Ideas & Insights from The Chertoff Group
Why the Fear Over Ubiquitous Data Encryption is Overblown
Source: Washington Post
July 28, 2015
Michael Chertoff is a former homeland security secretary and is executive chairman of the Chertoff Group, a security and risk management advisory firm with clients in the technology sector. Mike McConnell is a former director of the National Security Agency and director of national intelligence. William Lynn is a former deputy defense secretary and is chief executive of Finmeccanica North America and DRS Technologies.
More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation’s well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation.
"OPM Breach Leaves Threats Hidden in Plain Sight"
July 17, 2015
A 50-year veteran of U.S. intelligence, Charles Allen says the data breach at the Office of Personnel Management potentially casts doubt on the integrity of the entire security clearance system.
The data breach of the Office of Personnel Management could affect more than 20 million Americans. Yet the true magnitude of this breach lies not in the number of individuals affected, but in the seemingly infinite ways it has compromised our national security.
The risk of widespread identity theft or other uses of personally identifiable information for financial gain is not to be taken lightly. But, in my view, it pales in comparison to how it has jeopardized our national security workforce, both in government and the private sector, and degraded the integrity of our security clearance system. Quite simply, it is a national security risk unlike any I’ve seen in my 50 years in the intelligence community.
"Making Headway in the US"
Published by Exporter Magazine
Jim Pflaging identifies the big opportunities in cyber security and offers tips on successfully navigating the market.
Exporter: Describe your role as a Beachheads Advisor in Government and Public Safety and Security?
Jim Pflaging: It makes me chuckle a bit when I hear myself referred to as a government guy! In truth I’m a Silicon Valley tech guy and my background is primarily in security, technology and start-ups. That said, many of the technology waves that hit Silicon Valley are applicable – and in many cases critical – to government operations, such as identity analysis and software, cybersecurity and enterprise technology.
My passion, and the reason we established The Chertoff Group, is to help make the world a safer place through a lens of national and local security. Government is a vital part of that and there’s an impressive caliber of New Zealand companies involved. I’m really attracted to the way Kiwis do business and, truthfully, their humor and style. I can’t tell you what a difference that makes because, at the end of the day, business is about connections and relationships.
Exporter: What are the top two things you find yourself saying to New Zealand companies?
JP: Be bold. New Zealand companies are creative and resourceful. However, coming to the US from a small island nation, a lot aren’t bold enough. They need to tell their stories in broader, more impactful ways and to connect with executives on meaningful levels. It is a delicate balance. On one hand, Kiwi humility is a positive. We don’t want Kiwi companies to lose that. On the other hand, they need to get used to going in guns blazing. Another commonality is the lack of governance in some of these early-stage companies.
The teams really need to ask themselves basic questions like, “How do I structure my company?” “How do I finance my company?” and “What should my board do?” before asking for connections. These issues are more important to tackle and get right than who your next introduction is going to be.
Exporter: What advice do you have for Kiwi companies approaching the US government as its market?
JP: For those in the Public Safety and Security Space, it’s very important to know where the product should be and who the customer is. The US government isn’t a single purchaser and is obviously very big and very diverse. The good news is that from the perspective of the US Government buyer, New Zealand is highly trusted and its role as a member of the Five Eyes is important and meaningful. As with any market, it’s important to understand the unique needs and buying habits. For starters, the Federal Government has three divisions: Civilian, Defense and Intelligence, each of which has a network of loosely independent agencies. Civilian agencies include Health, Commerce and Treasury. Defense includes central groups like Defense Information Systems Agency (DISA), the centralized telecommunication and IT support organization as well as myriad groups across the different services.
The Intelligence arm is the most difficult, but not impossible, to break into. There needs to be a compelling set of unique capabilities before the US Intelligence community will turn to a New Zealand technology provider. Further, there is a vast opportunity in the state and local market. I think Wynyard Group made a really smart decision to go after state and local law enforcement here.
Exporter: Where do you see the biggest opportunities in cyber security? Are any Kiwi companies doing it well?
JP: The biggest opportunities are in Malware Detection, Big Data and Identity.
There is a huge interest right now in cybersecurity. Everybody has been breached and the adage is that there are those who know it and those who don’t. There are two fundamental ways of tackling this: 1) Building walls or “strengthening the fences,” or 2) Developing advanced ways to detect the malware, contain it, and attack it.
