Government - All Articles - CISO Platform2024-03-29T06:22:35Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/GovernmentKeynote: Critical Infrastructures Are Under Attack From Aggressive Nation Stateshttps://www.cisoplatform.com/profiles/blogs/keynote-critical-infrastructures-are-under-attack-from-aggressive2024-02-19T22:55:55.000Z2024-02-19T22:55:55.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12385096096?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/SNANAfdBtjs?si=VYPA3R7JlDFzUhQD" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p>
<p class="graf graf--p">Critical Infrastructures are under attack from aggressive nation states! Governments must step forward to help protect these crucial sectors and the services they provide to citizens.</p>
<p class="graf graf--p">My cybersecurity keynote from the InCyber North American conference is now available for the public to watch!</p></div>Lacking Practicality - Executive Order for Safe, Secure, and Trustworthy AIhttps://www.cisoplatform.com/profiles/blogs/lacking-practicality-executive-order-for-safe-secure-and-trustwor2023-10-30T18:55:12.000Z2023-10-30T18:55:12.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12271494871?profile=RESIZE_400x&width=400"></div><div><p id="f139" class="pw-post-body-paragraph xy xz ug nd b ya yb yc yd ye yf yg yh mn yi yj yk ms yl ym yn mx yo yp yq yr jg bj">The White House just released an <a class="af ks" href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/" target="_blank">Executive Order</a> intended to lay down standards to manage the risks of Artificial Intelligence. I absolutely like the idea of establishing guardrails to make AI safe, secure, and trustworthy, but I am unsure that the concepts will manifest into something meaningful.</p><p class="pw-post-body-paragraph xy xz ug nd b ya yb yc yd ye yf yg yh mn yi yj yk ms yl ym yn mx yo yp yq yr jg bj">It appears that the authors have a simplistic view of AI, which, if true, could be easily managed. However, AI is more an adaptable set of tools and capabilities. It is not a specific machine or device. It is equivalent to an edict requiring the Internet to be safe, secure, and trustworthy. Great in concept, but shortsighted about the actual complexity to achieve and sustain.</p><p class="pw-post-body-paragraph xy xz ug nd b ya yb yc yd ye yf yg yh mn yi yj yk ms yl ym yn mx yo yp yq yr jg bj">For example, there is a requirement for AI-generated content to be watermarked, to protect from fraud and deception. 
We can’t do this well in the real world, much less the digital one. If we could do this, spam and phishing would not be a problem. In the Generative AI world, every time a new tool or process has emerged to watermark content or detect fakes, it has been undermined in a very short period.</p><p id="ff44" class="pw-post-body-paragraph xy xz ug nd b ya yb yc yd ye yf yg yh mn yi yj yk ms yl ym yn mx yo yp yq yr jg bj">In general, the document is filled mostly with ‘don’t use AI for bad’ concepts, but not with actual structures to govern, control, or penalize non-compliant practices.</p><p class="pw-post-body-paragraph xy xz ug nd b ya yb yc yd ye yf yg yh mn yi yj yk ms yl ym yn mx yo yp yq yr jg bj">At a high level, there is much good in this Executive Order, as it draws attention to key areas that we must manage, including security standards for AI implementation in Critical Infrastructure sectors. The order supports a long-needed national data privacy law that unifies the collage of confusing and inconsistent state rules. It offers guidance on many ways the government can or should use AI.</p><p class="pw-post-body-paragraph xy xz ug nd b ya yb yc yd ye yf yg yh mn yi yj yk ms yl ym yn mx yo yp yq yr jg bj">These are great areas to pursue, but the rapid evolution and adoption of AI greatly limits our practical visibility and capabilities in how best to establish meaningful guardrails. 
