<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insecure About Security</title>
	<atom:link href="http://www.insecureaboutsecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.insecureaboutsecurity.com</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Tue, 09 Mar 2010 15:39:50 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Fake Intel Chips and Energizer Bunny Trojans: What&#8217;s going on?</title>
		<link>http://www.insecureaboutsecurity.com/2010/03/09/fake-intel-chips-and-energizer-bunny-trojans-whats-going-on/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/03/09/fake-intel-chips-and-energizer-bunny-trojans-whats-going-on/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 15:29:39 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cyber Supply Chain Assurance Model]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[DOD]]></category>
		<category><![CDATA[Energizer]]></category>
		<category><![CDATA[Intel]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=409</guid>
		<description><![CDATA[Two stories caught my eye yesterday.
First, a company named Newegg shipped counterfeit Intel i7 chips to customers. Customers received a clay mold and piece of scrap metal rather than a real processor. Intel and others are investigating this situation.
In another story, the Energizer Duo Charger, a laptop battery charger kit made up of [...]]]></description>
			<content:encoded><![CDATA[<p>Two stories caught my eye yesterday.</p>
<p>First, a company named Newegg shipped counterfeit Intel i7 chips to customers. Customers received a clay mold and piece of scrap metal rather than a real processor. Intel and others are investigating this situation.</p>
<p>In another story, the Energizer Duo Charger, a laptop battery charger kit made up of hardware and software, was found to contain a Trojan Horse program in its optional battery charge monitoring software (note: the Trojan impacts Windows, but not Macintosh computers). When activated, the Trojan, which opens port 7777, can install files, read directories, and communicate with remote hackers. Energizer is cooperating with US-CERT to try to figure out how the code got into its product.</p>
<p>How are these stories related? Both describe an issue that gets little attention: cyber supply chain assurance.</p>
<p>The cyber supply chain is made up of a network of suppliers, distributors, business partners, and customers that share cyber business processes, develop technology, and distribute products. Since the cyber supply chain comprises a vast network of companies, one weak organization or bad apple can compromise products and create vulnerabilities for all downstream parties.</p>
<p>With the Intel case, it appears that someone corrupted the distribution chain. With Energizer, it seems like a rogue developer or software tester was introduced into the development cycle.</p>
<p>So here&#8217;s the problem: in general, we trust that the products we purchase are safe. Bad assumption, as the Intel and Energizer examples point out. This also holds true for technology vendors themselves, who ultimately integrate a bunch of microprocessors, specialized chips, and software code together. Could any of these components be tainted? Absolutely.</p>
<p>Here&#8217;s a scary statistic: in a recent study, the U.S. Department of Defense found that only 2% of all the microprocessors and integrated circuits purchased are actually manufactured in the United States. This gives foreign adversaries ample opportunity to tamper with critical systems in a way that is extremely hard to detect.</p>
<p>Technology is developed by distributed groups of engineers and outsourced firms across the globe. Final assembly is often done offshore. Distributors install software on systems and then repackage them. Testing software security is often weak or ignored.</p>
<p>The Intel and Energizer stories prove that trusted products can be tampered with in the supply chain. We need to address this with the right knowledge, processes, and countermeasures. Continuing to ignore it will lead to more and more similar events.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/03/09/fake-intel-chips-and-energizer-bunny-trojans-whats-going-on/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fatal System Error: A MUST read for IT professionals, legislators, and law enforcement</title>