Aura InfoSec is playing really well in this space. I see a real demand for not just technology solutions but business model innovation. In fact, I recently heard of a technology solution company who has partnered with an insurance company to provide a full solution and peace of mind for companies. It is a really interesting trend we are seeing in the market: “If you’re hacked while using our system, we’ll cover the recovery costs.” It takes the financial concerns away and is a huge value-add.
Security is a massive market for big data. You need to be able to find the needle in not just one, but hundreds of haystacks. Security apps that can do data analysis quickly through mounds of data – and in turn make decisions – are hugely sought after in cybersecurity. Again, Wynyard Group is a great example while, on a smaller scale, ikeGPS’ picture solution has great benefits for government and commercial users.
Building trust is a big opportunity. Companies offering strong methods of authentication will find success in this sector. Dual authentication – meaning authentication using something you ‘know,’ like a password, or something you ‘have,’ like a card, token, fingerprint, or eye-scan – it’s a big trend. Gallagher Security is strong in this space.
Exporter: What is the long term opportunity for New Zealand?
JP: I’ve had the good fortune of being able to work directly with companies on their home turf and there’s not much difference between New Zealand and California. Whether it’s Wellington, Christchurch or Auckland, it’s a) a beautiful place, b) a great place to build software and technology, and c) an easy place to do business with the US – particularly the West Coast – from a time-zone point of view. Compared to the US, New Zealand is a relatively easy base to schedule meetings and work from. I always tell my friends who are VCs or investors or other technologists, “Don’t forget New Zealand! Great people and easily accessible.”
Living in the US and recruiting engineering talent is expensive. When I was in New Zealand I thought, “What an easy place for a US company to feel like home. Why don’t US companies build their tech centres in New Zealand?” There are some serious long-term opportunities here. Universities could build world-class CS and entrepreneur programs and really kick-start the opportunity for New Zealand to become the tech and cybersecurity capital of the world - or at least the Southern Hemisphere. It’s a long term play, but why not get serious about it?
North America Beachhead Advisor Jim Pflaging has over 25 years of Silicon Valley experience, including 15 as CEO of cyber security and data management companies. Beachheads connects participating companies to a network of private sector advisors in New Zealand and around the world who can act as mentors and provide insights into the realities of growing internationally successful businesses.
"Complying with FBI Cloud Policy"
Source: American City & Country
June 03, 2015
All cloud products sold to must comply with the FBI’s Criminal Justice Information Services (CJIS) Security Policy. Unfortunately, a recent study showed that half of law enforcement officials have no knowledge or are not familiar with CJIS rules and requirements. The International Association of Chiefs of Police (IACP) conducted the study and to help has issued a report, “Guiding Principles on Cloud Computing in Law Enforcement.”
GPN reached out to Paul Rosenzweig, senior advisor to the Washington, D.C.-based Chertoff Group, who offers his views on the topic. Michael Chertoff is one of the founders of the firm and is a former secretary of the U.S. Dept. of Homeland Security.
"Big Brother is Watching EU"
Source: POLITICO Europe
May 20, 2015
A strange — and strangely unnoticed — trend is emerging in the evolving global response to massive 2013 leaks about US surveillance activities. While our European cousins talk privacy reform, the United States is actually moving ahead with it, albeit more slowly than many would like. As the American side of the Atlantic inches toward self-restraint, many European governments are seeking sweeping new spying powers. Europe is at risk of falling behind the US in privacy reform.
Following two post-Snowden reviews of US surveillance activities, the United States announced new limitations to its electronic surveillance activities, including additional privacy protections for Europeans and other non-US citizens, which few European countries currently afford Americans. Much-criticized US surveillance activities, including the bulk telephone metadata program, are set to expire in days unless Congress intervenes. Meanwhile, the bipartisan Law Enforcement Access to Data Stored Overseas (LEADS) Act and similar draft laws are moving through Congress and garnering broad support from technology companies, business organizations, and privacy and civil liberties advocacy groups.