The result will likely be similar to what has been seen in the past: ineffective standards, with government regulations that are outdated by the time they are defined, and the development community several steps ahead in whatever they want to accomplish.</p></div>Cybersecurity Regulations Will Force Companies to be Trustworthyhttps://www.cisoplatform.com/profiles/blogs/cybersecurity-regulations-will-force-companies-to-be-trustworthy2023-10-05T02:19:11.000Z2023-10-05T02:19:11.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12239694684?profile=RESIZE_400x&width=400"></div><div><p>I think the list of executives and board members genuinely interested in cybersecurity will increase greatly as regulations, such as the US SEC cybersecurity reporting requirements and the European Union's proposed Cyber Resilience Act (CRA), are established to correct longstanding financial incentives that do not benefit the customers or investors. </p><p>These are requirements, for those under their oversight, that force a level of transparency that creates accountability for a company’s cybersecurity posture and management. Such strong catalysts will drive recognition across the top tiers of business leadership of the importance and necessity of committing resources to develop and actively maintain the security of their digital products and services.</p><p>Needless to say, such regulations are unpopular with many organizations as they greatly narrow down the options for concealing security issues and, therefore, represent an undesirable forcing function to invest more in cybersecurity and maintain executive oversight.</p><p>I see this as a strategically important shift that strengthens the trust in digital technology. 
</p></div>Why I'm in Favor of the EU Cyber Resilience Act and You Should Be Toohttps://www.cisoplatform.com/profiles/blogs/why-i-m-in-favor-of-the-eu-cyber-resilience-act-and-you-should-be2023-10-05T01:37:34.000Z2023-10-05T01:37:34.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12239685455?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">I like the EU Cyber Resilience Act! There, I said it! Yes, this will make companies nervous in the short term, but this regulation is a watershed moment that will fundamentally shift how digital products are secured and maintained! This will FORCE the industry to adapt in more transparent and accountable ways.</p><p class="graf graf--p">I don’t like regulations in the tech world but will support such extreme measures when companies are not doing what is best for their customers. In this case, the industry has chosen not to voluntarily support good security practices such as these in the past. They often keep customers in the dark when attackers are running rampant and exploiting weaknesses in their products until they have a fix ready. Customers, if informed in a timely way, may be able to mitigate risks in other ways while waiting for a patch. But not if the company purposely chooses to keep them in the dark. So now, customers may be able to hold manufacturers accountable if they choose not to be forthcoming.</p><p class="graf graf--p">There are several aspects to this act, which is designed to inform and protect consumers of digital products:</p><p class="graf graf--p">1. Notification of exploitation (when vulnerabilities are being used by attackers to victimize targets)</p><p class="graf graf--p">2. Security patching support for the lifetime of the product</p><p class="graf graf--p">3. 
Differentiation between security and functionality updates where feasible</p><p class="graf graf--p">Those companies who are worried about reporting when attackers are exploiting vulnerabilities in their products are basically saying they don’t want their customers to be aware.</p><p class="graf graf--p">I find that the <a class="markup--anchor markup--p-anchor" href="https://www.scmagazine.com/news/eu-urged-to-reconsider-cyber-resilience-acts-breach-reporting-within-24-hours" target="_blank">arguments against this act</a> are outdated. My favorite illogical argument is that “if we report when our products are exploited, then attackers will exploit them more.” Um, the genie is already out of the bottle. How about doing the decent thing and informing your customers that they are at serious risk of being victimized!</p></div>Smart Cities Talk About Cybersecurityhttps://www.cisoplatform.com/profiles/blogs/smart-cities-talk-about-cybersecurity2023-10-05T01:17:45.000Z2023-10-05T01:17:45.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12239678861?profile=RESIZE_400x&width=400"></div><div><p>Cities that truly embrace and foster digital innovation must also responsibly address cybersecurity and privacy risks. Open discussions between the public and private sectors are crucial. This is why I am absolutely excited to be a part of the San Jose Cyber Awareness Day on Oct 16<sup>th</sup>. </p><p>The Mayor and his top digital leaders, including the city CIO, CISO, Chief Privacy Officer, and Deputy City Manager, will be talking about AI and cyber opportunities, and the risks that accompany them. They will be joined by many private sector cybersecurity experts in talks and panels throughout the day. 
I will be moderating a panel of experts discussing how everyone can safeguard data at home, educate our youth, and sharpen our skills to avoid victimization!</p><p>This in-person event is open to everyone!</p><p><a href="https://www.eventbrite.com/e/city-of-san-jose-cyber-awareness-day-tickets-722887906187">https://www.eventbrite.com/e/city-of-san-jose-cyber-awareness-day-tickets-722887906187</a></p></div>New SEC Rules Mandate Cybersecurity Transparency and Oversighthttps://www.cisoplatform.com/profiles/blogs/new-sec-rules-mandate-cybersecurity-transparency-and-oversight2023-07-28T02:45:09.000Z2023-07-28T02:45:09.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/12163574698?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">The new SEC Rules establish a framework that requires rapid disclosure of material cybersecurity incidents (within 4 days), requires companies to be able to explain their cybersecurity posture for managing risks, and requires boards to describe their oversight and expertise in cybersecurity.</p><p class="graf graf--p">This is a major leap forward for securing US public companies! The new regulation drives transparency of incidents, risk management processes, and board accountability. 
