Tag Archives: Bill

IoT Cybersecurity Improvement Act calls for deployment standards

Proponents of a proposed federal bill are seeking the development of security standards for all government-purchased Internet-connected devices — a move that could spur improved security for IoT deployments across non-government entities as well.     

The IoT Cybersecurity Improvement Act of 2019, co-sponsored by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), would require the National Institute of Standards and Technology (NIST) to issue guidelines for the secure development, configuration and management of IoT devices. It would also require federal agencies to comply with the resulting NIST guidelines when they buy and operate such devices.

Perhaps more significantly, the bill would likely reach beyond the federal government if enacted. Security experts predict that NIST standards would help elevate IoT security throughout private industry and during the development of consumer products.

“Our bill establishes baseline cybersecurity standards for government purchased and operated IoT devices,” Rep. Kelly said in an emailed response to questions about the proposed legislation. “Right now, we are focused on securing government IoT devices. I think the most relevant piece to executives would be the ability to use NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks as a model for internal standards.”

She added, “Our goal remains securing government IoT devices. If these standards are helpful to the private sector then that’s an additional benefit.”

IoT: Speed to market offsets cybersecurity

Security leaders said there’s a need for improved IoT security: Vendors work fast to bring IoT products to market, while enterprise leaders have moved just as quickly to capitalize on IoT deployments. In both cases, the desire for speed typically trumps security concerns, they said.

Now these security concerns are gaining new attention.

“People have been saying for at least three years that there’s a problem and we need to fix it,” said David Alexander, digital trust expert at PA Consulting.

Others agreed, adding that they think NIST is the right entity to take the lead on establishing security standards.

“We need government intervention,” said Balakrishnan Dasarathy, collegiate professor and program chair for Information Assurance at the Graduate School at the University of Maryland University College.

Dasarathy said the ripple effect from federal action on IoT legislation would improve product security for consumers and private industry alike. It would also give appropriate IoT security guidance to chief information security officers (CISOs) and other organizational executives.

“Right now many CISOs struggle to determine adequate security,” Dasarathy said.

Weak IoT security has already had significant consequences. The Mirai botnet, for example, compromised networked devices such as IP cameras and home routers by logging in with factory-default credentials, and was used to launch massive distributed denial-of-service attacks in 2016.

The skyrocketing number of connected devices also increases the amount of infrastructure to protect. Gartner, the technology research and advisory firm, predicted that 14.2 billion connected things will be in use this year, a figure that will hit 25 billion by 2021. That growth means CISOs will be responsible for more than three times as many endpoints in 2023 as they were in 2018.

The emergence of IoT security standards

Despite often treating security as an afterthought, the IoT community — including vendors, executives engaged in IoT initiatives and regulatory bodies — has already started to address security and data privacy issues. This recognition helped create an emerging collection of standards, best practices and regulations such as California’s IoT device law, known as SB-327. It is the first such state law in the United States, and the European Telecommunications Standards Institute (ETSI) has published a similar consumer IoT security specification.

However, the IoT Cybersecurity Improvement Act could push IoT security to the forefront for device makers and end users alike, because of the clout that NIST has in setting standards and the purchasing power the federal government has as a buyer. The bill was advanced out of the House Oversight and Reform Committee in June.

“It will set a direction that will make it easy for others to follow,” said Gus Hunt, managing director and cyber strategist for Accenture Federal Services.

If the bill passes, IoT device makers that want to sell to the federal government would have to design and manufacture products according to NIST standards. To avoid designing a second-tier product for the nongovernment market, those makers would bring those same government devices to the broader market, Hunt explained.

Even if the IoT Cybersecurity Improvement Act doesn’t pass, Hunt said vendors now recognize that buyers want better security features in their products.

“Many manufacturers realize that they have to find a way [to make sure] that whatever they sell is safe, secure and doesn’t place people at higher risk simply by buying the device,” he added.

Security becoming an IoT priority

Meanwhile, private sector CISOs and CIOs could benefit if the bill passes and NIST develops security standards that they can adopt as guidelines for their own IoT deployments.