"The Vast Amount of Personal Information (PII) Stored in the Cloud Needs to be Better Secured"
Source: Government Security News
May 18, 2015
State and local law enforcement hold vast quantities of personally identifiable information (PII) about their citizens. Arrest records; conviction records; finger prints; mug shots - all of them are collected by police departments around the country. And, increasingly, this information is stored in a digital form with a cloud service provider. How secure is that cloud storage? Jennifer Lawrence and other celebrities know that the answer is "not necessarily as secure as we might hope." And therein lies an alphabet soup of rules and standards. Cloud data privacy is an alphabetic minefield of confusing three letter acronyms (TLAs to those of us in the know). State and local law enforcement who don't make the effort to get to know these acronyms and what they mean do so at their own peril - at least insofar as they collect and store data about their citizens in cloud-based storage systems.
The latest entry into this derby of acronyms is the ISO, which is the International Standards Organization. If you are familiar with the American National Institute for Standards and Technology (NIST) then you know what ISO does - it is a consensus-based body that is intended as a technical standard setter for the world, in a host of disciplines - the international version of NIST.
"Convergence, Reemergence, or Convergence 2.0"
Source: Intelligent Utility
May 8, 2015
A little over a decade ago, the term convergence was de rigueur when talking about bringing the disciplines of physical security and IT security together to solve the challenges of stove-piped security. Fast forward to 2015 and the challenges remain mostly the same, except the conversations are now about how to bring three disciplines-physical security, cybersecurity (formerly called IT security) and operational technology security (industrial control system/SCADA security)-together to manage the threats facing the electric utility industry.
Protecting our nation's electricity infrastructure has evolved from a subject relegated almost entirely to the corporate security officer, to a very visible and often political topic that gets almost daily attention by boards, CEOs, government regulators and even utility customers. While electric utilities in North America remain effective at addressing traditional threats such as severe weather, vegetation management and routine transmission disruptions, the evolving nature of physical, cyber and OT security is creating challenges that many companies are grappling with to ensure the resilience of their operations.
"ISO 27018: Protecting privacy and national security too"
May 5, 2015
In the late 1970s, Leonard Nimoy (RIP Mr. Spock) hosted a weekly television "documentary" called "In Search Of…," in which he quested after Bigfoot, the Loch Ness Monster and other mythical creatures or phenomena. Nimoy's mysterious quarry almost always eluded him.
Many, myself included, generally expect the same outcome for international privacy and IT security standards that enhance the national security of countries implementing them: they are myths. But ISO (the Geneva-based multinational International Organization for Standardization) may have managed just such a mythical feat with its first-of-its-kind standard 27018, formally entitled "Information technology — Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" (ISO 27018).
"Getting past the zero-sum game online"
Source: The Washington Post
April 2, 2015
As director of the National Security Agency and then the Central Intelligence Agency after the Sept. 11, 2001, attacks, I fought to provide our intelligence officers with every possible advantage in their work to detect and confront threats from our enemies.
We were entering a new kind of conflict. I had grown to professional maturity in an era in which it was NATO vs. the Soviet Union, and our enemy — with its tank divisions in Eastern Europe and intercontinental ballistic missile silos in our sights — was easy to find, though hard to defeat. Today, our enemies are relatively easy to defeat, but they often are damnably difficult to find. Hence the need to create timely, actionable — even exquisite — intelligence.
"Why State and Local Law Enforcement Should be Part of the MLAT Reform Process"
Source: Government Executive
March 25, 2015
God forbid. You're an Assistant District Attorney in the midst of a case when gunfire erupts in the offices of a local magazine headquartered in your city which recently satirized ISIS. In "retaliation," terrorists have executed a dozen magazine employees although most had nothing to do with the offending column. Your top cops and prosecutors are immediately on the trail, but the gunmen disappear into the underworld of Europe. Your citizens demand swift justice and exemplary police work traces your perpetrators to social media accounts housed on servers in France. Time being of the essence, you quickly request vital evidence from the French social media companies before the killers' trail goes cold.
"Alibaba and the Cognitive Dissonance of American Data Policy"
March 25, 2015
"Who says A must say B..."
The aphorism, often attributed to the conservative philosopher James Burnham (though it originated in the fable of Hansel and Gretel), is a short-hand phrase that is intended to capture the requirement of intellectual consistency. Or, put more colloquially - don't be an intellectual hypocrite. American cyber policy makers may well rue not paying heed to Burnham. The legal interpretations they currently espouse may soon turn around to bite them in the proverbial hypocritical posterior.
