Interview with Ami (R.) Elazari

Email interview held on 11th September 2017 – as follows between Alan Radley (questioner) and Tony Collings (relator):

  1. What are your thoughts on the current state of cyber security, both for organizations and for consumers?

Consumers will prioritise security when deciding which companies to do business with!

Following hacker breaches in 2016, including Yahoo and Three Mobile, consumers are more anxious than ever about the downstream financial crime that follows a cyber attack.

As the realization of what a criminal can achieve once they have taken our data sinks in, consumers are beginning to demand guarantees that their service providers are safe.

In 2017, a trend will emerge around customers wanting to understand more about the security of the organizations they do business with.

Just as companies promote ‘seals of approval’ for accomplishments like being ‘green’, customers will look for some sort of seal of assurance that the companies they do business with have a strong cybersecurity posture.

In fact, Ofcom has recently highlighted that broadband providers are very vulnerable and must do more to deliver a reliable internet connection.

Consumers will take ownership of their own cybersecurity

2016 kicked off the year with a loud ding-dong. Hackers have figured out that smart home IoT devices, such as doorbells and refrigerators, are gateways to home Wi-Fi networks and email logins. Similarly to how they developed new and more inventive scams to get hold of consumers’ data in the ‘90s, this is just the beginning of consumer-targeted cybercrime.

Consumers and businesses will acknowledge the threat potential of IoT devices

Beyond hacked doorbells and refrigerators, certain IoT devices, like self-driving cars, can present serious security threats. Expect more attacks to follow, especially as it is currently easier for a hacker to create an IoT botnet to compromise a device than it is to phish for data in traditional ways. There is a serious lack of security features in the code developed for IoT devices, which needs to be addressed.

Due to the risk some of these devices pose to human life, it should be no surprise to hear that the security of IoT coding will come under stricter scrutiny than ever before.

As IoT devices become widely used by businesses and individuals alike, people and organizations will make security considerations a priority in their decisions to use smart devices, not an afterthought.

Organizations and businesses will assess the cyber security of their own and partners’ networks

Led by the Office of the Comptroller of the Currency (OCC) directive requiring banks to manage risks – including cybersecurity risk – in their third-party relationships, companies in all industries will start paying a lot more attention to their business partners’ cybersecurity posture in 2017.

Most businesses have large and complex networks of partners, suppliers, vendors and other stakeholders with whom they exchange information on a regular basis. This means that the web of risk is incredibly wide, and a security breach in any link of the chain can expose the entire network.

Boardrooms across all industries have brought concerns about partner network security to the top of their agenda, so in 2017 we will see growth in the adoption of tools that assess risk across the entire network and bring a company’s security status to the forefront for partners, enterprises, and insurers.

The current state of the cyber security industry: it’s a mess

Biometric security data may become the biggest security vulnerability of all

It started with the innovative Apple Touch ID and Face ID, developed to make it easier for consumers to unlock their phones. But, in 2016, we have seen biometric identification go mainstream – even three-year-old kids’ fingerprints are being captured when they visit Disney World.

Many believe that biometric security data is safer than digit-based passwords and, if used correctly, it may be so. However, in the wrong hands, biometric security data also has explosive potential. And now Apple will have the largest database of Face ID data.

In the aftermath of the compromise of 5.6 million US government military, civilian and contractor personnel fingerprints, Eva Velasquez, CEO of the Identity Theft Resource Center, explained that stolen fingerprints and Face ID data may be a big problem in the future.

This is especially the case if biometric technology is used to verify bank accounts, home security systems and even travel verifications.

Organization cyber security

The DDoS attack on the OVH hosting company in September 2016, which used breached IoT devices, was another example of the increasing threats faced by organizations. The hackers created a botnet that used tens of thousands of connected devices in order to perpetrate a DDoS of more than 1 terabyte. This was one of the largest attacks of this type so far.

