not installed. Computers that connect both inside and outside the corporate network are particularly at risk because users are rarely willing to let the update process detract from work demands. So if traveling senior executives demonstrate how protecting their computer is critical to the business and demand that their computers maintain the highest levels of security, this alone would be a major step forward in corporate cyber leadership.
  • Use a designated computer for foreign travel. This reduces the amount of intellectual property on the computer and, in turn, reduces the chances that the computer introduces malware when it is returned to the corporate network. It also prevents the disclosure of corporate log-in credentials overseas.
  • Keep computers, phones, and other devices in your sight at all times. Sure, it can be painful. But not as painful as the loss of intellectual property, competitive advantage, and business.

When corporate leadership demonstrates that cyber security is important and that useful countermeasures are worth the pain, it sets the priorities for the rest of the organization. By taking the lead in secure technology use while traveling abroad, senior leadership can set the tone for the entire corporation and see improved cyber security practices across it. In the process of learning to use technology securely, everybody benefits. It’s a win for leadership and for cyber security. Not only does it demonstrate that mitigating risks while traveling is important, but also that protecting company data on the corporate network is important. The same countermeasures that secure a travel computer will secure a corporate network; doing one but not the other is nothing more than a waste of time. Cyber security is very much an all-or-nothing kind of problem; it’s “data ecology.” The entire network as well as all the employees need to actively participate. And it starts at the top.


Hans Holmer works in the Technical Counterintelligence Center of Intelligent Decisions.  He can be reached at hholmer@intelligent.net or 703.599.4735.

Hans is a retired CIA officer with about 20 years in cyber, 26 years in intelligence  and over 40 years in computers and similar technologies.


Cyber: Lightning or potholes?

May 8, 2015

By Hans Holmer

When you read about big breaches of corporate data, the breaches are generally described as the computer equivalent of “lightning,” something so fearsome and unstoppable that only the government and draconian laws could prevent them.

To the cyber practitioner, the more apt analogy for breaches is potholes. Like potholes, vulnerabilities in software and hardware are ubiquitous, not that hard to fix, and new ones are discovered all the time. The sheer number of devices that need to be patched and the number of patches and updates that need to be deployed is daunting, but the actual installation of a patch is not complex. This matters because almost all breaches depend on unpatched computers to succeed. The lightning strikes, more properly called 0-days, are extremely rare.

The key to keeping a street pothole-free is first to know what streets you are responsible for and what kinds of road surface they use. The same is true of computer networks. You need to know all the devices and software on your network: PCs, printers, servers, routers, scanners, etc. Any devices and software that are not yours present a threat unless moved to a separate network. When you know your network you can patch it, all of it.

Once you know the roads you are responsible for, you can determine whether the road surfaces are appropriate for the traffic that uses them. You’ve noticed that highways have different surfaces than neighborhood roads. In IT network terms, you need to ensure that users and processes have credentials that are appropriate for the kind of work they do, so that no user or process has more access than it needs. Only a small percentage of users should have administrative privileges, and those privileges should be allocated for particular purposes.

When it comes to detecting potholes, system administrators have an easier time than city managers. Most modern operating systems benefit from monthly patch cycles. If you have computers that no longer receive patches, such as the 13-year-old Windows XP operating system, it might be time to repave that road. It is no surprise that breaches are ubiquitous given that 17% of computers still run Windows XP one year after Microsoft stopped issuing patches, and it is hard to blame those vulnerabilities on hackers. By the way, the most common Windows operating system, with 58% of the total market, is Windows 7, which was released in 2009. It is now on “extended support” until 2020. There is a strong argument for repaving the road before it becomes one giant pothole.

You already know that most urban streets have more potholes than are good for your car. In a nutshell, this is because inadequate resources are devoted to maintaining the streets and nobody wants to block the street while repaving it. The same is true of computer networks. The damage done to vehicles is not borne by the city, and the cost of a network breach is similarly unpredictable, unlike the cost of securing the network. In both cases, known up-front costs are allowed to outweigh uncertain, but almost certainly orders of magnitude higher, future costs.

If you had to track pothole repair metrics, you’d track the number of streets that are completely patched. You can do the same for networks. If you compile the percentage of PCs that are fully patched plus the percentages of all other device classes that are fully patched, that creates an indicator of the security of a network. Given that the vast majority of breaches exploit these fundamental vulnerabilities, it is an adequate proxy for the security of the network.
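The two steps above, knowing every device on the network and then compiling a per-class "fully patched" percentage, can be computed from an asset inventory. The script below is an added example and is not code from the article or its author; the device classes, patch identifiers, inventory and observed-host list are constructed sample data, and the required-patch baselines per class are an assumption about how a shop would define "fully patched".

```python
"""Patch-compliance indicator over a constructed asset inventory.

Computes, per device class and overall, the percentage of devices that
carry every patch their class requires, lists the laggards with what they
are missing, and flags hosts seen on the network that are not in the
inventory at all (you cannot patch what you do not know you own).
"""
from collections import defaultdict

# Constructed baseline: patches each device class must have to count as
# "fully patched". The identifiers are hypothetical placeholders.
REQUIRED_PATCHES = {
    "pc": {"KB-A", "KB-B", "KB-C"},
    "server": {"KB-A", "KB-D"},
    "printer": {"FW-2.1"},
    "router": {"IOS-15.4"},
}

# Constructed sample inventory: (hostname, device class, installed patches).
INVENTORY = [
    ("pc-01", "pc", {"KB-A", "KB-B", "KB-C"}),
    ("pc-02", "pc", {"KB-A", "KB-B"}),
    ("pc-03", "pc", {"KB-A", "KB-B", "KB-C"}),
    ("pc-04", "pc", set()),
    ("srv-01", "server", {"KB-A", "KB-D"}),
    ("srv-02", "server", {"KB-A"}),
    ("prn-01", "printer", {"FW-2.1"}),
    ("rtr-01", "router", {"IOS-15.3"}),
]

# Constructed sample of hosts observed on the wire (e.g. from a discovery
# scan or DHCP leases); "unknown-77" is not in the inventory.
OBSERVED_HOSTS = {
    "pc-01", "pc-02", "pc-03", "pc-04",
    "srv-01", "srv-02", "prn-01", "rtr-01", "unknown-77",
}


def missing_patches(device_class, installed, required=REQUIRED_PATCHES):
    """Required patches for this class that the device does not have."""
    return required.get(device_class, set()) - installed


def compliance_by_class(inventory, required=REQUIRED_PATCHES):
    """Percent of fully patched devices per class, plus an 'overall' key."""
    total = defaultdict(int)
    patched = defaultdict(int)
    for _host, cls, installed in inventory:
        total[cls] += 1
        if not missing_patches(cls, installed, required):
            patched[cls] += 1
    result = {cls: round(100.0 * patched[cls] / total[cls], 1) for cls in total}
    devices = sum(total.values())
    result["overall"] = round(100.0 * sum(patched.values()) / devices, 1) if devices else 0.0
    return result


def laggards(inventory, required=REQUIRED_PATCHES):
    """Devices that are not fully patched, with the patches they lack."""
    return [
        (host, sorted(missing_patches(cls, installed, required)))
        for host, cls, installed in inventory
        if missing_patches(cls, installed, required)
    ]


def unknown_devices(inventory, observed):
    """Hosts seen on the network that the inventory does not know about."""
    known = {host for host, _cls, _installed in inventory}
    return sorted(observed - known)


if __name__ == "__main__":
    for cls, pct in compliance_by_class(INVENTORY).items():
        print(f"{cls:8s} {pct:5.1f}% fully patched")
    for host, missing in laggards(INVENTORY):
        print(f"{host}: missing {', '.join(missing)}")
    for host in unknown_devices(INVENTORY, OBSERVED_HOSTS):
        print(f"{host}: on the network but not in inventory")
```

The per-class breakdown matters more than the single overall number: a 50% figure hides whether the gap is four workstations or the one router everything passes through, and the unknown-host list is the inventory error that the metric cannot see on its own.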

Once you have reached a state where your average security is predictably high, it is time to bring in experts who can help you defeat the lightning strikes. It is well known that 0-days seek your most valuable items, whatever form they take, be it intellectual property, customer specifics or money. By implementing expert countermeasures focused on protecting your critical data and processes, you can reach that rare state of having neither potholes nor lightning in your network.



Comments Sought: Proposed Rule To Establish Government-Wide Mentor-Protégé Program

February 11, 2015

By Sean Milani-Nia

On February 5, 2015, the Small Business Administration (SBA) issued a new proposed rule that would establish a Government-wide mentor-protégé program for all small businesses.

Under the current framework, entities that enter into joint venture agreements to perform federal contracts are, in most instances, considered “affiliates.” In determining a company’s eligibility to compete for set-aside procurements, the SBA combines the offeror’s size with the size of its affiliated entities. Thus, an otherwise eligible small business may be deemed large due to its affiliation with another entity.

An exception to this general rule exists for participants in the SBA’s 8(a) mentor-protégé program. Under that program, an 8(a) protégé can joint venture with an approved large business mentor without being deemed affiliated.

The SBA’s proposed rule seeks to extend the mentor-protégé program to all small businesses. The intent is to create a parallel program for non-8(a) small businesses, including participants in the HUBZone, Women-Owned Small Business, and Service-Disabled Veteran-Owned Small Business programs, that is identical to the 8(a) mentor-protégé program. Under the proposed rule, any small business would be able to enter into an SBA-approved mentor-protégé relationship and joint venture with its approved mentor without being considered affiliated.

Expanded Protégé Definition

Note that the proposed rule would allow more businesses to qualify as protégés under both the 8(a) mentor-protégé program and the proposed small business mentor-protégé program. Currently, in order to qualify as a protégé under the 8(a) mentor-protégé program, an 8(a) contractor must (1) have a size that is less than half the size standard corresponding to its primary NAICS code; (2) be in the developmental stage of its 8(a) program participation; or (3) have not received an 8(a) contract.

The proposed rule provides that any firm that qualifies as a small business for the size standard corresponding to its primary NAICS code would qualify as a protégé under either the small business mentor-protégé program or the 8(a) mentor-protégé program. SBA proposes to remove the requirement that the small business protégé have a size less than half the size standard corresponding to its primary NAICS code.

Ownership Interest

Similar to the 8(a) mentor-protégé program, the proposed rule provides that a mentor may own an equity interest of up to 40% in the protégé. This could be a significant opportunity for small businesses that are looking to increase working capital.

If finalized in its current form, the proposed rule would create significant opportunities for participants in the new mentor-protégé program, but could place those small contractors that do not participate at a competitive disadvantage. Contractors who are interested in participating should begin evaluating potential partners and even structuring their agreements. The SBA has recognized that once the proposed rule is finalized, the number of firms seeking SBA approval of their mentor-protégé agreements may become “unwieldy.” SBA states that it may institute certain open and closed periods for receipt of mentor-protégé applications, and would only accept applications during open periods. Contractors should be prepared to submit their applications as soon as possible to avoid missing the first open period.

Comments on the proposed rule are due on April 6, 2015. Send your comments prior to April 6 to Federal Allies Institute, Comments@FederalAllies.org, 571-217-0823.


Fair Pay and Safe Workplaces Executive Order—What Federal Contractors Need to Know

December 18, 2014

By Sean Milani-Nia

On July 31, 2014, President Obama signed the Fair Pay and Safe Workplaces Executive Order (Order), which imposes new requirements and prohibitions on federal contractors. While the Order is effective immediately, the requirements will not apply to contractors until the final rule implementing the Order is published (likely in 2016). In the meantime, contractors should bolster their compliance efforts to ensure they will be found responsible for future proposals.

Disclosure Requirements
Pre-award: Under the Order, offerors on procurement contracts where the estimated value exceeds $500,000 will be required to disclose certain labor law violations occurring during the prior three years. The Order enumerates 14 applicable federal labor laws and includes their state law equivalents as well.

Upon disclosing such violations, federal contractors will be permitted to explain their efforts to correct the violations and increase compliance efforts.

Contracting officers, in consultation with the agency’s designated Labor Compliance Advisor, must consider violations as well as contractors’ remedial efforts in determining whether contractors have a satisfactory record of integrity and business ethics sufficient to be considered responsible offerors. Only serious, repeated, willful, or pervasive violations of the labor laws enumerated in the Order will demonstrate a lack of integrity and business ethics. In most cases a single violation should not give rise to a non-responsibility determination.

Post-award: In addition to disclosing labor law violations prior to award, federal contractors will be required to update their disclosures every six months. If a new violation is disclosed, the contracting officer, in consultation with the agency’s Labor Compliance Advisor, may: (1) require an agreement outlining appropriate remedial measures; (2) provide compliance assistance; (3) decide not to exercise an option on the contract; (4) terminate the contract; or (5) refer the contractor to a suspending and debarring official.

Subcontract Agreements
Federal contractors should also be aware that they will be responsible for flowing down similar requirements to their subcontractors. For subcontracts where the estimated value exceeds $500,000 (excluding commercial off-the-shelf items), contractors will need to require subcontractors to disclose any violations of the enumerated labor laws within the preceding three years and to update those disclosures every six months.

Arbitration Agreements
The Order prohibits contractors with federal contracts in excess of $1 million from entering into pre-dispute arbitration agreements with employees relating to Title VII or sexual assault or harassment torts. Contractors will be required to flow down similar requirements in subcontracts greater than $1 million. This provision, however, will not apply where employees or independent contractors entered into a valid agreement to arbitrate prior to the contractor or subcontractor bidding on a contract that is covered by the Order.

The Fair Pay and Safe Workplaces Executive Order sets forth yet further requirements with which federal contractors will need to comply. Contractors should focus on increasing their compliance efforts now to ensure that any labor law violations they must disclose in the future are minimal and not grounds for a non-responsibility determination.


Federal Allies News September 2014

September 18, 2014

Letter from the Executive Director

U.S. SBA Central Office Government Contracting Transitions

Calvin Jenkins, Dean Koppel and LeAnn Delaney are all retiring this month with Judith Roussel and Darryl Hairston having left last spring. Remaining SES level staff: John Shoraka, SBA’s Associate Administrator of Government Contracting and Business Development responsible for overseeing the umbrella office with jurisdiction over the Agency’s offices of Size Standards, HUBZone, Government Contracting, and Business Development/8(a); and Ken Dodds, Director of SBA’s Office of Government Contracting, responsible for SBA programs and policies including goaling, size standards, size protests, procurement center representatives, subcontracting, certificate of competency, and the women-owned and service-disabled veteran-owned small business programs.

National Defense Authorization Act of 2013 and Mentor Protégé Proposed Regulation

If properly implemented, the Mentor Protégé proposed regulation could significantly expand the number of small businesses actively competing for government contracts.

Following the latest U.S. House Committee on Small Business, Subcommittee on Contracting and Workforce hearing, entitled “Action Delayed, Small Business Opportunities Denied: Implementation of Contracting Reforms in the FY 2013 NDAA”, the Mentor Protégé proposed regulation is now with the Office of Management and Budget for intra-agency comments. Once the U.S. Small Business Administration receives comments from the other agencies, SBA will revise the proposed regulations as needed. The proposed regulation will then be released for public comment within the next 120 days.

“In the near future, SBA will publish a rule to implement a new Government-wide mentor-protégé program. The mentor-protégé program will be for all small business concerns, including socio-economic subcategories of small businesses, consistent with SBA’s mentor-protégé program for participants in SBA’s 8(a) Business Development Program,” said Associate Administrator John Shoraka for Office of Government Contracting and Business Development, U.S. Small Business Administration.

Continuing Resolution and the Lame Duck Session

In a morning small business briefing on September 17, prior to the convening of his afternoon hearing in the House Budget meeting room, Congressman Paul Ryan spoke of his committee’s agenda, namely the CR to extend to December the previous two-year agreement achieved with Sen. Patty Murray (see Federal Allies News December 2013) that took the sequester off discretionary spending, which had hit particularly hard the Pentagon, NIH and many other areas important to Federal Allies Institute members. This will take us to December 11, when the rest of the FY bill is to be finalized. So for at least the near future “the fiscal trains” will run on time, and following two days of debate the “fiscal plumbing to prosecute ISIS” is moving forward. Next will be the elections, followed by a lame duck session, which will take on tax extenders for expiring tax provisions from last year, revenue targets, and score keepers that will better reflect reality, as econometrics have come a long way. By March 2015 expect the Highway Trust Fund to be reauthorized. More priorities: the “doc fix”, Medicare, the debt limit and trade issues. The issue on which both the Obama Administration and the House agree most closely: trade and making US businesses competitive overseas. Eximbank is extended until June, and a goal is to enable more small businesses, not just the well-connected, to take advantage of Eximbank programs.

FAI Corporate Ethics Certification

At coffee at the Russell Senate Office Building with Virginia’s very collaborative Senate team, Senators Mark Warner and Tim Kaine, I provided an update on Federal Allies Institute’s new Corporate Ethics Certification program, just prior to Senator Kaine’s meeting on ISIL with Secretary of Defense Chuck Hagel and General Martin Dempsey, Chairman of the Joint Chiefs of Staff. The next FAI Ethics Board of Overseers meeting is to be held at George Mason University School of Policy, Government and International Affairs in October.

David T. Boddie
Founder & Executive Director
Federal Allies Institute


Federal Allies News Summer Edition Pictorial

August 8, 2014

[Image: Federal Allies News Summer 2014 cover]


Federal Allies News Summer Edition 2014

July 8, 2014

Letter from the Executive Director

Federal Allies Institute first invited the Fort Meade Regional Growth Base Business Initiative (BBI) to participate at one of our small business conferences held at Fort Myer, Virginia in 2009, and since then FAI has partnered with Fort Meade BBI, involving them in several other FAI national conferences. We recently welcomed the invitation by new Base Business Initiative Director Kellyann Few to announce the Federal Allies Corporate Ethics Certification Program before 125 small businesses. FAI’s CEC program is an opportunity for small businesses to earn certificates presented by the FAI Ethics Board of Overseers, chaired by Gary Shumaker, President & CEO, C2 Solutions Group of Reston, Virginia.

A new FAI relationship is underway with the Foundation for Innovation and Discovery (FINND). The foundation nurtures a community of interest around innovation, sparks conversation between technologists, educates decision-makers, and promotes an environment of non-proprietary collaboration and transparency in the discovery of innovative solutions. FAI is a FINNDER discovery engine participant for the Foundation for Innovation & Discovery. FAI Board member Gabriel Fulton PMP, Founder & CEO, Sintel Group, Inc., Columbia, Maryland, chairs the FAI-FINND relationship.

Of the many deserving award recipients at MBDA 2014 National MED Week Conference, Federal Allies Institute members were present to support this year’s Distinguished Supplier Diversity Award winner Diane G. Dempsey, Director, Socio-Economic Business Programs, BAE Systems Intelligence & Security. Dempsey, an integral early supporter of the Federal Allies Institute, is an individual at BAE Systems I&S whose business practices have had a significant impact on the growth and development of minority-owned firms. Dempsey’s career spans over 30 years in the procurement, subcontracts and supplier diversity fields. She’s become a leader in supplier diversity through her dedication and commitment to supporting organizations that advocate diverse suppliers, and serves as an instrument in bridging the existing gaps in industry related to small business utilization.

The FAI Oklahoma Chapter was invited to participate at Oklahoma MED Week iGNITE! Conference & Awards Dinner honoring outstanding minority entrepreneurs held in Tulsa and organized by James Ray, Project Director, MBDA Center – Native American and Alaska Native Program and REI Oklahoma staff and leadership. Keynote speaker was one of the nation’s top business thought leaders Dr. Leonard Greenhalgh, professor of management at the Tuck School of Business at Dartmouth.

With a growing number of members of the FAI Board of Directors located in Texas, the FAI Texas Chapter held several meetings during August to expand and grow the chapter’s grassroots organization within the state. Among the participants were Grand Prairie Chamber of Commerce 2015 Chairman of the Board Herb Rolph and President Lynn McGinley, and Loletha Moore, Interim Director, The Best Southwest SBDC in Cedar Hill.

Federal Allies Institute University Outreach Program has made new inroads and is now interacting with American University, University of Maryland, The George Washington University and George Mason University.

We welcome new members and participants. If you would like to take part in any of the above activities, please call (571) 217-0823.

David T. Boddie
Founder & Executive Director
Federal Allies Institute