Chertoff: Protect electronic conversation privacy today
Source: USA Today
March 3, 2015
Over a century ago, Alexander Graham Bell invented the telephone and it was soon in widespread use. Not surprisingly, police soon saw the value of listening in on private phone conversations, and wiretapping was born. But in 1933, Congress decided that interceptions of phone calls were an invasion of privacy comparable to a physical search under the Fourth Amendment. So, in order to listen to the content of a telephone call through a wiretap, police must first get a warrant and demonstrate to a judge that there is probable cause to think criminality is afoot. But what should be the rule when the conversation is by email and the substance of the conversation is stored on a server owned by an Internet service provider?
"DRM Institute Leader Series"
February 24, 2015
Mark Weatherford, a Principal at The Chertoff Group, was featured in a Digital Risk Management Institute Leader Series article. Read the full Q&A with Mr. Weatherford where he discussed the digital threats facing industry and how executives can better manage the influx of new and increasingly complex cyber risks.
"Opinion: Privacy could be the victim if police body cameras aren't more hack-proof"
By: Paul Rosenzweig
Source: Christian Science Monitor - Passcode
February 3, 2015
President Obama's request that Congress spend $75 million to outfit police with body cameras after the Michael Brown shooting reflected a consensus that the technology will provide a clear record of interaction between the public and law enforcement. But while civil rights and police groups agree that video can protect citizens and officers, the security within these systems needs to be addressed long before some 50,000 police strap cameras to their uniforms. After all, the information collected on video will be incredibly sensitive, and the impact of a hacker accessing this data could be extraordinary. Imagine a hacker who edits the data to change the identity of an assailant or leaks the footage of a victim immediately following a violent crime. The concern is not speculative – at least one white hat hacker has shown he can break into a police video system and criminals have demonstrated the ability to penetrate police department networks.
"Wanted: An International Rule of Law for Cloud Data"
By: Michael Chertoff
Source: The Wall Street Journal
December 18, 2014
Imagine a world in which European regulators can order Google to delete information from its servers—information that, in America, would be protected by the First Amendment. Or a world in which Apple can be ordered by the Chinese government to keep all iCloud data created in China (even by Americans) on China-based servers so that the government could have ready access to it. Both of those real examples recently made headlines. But they exist in a world of conflict over whose national laws govern data held in cyberspace. And what is true for corporations is equally true for individuals.
"We Need a Clear Doctrine of Deterrence to Cyber Attacks"
By: Michael Chertoff
Source: TIME Magazine
December 18, 2014
For years, cyber security specialists have reported on intensifying intrusions into the information networks of our major institutions, both public and private. Most of these have involved theft of personal information for financial gain or espionage aimed at stealing valuable intellectual property. But occasionally we have seen more destructive attacks, aimed at “wiping” or destroying the networks and data themselves. In 2012, Saudi Aramco was a victim of a cyber attack that destroyed thousands of machines, and in 2013 South Korean banks were also targeted for cyber damage. The recent Sony attack is a disturbing new chapter in this escalation of cyber conflict, not least because of the reaction we have seen.
"Managing Cyber Risk in Today's Security Landscape"
Published in Edison Electric Institute's November/December 2014 Issue of Electric Perspectives
Question: Based on your experience working with companies on their security issues, are they prepared for today's cyber threat?
Michael Chertoff: Some companies are better than others at their overall ability to manage risk, including today’s cyber threats. The good thing is that more and more members of the C-suite are becoming active in addressing these issues and no longer view cybersecurity as simply a technical matter best left to the chief information officer. The key is to identify an effective risk management framework that will help a company intelligently examine the threats it faces; identify, assess, and where possible, eliminate security gaps or vulnerabilities; and ensure a robust plan for consequence management. A company needs to be prepared to respond when a crisis does occur. A risk management framework is an effective instrument to better inform decision making when it comes to prioritizing security investments, detecting new threats, and managing future security concerns and changes in the risk environment.
Addressing Dynamic Threats to the Electric Power Grid Through Resilience
On November 14, 2014, the Chertoff Group released a new report examining the resiliency of the American electric grid against cyber and physical security threats. The report - Addressing Dynamic Threats to the Electric Power Grid Through Resilience - outlines the industry’s multipronged approach to grid security, including critical infrastructure standards, voluntary security initiatives, incident response preparations, and partnership with the government to enhance the reliability of our nation’s electric power grid.
“The U.S. electric power grid is often called the ‘largest machine in the world,’ and our society’s reliance on it is only increasing,” said Mark Weatherford, Principal at The Chertoff Group and former Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security. “As the grid transforms, it’s vital that we analyze and assess the risks in order to improve the security and resiliency of the electric grid.”