The array of security threats has been increasing in quantity and sophistication, so the chances of businesses being attacked are higher than ever. During this year, several trends will prevail, and organizations should be aware of them in order to develop future defenses:

  • Encrypted Traffic

The volume of encrypted traffic has been increasing dramatically. Within several years most of the traffic on the net will be encrypted. Encryption protocols are changing and getting reinforced, and so are the recommendations to organizations. Among other trends, there is a move towards adopting advanced encryption based on ECC (Elliptic Curve Cryptography) and a transition to TLS 1.2 and later to TLS 1.3, in order to prevent data exposure through the weaknesses of old encryption and the presence of an unauthorized “listener” (a man in the middle).

Organizations’ security equipment has become obsolete in many cases, and organizations are called upon to adopt anti-malware technologies while complying with new standards.

  • European Union’s GDPR Regulation

The new European law for the protection of private information, GDPR, will not take effect before May 2018, but most organizations will need many months to prepare. This issue should be on the agenda of Israeli organizations that offer services to European Union citizens.

The new law requires organizations to comply with cross-organizational regulation in order to preserve clients’ private information. Organizations that do not comply and treat their clients’ information security negligently will be subject to high penalties of up to 4% of their annual turnover. Negligence includes, among other things, information exposure, exploitation of information by third parties, or refusal to erase existing and historical information upon a customer’s request, thus disregarding the “right to be forgotten”.

The regulation will apply to every organization that holds, manages or processes European customers’ information. There are many of these in Israel, including companies from the high-tech and financial sectors.

  • Application and Cloud Infrastructure Security

Cloud-based security services allow organizations to consume the same defenses and information security solutions as those deployed locally, only with a better business model, based on use and consumption.

The accessibility of the best solutions, in addition to a convenient business and technical model, will improve the organization’s information security.

  • DDoS-IoT Attacks

IoT devices are on the rise, but the security solutions are not. Vulnerabilities in the devices that flood the market make them easy targets. Any device connected to the net is at risk of hacking. Cellular and internet providers must also consider the risk brought about by home IoT devices. Businesses and communications providers should verify that they have a strategy to confront DDoS attacks and a clear plan in case they are attacked.

  • Applications Security, Mainly API

The rise of mobile applications, IoT, etc. has boosted the use of APIs as a convenient means to link, consume and share information over the net in all fields. Inter-organizational processes are also starting to use APIs, and many teams use them for the automation of infrastructure, network and information security.

This shift brings many security challenges, from access to the API (e.g. identification and secure connection) to breaches and the exposure of sensitive information through it.

Organizations should acknowledge the changing trends and make an effort to incorporate them into their business plans. Adopting relevant trends will increase organizations’ efficiency in operating new services and will contribute to the accomplishment of their growth targets while confronting future risks. It is possible to improve 2017’s chances of being a successful year from an information security point of view.

  2. What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?

  1. Failure to report a cyber security breach!
  2. Employer failed to report a cyber hacking breach or apply adequate cybersecurity measures?
  3. Billing clerks, IT professionals, executives, managers, consultants, bankers and other insiders have been awarded $4 billion+ in whistleblower rewards.
  4. Cybercrime is estimated to cost the global economy as much as $575 billion per year. This number could quadruple to $2 trillion by 2019.
  5. The Federal False Claims Act, the Justice Department’s bank fraud program and the Securities and Exchange Commission pay cash rewards to “relators”, the first person who reports (blows the whistle) on otherwise-unknown information about banks, defense contractors, investment agencies, government vendors or government subcontractors in cases of:

So the reasons behind the many computer security breaches/failures that we see today:

  • Failure to Promptly Report Cybersecurity Breaches
  • Failure to Promptly Report Suspected Cyberhacking Incidents
  • Failure to Provide Adequate Data Security
  • Failure to Regularly Update Cybersecurity Programs
  • Failure to Adequately Safeguard Customer and Government Data

Defense Contractor or Subcontractor Employer Failed to Report a Cybersecurity Breach

IT professionals, federal contract administrators and other defense contractor or subcontractor employees are in prime position to detect weaknesses in security measures or breaches in cybersecurity systems.

Cyber hacks into the computer systems of companies supplying software, radar technology, aircraft, ammunition and other supplies to our U.S. defense programs pose a significant danger to national security and the men and women of our armed forces.