It may be the most impactful cybersecurity event this year that shifts the trajectory of how cyber risks are managed!</p><p class="graf graf--p">The new SEC Rules establish a framework that requires:</p><ol class="postList"><li class="graf graf--li">Rapid disclosure of material cybersecurity incidents (4 days)</li><li class="graf graf--li">Companies will need to be able to explain their cybersecurity posture to manage risks</li><li class="graf graf--li">Boards of Directors must describe their oversight and expertise in cybersecurity</li></ol><p class="graf graf--p">These three simple rules will shake the inconsistent, often flimsy, foundations across every sector, and force companies to build strong programs, integrated with board support, to protect customers’ and shareholders’ interests!</p><p class="graf graf--p">Overall, I very much like this requirement! Historically, I have despised tech regulations, except when financial incentives fail to drive the industry to serve the best interests of the public, shareholders, or customers. It was true for Sarbanes-Oxley, privacy, and now cybersecurity.</p><p class="graf graf--p">There will be concerns about the definition of ‘materiality’ and the 4-day reporting requirement.</p><p class="graf graf--p">So first, as a former Incident Commander for an F100 tech firm, yes, businesses can report material breaches within 4 days. Typically, you understand how hot the fire may get in the first few hours. If you know the CEO will need to be briefed, it may be ‘material’, so the regulatory reporting team can get ready. This is doable.</p><p class="graf graf--p">Will a clear picture be determined of the root cause, scope of impacts, final damage tally, and every entity identified?</p><p class="graf graf--p">No. Not in 4 days. Incident response teams will not have all the final details or scope when they make the initial report. Those details will eventually come. The first thing is to notify shareholders. 
Keep in mind, if it is ‘material’ and you don’t make it public, how many insiders are going to SELL their stock/options because they know something that the public does not! Yeah, insider trading is bad.</p><p class="graf graf--p">Will companies ignore the requirements or try to game the system by fudging the data on when they realized it was ‘material’?</p><p class="graf graf--p">Overall, public companies go to tremendous lengths to not violate SEC rules. Additionally, they really don’t like strong shareholder lawsuits that specify failures in the Board of Directors’ due care and diligence. If companies choose not to comply, then shareholders will have a very durable suit when they sue for damages.</p><p class="graf graf--p">The SEC can fine the company and sanction board members. And public sentiment may shift even more negatively, as news outlets will clearly cover such aspects in their reporting of incidents.</p><p class="graf graf--p">It would not surprise me if companies try to take small liberties in the interpretation of when they realized an incident was ‘material’. Taking an extra day might go under the radar, but that is still a tremendous gain for investors, who are often shut out from such events for long periods of time. In fact, many data breaches and cyber-attacks are revealed by security researchers or customers first. Only then do companies feel compelled to make a public announcement.</p><p class="graf graf--p">Anything more than a day will probably be scrutinized. It would be hard for a company to claim that they didn’t believe it was material at a point when everyone is on red alert, they have called in major forensic and incident vendors, production is stopped, millions of sensitive customer records are on the darknet, or their customer support boards are lit up like a Christmas tree on fire. 