"Cybersecurity and Privacy Challenges with the Internet of Things"
By: Mark Weatherford
Published by Edelman.com
October 29, 2014
The Internet of Things is coming. The term “Internet of Things” (IoT) refers to the increasing number of everyday objects – from airplanes, cars and trains, to light bulbs, blood pressure monitors and thermostats – that communicate with each other via the Internet. The IoT may provide fantastic new opportunities for humankind, but it may also lead to growing security risk and continued diminution of our privacy. It may do both.
Gartner has estimated that the number of things connected to the Internet will reach 26 billion by 2020 and John Chambers from Cisco has predicted that allowing these devices and applications to work together and create new services will realize savings to the tune of 19 trillion dollars.
While there are certainly profound efficiencies to be realized from the IoT in everything from manufacturing and agriculture, to health care and energy, there’s also a dark underside. When there is that much money involved, you can be assured that it will be very attractive to bad guys.
"Why Companies Need a Business Continuity Plan"
Published by Forbes.com
August 22, 2014
Christopher Skroupa: At the time of a cyber-attack, how do company executives define and protect their most critical assets and put into place a business continuity plan?
Brian White: It is important to note that at the time of an attack it will already be too late for a company executive to identify those critical assets. The intruder will have located them and targeted these assets. Once the company identifies the cyber intrusion, each second is critical to effectively responding. With this in mind, it is essential for business executives to conduct a strategic review and analysis of their most vital assets and make investments to create a more resilient enterprise. It’s not about what they should do at the time of an attack, but rather how they implement a response and recovery plan. The biggest risk a company faces in today’s uncertainty of cyber-attacks is not being prepared.
Skroupa: As cyber-attacks become more sophisticated, how does a company executive best prepare for agile risk management and prepare effective response plans?
White: Practice is everything. In today’s world of cyber uncertainty 100% protection against a cyber-attack is not possible, even with the strongest of security measures in place. Therefore, creating an effective risk management and response plan is a key mitigation activity. Companies and enterprises should prepare and practice table top exercises with key executives and work with crisis communications professionals. Messaging the cyber-attack to customers and stakeholders must be included in an active response plan, both in protecting assets and restoring operational functionality. Understanding the key decisions and having preemptive conversations on how to disclose the attack and seek to regain trust from customers is a fundamental step in developing an effective response plan. Additionally, planning and preparation will be helpful in building the team regardless of whether it’s a cyber-event, a natural disaster or a product recall.
Skroupa: With an unforeseen attack, how can executives trust that their response plan will even work?
White: The hard fact is that you will never know if the plan will work before a cyber-event. But as General Dwight D. Eisenhower said, “Plans are nothing; planning is everything.” The key is to engage in the process of planning and exercising so company stakeholders know their roles and responsibilities. As a CEO, the first time meeting with the CISO and his or her team cannot be during the crisis. Every plan will have opportunities and vulnerabilities. Understanding the plan’s parameters and options will enable an executive to make decisions quickly and accurately at first response. If the plan initially fails, they will have the knowledge to divert and implement a modified response. An exercise two to three times a year for three to four hours each time will make all the difference if there is a major breach.
"Big Data and Cybersecurity Key Players in Dynamic M&A Market"
By Sandra Jontz
Published in Signal Magazine
July 31, 2014
Enduring problems surrounding data analytics and emerging cyberthreats keep small businesses vital in mergers and acquisitions environment.
A resurgence of activity has hit the mergers and acquisition market this year, with companies operating in big data analytics and cybersecurity seeing a lot of the action, experts say.
"We believe [big data analytics] is going to be an enduring problem," said David Wodlinger, principal with Arlington Capital Partners, a leading investor firm in defense technology and the aerospace market. "Data is getting created at such an astronomical rate, the quality of sensors are getting so much better … that the market for companies that have the capabilities to analyze these massive amounts of data is going to be hot now and going to be hot for the foreseeable future.
“Similarly, cybersecurity is one problem that we don’t see a real solution to any time soon,” continued Wodlinger, a panelist on the Defense, Cyber, Intelligence and Homeland Security; Market Forecast and Emerging M&A Trends forum co-sponsored by The Chertoff Group and AFCEA International. “The problem is that adversaries keep … getting better at what they’re doing; consequently there is going to be a lot of [research and development] dollars spent on that.”