		<link>http://www.insecureaboutsecurity.com/2010/03/08/fatal-system-error-a-must-read-for-it-professionals-legislators-and-law-enforcement/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/03/08/fatal-system-error-a-must-read-for-it-professionals-legislators-and-law-enforcement/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 18:59:49 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Fatal System Error]]></category>
		<category><![CDATA[Federal Government]]></category>
		<category><![CDATA[Joseph Menn]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=404</guid>
		<description><![CDATA[When I left home for the RSA Conference last Monday, I was already aware of the types of cyber threats we are up against. After speaking with security research leaders from Bluecoat, Symantec, and Trend at RSA, I am even more convinced that we are way behind the enemy and need to [...]]]></description>
			<content:encoded><![CDATA[<p>When I left home for the RSA Conference last Monday, I was already aware of the types of cyber threats we are up against. After speaking with security research leaders from Bluecoat, Symantec, and Trend at RSA, I am even more convinced that we are way behind the enemy and need to react quickly before we are completely overwhelmed.</p>
<p>Since one way to drive action is increased cybersecurity visibility and knowledge, I strongly suggest that anyone associated with IT, cybersecurity, privacy, national defense, or law enforcement read the new book, <span style="text-decoration: underline;">Fatal System Error</span>, by Joseph Menn.</p>
<p>Now I have absolutely no financial interest in this book, nor do I know the author. In other words, I have nothing personal to gain by this recommendation. My goal here is to educate decision makers and the public at large about just how pervasive and sophisticated the cyber threat landscape has become.</p>
<p>Menn&#8217;s book demands some level of technical knowledge, but he does a great job of explaining things in a cogent and clear way. The book highlights:</p>
<ol>
<li><strong>The evolution of the cyber underground.</strong> How crimes and the criminal network developed techniques, skills, and attacks over time. The bad guys are evolving exponentially while the good guys&#8217; skills and tools follow a logarithmic curve.</li>
<li><strong>The challenges faced by law enforcement. </strong>The Internet opens criminal activity to dispersed adversaries across the globe. Many operate in nation states that have a vested interest in compromising the economic foundation in the west. In other words, we can&#8217;t touch most of the bad guys who openly laugh in our faces.</li>
<li><strong>The sophistication of the attacks.</strong> The bad guys know who we are, who we trust, and how to exploit us. Think you are protected by law enforcement, banks, and security companies? Think again.</li>
</ol>
<p>My hope is that those who read this book (author&#8217;s note: again, everyone should) become as concerned as I am and demand immediate action. We need things like public awareness campaigns, K through 12 education, information sharing, and global law enforcement agreements, and we need them now. Time is not our ally.</p>
<p>Joseph Menn and those that helped him with this book deserve a lot of credit. I hope it drives immediate action. If it doesn&#8217;t, I&#8217;ll join Menn in saying, &#8220;I told you so&#8221; to the industrialized world as we struggle to rebuild our digital economy.</p>
<p>Many, including the DHS, believe that the damage from a cyber attack could be much greater than what we experienced from 9/11. We need to act before it is too late.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/03/08/fatal-system-error-a-must-read-for-it-professionals-legislators-and-law-enforcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA 2010: Cloud Security Announcements Already Dominate</title>
		<link>http://www.insecureaboutsecurity.com/2010/03/02/rsa-2010-cloud-security-announcements-dominate-already/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/03/02/rsa-2010-cloud-security-announcements-dominate-already/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 16:29:55 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Cloud Computing Alliance]]></category>
		<category><![CDATA[EMC]]></category>
		<category><![CDATA[F5 Networks]]></category>
		<category><![CDATA[Federal Government]]></category>
		<category><![CDATA[Infoblox]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=400</guid>
		<description><![CDATA[It&#8217;s pouring in San Francisco, but ironically, the RSA Conference is already pointed toward clouds&#8211;in this case, cloud computing security.