Failure to report cyber attacks among Department of Defense (DOD) contractors and subcontractors may violate the federal False Claims Act. The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rule, titled Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that those participating in any kind of defense department contract:

So the reasons behind the many computer security breaches/failures that we see today and the way to tackle it:

  • Have security measures in place on all computer systems, and
  • Report all incidents of cyber hacking or security breaches to the Department of Justice within 72 hours of discovery.

Specifically, contractors and their subcontractors must implement “adequate security” commensurate with potential consequences and probability of loss, misuse or unauthorized access to, or modification of, information.

Contractors must report any cyber incident that affects the contractor’s information system, covered defense information or the contractor’s ability to provide operationally critical support within 72 hours of discovery.

Whether hackers succeed or not in acquiring sensitive information, any breach in cybersecurity that goes unreported could violate the False Claims Act. The False Claims Act awards whistleblowers with between 15% and 30% of any government recovery arising from settlement or successful lawsuit. Million dollar-plus whistleblower awards are not uncommon since many defense department contracts can range in the millions to tens of millions of dollars.

Whistleblower awards can’t be paid for claims based on publicly known information, such as frequent reports, but if a contractor fails to implement appropriate cybersecurity measures or fails to report a breach in the system, a False Claims violation may exist.

To qualify for a whistleblower award, the whistleblower must have “original source” (inside) information about the failure to report a cyber hacking incident or failure to take the required security measures involving a federal program or contract. If you think you have information and want to learn if it might qualify for a whistleblower award, call the MahanyLaw whistleblower team. Your call is confidential: 202.800.9791

Bank or Financial Institution Employer Failed to Report a Cybersecurity Breach!

Failure to report weak security systems and cyber hacks continues to pose a problem for U.S. banks. Bankers, financial advisors, broker-dealers, IT professionals and other financial employees are in a unique position to detect security breaches or cybersecurity system errors.

Not only do weak systems expose sensitive personal information, but careless handling of data presents an equally serious threat. An employee accidentally attaching a sensitive file to an email or downloading data to a personal device are among potential violations.

To qualify for an SEC whistleblower award (this is separate and distinct from False Claims Act whistleblower awards discussed above), the whistleblower must have “original source” information about the failure to comply with regulatory requirements. The federal government enforces a number of stringent cybersecurity and breach reporting regulations on American banks and financial institutions.

Cyber security mismanagement can also violate securities laws for companies and agencies regulated by the Securities and Exchange Commission (SEC) and may amount to securities fraud.

 

The SEC’s Regulation Systems Compliance and Integrity rule requires organizations to incorporate computer networking systems with security levels “adequate to maintain operational capacity and fair and orderly markets,” and to “take corrective action” and report incidents following system breaches. In addition, the Dodd-Frank Act commands the SEC and CFTC to require financial institutions to design and execute robust identity theft prevention measures.

The SEC’s Safeguards Rule (Rule 30(a) of Regulation S-P) requires that investment companies and their agents adopt policies to implement certain safeguards. The safeguards must be designed to:

So the reasons behind the many computer security breaches/failures that we see today and the way to tackle it is:

  • Ensure security and confidentiality of customer information,
  • Protect against anticipated threats or hazards to the security or integrity of customer records and information, and
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any

  3. Where do you go to find your “science” of cyber security?

Cyberattacks on corporations, agencies, national infrastructure and individuals have exposed the fragility and vulnerability of the internet and networked systems. Achieving truly secure cyberspace requires addressing both the technical vulnerabilities in systems, as well as those that arise from human behaviors and choices.

Today, the National Science Foundation (NSF) announced $76 million in research grants through its Secure and Trustworthy Cyberspace (SaTC) program to study the scientific, engineering and socio-technical aspects of cybersecurity. The grants support 241 projects across 36 states and 129 institutions, and touch on all aspects of the field. These include hardware, software, network security, human incentives and behaviors, and the integration of computation with the physical world.

“Examining the fundamentals of security and privacy from a multidisciplinary, sociotechnical perspective can lead to fundamentally new ways to design, build and operate cyber systems, protect existing infrastructure, and motivate and educate individuals about cybersecurity,” said Jim Kurose, NSF assistant director for Computer and Information Science and Engineering.

