President Obama has made cybersecurity a national security and economic priority of his administration. A panel of cybersecurity policy experts says the administration's top IT security achievement is the February 2013 issuance of Executive Order 13636, which aims to improve critical infrastructure cybersecurity and resilience (see Obama Issues Cybersecurity Executive Order).

The executive order consists of two major parts: Establishing a process to share cyberthreat information with the private sector and directing the National Institute of Standards and Technology to create a cybersecurity framework to safeguard critical infrastructure's IT assets.

In this special edition of the ISMG Security Report (click on player beneath image to listen), you'll hear the panel of experts debate the effectiveness of the executive order, especially the NIST cybersecurity framework. The panelists voiced varying positions on whether the government should test the framework to determine the value it provides, especially to small businesses.

Cybersecurity Though-Leaders

The panelists include:

Steven Chabinsky, general counsel and chief risk officer at CrowdStrike, which provides incident response and threat analysis services. He formerly served as FBI deputy assistant director for cyber. Obama recently named Chabinsky to the President's Commission on Enhancing National Cybersecurity (see Cybersecurity Commission Includes Former Heads of NSA, NIST). Larry Clinton, president and CEO of the trade association the Internet Security Alliance. Karen Evans, national director of the U.S. Cyber Challenge, who served in the George W. Bush White House in the post now known as federal CIO. Ari Schwartz, managing director for cybersecurity policy at the law firm Venable, who formerly held several senior cybersecurity jobs in the federal government between 2010 and 2015, including senior cybersecurity policy adviser at NIST and its parent, the Department of Commerce, as well as special assistant to the president and White House senior director for cybersecurity.

Panel Presents at Summit

This special edition was recorded after the panelists debated how the next president will deal with Obama's cybersecurity legacy, a session that kicked off Day 2 of the recent ISMG Fraud and Breach Prevention Summit in Washington.

Please check out our regular editions of the ISMG Security Report, which are posted on ISMG news websites on Tuesdays and Fridays. Here's a link to our previous report that examined global breach notification.

The ISMG Security Report theme music is by Ithaca Audio.

Executive recruiter Bill Liguori helps many organizations find CISOs. What skills are these companies looking for today? "Our clients are asking for folks who can be business thinkers first, but have a good depth of technology, security and engineering behind them. Because without that business concept, they're not going to build something that continues to grow the organization."

The CISO's role has evolved much as the CIO role has changed, Liguori, a partner at executive search firm Leadership Capital Group, says in an interview with Information Security Media Group.

"The CIO function used to be seen as "back-office, purely cost-center, non-strategic," he notes. But today, "every business is a technology business. Every business relies heavily on technology to acquire new customers and service customers. ... And security becomes integral."

In the past, security was one of those functions that was about protecting assets and responding to all threats, the recruiter says. "Now, it's becoming something that's more focused on the core operational side of the business."

Common Characteristics

The CISO's role is similar across most industries, Liguori says. "There's a lot of commonality across the spectrum when it looks to security leaders," he says. "A little bit of it is dependent on the industry - some industries are more highly regulated than others ... But if you look at it at a broad, macro level, [organizations are looking for] security leaders to be able to translate the needs of the business and the organization."

And recruiting CISO candidates with the right combination of business and technical skills is challenging, he says.

"Security folks - the good ones - are really hard to find. ... Most organizations have a whole slew of security leaders. But when you start diving into ... how do you find the good ones, it's finding those who understand how to continue to drive the business."

In the interview (see audio player below photo), Liguori also discusses:

How successful CISOs are dealing with evolving cyber threats, such as ransomware attacks and major data breaches; How the healthcare sector compares with other industries when it comes to expertise sought in CISOs; Predictions on what will come next in the evolution of the CISO's role.

Liguori is a co-founder and partner responsible for the healthcare, insurance, hospitality, media and professional services practices at Leadership Capital Group. Previously, he was a vice president at a London-based retained executive search firm and served in various leadership roles at the data aggregation software company Yodlee and at the IT services and consulting firm Sapient Corp.

Breach Preparedness , Data Breach , Risk Management

Microkernel 'seL4' Aims to Lock Down Avionics, Cars, SCADA and More Jeremy Kirk (jeremy_kirk) • June 3, 2016    

There's a custom drone sitting in a laboratory in Sydney. Unlike many drones, no hacker has been able to take control of its flight systems.

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

The quadcopter represents years of work by researchers with Australia's national research agency, Data 61. What makes the drone's critical software ultra secure is a relatively tiny operating system that has been optimized for maximum security benefit.

The operating system, called seL4, was a breakthrough for Australian researchers aiming to develop secure systems for use in everything from in-flight computers to automotive controls to SCADA infrastructure.

The seL4 microkernel is a stripped down, slim version of the core code of an operating system. Kernels are especially security-sensitive because the code they run is allowed access to all other parts of a computer's hardware and software.

Mathematically Proven

Microkernels have been developed for more than four decades. But in 2009, researchers in Australia had a major breakthrough: they mathematically proved that seL4 will only behave according to a strict specification, a concept referred to as formal verification.

A mathematical proof demonstrates that seL4 contains no software vulnerabilities at all. "The proof shows that the code implements the specification, and no more and no less," says Ihor Kuz of Data61's Trustworthy Systems division. "So if the specification doesn't have a buffer overflow, there's no buffer overflow."