There were two announcements yesterday around securing private clouds. New initiative king Cisco announced its &#8220;Secure Borderless Network Architecture,&#8221; which is actually pretty interesting. Cisco wants to unite applications and mobile devices [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s pouring in San Francisco, but ironically, the RSA Conference is already pointed toward clouds&#8211;in this case, cloud computing security.</p>
<p>There were two announcements yesterday around securing private clouds. New initiative king Cisco announced its &#8220;Secure Borderless Network Architecture,&#8221; which is actually pretty interesting. Cisco wants to unite applications and mobile devices through an &#8220;always-on&#8221; VPN. In other words, Cisco software will enforce security policies for mobile devices regarding which applications they can use and when&#8211;without user intervention. Pretty cool, but you would need a whole bunch of new Cisco stuff to make this happen.</p>
<p>On another front, industry big-wigs EMC, Intel, and VMware are pushing for a &#8220;hardware root of trust&#8221; for cloud computing. The goal here is to create technology that lets cloud providers share system state, event, and configuration data with customers in real time. In this way, customers can integrate cloud security with their own security operations processes and management. This is extremely important for regulatory compliance. (Note: Another reason why EMC/RSA bought Archer Technologies).</p>
<p>These interesting announcements probably presage a 2010 RSA Conference trend: &#8220;all cloud all of the time.&#8221; Since ESG Research indicates that only 12% of midsized (i.e., 100 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations will prioritize cloud spending in 2010, all of this cloud yackety yack may be a bit over the top.</p>
<p>Two other announcements worth noting here:</p>
<ol>
<li>An actual leading voice on cloud computing security, the Cloud Security Alliance (CSA), teamed up with IEEE to survey users about cloud computing security. Users overwhelmingly want to see industry standards and soon. Bravo CSA and IEEE, I couldn&#8217;t agree more.</li>
<li>I like the F5 Networks/Infoblox announcement around DNSSEC. The two companies will offer integration technology between F5 load balancers and Infoblox DNSSEC. This partnership blends the security of DNSSEC with the reality of distributed web-based apps and infrastructure. Kudos to the companies; the federal government will be especially pleased.</li>
</ol>
<p>See you at the show!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/03/02/rsa-2010-cloud-security-announcements-dominate-already/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Spending Segmentation</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/25/security-spending-segmentation/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/25/security-spending-segmentation/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 19:52:34 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=396</guid>
		<description><![CDATA[According to ESG&#8217;s 2010 IT Spending Intentions data, 55% of midsized (i.e., less than 1,000 employees) and enterprise (i.e., more than 1,000 employees) organizations will increase spending on information security products and services in 2010.
Great news for the industry, but further analysis provides a more succinct picture: while 61% of enterprises will [...]]]></description>
			<content:encoded><![CDATA[<p>According to ESG&#8217;s 2010 IT Spending Intentions data, 55% of midsized (i.e., less than 1,000 employees) and enterprise (i.e., more than 1,000 employees) organizations will increase spending on information security products and services in 2010.</p>
<p>Great news for the industry, but further analysis provides a more succinct picture: while 61% of enterprises will increase spending, less than half (48%) of midsized companies will do so. Marketing VPs should take note and filter budget dollars toward enterprise sales and marketing programs.</p>
<p>Furthermore, information security spending intentions vary widely by industry. The industries most likely to increase spending include financial services (69% of organizations), health care (57% of organizations), and federal government agencies (56% of organizations). State/local government (47% of organizations), education (42% of organizations), and manufacturing (41% of organizations) are less apt to increase information security spending.</p>
<p>As for sales of individual security products, financial services, health care, and the federal government are looking at big enterprise security projects like identity management and information assurance, while state/local government, education, and manufacturing are more focused in tactical areas like network or endpoint security.</p>
<p>ESG&#8217;s data backs a theory I&#8217;ve had for a while: there are no more horizontal markets. Rather, different companies and industries use technology very differently.</p>
<p>Smart security vendors understand this and apply these lessons to their go-to-market execution. Others continuously struggle.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/25/security-spending-segmentation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Will be Hot at RSA 2010?</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/22/what-will-be-hot-at-rsa-2010/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/22/what-will-be-hot-at-rsa-2010/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 15:22:20 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=392</guid>
		<description><![CDATA[In the midst of the global recession, I found the RSA 2009 Conference to be a big snooze. Not much was new and the show lacked focus.