Small businesses with solutions to stamp out waste, fraud and abuse round out his top three of enduring business that will drive market movement and pique investors’ interest, said Wodlinger, also a member of the boards of directors of Novetta Solutions and Quantum Spatial.
There is a whirlwind of big companies buying smaller companies, setting up 2014 as a huge year for mergers and acquisitions. The economic recession spawned a new type of trend in the dynamic merger and acquisitions environment, said Jason Kaufman, principal at The Chertoff Group and the panel moderator.
“We had a long cycle of prosperity over the course of a dozen years where, because of the war years boom and post 9/11 spending, we had a lot of private equity groups who rushed to the market,” Kaufman said. “Since then, we obviously entered into a downturn, and over the course of that downturn, we’ve seen the emergence of a couple of new trends. … We’ve seen a new class of private equity firm come into the market to really focus on building scaled contractors who have the ability to remain agile and innovative and bring technology to the customer, but who also have enough size to handle large-scale programs.”
Our New Fear of Flying
The Ukraine shoot-down and FAA decision cry out for a revamping of global air security.
July 23, 2014
It may not exactly be easy to shoot down a civilian airliner—but it’s easier than ever before.
The missile attack on Malaysian Airlines Flight 17 over eastern Ukraine, and the decision by the Federal Aviation Administration to temporarily bar U.S. flights to Tel Aviv because of rocket fire, have riveted attention once again on the question of global aviation security. For aircraft cruising at high altitude, downing a plane requires either a relatively sophisticated missile or another aircraft, capabilities that up to now have been restricted to nation states (or their proxies). But recent developments in the global security situation, including the growing availability of less sophisticated technologies, suggest the rise of more broadly based threats to aviation in a number of regions around the world.
Building a Resilient Power Grid
Industry and government are working together to ensure necessary investments – not only to anticipate and prevent possible harm to critical energy supply – but also ensure a constant focus on building a more resilient grid.
By Michael Chertoff
Published in Edison Electric Institute's May/June Issue of "Electric Perspectives"
In the early morning hours of April 16, 2013, just 12 hours after the tragic Boston Marathon bombing, Pacific Gas and Electric’s (PG&E’s) Metcalf transmission substation, located just south of San Jose, CA, fell victim to well-planned and executed acts of sabotage. Two fiber-optic lines running underground near the substation were cut, and more than 100 rifle shots were fired at the substation’s transformers and radiation cooling devices. While substantial damage was done, it is important to note that no power was lost. Why? PG&E operators saw an anomaly in the system and acted in accordance with their training by rerouting power to another substation. Their planning, training, monitoring, and response protocols helped them avoid a loss of power to a large portion of Silicon Valley.
There is no single solution that can completely eliminate each and every risk to our nation’s power grid. However, the electric power industry and government can and are working together to ensure necessary investments – not only to anticipate, prepare for, and prevent possible harm to critical energy supply – but also to ensure a constant focus on building a more resilient grid.
Why Every Board Should Care about Cybersecurity
The Internet was originally designed to move large volumes of information among a limited number of trusted users. Security was never a central component; no natural technical boundaries were put into place to protect information. Today, the Internet has evolved into a massive global system essential to our daily lives, global commerce and national security. It also remains defined by the same core principles of openness, flexibility, speed and efficiency as when it was first created.
Is Internet in Danger of Becoming "Splinternet"?
By Michael Hayden, Principal with The Chertoff Group and former director of the NSA and CIA
Published in: CNN
The serial revelations by Edward Snowden, the former National Security Agency contractor who stole and leaked classified government information, have ignited a variety of disputes in the United States and around the world.
Is the collection of metadata, detailed records of phone calls and other communications, as benign or as malignant as it has been portrayed? What are the proper limits in conducting electronic surveillance of geopolitical allies or of ordinary citizens? How much government espionage activity must be publicly available to really give meaning to the concept of "consent of the governed"? Is it appropriate to secretly compel private enterprise to assist in intelligence collection?
Beyond Snowden: An NSA Reality Check
By Michael Hayden, Principal with The Chertoff Group and former director of the NSA and CIA
Published in: World Affairs Journal: January/February 2014
Despite continuing debates over debt limits and government shutdowns, the reach of NSA surveillance has become a hot and enduring topic. And foreign leaders are weighing in on the scope of alleged NSA activities against them.