Those will be the details that are brought up in the lawsuits and SEC investigation.</p><p class="graf graf--p">So overall, the 4-day notification rule is reasonable.</p><p class="graf graf--p">I believe all these requirements will force transparency for incidents, commitment to cybersecurity risk management, and board responsibility/expertise!</p><p class="graf graf--p">Ironically, many of the companies who will voice opposition will likely also take advantage of such public data to understand the security posture and board expertise when they evaluate business partnerships and M&A deals, define supplier requirements, and make vendor selections. Customers, investors, insurance providers, and potential business partners will want to know if a company they are financially tied to has a mature cybersecurity program that is overseen by savvy board members.</p><p class="graf graf--p">The ripples of this SEC requirement will drive significant and fundamental improvements to cybersecurity that help everyone!</p><p class="graf graf--p">SEC Press Release: <a class="markup--anchor markup--p-anchor" href="https://www.sec.gov/news/press-release/2023-139" target="_blank">https://www.sec.gov/news/press-release/2023-139</a></p></div>How Nation-State Cyber Attacks are Evolvinghttps://www.cisoplatform.com/profiles/blogs/how-nation-state-cyber-attacks-are-evolving2023-04-27T20:49:02.000Z2023-04-27T20:49:02.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/11037112671?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/MKYHsaRaN3s" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="pw-post-body-paragraph if ig hp ih b ii ij ik il im in io ip iq ir is it iu iv iw ix iy iz ja jb jc hi bj">Aggressive countries are leveraging cyber to conduct offensive operations against 
targets across the globe. The threat of nation-state attacks is growing, and I had the opportunity to discuss the challenges with Jeremey Strozer, a strategic risk and international security expert.</p><p id="e069" class="pw-post-body-paragraph if ig hp ih b ii ij ik il im in io ip iq ir is it iu iv iw ix iy iz ja jb jc hi bj">We chat about the changing risks and how organizations should be adapting on the latest episode of The Cybersecurity Vault podcast.</p></div>Cyber Attacks Are Increasing Against Critical Infrastructurehttps://www.cisoplatform.com/profiles/blogs/cyber-attacks-are-increasing-against-critical-infrastructure2022-12-26T19:15:26.000Z2022-12-26T19:15:26.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10919968096?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/_f_9I798cYA" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">The Critical Infrastructure sectors, 16 in total, that are the foundation on which a country and its economy operate, are coming under more pressure from cyber-attacks. The trend will not subside because of who is behind these sinister attacks!</p><p class="graf graf--p">Subscribe to the Cybersecurity Insights channel where I post videos and interviews that detail the industry challenges and best practices. 
Cybersecurity Insights channel: <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/c/CybersecurityInsights" target="_blank">https://www.youtube.com/c/CybersecurityInsights</a></p></div>Albania Expels Iranian Diplomats Over Cyber Attackhttps://www.cisoplatform.com/profiles/blogs/albania-expels-iranian-diplomats-over-cyber-attack2022-09-13T00:48:32.000Z2022-09-13T00:48:32.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10810392886?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/peF-P0szZFI" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">Albania has expelled Iranian diplomats and severed diplomatic relations with Iran because of cyberattacks from the Iranian Intelligence Agency that targeted government services and websites. Such an icy diplomatic response has never happened before and it may open the door as a precedent for how many countries will respond to future nation state attacks.</p><p class="graf graf--p">For more strategic insights and discussions, follow me on the YouTube channel Cybersecurity Insights: <a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/cybersecurityinsights" target="_blank">https://www.youtube.com/cybersecurityinsights</a></p></div>Lloyd’s New Cyber Insurance Exclusions Aim to Avoid Payouts from Nation State Hackshttps://www.cisoplatform.com/profiles/blogs/lloyd-s-new-cyber-insurance-exclusions-aim-to-avoid-payouts-from-2022-08-23T04:07:58.000Z2022-08-23T04:07:58.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10783864253?profile=RESIZE_400x&width=400"></div><div><p> </p><p style="text-align:center;"><iframe title="YouTube video player" 
src="https://www.youtube.com/embed/sz3q4BhtKEE" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">The recent announcement by the insurance giant Lloyd’s of London may be the biggest cybersecurity news of the year. It might not seem all that relevant, but strategically, this will likely shift the entire industry and politics of cybersecurity.</p><p class="graf graf--p">In the podcast, I go over the reasons behind the exclusions, how they impact insurance customers, and what conditions are likely to be excluded.</p><p class="graf graf--p"><strong class="markup--strong markup--p-strong">Links:</strong></p><p class="graf graf--p"><strong class="markup--strong markup--p-strong">Cybersecurity Insights channel: </strong><a class="markup--anchor markup--p-anchor" href="https://www.youtube.com/CybersecurityInsights" target="_blank">https://www.youtube.com/CybersecurityInsights</a></p><p class="graf graf--p"><strong class="markup--strong markup--p-strong">Lloyd’s Market Bulletin Y5381 State-backed cyber-attack exclusions: </strong><a class="markup--anchor markup--p-anchor" href="https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf" target="_blank">https://assets.lloyds.com/media/35926dc8-c885-497b-aed8-6d2f87c1415d/Y5381%20Market%20Bulletin%20-%20Cyber-attack%20exclusions.pdf</a></p></div>US Sanctions Blender.io for Supporting Terrorhttps://www.cisoplatform.com/profiles/blogs/us-sanctions-blender-io-for-supporting-terror2022-05-10T05:45:55.000Z2022-05-10T05:45:55.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10476489667?profile=RESIZE_400x&width=400"></div><div><p>US Treasury sanctions a cryptocurrency mixing site for supporting North Korean hackers who have been stealing hundreds of millions of dollars. 