I doubt whether this year&#8217;s conference will be as lethargic. Security spending is on the rise and new regulations around data protection and breach notification are [...]]]></description>
			<content:encoded><![CDATA[<p>In the midst of the global recession, I found the RSA 2009 Conference to be a big snooze. Not much was new and the show lacked focus.</p>
<p>I doubt whether this year&#8217;s conference will be as lethargic. Security spending is on the rise and new regulations around data protection and breach notification are making their way through Congress. With this as background, I believe the hot topics at this year&#8217;s conference will include:</p>
<ol>
<li><strong>Network security. </strong>ESG&#8217;s research indicates that this is the biggest security priority for most large organizations. I expect to hear about virtual devices and lightning fast multi-function security gateways. Good news for Cisco, Crossbeam, Fortinet, Juniper, and McAfee.</li>
<li><strong>Endpoint security.</strong> There seems to be a renaissance in this category as endpoint agents consolidate and offer enhanced security protection. Advantage Kaspersky, Sophos, and Symantec.</li>
<li><strong>Cloud security.</strong> There will be a lot of hype here about this security widget and the next, but the two really interesting things will be cloud security strategy (look for the good work done by the Cloud Security Alliance) and security SaaS. Cisco&#8217;s reputation service and Trend Micro&#8217;s Smart Protection Network are prototypical applications here.</li>
<li><strong>Identity management.</strong> I expect massive changes in this area over the next few years as models like OpenID, Shibboleth, and PKI as a service take off. Lots of folks to talk to here including CA, IBM, Novell, Oracle (if Oracle will answer my calls, that is), and PGP.</li>
<li><strong>Data security.</strong> I&#8217;m hoping that the discussion is less about tactical technologies like DLP, eRM, and encryption and more about enterprise efforts around data security and information governance. HP and IBM will have a lot to say here.</li>
<li><strong>Cybersecurity.</strong> The Federal government is ramping up several efforts to bolster government security and improve security within critical infrastructure protection industries. Hopefully, I will have a chance to speak with DHS, US-CERT, and NSA about this.</li>
</ol>
<p>The RSA Conference is a tale of two cities. Half of the people there are talking and learning about real security problems and strategies while the other half yacks about products. I&#8217;m hoping that my time is spent on the former.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/22/what-will-be-hot-at-rsa-2010/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Does McAfee&#8217;s Sales Program Highlight A Morality Problem in the Cybersecurity Industry?</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/19/does-mcafees-sales-program-highlight-a-morality-problem-in-the-cybersecurity-industry/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/19/does-mcafees-sales-program-highlight-a-morality-problem-in-the-cybersecurity-industry/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 18:57:03 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Dave DeWalt]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=388</guid>
		<description><![CDATA[In order to steal accounts from archrival Symantec, McAfee cooked up a new sales campaign recently called, “Bring McAfee to the Game.” The description of the program, which seems to pivot off the upcoming World Cup Soccer tournament, reads as follows:
“McAfee will pay partner sales reps $100 USD just for telling us [...]]]></description>
			<content:encoded><![CDATA[<p>In order to steal accounts from archrival Symantec, McAfee cooked up a new sales campaign recently called, “Bring McAfee to the Game.” The description of the program, which seems to pivot off the upcoming World Cup Soccer tournament, reads as follows:</p>
<p>“McAfee will pay partner sales reps $100 USD just for telling us about a Symantec 250+ node endpoint security renewal opportunity. Offer valid through end of Q1. McAfee will also pay $5,000 USD each to the eligible partner rep and SE for closing a 10,000+ node Symantec displacement in Q1, 2010.”</p>
<p>Now direct or channel partner sales spiffs are nothing new in the high tech world. McAfee CEO Dave DeWalt has certainly seen his fair share of these programs while at Oracle, Documentum, and then EMC. The objective couldn’t be simpler: fatten the financial incentive to change sales behavior and push one product over another.</p>