“NIST standards could give them leverage in their discussions about budget, controls and selection of products,” Alexander said, noting that NIST publications in other areas have often become the basis for best practices in private sector organizations seeking to strengthen their own programs.

However, the bill’s future is uncertain. A similar measure was introduced in 2017 and failed to move forward. On the other hand, the IoT Cybersecurity Improvement Act of 2019 does have bipartisan sponsors — which security experts said gives them some hope that Congress will take favorable action on this issue.

Yet that hope comes with a caveat: They said lawmakers — in Congress and elsewhere — must pay attention to each other’s IoT legislation to ensure they’re all moving in the same direction.

Also, they said NIST should work with industry to craft standards. This cooperative approach is one that NIST typically takes, and it would help ensure that all the various laws share common elements so that vendors understand what they must deliver to the market.

“These things cannot be contradictory. All these versions of [IoT] legislation need to be aligned because vendors want to make one version of their product. All the legislation has to be pointing in the same direction, otherwise it’s not going to work,” Alexander said.

Teleporting holograms, a belt for fetal health, and more at Microsoft’s Imagine Cup student contest

Team Pengram. From left to right: Bill Zhou, Will Huang, Vedant Saran. (Microsoft Photo)

Bill Zhou wanted to be able to help his mom fix the WiFi router when she called. The only problem? He was at school in Berkeley, Calif., and she was not.

“So I try to send her links online or send her videos or try to do a phone call with her, but it’s not really clear,” Zhou said. “And sometimes I wish I could just teleport my presence back home just for five minutes, show her what’s going on, and then teleport back to Berkeley to do whatever I’m doing.”

That personal desire was part of the inspiration for Pengram, an augmented reality tool for remotely assisting and collaborating on projects such as fixing equipment or assembling furniture. The Pengram team, made up of University of California, Berkeley graduate students Zhou, Vedant Saran, and Will Huang, will be one of 49 teams competing in the world finals of Microsoft’s Imagine Cup student competition starting Monday in the Seattle region. Imagine Cup brings together high school and college students who are “innovating and addressing some of humanity’s biggest problems.”

Pengram uses both augmented and virtual reality to “holographically teleport” an expert to assist on a task involving a physical object in another location. The expert, wearing a virtual reality device, can work in the virtual world on a virtual model of the object that needs fixing, such as an engine. Whatever the expert does to that virtual engine is reflected on the other person’s side in augmented reality, with an avatar representing the expert demonstrating on the physical object.

“The operator will be able to see the expert as if he was actually there,” Zhou said.

Saran said the platform uses Microsoft Azure to deliver the content via the HoloLens device. Pengram allows users to watch experts in real-time or in previously recorded videos.

Though personal use was one part of the team’s vision for Pengram, inspiration also came from what the team noticed businesses needed. Companies worked with much more complicated machines, like wind turbines or locomotive engines. Zhou said that often, to repair the machines, they would have to fly out an expert because field technicians wouldn’t know how to fix them.

“So what they’re looking for is actually a remote assistance solution where the expert can teleport their presence to the field to assist their technicians anywhere in the world,” Zhou said.

Pengram has worked with companies like smartphone maker HTC to explore the possible uses for the platform. Zhou explained that any company could use Pengram’s capabilities in a unique way suited to their needs. HTC, which supports trade schools in China, finds pre-recorded assistance helpful in training students.

Flashes of Pengram’s capability can be seen in Microsoft’s own Holoportation project, which Microsoft revealed in 2016. Holoportation, like Pengram, uses the HoloLens as a tool to holographically transport 3D models into a physical space in real time, as if all participants were in the same space. In another demonstration, Microsoft showed how someone using a tablet in one location could annotate the real world for someone using a HoloLens in another, such as a plumber showing a homeowner how to fix a sink.

The Pengram team, who have known each other for three years and met through the [email protected] club when they were undergraduates, began the project at a Cal Hacks hackathon a year-and-a-half ago. Pengram won the Microsoft Imagine Cup U.S. Finals to advance to the world finals.

