Tuesday, October 7, 2014

Cyber Competitions: A Bandwagon For Retailers To Jump On

[JBJ:  Note National Cyber League mentions]

10/06/2014 @ 8:58AM  Forbes

The headlines are all about massive data breaches at places like Home Depot and Target, and the protective steps that must be taken in the aftermath of an incident. That’s one part of the story, the unnerving part.

Another, more encouraging story is all about how many organizations are taking a significant step further, with the longer-term prospect in mind. It’s all about the next generation, and how it’s being trained today to more effectively safeguard tomorrow’s marketplace.

I’m thinking of the tens of thousands of diverse individuals – at least that many – who now get unprecedented hands-on training in cyber security via “cyber competitions.” These contests have gained immense currency as pedagogical tools. This year, for example, Vice President Biden congratulated the winners of one competition, the 2014 National Collegiate Cyber Defense Competition, at a White House ceremony.

Cyber competitions, sponsored by multiple organizations, including groups like the National Cyber League (NCL) and their corporate underwriters, involve game simulations such as the popular “Capture-the-Flag” (CTF). Preparatory lab exercises equip players to compete in events covering a broad range of security-related topics. In CTF, they search for digital “flags” hidden in encrypted text, applications, or on servers, moving from one bracket to the next more difficult level. Whoever captures the most flags wins.

These programs are all the more noteworthy because they do not exclusively target techies. The goal is to welcome and teach as many people as much as they’re able to learn – so that that accountant, or that department store clerk, can capture a few flags later on in real time when it counts the most.

Two of the best attended events are Def Con, which features special games like Hacker Jeopardy, and Black Hat USA, which has been holding games for the past seventeen years. Def Con’s been in business since 1993. As Rich Coleman observes, the fact that thousands continue to attend both events certainly suggests that “tens of thousands” of total trainees is probably a low estimate.

Coleman, the Chairman, President, and Founder of Cyber, Space & Intelligence Association (CSIA), also suggests that, notwithstanding the longevity of Def Con and Black Hat, the cyber competition phenomenon has really taken off in more recent years. It was in 2011 that both NCL and CSIA were founded, CSIA’s mission being to “provide an environment for a vital flow of ideas between national security thought leaders in government, industry, and Congress.” (CSIA does not itself hold competitions but twenty corporate members do sponsor a “significant number” of contests.)

“2011 was a big year for cyber security,” says Coleman. “The Cybersecurity and Internet Freedom Act was passed and the White House released the Cybersecurity Legislative Proposal. With an 80% increase of APTs [Advanced Persistent Threats] that year, I think the entire world realized we need to pursue a more aggressive agenda to protect our nation’s cyber space.”

The government has also joined the cyber competition party. Homeland Security’s Cybersecurity Education & Awareness Branch introduced the Cyber Competitions Project (CCPS), in part to identify and “champion” all U.S.-based cyber competitions, even offering a shopping list of ongoing events.

Meanwhile, private sector groups like the SANS Cyber Aces foundation and the National Collegiate Cyber Defense Competition sponsor their own competitions and increase access to others on behalf of students, job seekers, and professionals.

However, a search of that aforementioned CCPS shopping list finds nothing listed for retail. I’m not suggesting that that industry has been remiss in the aftermath of major data breach shocks. Initiatives like the 2014 Retail Cyber Intelligence Sharing Center (R-CISC) suggest otherwise.

The R-CISC is an impressive vehicle by which retailers share cyber threat information among themselves and with private and public entities such as Homeland Security, the Secret Service, and the FBI. It also provides training and research for retailers. That industry/government interface is precisely the area where, experts like Coleman insist, more has to be accomplished. And, they add, passage of pending legislation, the Cyber Information Sharing Act of 2014 (CISA), will go far toward faster systematized information-sharing on incipient threats.

Target is among the R-CISC participants, along with J. C. Penney, Lowe’s, Walgreen, and others. Our additional and modest proposal is that this industry should at least consider sponsoring public cyber competitions; they needn’t be the exclusive purview of defense and tech companies.

Such sponsorship would send precisely the right message to non-professional stakeholders (i.e., customers) who have the most at stake when breaches occur in this industry. The message would engage consternated consumers in a way that meritorious professional initiatives like R-CISC cannot. It would be a lively, credible alert to those stakeholders, underscoring the leadership position these companies are presumably eager to assume.

If the retail industry wants to protect us, retailers should make a splash doing so.

Richard Levick, Esq., is Chairman and CEO of LEVICK, a global strategic communications firm.