<p>Whether it is endpoint software, televisions, or used cars – this is how sales works. When it comes to cybersecurity, however, I have a bit of a morality problem with these types of sales tactics. Should an organization’s security defenses really be influenced by how much money a sales rep receives? McAfee may have a truly competitive product to Symantec, but what if a vendor with a sub-par offering (or worse yet, a cybercrime organization posing as a security vendor) offered sales reps $10k for a Symantec displacement? Sales guys get rich while organizations’ security declines.</p>
<p>Should we really trust the confidentiality, integrity, and availability of our critical infrastructure to the security vendor with the most creative sales/channel incentives – or should we focus on real security here instead? I think the answer is obvious.</p>
<p>Congress often scrutinizes the medical industry to make sure that pharmaceutical companies do not have undue influence on physicians. While it is not a matter of life and death, the same moral argument should apply here.</p>
<p>At the very least, sales reps should disclose that they are being incented during the sales cycle. If they aren’t willing to disclose this, security and purchasing managers should make sure to ask security sales reps and resellers whether they are being “spiffed” on sales. This information will help buyers understand the sales motivation and use this information as part of their decision process.</p>
<p>I am not trying to knock McAfee, as it sells a leading endpoint security product and it is simply following a long tradition of sales incentive tactics in the industry. That said, security is not a game – product decisions could ultimately make sensitive systems and information extremely vulnerable.</p>
<p>When it comes to security, I’d like to see an industry moratorium on security spiffs or at least full disclosure. Sales numbers and individual salaries have no role to play in securing our digital assets.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/19/does-mcafees-sales-program-highlight-a-morality-problem-in-the-cybersecurity-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feds Change Cybersecurity Strategy &#8212; Again</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/12/feds-change-cybersecurity-strategy-again/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/12/feds-change-cybersecurity-strategy-again/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 19:06:57 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[CNCI]]></category>
		<category><![CDATA[Comprehensive National Cybersecurity Initiative]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity coordinator]]></category>
		<category><![CDATA[Federal Government]]></category>
		<category><![CDATA[Howard Schmidt]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[President Obama]]></category>
		<category><![CDATA[TIC]]></category>
		<category><![CDATA[Trusted Internet Connect]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=384</guid>
		<description><![CDATA[Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connect (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI) which was born out of National Security Presidential Directive [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connect (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI), which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.</p>
<p>Unless you are somewhere between Foggy Bottom and Independence Ave. SE, you are probably confused by all of these acronyms, so allow me to explain.</p>
<p>Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem &#8212; decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections.</p>
<p>I believe the ultimate goal was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.</p>
<p>Okay, now fast forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on further to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services, summed this up as follows: &#8220;Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.&#8221;</p>
<p>Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:</p>
<ol>
<li>It was never linked to network engineering or architecture. Those Internet connections aren&#8217;t there by accident. Yes, it is smart to minimize the number, but reducing thousands to 50 would have to mean a &#8220;rip and replace&#8221; of the whole Federal network.</li>
<li>It ignores network evolution. Data center consolidation, web-based apps, and cloud computing demand network flexibility and Internet connectivity. Reducing the number of Internet connections could be counter-productive here.</li>
<li>It wouldn&#8217;t work. Did OMB really think that DOD, NSA, or homeland security would go along with this? My guess is that these agencies thumbed their noses and other civilian agencies followed.</li>
</ol>
<p>The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC &#8212; and then totally reverse course. Someone should be held accountable.</p>
<p>I predict that the next shoe to drop will be some type of pull-back from the Einstein Project &#8212; a DHS/US-CERT/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others.</p>