Blender.io is a virtual currency mixing site that obfuscates the origins of cryptocurrency coin transactions. </p><p>Mixing services are privacy tools that malicious entities can also use for laundering illicit funds. In this case, the Lazarus Group, a North Korean government-sponsored hacking group, recently stole $620 million worth of virtual tokens from the popular online game Axie Infinity. </p><p>It is normal practice for cryptocurrency exchange sites to band together to proactively block transactions from coins acquired by cyberattacks, thus making it very difficult for the thieves to swap them for other assets. Blender.io then processed over $20 million of those tokens, essentially laundering them and undermining the legitimate sites’ efforts to block their liquidation. This constitutes support for terrorist activities that threaten national security interests, in direct violation of the Office of Foreign Assets Control (OFAC) rules.</p><p>When organizations support international crime and terrorism, they should be held accountable.</p><p><a href="https://home.treasury.gov/news/press-releases/jy0768">https://home.treasury.gov/news/press-releases/jy0768</a></p></div>Video – Announcing 2022 Cybersecurity Predictionshttps://www.cisoplatform.com/profiles/blogs/video-announcing-2022-cybersecurity-predictions2022-01-15T23:00:29.000Z2022-01-15T23:00:29.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/10014880654?profile=RESIZE_400x&width=400"></div><div><p style="text-align:center;"><iframe title="YouTube video player" src="https://www.youtube.com/embed/P0bKgPtmTy0" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="hx hy fy hz b ia ib ic id ie if ig ih ii ij ik il im in io ip iq ir is it iu dn gv">2022 will be a very tumultuous year for cybersecurity professionals. 
The underlying fundamentals that drive major shifts of the cybersecurity industry (technologies, threats, and economic factors) will introduce new risks and combine to significantly increase the relevance and challenges of protecting digital assets and capabilities.</p><p class="hx hy fy hz b ia ib ic id ie if ig ih ii ij ik il im in io ip iq ir is it iu dn gv">Top 10 Cybersecurity Predictions</p><p id="cbbe" class="hx hy fy hz b ia ib ic id ie if ig ih ii ij ik il im in io ip iq ir is it iu dn gv">— <a class="dy mx" href="https://www.linkedin.com/pulse/10-cybersecurity-predictions-2022-matthew-rosenquist" target="_blank">LinkedIn article</a><br />— <a class="dy mx" href="https://matthew-rosenquist.medium.com/top-10-cybersecurity-predictions-for-2022-5373839b3bd3">Medium article</a><br />— <a class="dy mx" href="https://www.researchgate.net/profile/Matthew-Rosenquist/publication/357435475_2022_CYBERSECURITY_PREDICTIONS_-_10_INDUSTRY_PREDICTIONS/links/61ce36e4da5d105e550be9ec/2022-CYBERSECURITY-PREDICTIONS-10-INDUSTRY-PREDICTIONS.pdf" target="_blank">Download direct PDF</a></p></div>The Problem of Banning Offensive Technology Saleshttps://www.cisoplatform.com/profiles/blogs/the-problem-of-banning-offensive-technology-sales2021-11-26T17:53:01.000Z2021-11-26T17:53:01.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9853247859?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">I like the concept of ‘banning’ the sale of offensive cyber weapons to potential adversaries, but what defines technology as offensive versus defensive?</p><p class="graf graf--p">Israel just announced it will ban the sales of hacking and surveillance tools to 65 countries: <a class="markup--anchor markup--p-anchor" href="https://amp.thehackernews.com/thn/2021/11/israel-bans-sales-of-hacking-and.html" 
target="_blank">https://amp.thehackernews.com/thn/2021/11/israel-bans-sales-of-hacking-and.html</a></p><p class="graf graf--p">Tech is just a tool. It is how you use it that will determine if it is offensive or defensive.</p><p class="graf graf--p">Is a vulnerability scanner offensive? Sure, attackers can use it to find weaknesses to exploit in their targets. However, in the hands of the cybersecurity team, it is used to identify vulnerable systems that need to be patched, thereby improving security.</p><p class="graf graf--p">Perhaps such bans should apply to all digital technology. If you don’t trust how potential customers may use a tool, you shouldn’t be selling them anything. But in doing so, you limit the prosperity, influence, and value of your own organizations.</p><p class="graf graf--p">Finding a practical balance is very difficult. I’m not sure any country has it figured out, but it is something that needs to be done.