On the other side of the world in Pakistan, Iqra Irfan, Areeba Kamil, and Sami Ullah are developing a wearable belt that monitors fetal health. The team, named Fe Amaan, consists of three undergraduates in their last year at the National University of Sciences and Technology. They wanted to tackle Pakistan’s miscarriage and stillbirth problem, which they described as one of their home country’s biggest issues.

“One of the major issues we found in the healthcare facilities in our country is that there is not enough access to facilities for expecting women,” Kamil said. “And the women who have to suffer the most are women in rural areas, and then they become the target of stillbirths. Later on we also realized that this problem is not just confined to Pakistan, but it’s also a worldwide issue.”

Fe Amaan works as a remote fetal monitoring device, helping ease the consequences of a lack of access to medical facilities. The belt and corresponding Internet of Things sensor device, which sits on the mother’s abdomen, can monitor fetal movements and heart rate. It sends the data to a mobile app, which analyzes it and generates alerts if it detects any anomalies. The device uses Microsoft’s Azure cloud platform to host its applications and to predict the state of the fetus in advance, based on the data gathered.

The Fe Amaan team. From left to right: Areeba Kamil, Sami Ullah, and Iqra Irfan. (Microsoft Photo)

The hope is that precautionary measures can then be taken before it’s too late.

“We believe it’s the right of every woman to have good medical facilities and we want to make sure it’s our aim to eliminate the risk of having a stillbirth,” Irfan said.

The three were friends before the project, and decided to work on Fe Amaan as part of their senior projects for university. Fe Amaan has gone through clinical trials, which the team cites as the most difficult part of the process. The team participated in the Pakistan national finals and won the Middle East and Africa finals to advance to the world finals.

The Microsoft Imagine Cup World Finals will take place in Seattle next week, from July 23 to 25. The annual student technology and innovation competition requires participants to submit their software, instructions, and give live presentations on the team, the project, the target market, and how the team plans to bring the project to market.

Forty-nine teams, including Pengram and Fe Amaan, will compete on the world stage after winning national and regional competitions throughout the year. The winning team will get $100,000 and a mentoring session with Microsoft CEO Satya Nadella.

This year’s Imagine Cup, the 16th annual competition, includes awards for projects in artificial intelligence, big data, and mixed reality. The judges include Microsoft executive vice president of business development Peggy Johnson, coding community Glitch CEO Anil Dash, and software package management company Bitnami co-founder and COO Erica Brescia. Snowboarder and Olympic gold medalist Chloe Kim will also be a special invited guest at the competition.

The Rock Surprises Make-A-Wish Kids with Custom Xbox One X Consoles

16 years ago, Dwayne Johnson was on-stage with Bill Gates to help announce the original Xbox. We’re excited to be working with Dwayne again to show there is no power greater than X.

Yesterday, three Make-A-Wish children received the gift of a lifetime when The Rock surprised the group with a private gaming event on the set of his current movie project, “Skyscraper.” With the help of Xbox, the kids were the first to receive the world’s most powerful console, a custom Xbox One X, a full week before its November 7 global release. The custom consoles feature Dwayne’s logo, a brahma bull, and a personal holiday message.

Throughout the day, Dwayne gave children the VIP treatment which included personalized director chairs, a private tour of the set, exotic car rides and challenging them in video game matchups on popular Xbox titles such as Super Lucky’s Tale, Forza Motorsport 7, Killer Instinct as well as other games featured in Xbox Game Pass.

Thanks again to Dwayne, Make-A-Wish and the crew on the “Skyscraper” set for allowing us to join in on all the fun!

SAVE Act attempts to bolster election security

Two senators introduced a new election security bill with the aim of providing assistance to states in order to protect against cyberattacks on voting infrastructure.

The bipartisan bill — the Securing America’s Voting Equipment (SAVE) Act — was put forward by Senators Susan Collins (R-Maine) and Martin Heinrich (D-N.M.). The aim of the bill, according to Collins, is to “assist states in protecting the integrity of their voting systems.”