<p>I&#8217;m sure President Obama&#8217;s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let&#8217;s hope he introduces some pragmatism into high priced Federal cybersecurity plans before we waste another few hundred million.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/12/feds-change-cybersecurity-strategy-again/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Note to Cisco: Pick Your Security Battle</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/11/note-to-cisco-pick-your-security-battle/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/11/note-to-cisco-pick-your-security-battle/#comments</comments>
		<pubDate>Thu, 11 Feb 2010 18:54:40 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco Systems]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Courion]]></category>
		<category><![CDATA[CSC]]></category>
		<category><![CDATA[Federal Government]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Ping Identity]]></category>
		<category><![CDATA[ScanSafe]]></category>
		<category><![CDATA[Unisys]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=379</guid>
		<description><![CDATA[I&#8217;ve written some not too flattering things lately about Cisco. Now I&#8217;ve got nothing against Cisco &#8212; I&#8217;m actually quite impressed with its broad portfolio, M&#38;A strategy, and sales/marketing muscle. Cisco also has a lot of chutzpah &#8212; taking on Dell, HP, and IBM on next-generation servers wasn&#8217;t a move you&#8217;d [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve written some not too flattering things lately about Cisco. Now I&#8217;ve got nothing against Cisco &#8212; I&#8217;m actually quite impressed with its broad portfolio, M&amp;A strategy, and sales/marketing muscle. Cisco also has a lot of chutzpah &#8212; taking on Dell, HP, and IBM on next-generation servers wasn&#8217;t a move you&#8217;d see from a risk-averse company.</p>
<p>In general, I admire Cisco, but I&#8217;m not sure where it is going with security. I&#8217;ve written a few blogs about flat revenue, changing agendas, and product commitments in the past that I&#8217;m sure haven&#8217;t played well in San Jose. The pushback I tend to get is that Cisco builds security into all of its products, so individual security products aren&#8217;t the right thing to focus on.</p>
<p>Hmm, this may be so, but in my humble opinion Cisco is fighting on two fronts and right now it can&#8217;t win on either one. Allow me to elaborate.</p>
<p>Front number one is traditional security products. Aside from a few exceptions like IronPort, Cisco security products haven&#8217;t kept up with the competition. You can build all the security you want into products, but you still need firewalls, IDS/IPS, gateways, etc. Cisco is losing a lot of these security product sales. The other problem here is that Cisco doesn&#8217;t cover all security areas. It has no desktop presence, limited application presence, no database presence, etc. This is the front where I&#8217;ve been most critical of Cisco. The only way Cisco can bounce back here is with a big acquisition (McAfee, Check Point?) or with a lot of strategic little ones.</p>
<p>Front number two is business security solutions. What I mean by this is more end-to-end security solutions that secure enterprise or vertical industry business processes. I believe Cisco is trying to go in this direction based on its new positioning and tag lines like, &#8220;enabling the next-generation workforce to collaborate with confidence.&#8221; Cisco&#8217;s instincts are spot on &#8212; enterprise organizations are now trying to secure business processes, not just IT infrastructure. The move to secure business solutions means that deals get bigger and executives get involved with security decisions. Good news for Cisco, except that it can&#8217;t hold a business security solutions candle to others like HP, IBM, Accenture, SAIC, etc. When push comes to shove, these others have vertical industry and business process mojo that Cisco just doesn&#8217;t have.</p>
<p>Cisco should go after the business security solutions market, but it can&#8217;t just throw around new marketing initiatives and succeed like it has in the networking space. I suggest that Cisco do one, a few, or all of the following:</p>
<ol>
<li>Buy a services company. Dell, HP, and IBM are all using services as a differentiator and winning the secure business solutions battles (note: I realize that a professional services acquisition would be far more strategic for Cisco than security alone). I don&#8217;t think Cisco can win by being Switzerland with everyone else. Cisco needs to acquire someone like CSC or (dare I say?) Unisys for services muscle. This will help with UCS sales AND business security solutions. Note that HP is very successful at selling business security solutions yet it has few security products. The reason? Services strength, global reach, business process expertise, and lots of industry experience.</li>