The program is inspired by and aligned with two new strategic plans that the administration released in 2016: the Federal Cybersecurity Research and Development Strategic Plan and the National Privacy Research Strategy. Both are dedicated to protecting and preserving the growing social and economic benefits of cyber systems while ensuring security and privacy.

The SaTC program takes an interdisciplinary, comprehensive approach to cybersecurity research, development and education. It also encourages the transition of promising research ideas into practice.

In addition to supporting computer science and engineering research, this year’s SaTC awards emphasize the fundamental mathematics at the core of cybersecurity.

“Improvements in the statistical and mathematical sciences can have a major impact on many aspects of cybersecurity from cryptography and risk assessments to privacy methods and encryption that is resistant to classical and quantum attacks,” said Fleming Crim, NSF assistant director for Mathematical & Physical Sciences.

The program also emphasizes the need for sociotechnical approaches that consider human, social, organizational and economic factors involved in the creation, maintenance and operation of secure systems and infrastructure.

“No solution for securing cyberspace is complete without the integration of research that examines how people — from the users of internet commerce to the attackers who endanger networks — behave in the complicated systems that constitute the internet,” said Fay Lomax Cook, NSF assistant director for Social, Behavioral & Economic Sciences. “Technology and behavior are intrinsically linked in the world of cybersecurity, and NSF’s support for interdisciplinary research reflects that.”

Three new large projects, each supported by $3 million grants, will investigate emerging areas of interest: the relationship between the Internet of Things and humans, the development of verifiably secure hardware, and cryptographic methods to improve privacy. They include:

Several SaTC projects involve engagement with industry through Secure, Trustworthy, Assured and Resilient Semiconductors and Systems (STARSS), a collaboration between NSF and the Semiconductor Research Corporation (SRC). Others were submitted under the SaTC Transition to Practice designation, for projects focusing on transitioning existing research results to practice.

The awards are part of a portfolio of approximately $160 million invested in cybersecurity research across the agency in Fiscal Year 2016.

Despite stringent federal regulations, financial institutions continue to fail to report incidents of cyber hacking or security breaches. Any breach that is not reported could potentially qualify for a whistleblower lawsuit under the SEC whistleblower program or FIRREA (the Financial Institutions Reform, Recovery and Enforcement Act).

The SEC offers whistleblowers between 10% and 30% of any $1 million-plus recovery arising from settlement or successful lawsuit. Because cybersecurity breaches among financial institutions often involve millions of dollars, the potential for a whistleblower award of $1 million or more under the SEC whistleblower program is high.

FIRREA can pay awards of up to $1.6 million.

For a confidential assessment of your reward potential, contact our whistleblower legal team today. Among other qualifications we led the case resulting in the largest single settlement in U.S. history. For a Confidential opinion on your information: 202.800.9791

Fired or Harassed for Reporting Your Employer’s Cybersecurity Breach or Violation!

The U.S. False Claims Act and Securities and Exchange Commission protect qualifying employees who report cybersecurity breaches or violations from “retaliation” – termination, harassment, demotion or threats in response to reporting a cybersecurity violation.

MahanyLaw retaliation lawyers help employees collect damages due to employer retaliation in response to reporting violations either internally or externally. Damages can include double back pay, job reinstatement, and other related losses.

  4. Do you recommend a particular cyber security blog that our readers could follow?

We all know that the information security world is constantly evolving, making it increasingly important to keep up with the latest threat, breach, or vulnerability that may be exposing risk to your organization.

There are many security publications, sites, and even blogs that are great resources to learn how to keep you and your organization safe.

Here are a few that I thought were better* than the rest:

  1. Brian Krebs | com

Brian Krebs is an investigative journalist and reporter who focuses on cybercrime and other major data breaches and hacks. Taking advantage of his expertise and connections within the security industry, he finds angles in a story that most major publications will miss. Brian is meticulous and dedicated to ensuring that every aspect of an attack, from motive to technique, is discovered and reported.

  2. Wombat Security Blog | https://info.wombatsecurity.com/blog

Wombat Security Technologies provides security awareness and training solutions to organizations that want to improve their employees’ security awareness. Their blog offers insight on recent events as well as employee-specific threats, dedicating an entire section of their blog to phishing and other cyber threats. They also offer a ‘Keys to Success’ section which offers actionable information that individuals and organizations can use to improve their own security.