2014 Market Outlook: Jason Kaufman of Chertoff Capital Expects Surge in M&A Activity as Renewed Market Certainty Drives Cautious Optimism
By Jason Kaufman, Head of Investment Banking, Chertoff Capital
Published in: Washington Executive, January 8, 2013
Deal makers often greet the new year with optimism and this year is no different. Chertoff Capital expects a surge in mergers and acquisitions (M&A) in 2014 as renewed market certainty enables a return to strategic planning and measured risk tolerance.
US Must Tackle Cyberattacks from Chinese
By Michael Chertoff and Michael Hayden, Co-Founder and Principal with The Chertoff Group
Published in: The Hill, April 18, 2013
The American public is waking up to a reality that many in government have known for some time — the threat of cyber espionage and intrusions, particularly from China.
The Chertoff Group Partners with the FCC to Launch Smartphone Security Checker to Help Consumers Protect Mobile Devices This Holiday Season
More than 20 million Americans will unwrap a new mobile device this holiday season, but most smartphone users admit they don’t know how to protect themselves from mobile security threats
The Chertoff Group is Proud to Work with the FCC to Release Small Biz Cyber Planning 2.0 to Empower Small Businesses with Customizable Cybersecurity Plans
Small businesses are more dependent on the Internet than ever before, but 83 percent don't have a formal cybersecurity plan to protect against cyber threats.
When Intel Meets the Political Debate
By General Michael Hayden, Principal
Published in: The Washington Post, October 1, 2012
The intersection of intelligence reporting and policymaking is tricky.
The Lesson of Google's Safari Hack
By Michael Chertoff, Chairman & Co-Founder
Published in: The Wall Street Journal - July 23, 2012
In the cyber age, privacy and security are two sides of the same coin. Digital privacy concerns can't be separated from security ones, and vice versa.
Cloud Computing and the Looming Global Privacy Battle
By Michael Chertoff, Chairman & Co-Founder
Published in: Washington Post
A grave threat is said to be stalking Europe. No, it isn’t the financial crisis and the potential demise of the euro. It’s the “rapacious” U.S. approach to privacy — which portends, for those engaged in the development of cloud architecture, a coming “clash” of privacy laws.
China's Cyber Thievery Is National Policy—And Must Be Challenged
By Michael Chertoff, Chairman & Co-Founder, Mike McConnell & William Lynn
Published in: Wall Street Journal - January 27, 2012
Only three months ago, we would have violated U.S. secrecy laws by sharing what we write here—even though, as a former director of national intelligence, secretary of homeland security, and deputy secretary of defense, we have long known it to be true. The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world's most active and persistent practitioners of cyber espionage today.
Can We Trust the Cloud to Protect Sensitive Law Enforcement Information?
By Michael Chertoff, Chairman & Co-Founder
Published in: safegov.org - January 18, 2012
Can we trust the cloud to protect sensitive law enforcement information? Today, the best answer to this question is - no pun intended - very cloudy.
There are good reasons to consider cloud storage - storage of large amounts of electronic information on servers hosted by third parties and located in one or more physical locations beyond those controlled by the party responsible for the data.
A New Line of Defense in Cybersecurity, With Help From the SEC
By Jay Rockefeller and Michael Chertoff, Chairman & Co-Founder
Published in: The Washington Post - November 17, 2011
We have been in enough classified briefings over the years to know the details of the most significant threats to our national security and our way of life. One vulnerability in particular keeps us up at night: the state of our nation’s cybersecurity.
The World's 7 Most Powerful Defenders & Offenders
By Michael Hayden, Principal
Published in: Forbes - November, 2011
"Global security can be formed or threatened by heads of state whose wisdom, folly and obsessions shape global events. But often it is the security practitioners, those rarely in the headlines but whose craft and energy quietly break new ground, who keep us safe or put us in peril."
Re-Examining Our Bio-Defense
By Jeffrey Runge, Principal
Published in: Politico - October 20, 2011
This is the 10th anniversary of the anthrax letters – a deadly small-scale attack on our nation’s leadership and many innocent citizens. I was stunned to see some responses after three years of virtual radio silence by the Obama administration and the Congress, the very institution targeted by the “warning shot” from a lone wolf terrorist.
What's At Stake in the Cloud?