“Our bill seeks to facilitate the information sharing of the threats posed to state election systems by foreign adversaries, to provide guidance to states on how to protect their systems against nefarious activity and, for states who choose to do so, to allow them to access some federal grant money to implement best practices to protect their systems,” Collins said on the Senate floor.

Collins said that she knew of “no evidence to date that actual vote tabulations were manipulated in any state” during the 2016 U.S. election, but noted that the FBI and Department of Homeland Security (DHS) found 21 states had election systems probed by Russian hackers.

“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders. We must do everything we can to protect the security and integrity of our elections,” Sen. Heinrich said in a public statement. “The SAVE Act would ensure states are better equipped to develop solutions and respond to threats posed to election systems. Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable.”

Requirements of the SAVE Act

According to the announcement, the SAVE Act would require the Director of National Intelligence to grant a security clearance to the chief state election official — usually the secretary of state — and share all “appropriate classified information with those state officials to protect election systems from security threats.”

The SAVE Act would also classify state-run election systems as critical infrastructure and require the DHS to work with states to ensure election security.

Prior to the 2016 U.S. presidential election, the DHS offered to aid states with election security and Jeh Johnson, former secretary of Homeland Security, claimed 18 states had accepted that offer.

The SAVE Act would also call for the creation of the “Cooperative Hack the Election” program which would essentially be a bug bounty program for electronic voting systems.

The DEFCON team, which has offered to help election officials test voting equipment, did not respond to requests for comment at the time of this post.

Mike Pittenger, vice president of security strategy at Black Duck, said he thought a bug bounty program would help “build more secure voting machines, assuming the bounties are attractive,” but wanted more information on the SAVE Act.

“The other point to remember is that security is ephemeral. A secure application can become a ripe target overnight if a new vulnerability is disclosed and not remediated. We saw this with Equifax. How can we ensure that every device is updated?” Pittenger told SearchSecurity. “I do worry about designating this as critical infrastructure, however, if it requires that all states and local governments use electronic voting, even if a variety of choices are available.”

At the DEF CON conference in July, Barbara Simons, former president of the Association for Computing Machinery and president of Verified Voting, a non-partisan, non-profit organization promoting laws and regulations that support accuracy, transparency and verifiability of elections, said risk-limiting audits are an essential part of confirming election results. Such audits are very difficult with electronic voting systems, she said, and are much more effective with paper ballots.

While the SAVE Act calls for audits of election systems for states that receive federal grant money, there are no stipulations for auditing actual election results.

“If we are talking about vote integrity, the major shortcoming of any electronic voting system is an independent, auditable record. With paper voting, someone could miscount ballots or ‘stuff the ballot box.’ It’s not perfect, but when an election is over we can match the records of individuals who registered, and rescan and recount the paper ballots,” Pittenger said. “With electronic voting, we have an electronic audit trail, but any competent criminal would cover their tracks.”

Minds + Machines | The Premier Industrial Internet Event | GE Digital

Live Stream: October 26 – Day 2

9am – 10:30am:
Live stream of main stage keynotes

10:45am:
Bill Ruh, CEO, GE Digital

11:00am:
Van Jones, Founder of Dream Corps & CNN Political Correspondent

12:15pm:
Gene Seroka, Executive Director, Port of Los Angeles & Chris Chase, Marketing Manager, Port of Los Angeles

12:45pm:
Jeff Liu, Global Coordinating Partner, EY & Fay Shong, Energy & Digital Strategy Partner, EY

1:15pm:
Patrick Franklin, VP of Predix, GE Digital & Andrea Lim, VP Technical Management Advisor, GE Digital

1:45pm:
Winning Team of 2017 Minds + Machines Appathon

2:15pm:
Kiva Allgood, Chief Commercial Development Officer, GE Ventures, & Stacey Epstein, CEO, Zinc

2:45pm:
Kevin Ichhpurani, EVP Global Ecosystems & Channels, GE Digital

3:15pm:
Derek Du Preez, Manager Technology & Development, South32

3:45pm:
James Zetwick, Vice President & CEO, Newmont

Veritas CEO talks analytics, GDPR and digital transformation

LAS VEGAS — In his role as Veritas CEO, Bill Coleman sees massive change taking place in the data protection world. And Coleman knows that brings great opportunities and great challenges to his company.