<li>Double down on identity management. In my mind, the identity space is  perfect for Cisco. Why? The technology is rapidly changing and it will likely  end up as a network service. Identity is also a key component of cloud  computing. Cisco owns Securent and Rohati but that&#8217;s not enough. Courion is out  there as a product and Ping Identity as a SaaS/network service (note: I like the  Ping or network services play best). Alternatively, if Cisco buys a professional  services company, it could make identity a core skill set and work with  independent leaders like CA and Oracle.</li>
<li>Get vertical. Cisco does a bit of this but it is mostly through its sales and  marketing effort. My contention is that Cisco should acquire and build vertical  solutions for health care, financial services, and the Federal government or get  super aggressive with partners (note: HP and IBM may have locked up the best  ones). Cisco can&#8217;t just deliver pipes, it needs entire secure solutions.</li>
<li>Go deep with compliance. For years Cisco looked at compliance as a subset  of security management. This may have been true 4 years ago but is no longer the  case. Since increasing regulation impacts all industries, Cisco&#8217;s commitment  here could complement all of my other suggestions.</li>
</ol>
<p>Cisco has dabbled with a similar business security solutions strategy. For  example, ScanSafe is a potential great adjunct to UCS, data center products, and  cloud/service provider sales and marketing. That said, Cisco has yet to jump in  with both feet.</p>
<p>Note to John Chambers: If you want to compete with HP and IBM you need more  than marketing magic that sits on the network &#8212; you need real business security  solutions.</p>
<p>Given its security leadership history, I believe Cisco can be successful here  with the right investments but I don&#8217;t believe that Cisco can fake its way  through, or compete on security products and business security solutions from  its current weak position.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/11/note-to-cisco-pick-your-security-battle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>House Cybersecurity Bill Passes.  What&#8217;s Next?</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/10/house-cybersecurity-bill-passes-whats-next/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/10/house-cybersecurity-bill-passes-whats-next/#comments</comments>
		<pubDate>Wed, 10 Feb 2010 16:44:36 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Congress]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity coordinator]]></category>
		<category><![CDATA[Federal Government]]></category>
		<category><![CDATA[H.R. 2221]]></category>
		<category><![CDATA[H.R. 4061]]></category>
		<category><![CDATA[House of Representatives]]></category>
		<category><![CDATA[Howard Schmidt]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[President Obama]]></category>
		<category><![CDATA[Senate]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=375</guid>
		<description><![CDATA[There is little doubt that President Obama and the 111th Congress are prioritizing cybersecurity initiatives.
The President outlined his plan last May and appointed Howard Schmidt as his Cybersecurity Coordinator late last year. As for the 111th Congress, it passed the Federal Data Breach Bill (H.R. 2221) earlier this year and just last [...]]]></description>
			<content:encoded><![CDATA[<p>There is little doubt that President Obama and the 111th Congress are prioritizing cybersecurity initiatives.</p>
<p>The President outlined his plan last May and appointed Howard Schmidt as his Cybersecurity Coordinator late last year. As for the 111th Congress, it passed the Federal Data Breach Bill (H.R. 2221) earlier this year and just last week the House passed the Cybersecurity Enhancement Act (H.R. 4061) by an overwhelming vote of 422 to 5.</p>
<p>Just what is the Cybersecurity Enhancement Act? The bill is really focused on cybersecurity research, development, and training. Agencies participating in the National High-Performance Computing Program must provide Congress with a cybersecurity research plan, update an R&amp;D implementation plan annually, and create new plans every three years. Additionally, the bill funds NSF cybersecurity scholarships in exchange for post-graduation government service. The bill also seeks to build cybersecurity collaboration between academic, government, and international institutions and pushes the development of technology standards for cybersecurity.</p>
<p>On balance, this is a good bill that certainly heads in the right direction.  That said, I have a few suggestions for fine-tuning this bill as it moves  along:</p>