By Michael Hayden, Chairman & Co-Founder
Published in: The Hill - October 4, 2011
The new federal strategy for implementing cloud-computing solutions is called “Cloud First”— and with good reason. We now systematically prefer cloud-computing solutions to those based on local servers and laptops. The allure of efficiencies, economies of scale, high-end services and — most importantly — reduced costs are almost irresistible.
Our Salt Risks Draining into Cyberspace
By John Reid, Principal
Published in: Financial Times - June 22, 2011
The news was dominated on Wednesday by reports of the arrest of a suspected British teenage computer hacker, in connection with a range of security breaches including attacks on the website of the CIA and the UK’s Serious Organised Crime Agency. We can expect many more such events as our security agencies struggle to address the challenges of cyberspace.
Chertoff: Looking Ahead to What's Next in the War on Terror
By Michael Chertoff, Chairman & Co-Founder
Published in: USA Today - May 2, 2011
With the World Trade Center still smoldering, America promised to bring Osama bin Laden to justice or justice to him. President Obama's announcement that bin Laden has been killed brings a tremendous amount of gratification for all those who have fought for years to achieve this result as well as great comfort to those who lost loved ones on Sept. 11, 2001. There is no doubt, this is a great moment for America.
What Happens After Gaddafi is Removed?
By Michael Chertoff, Chairman & Co-Founder and Michael Hayden, Principal
Published in: The Washington Post - April 21, 2011
Libyan rebels have made it clear that any proposal to cease fighting and end their current battle against the Libyan government must include the removal of Moammar Gaddafi. President Obama, along with French President Nicolas Sarkozy and British Prime Minister David Cameron, has repeatedly called for the removal of this violent dictator. The objective is clear. And Libya’s future is being determined by a civil war, one in which we unarguably have a hand.
Ten Years Later
By Michael Hayden, Principal
Published in: World Affairs Journal - September/October 2011
As dusk fell on September 11, 2001, I made my way to the NSA office responsible for counterterrorism analysis. These analysts were still located on a floor near the top of one of our high-rise headquarters buildings because we could not afford the disruption in mission that would have resulted from moving them into spaces in the lower, presumably safer, ops building to which most essential personnel had decamped hours earlier.
The Future of Things "Cyber"
By Michael Hayden, Principal
Published in: Strategic Studies Quarterly - Spring 2011
In the Spring 2011 edition of Strategic Studies Quarterly, General Michael Hayden discusses the lack of clarity and agreement found among government officials and the private sector on how to create a more secure cyber space. He poses several important questions: Is cyber really a domain? What constitutes a reasonable expectation of privacy? What should we expect from the private sector? And is defense possible? While there are many other tough questions out there, General Hayden states that until these and others like them are answered, "we could be forced to live in the worst of all possible cyber worlds - routinely vulnerable to attack and self-restrained from bringing our own power to bear."
Defending Against Terror Threat to Cargo
By Jayson P. Ahern, Principal
Published in: CNN - November 11, 2010
Recently, the United States was tipped off by Saudi Arabian authorities that packages laden with explosives were en route to the United States.
With little time to react, the United States, as well as allied countries around the world, led a vigorous search through the multifaceted international cargo shipping system, ultimately discovering the packages, within hours of detonation, in time to prevent a devastating attack.
Chertoff: Keeping America Safe
By Michael Chertoff, Chairman & Co-Founder
Published in: The Washington Times - December 26, 2008
Why has our country remained safe since September 11? Because of concrete policies the president has pursued - policies that range from reorganizing the intelligence community to taking the fight to our enemies, from monitoring terrorist communications to creating the Department of Homeland Security.
We Should Be Prepared for an Emergency
By Michael Chertoff, Chairman & Co-Founder
Published in: The Vindicator - January 5, 2009
With the new year comes the inevitable urge to make ambitious resolutions for 2009. High on people's lists should be a resolve to become better prepared for emergencies.
Texting with Terrorists
By Richard A. Falkenrath, Principal
Published in: The New York Times - August 9, 2010
WHEN the United Arab Emirates announced last week that it would suspend BlackBerry service within its borders starting this fall, business travelers who rely on the handheld devices reacted with understandable dismay. But the decision was greeted quite differently by the men and women who make a living hunting terrorists, smugglers, human traffickers, foreign agents and the occasional team of clumsy assassins. Among law enforcement investigators and intelligence officers, the Emirates’ decision met with approval, admiration and perhaps even a touch of envy.