Veritas Technologies is the market leader in traditional backup, but the current version of the company has been around only 20 months since its spin-out from Symantec. Besides its traditional challengers, such as Dell EMC and Commvault, Veritas faces fast-growing Veeam Software and converged data protection newcomers such as Rubrik and Cohesity. All of these vendors want to cash in on the digital transformation and ensuing changes to the backup world.

Part of Coleman’s job as Veritas CEO is to make sure his company has all the pieces to deal with modern day backup. He predicts the traditional data protection market will undergo a sweeping change in the next several years, in which backup, disaster recovery and archive will become part of a large policy-driven, multicloud service. Changes are already coming with the rise of the cloud’s role in data protection and new customer challenges from the likes of ransomware and the General Data Protection Regulation (GDPR).

We spoke with Veritas CEO Coleman at the recent Veritas Vision 2017 conference about how those changes will affect the future of backup.

Does the Veritas platform have all the pieces it needs to be a full-scale data management platform and deliver on the company’s promises?

Bill Coleman: We have all the pieces we need except for object store [announced at Veritas Vision 2017]. That completes the pieces. Now how do you fill them out? We can visualize a handful of data sources with Information Map. Now we’ve added 23 additional sources, whether it is Google store, Box, Oracle, Microsoft Office 365, and so on. We are going to continue to build those out. We are going to containerize all our products. We are going to build advanced appliances that can support that and different kinds of workloads.

Next year we will publish our APIs and we’ll also ship our software development kit so third parties can build their applications for our platform. Last year, I said we are going to be a platform company and we are going to build a first-generation platform, which we have done. Then we will build a follow-on to that, which I call the Enterprise Data Management platform that will be an end-to-end, purpose-built, cloud-native, microservice, container-based architecture. But the key to that is adding the analytics plane. So we will add a plane to separate all the analytics services and provide all the abilities to discover and manage not just the enterprise data but any other data based on whatever problem you are working on.

We will use predictive analytics; identify the data sources both internally and externally. We’ll mine the metadata and take that to determine what data you actually need to turn that into a dynamic warehouse and solve that problem. We’ll support the products we have and the 360 Data Management over the next three to five [years.] We will migrate everything to be done in that next-generation platform in which there will be no concept of backup. Those will be just policies; set the level of reliability you want. That is the next-generation world.

What do you see the data protection market looking like in five to 10 years? Will we still be talking about the complexities of backup?

Coleman: You are right, that world is changing. It is being compounded by the fact that things are moving everywhere. Data is not just in the data center anymore. It’s in the cloud. It’s in lots of clouds and it is in lots of SaaS applications. So that makes things a lot more complex. All the [data protection] capabilities will still be there. Those will just be assumed.

In a world of software-defined, there is no difference between backup, archive and disaster recovery. There are just the policies of where you put [data] and how many times. As an enterprise, if you are being required to do governance on your data, you have to figure out what is in the Oracle Cloud, the Amazon Cloud. … What I believe in five to 10 years, the world is going to be software-defined. Hyperscale and portability will be assumed. No enterprise is going to be locked into one platform.

A big, well-known company wants to move all mission-critical to the cloud over the next few years. What the CEO told me is he wants to be able to manage three clouds simultaneously, based on policy and process and time. So it’s going to be a utility. It’s going to commoditize everything we know about hardware and software. The customer’s site might not even own a data center. Veritas does not even own a data center anymore. All of our IT is run mostly on IBM Cloud, some on managed services.

As Veritas CEO, you speak with a lot of large IT organizations. What are you hearing from customers about the European Union’s GDPR? In general, how far along are companies in being compliant? What stage are they in?