  3. Errata Security | blog.erratasec.com

Errata Security is a blog run by Robert Graham and David Maynor, two security researchers with decades of experience. Their blog is highly opinionated, takes a long-term perspective on security, and offers insight on widely-reported issues. Their articles often combine a high level of technical analysis, providing a unique point of view to each story.

  4. Kaspersky Labs | Threatpost

Kaspersky Labs’ Threatpost is a publication that provides daily articles, podcasts, and videos on all things security. Focused on new threats and attacks, this publication is a great daily resource to check to ensure that your organization and your employees are not exposing themselves to the newest vulnerability that may be lurking on their phone, applications, or essential business products. They’re usually one of the first to report on a new vulnerability or threat that may be affecting organizations at large.

  5. Security Bloggers Network | SBN – The Feed

Security Bloggers Network (SBN) is an aggregation of nearly 300 information security blogs and podcasts. The SBN feed aggregates a wide variety of security blogs that cover recent threats, roundups, popular news stories, and the latest in security research. The aggregated feed is perfect for a more technical and hands-on approach to information security.

  6. Sophos | Naked Security Blog

The Naked Security blog is often cited by major newspapers, and its writers come from a wide swath of security backgrounds. The blog is owned by Sophos, but it runs like a security newsroom, publishing daily articles on recent events in the security world, new threats that may affect organizations and their employees, and briefs on the most important news of the week.

  7. Paul’s Security Weekly | securityweekly.com

Paul’s Security Weekly is an award-winning podcast, webcast, and security publication, publishing a number of weekly shows focused on recent security events, enterprise security, and interviews with professionals in the field. With a high-production value and robust team behind them, Paul’s Security Weekly provides insight and security news in a different format than many other sites.

  8. Akamai | The Akamai Blog

Akamai is a content delivery network (CDN) service provider and runs a blog that focuses on enterprise security, data protection, and cloud security. Its blog is written by Akamai writers and analysts with decades of experience working with enterprises and organizations. However, because Akamai is a CDN provider, they have a unique perspective when it comes to attacks that compromise websites, such as a DDoS attack. The blog is well-known for providing a more detailed look into how these kinds of attacks can take down a website and what further fallout an organization can expect.

  9. The Security Ledger | securityledger.com

The Security Ledger is an independent news provider that publishes daily content on recent news events and updates in security with a focus on long-term consequences, enterprise reaction, and government policy. They focus on the Internet of Things (IoT) as well as external threats from malware to cyber-terrorism.

  10. Graham Cluley | grahamcluley.com

Graham Cluley is a public speaker and independent computer security analyst. His website aggregates numerous posts on breaches, hacks, enterprise security, and the security industry itself.

* What makes these blogs better? I determined the best websites by looking at several factors including post frequency, content quality, and social influence.

  5. What keeps you up at night in the context of the cyber environment that the world finds itself in?

What keeps cyber security experts up at night?

The last Influencers Poll asked an open-ended question: What’s the most urgent cybersecurity or privacy challenge right now, and what’s one way to fix it?

Securing elections from hackers. The spread of connected devices. Nation-state attacks. The lack of cybersecurity talent.

These were some of the pressing cybersecurity challenges that keep cyber security and privacy experts up at night.

Several Influencers were concerned about the impending explosive growth in the sheer number of devices connected to the internet. “Whether one calls them embedded systems, or the ‘Internet of Things,’ the combination of these little computers, poor security design, and upcoming high-speed wireless networks are a perfect storm of sorts that holds the potential to make all of our current cybersecurity concerns worse, more persistent, and of much larger scale,” said one Influencer, a serial security entrepreneur, investor, and consultant.

In order to combat this, “we as consumers, investors, and regulators all have to make clear our insistence upon products (of all kinds) that have at least some basic modicum of system integrity and resistance to compromise built in at the time of manufacture.

Not every connected light bulb has to have the same security features as a desktop computer, but it is reasonable to expect that ours will only obey commands from the proper controllers and at a bare minimum, that these little devices do not provide a foothold for an attacker trying to gain access to the rest of our home and business networks.”