</p><p class="graf graf--p">Cyberethics must play a more prominent role in our global digital ecosystem!</p></div>New Ransomware Bill Disallows Payments But Only Benefits Financial Sectorhttps://www.cisoplatform.com/profiles/blogs/new-ransomware-bill-disallows-payments-but-only-benefits-financia2021-11-13T18:46:40.000Z2021-11-13T18:46:40.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9798893266?profile=RESIZE_400x&width=400"></div><div><p>The recently introduced Ransomware and Financial Stability Act (H.R.5936) is a step in the right direction for undermining ransomware attacks by disallowing payments, but it just does not go far enough. This proposal only benefits traditional financial institutions. 
Ransomware potentially impacts every business, person, government service, and even the cryptocurrency world!</p><p>We need to ban all ransomware payments to truly discourage attackers in an effective way!</p><p>News Story - <a href="https://threatpost.com/congress-ban-ransomware-payouts/176213">https://threatpost.com/congress-ban-ransomware-payouts/176213</a></p></div>We Must Crush Digital Misinformation Before It Destroys Societyhttps://www.cisoplatform.com/profiles/blogs/we-must-crush-digital-misinformation-before-it-destroys-society2021-04-20T03:22:35.000Z2021-04-20T03:22:35.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/8812673059?profile=RESIZE_400x&width=400"></div><div><p>Digital communication is connecting people around the globe with tremendous benefits but is also being misused in terrible ways that take advantage of the community. As a society, we are bombarded by misinformation under the guise that it is fact, leading to terrible fractures, victimization, and grief to the detriment of individuals and society as a whole. </p><p>The truth is obscured online and in the media. Something must be done to curb this growing trend and restore the mechanisms that provide factual reporting of news.</p><h2>Fact from Fiction</h2><p>It is not the people’s fault. When sources that are believed to be truthful present inaccurate or misleading information, there is no grounding for what is real. People are easily swayed. To exacerbate the problem, they then form social groups where misinformation is further propagated. Manipulating what people believe to be true has fueled hate, racism, sexism, and violence.</p><p>We see countries where freedom of speech does not exist, ruled by dictators or controlling governments, that use these tactics to control and dominate their citizens. 
It is most apparent in countries where the government controls ALL the media and news stories. The only information available is that which supports the regime. In some cases, an entire nation can be made to believe outlandish claims, such as that a ruler is godlike, has supernatural powers, or is universally loved by everyone. The pen can be mightier than the sword -- the digital equivalent even more so.</p><p>Here in the United States, fake stories and narratives deter people from believing science or inoculating children, and it all came to a head during the last presidential election. It undermined the confidence in our election process to the brink of insurrection. It turned neighbors against each other and threatened our democracy.</p><p>Simply put, the digital world is a blender where it is impossible to identify the difference between factual news and all other narratives. The media industry has not solved the problem; rather, it has often moved to capitalize on sensationalism, leaving reputable news providers at a disadvantage.</p><p>It is time we do something formal to stop the manipulation of our citizens and our democracy by strengthening the pillars of truth.</p><p>As much as I dislike regulations, I recognize that when the normal incentives of a system fail to self-correct situations that harm the people, it is time for regulations to define the guard rails for what is allowable.</p><p>Freedom requires free speech, but liberty requires truth. We need a framework that provides both! </p><p>No easy solution exists, but I have a crazy yet plausible idea to undercut the growing problem of digital misinformation. </p><p>It is a simple solution to understand but potentially challenging to implement. </p><div class="js-reframe"><iframe src="https://www.youtube.com/embed/rsM2elQKNVc" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></div><h2>A Simple Proposal</h2><p>A straightforward regulation must be enacted. 
