Monday, July 23, 2012

Learn how to Take Down a State's Power Grid, Transportation System, and Other Critical Infrastructure

President Obama wrote an Op-Ed piece for the Wall Street Journal last Friday which described a catastrophic attack against the transportation and water sectors of our nation's critical infrastructure. He then pressed for passage of comprehensive cyber security legislation. While Congress and the White House have a sense of what might occur, they don't seem to be aware of the technical vulnerabilities involved or they would know that none of the current cyber security bills pending in Congress could stop such an attack even if they were enacted into law.

Therefore I've decided to invite some of the world's leading experts in protecting critical infrastructure to present how they would mount an offensive attack against their respective industry sectors at the next Suits and Spooks anti-conference to be held October 18th, 2012 in Brookline, MA. For obvious reasons, this event will be closed to the press and none of the presentations will be made public. 

One of our speakers will be Dale Peterson, the founder of Digital Bond, Inc., a control system consulting and research firm that also hosts the most visited SCADA security site and the S4 conference. He began work on control system security in 2000 after beginning his security career as an NSA cryptanalyst. In his presentation for Suits and Spooks Boston, Dale will provide detailed scenarios on how an adversary would take out thousands of power plants around the world or large parts of the electric transmission system.

Another one of our speakers will be Rob DuBois, a retired U.S. Navy SEAL and current manager for Red Team operations at a U.S. defense contractor. Since the threats aren't only digital, Rob will walk the audience through how a highly trained team would mount a physical attack against a key facility.

Our keynote speaker will be Dr. David A. Bray, who currently serves as Principal Strategist and Senior National Intelligence Service Executive with the National Commission for Review of Research and Development Programs of the U.S. Intelligence Community. Prior to joining ISE, Dr. Bray served as a strategist at the Institute for Defense Analyses and the Science and Technology Policy Institute. In 2009, he deployed to Afghanistan as a Special Advisor to STRATEGIC EFFECTS for NATO’s International Security Assistance Force and U.S. Forces Afghanistan, with the task of helping to “think differently” on critical strategic efforts. Dr. Bray also served as IT Chief for the Bioterrorism Preparedness and Response Program at the U.S. Centers for Disease Control and Prevention, where he led the technology aspects of the bioterrorism program’s response to 9/11, anthrax in 2001, SARS, and other outbreaks.

This will be the fourth Suits and Spooks event since I first started holding them in September of 2011 and it may be the most critical one yet. The information that will be shared on October 18th by our speakers (a complete list is available at the website) will clearly lay out offensive options that could wreak havoc on up to six key components of critical infrastructure - water, power, transportation, communication, health care, and banking. Due to the timeliness and the importance of this topic, we're going to cap attendance at 130 instead of 100. If you'd like to be part of this history-making event, registration begins today.

Thursday, July 12, 2012

Assumption of Breach: The New Security Paradigm

I was recently invited to participate in a closed Congressionally-mandated meeting of a dozen or more intelligence and technology experts to discuss what the research and development priorities of the U.S. Intelligence Community should be for the next 10 years. While a lot of ideas were tossed about and shot down, one of a handful that rose to the surface was the need to re-think our security paradigm from the long-standing one of trying to keep bad guys out of our networks to assuming that they're already inside. This is known in government circles as "Assumption of Breach". Debora Plunkett of the NSA's Information Assurance Directorate said as much back in December 2010. Price Waterhouse Coopers has been an advocate of that strategy as well. New startups are basing their entire business model on an Assumption of Breach focus. Such a strategy involves multiple new tactics, but two are key: enhancing threat intelligence and preventing critical data from leaving your network.

My next book for O'Reilly Media, "Assumption of Breach - the New Security Paradigm", will explore how we arrived at this point, present the latest thinking from the U.S. Intelligence Community on this topic via interviews with former and current officials, and provide strategic advice on how companies should establish a ranking system similar to how the U.S. government classifies documents (Top Secret, Secret, Confidential, FOUO) and place appropriate security controls on their data.

Hopefully, the book will be completed and available for sale by the end of this year although the final decision on that is up to O'Reilly Media. If you'd like to stay up-to-date on how the book is progressing, when pre-orders are available, etc., just follow me on Twitter.