To that end, the No. 1 challenge for Dan Kaminsky, cofounder and chief scientist at White Ops security firm, is making secure development of products “faster, better, and most importantly, cheaper.”

“Astonishing things can be built on a solid foundation. They can also be built on quicksand, but they won’t last very long,” he says. “We need to escape the false dichotomy between quickly developed crud and monoliths of perfection. It needs to be relatively easy and straightforward to build and operate secure systems. A lot of that is going to involve actually studying what developers want and need, and giving them tools that maintain and retain security as a first class feature.”

Dan Geer, chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the intelligence community, took a big picture approach in his answer: The most urgent issue, he says, is people’s overall dependence on technology. “The more people use something, the more it is depended upon. Because the wellspring of risk is dependence, risk is therefore proportional to adoption. We call that on which we must depend critical infrastructures. Because dependence is transitive, so is risk,” Mr. Geer says.

“That you may not yourself depend on something directly does not mean that you do not depend on it indirectly. Interdependence within society is today absolutely centered on the Internet beyond all other dependencies excepting climate, and the Internet has a time constant five orders of magnitude smaller. The complexity of our problem is therefore unacknowledged correlated risk and the unacknowledged correlated risk of cyberspace is why cyberspace is capable of black swan behavior.”

To address this, Mr. Geer says there’s no single bullet. “Bring a revolver,” he quips, advocating for “disconnected operation for critical infrastructures, stress testing for entities too connected to fail, public seizure of abandoned codebases, mandatory cyber- event sharing above some threshold of seriousness” and to “geocode the internet, just as cell phones are.”

Other experts pointed to broader privacy challenges as consumers put more and more personal information online. Jenny Durkan, global chair of the Cyber Law and Privacy Group at Quinn Emanuel law firm, points to “gross and unnecessary over collection of personal information” as her major concern – especially because it’s not adequately protected by the companies that collect it, and consumers have “no realistic way” to control how their personal data spreads online.

To solve this problem, Ms. Durkan says, “consumers should be given an easy and clear way to opt out of data collection and still utilize new technology, and should have the right to limit, review and remove data collected about them for commercial purposes. Innovators need to build and bake better security into technology from the outset. We must end the ‘innovate, then secure’ mindset.”

Several Influencers said the biggest challenges were not necessarily the cyber threats themselves – but people’s reaction to them. “The most urgent challenge to both cybersecurity and privacy right now is the threat of overreaction that stems from incidents that occur,” says Christian Dawson, executive director and cofounder of the Internet Infrastructure Coalition.

To prevent this, Mr. Dawson adds, “a focus on technical education is essential, to aid legislators and regulators in a sound understanding of tech issues. If they comprehend the tech environment prior to a threat, they will be less likely to over-react legislatively during one.”

Similarly, Jeffrey Carr, president and chief executive officer of Taia Global, Inc., worries about “the likelihood that we will go to war over incorrect attribution of a serious cyber attack.”

“When the leadership of both House and Senate Intelligence Committees misrepresent the facts of electoral databases being hacked, and when national policy decisions are frequently driven by privately provided intelligence data that is often unverified and unreliable, and when the private sector and the media can announce nation state attribution of a cyber attack, right or wrong without fear of blowback, then a window of opportunity exists for a malicious third party to cause two nations to escalate to a kinetic conflict when the presumed attacking state is innocent,” Mr. Carr continues.

Unfortunately, Carr says there’s “no way to address it because the cyber threat intelligence industry has no incentive to change and the US government doesn’t acknowledge it as a problem.”

A few Influencers agreed that before any of these challenges can be tackled, the pipeline of people itself needs securing. “There are a reported one million or more job openings currently in the cybersecurity field, and some industries are just beginning to grow their efforts in this space,” says Jeff Massimilla, chief product cybersecurity officer for General Motors. “This gap will likely increase, making it even more difficult for companies to find qualified individuals to fill these roles.” Mr. Massimilla suggests developing more robust university curricula and programs, specialized academic support and focused efforts on job placement after graduation for students interested in the cybersecurity field.