<ol>
<li>Start earlier. In South Korea, 2nd graders receive training on how to be a  good Internet citizen. A cybersecurity bill (either this one or a follow-on)  should fund K-12 cybersecurity programs as well. Young children on the network  are at least as vulnerable as adults.</li>
<li>Push for continuing education. It is ironic that with the unemployment  rate as high as it is, many security positions remain unfilled. Unemployed or  underemployed adults with mortgages and children would enthusiastically  participate in cybersecurity training if it were available. Note to the  President: This should be a funding priority as it is all about 21st century job  creation.</li>
<li>Broaden cybersecurity training. Yes, we need firewall administrators and security researchers, but we also need security professionals who have strong business, legal, and social sciences skills. This position was well articulated to Congress in June of 2009 by Cornell Professor Fred B. Schneider. We need to create a holistic security program, as Dr. Schneider suggests, that produces people who understand security technologies and their implications for business, law, and society.</li>
</ol>
<p>One other note about the legislation: The stipulation that calls for a new  R&amp;D plan every 3 years is misguided. Security threats change on a weekly  basis so three years is far too long a timeframe.</p>
<p>My suggestions aside, I applaud the 111th Congress for truly collaborating on this important legislation. I strongly urge the Senate and the President to fast-track this bill.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/10/house-cybersecurity-bill-passes-whats-next/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>People May Be the Weakest Link in the Server Virtualization Chain</title>
		<link>http://www.insecureaboutsecurity.com/2010/02/09/people-may-be-the-weakest-link-in-the-server-virtualization-chain/</link>
		<comments>http://www.insecureaboutsecurity.com/2010/02/09/people-may-be-the-weakest-link-in-the-server-virtualization-chain/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 18:33:44 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[Extreme Networks]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=370</guid>
		<description><![CDATA[Last week, I participated in a webinar on virtualization along with Extreme  Networks and Microsoft. During the session, 113 audience members were asked two  polling questions. Here are the questions and the results:
1. In your opinion, which of the following factors is holding your  organization back from using server virtualization more prominently [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, I participated in a webinar on virtualization along with Extreme  Networks and Microsoft. During the session, 113 audience members were asked two  polling questions. Here are the questions and the results:</p>
<p>1. In your opinion, which of the following factors is holding your  organization back from using server virtualization more prominently throughout  the enterprise? (Choose all that apply)</p>
<ul>
<li>Lack of virtualization skills/knowledge within IT (42%)</li>
<li>Security /  regulatory concerns (10%)</li>
<li>Organizational complexity – separate groups manage different elements (32%)</li>
<li>Software licensing/support from ISVs (10%)</li>
</ul>
<p>2. As you move forward with virtualization, which of the following IT groups  need to become more educated and involved in the project? (Choose all that apply)</p>
<ul>
<li>Security / Compliance group (45%)</li>
<li>Server Group (52%)</li>
<li>Networking group (72%)</li>
<li>Application developers (31%)</li>
<li>Storage Group  (50%)</li>
</ul>
<p>ESG Research indicates that server virtualization is one of IT&#8217;s top priorities and it will generate a lot of IT spending in 2010. Ironically, it seems that the spending will go to hypervisors, virtualization tools, servers, and storage rather than to training and IT collaboration.</p>
<p>In my humble opinion, server virtualization technology is at a tipping point.  Yes, we&#8217;ve squeezed a lot of value out of it to consolidate Windows server  workloads, but future &#8220;dynamic virtual infrastructure&#8221; will require a lot more  thought around IT processes and architecture. This means a lot of collective IT  thought and preparation by virtualization-savvy IT folks.</p>
<p>If we are going to reach this plateau, the ESG and webinar data indicates  that we better pay attention to people and process problems &#8212; not just  technology problems. Without this the whole virtualization gravy train could  slow down or come to an abrupt stop.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2010/02/09/people-may-be-the-weakest-link-in-the-server-virtualization-chain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