</p><p>First, any online or digital site that uses the word ‘News’ in its title, content, or self-references must only publish facts. No satire, opinions, editorials, user comments, nothing. For that, they need to push the content to another site that does NOT purport it to be factual ‘news’.</p><p>News sites will then be fully accountable for what they publish. They must do fact-checking and will be held accountable under Section 230 of the Communications Decency Act. Punishments will include fines, regulatory business enforcement (e.g. shut-down), and criminal charges if related to fraud or political manipulation. They will also be civilly liable, including possible punitive damages, when harm is done to innocent citizens or businesses. </p><p>This will drive significant changes in the News industry, separating those who are trying to ethically report facts from those who are willing to sensationalize stories for more viewers, supporters, and advertising revenue. It separates the two so each market can compete with like vendors, thereby leveling the playing field.</p><p>Secondly, all other sites, not under any kind of banner of ‘News’, are free to post whatever they desire. It would be the place for entertainment, satire, far-right/left or middle political narratives, fake stories, fiction, opinions, comments, and editorials. The benefit is such content would not be subject to Section 230 and perfect for most social media platforms. The caveat is they would be forbidden to label, infer, or market such content or sites as providing ‘news’.</p><h2>No Perfect Solution</h2><p>The key is to delineate between factual and non-factual information in a way that citizens can recognize easily and consistently. </p><p>Neither side, legitimate news outlets nor entertainment venues, will like this idea -- which makes it such a good compromise. 
</p><p>The group who will ABSOLUTELY oppose this idea the most will be the people and organizations who purposefully try to deceive the public for their own gain. It holds them accountable financially and criminally.</p><blockquote><p><span style="font-size:18pt;"><em>Freedom requires free speech, but liberty requires truth.</em></span></p></blockquote><p>We need a viable framework that provides both to empower citizens without sacrificing rights!</p><p>Every citizen has the right to exercise free speech, and we all should step forward to protect our liberty.</p><p>Let’s clean up our act. We are in a hole and it is time to work our way out. It won’t be easy, but if we do nothing, it will be more difficult tomorrow and every day thereafter.</p><p>If you like this idea, share it, talk about it. Send it to your representative. Leave a comment.</p><p>If you hate it, explain why.</p></div>Should Governments be Responsible for Protecting the Internet?https://www.cisoplatform.com/profiles/blogs/should-governments-be-responsible-for-protecting-the-internet2020-10-13T21:05:50.000Z2020-10-13T21:05:50.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><iframe width="560" height="315" src="https://www.youtube.com/embed/mEPln0d6rGM?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></p><p>Does society want governments to take on the role of protecting the Internet? Should the Internet be considered a Critical Infrastructure and therefore be overseen by governments? Will such actions undermine privacy and liberty, or will citizens demand them to protect personal access and online security?</p><p><span>The Singapore government recently announced a policy shift to protect citizens' access to safe networking, just as it provides critical infrastructure resources like clean water and sanitation. 
This precedent may be hotly debated by populations in countries around the world, as each nation will ultimately need to determine what is best for it. </span></p><p><span>Subscribe to my new </span><a href="https://www.youtube.com/channel/UC4hKNPYJVm5MAgkFdGXSc7A"><span>YouTube channel for more Cybersecurity Insights</span></a><span>, rants, news, and perspectives.</span></p></div>Privacy is at risk when security fails - especially for surveillance camerashttps://www.cisoplatform.com/profiles/blogs/yyy2020-12-29T22:24:57.000Z2020-12-29T22:24:57.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><iframe width="560" height="315" src="https://www.youtube.com/embed/77w-g1KzCAc?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></p><p>A recent incident involving city surveillance video data highlights some of the privacy risks that criminals pose to public camera and biometric programs. Without strong cybersecurity, everyone’s privacy could be undermined by cyber attackers, criminals, and malicious insiders.</p></div>