Günter Ollmann, chief security officer at Vectra Networks, also said the shortage of appropriately trained and experienced cybersecurity staff is the biggest challenge, and offered two different ways to solve it. “There are two primary methods for incrementally addressing the shortage of experienced cybersecurity staff. Firstly, the increased deployment of machine learning and AI-based technologies that reduce the technical load on expert staff. And secondly, concerted efforts to encourage more women to join the information security field, coupled with better pay and support mechanisms for women already commencing their cybersecurity careers.”

Comments by experts:

Mike Papay, Northrop Grumman

Challenge: “Cybersecurity of the things in our life we rely on: IoT, critical infrastructure, vehicles, etc.”

Solution: “Ensure a market-based economy exists that values the security as well as the capability of the systems we buy.”

Nick Selby, Secure Ideas

Challenge: “There is still an almost total lack of training for non-federal prosecutors on cyber crime. This means almost no cybercrime cases are brought outside the federal system.”

Solution: “The DOJ and federal government must provide funding for training of District, County, and State’s Attorneys on how to bring cybercrime cases. This is the only way to balance the load placed on federal authorities, and the only way to make a dent on logarithmic growth in cyber criminal activity.”

John Pescatore, SANS Institute

Challenge: “Increasing use of strong authentication – moving away from reusable passwords.”

Solution: “Require strong authentication for online tax filing.”

Christian Dawson, Internet Infrastructure Coalition

Challenge: “The most urgent challenge to both cybersecurity and privacy right now is the threat of overreaction that stems from incidents that occur.”

Solution: “A focus on technical education is essential, to aid legislators and regulators in a sound understanding of tech issues. If they comprehend the tech environment prior to a threat, they will be less likely to over-react legislatively during one.”

Daniel Castro, Information Technology and Innovation Foundation

Challenge: “There is a market failure around cybersecurity. Consumers cannot easily compare the security features of two products. This is an information asymmetry problem that government can help fix.”

Solution: “Most companies publish a privacy policy, which helps create a transparent and accountable mechanism for regulators to ensure companies are adhering to their stated policies. However, no such system exists for security practices, which has resulted in vague standards, regulation by buzzword, and information asymmetry in markets. By publishing security policies, companies would be motivated to describe the types of security measures they have in place rather than just make claims of ‘we take security seriously.’ This is a concrete step that policymakers can take to improve security practices in the private sector.”

Marc Rotenberg, Electronic Privacy Information Center

Challenge: “Growing threats to personal privacy and the increase in identity theft, data breach, and financial fraud.”

Solution: “The United States needs to establish a Data Protection Agency, like every other democratic government. There is a real risk of a cyber security policy that protects US businesses and US government agencies but leaves the personal data of Americans at risk.”


Thank you kindly Ami (R.) Elazari for taking the time out of what must be a busy schedule to answer our questions in such an expansive and purposeful way.

Interviewee: Eng. Ami (R.) Elazari MBA LLM,

Entrepreneur Inventor.

Chairman Owner & President CEO,

Millennium Electric. Electric group ltd,

Amitec Security Information Industry Ltd

179 Namir Ave., PO Box 48466, Tel Aviv North Industrial Zone 61481001, Israel

website: www.millenniumsolar.com

www.linkedin.com/pub/ami-elazari/2/885/a7

Ami (R.) Elazari – Biography

Mr. Elazari has over 30 years of technology and management experience.

Previously he served as a PV Division Manager for Chromagen Solar Systems. He founded Amitec Information Industries as well as Solar Photovoltaic Systems.

Mr. Elazari is a renowned expert in solar energy, and has registered many International Patents in the solar field.

Mr. Elazari is involved as partner and coordinator in over 8 European Commission projects worldwide, and is an evaluator for the 7th R&D programme in the energy field.

Mr. Elazari has completed his Executive MBA degree in Economics and Marketing. He is an accomplished engineer with expertise in the specific sectors of energy, electronics and computer science.

Long CV Profile: http://www.zoominfo.com/#!search/profile/person?personId=57556613&targetid=profile

Specialties: photovoltaic world expert; holds 29 world patents.

Contact Ami on LinkedIn here.