Coleman: We did some analysis on this recently. About a third to a quarter think they have a plan and they are moving in the direction of trying to solve the problem. Another quarter to a third does not think it applies to them. And those in the middle think it may apply and they are not yet moving.

When we started our GDPR trek at the beginning of the calendar year, I set a goal that we will have the products and services to support GDPR for unstructured data and some structured data by the beginning of October. So we have those practices and they are moving along. But I believe by the beginning of October, lights are going to go off and there is going to be a lot of panic out there.

We only solve part of the problem because a lot of it is a business problem and a legal problem. We are teaming with companies like Deloitte. I suspect that as we get close to next May [the deadline for compliance], many companies are not going to be ready. I suspect what the EU will do is similar to what our SEC does. They will say, ‘OK, you have to have this much of a plan by here, etc.’ I just don’t think companies will be ready. I talked to one of the biggest banks in Europe and their head of strategy said they don’t know where to look to find the personal identifying information. And they are a European bank.

Describe digital transformation.

Coleman: Digital transformation is about doing analytics and machine learning to adapt your business processes, your supply chain, your products and customer engagement model based on data. It has to be better, faster and cheaper. You can do that in a more personalized way and that is how to compete. It’s not just your data but it’s any other source of data out there that can help solve whatever problem you are trying to solve in your business model.

That’s digital transformation. And it is a transformation. It’s not a disruption. In a disruption world, only a startup wins because the economics are such that the incumbent can’t counter it. But this is a transformation so no one is going to say, ‘I’m just throwing out everything I have in storage backup and adopting that startup.’ That means the incumbents get to win if they are good enough.

Health IT innovator Cerner enhances workplace productivity and collaboration with Office 365 – Office Blogs

Today’s post was written by Bill Graff, CIO at Cerner Corporation.

Cerner is an innovation-driven supplier of health information technology solutions, services, devices, and hardware. You can see this forward-thinking spirit reflected in the culture of our global enterprise. I enjoy working for a company that fosters innovation and actively shapes what tomorrow looks like. When we put together our 2020 vision to respond to the changes we were seeing in the industry and our workplace, we chose Microsoft Office 365 to help drive the “Borderless Mobility” component of that vision.

In the last decade, Cerner has grown to a nearly $5 billion global enterprise. The mobile workforce in tech industries today expects access to corporate data anywhere, anytime, from any device. We have made mobility and virtual collaboration key elements of our 2020 vision, and the suite of cloud services that constitute Office 365 allows associates to work the way they want to.

You know a solution resonates with a workforce when it is adopted without any prompting from IT. This is the case with Microsoft Teams. In just a few months, our associates have formed more than two thousand teams across the organization—and it all happened organically. Development teams at Cerner are responding to the persistent chat capability provided by Teams to facilitate collaboration. Teams has provided a functionally competitive solution in our environment and was “just included” in our subscription. With steady update cycles for Office 365 solutions, we always look forward to the next iteration of services in our device and application environments.

As the organization grows, collaboration technology becomes vital. OneDrive for Business, SharePoint Online, and the ability to co-author content make it incredibly simple to share documents or collaborate globally. To further enhance this collaborative experience, we are actively migrating our intranet to SharePoint Online. Today, geographically dispersed associates can confidently work with the latest versions of their documents, and they can access them anywhere, on any device, which is critical to our operations teams who support our clients around the world.

Digital security is paramount for Cerner as we are responsible for ensuring the protection of our clients’ data. Microsoft indicated its willingness to accommodate our business needs, including our uncompromising security posture, by signing a Business Associate Agreement. Today, we have 28,000 seats of Advanced Threat Protection to help protect our associates from malware, and we are deploying Windows 10 across the enterprise, with its built-in security features that are continuously updated. This saves Cerner time and resources that we once spent on patching and maintenance.

Keeping everyone productive on the same platform is a key part of our ongoing vision for the future of workplace productivity. As we listen to what our associates want for their workplace, we’re confident that Office 365 helps preserve that vision for Cerner.

—Bill Graff