The seL4 microkernel maintains a strict separation between critical and non-critical functions. So if a hacker compromises an application running on top of seL4, access to other parts of the system are completely sealed off. There's simply no attack surface, and a hacker can't access or read or write to other parts of the system.

The microkernel's security, however, is dependent on some assumptions the researchers have made. For example, it could be undermined if the hardware platform it runs on contains deeply embedded spying code or has its own software vulnerabilities.

"We can't do anything against a hardware backdoor," says Gerwin Klein, research group leader for Data61's Trustworthy Systems. "Ultimately, if you can't trust what you're running on, you can't do much against that."

Also, Klein says the mathematical proof assumes that the behavior of the instruction set that the binary runs in is its actual behavior in the real world. "That's not something you can prove," he says. "It's something you write down."

Australia's Data61 research agency has developed a drone that uses an ultra-secure operating system called seL4 that is free of software vulnerabilities, making it resistant to hacking attempts.

Microkernel Gets a DARPA Shakedown

Kuz demonstrated an attack against the drone. Its mission computer - which is responsible for communicating with ground-based systems and instructing the flight controller - runs on seL4. If a hacker wanted to interfere with a flight, it's this computer that would be targeted.

Also running on top of seL4 is a virtualized instance of Linux, which controls the drone's camera. It's considered a non-critical system, and the camera communicates over Wi-Fi to send images. Kuz attacked the Linux instance, sending a fork bomb, which is a classic denial-of-service attack for Unix-based systems.

The camera crashes. But there's no way for Kuz to cross seL4's barrier to the mission computer, and the drone's flight systems are unaffected. "Whatever happens to the Linux stays in the Linux," Kuz says. "It's a little bit like Vegas."

Data61 has been working closely with the U.S. Defense Advanced Research Projects Agency to see how seL4 holds up in trials. Last year, a Boeing Little Bird helicopter was fitted with seL4 for an in-flight penetration test. The helicopter's critical systems couldn't be hacked.

The test was part of DARPA's High-Assurance Cyber Military Systems, a program that involves defense contractors such as Boeing and Rockwell Collins.

Commercial Use?

Data61's microkernel could be useful for a variety of industries where highly secure systems are needed. seL4 was released as open-source software about two years ago, so anyone can use it. Vehicle manufacturers would be prime candidates, especially after a flood of research has demonstrated that there are pervasive vulnerabilities in many of their software systems.

In mid-2015, for example, researchers Charlie Miller and Chris Valasek found that a vulnerability in a telematics unit could be exploited to gain control of a Jeep Cherokee's brakes. Fiat Chrysler recalled 1.4 million vehicles after the demonstration, which drew wide attention as it involved a journalist from Wired magazine driving the vehicle on a California highway.

On a related note, seL4 could be used in a vehicle's controller area network - a.k.a. CAN bus - which interfaces with a variety of sensors and systems. "Having an architecture and platform that provides isolation but integration would be of value," says Kevin Elphinstone, a principal researcher with Data61.

Products using seL4, however, may still be a few years away from reaching market. DARPA has given a number of grants to small enterprises, including a space company and a SCADA one, to use seL4. But because a microkernel is at the foundation of a product, it can take as long as five years to complete development, says Gernot Heiser, a computer science and engineering professor at the University of New South Wales.

There will likely still be a role for security software, even with systems using seL4. If untrustworthy software is used alongside seL4, there may still be a need for firewalls or intrusion detection systems, Klein says.

But not for seL4 itself. "The rootkit and virus scanners - they have a great business model, which is based on not solving the problem," Heiser says. "We hope to put them out of business."

Authentication , Mobility , Payments

Visa Unveils Prototype Ring of Payment Power Everyone Can Play Point-of-Sale Superhero ... Until the Credit Runs Out Mathew J. Schwartz (euroinfosec) • June 3, 2016    

Asking how many different technologies consumers will tolerate when it comes to paying for their goods and services is a bit like asking how many more superheroes moviegoers will countenance in the latest "Avengers" film.

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

The answer so far seems to be: More is more, plus or minus one Ant-Man.

Continuing on the superhero tip, anyone who wants the seeming superpower of being able to wave their hand over a point-of-sale terminal to pay for goods and services: Your moment has arrived - so long as your credit holds out.

Behold the first-ever "payment wearable ring," unveiled by Visa this week. It blends a "secure microchip" made by Gemalto with an embedded NFC-enabled antenna, and it's water-resistant to a depth of 50 meters (55 yards).

To be clear: You can't have one. Well, at least not yet, unless you're one of 45 athletes heading to the 2016 games in Rio de Janeiro in August that Visa plans to bestow the ring upon - "place the ring, speak the oath," and so on. That's assuming, of course, that the games go ahead, in light of Zika virus warnings, although the World Health Organization has downplayed the threat, unless you're a pregnant woman or her partner. (Everyone feel safe now?)

You Will Pay

The ring is a reminder that payment card brands love to give consumers different ways to pay. Hence consumers' options range from payment cards and contactless payment cards to Apple Pay and that innovatively named alternative, Android Pay, née Google Wallet.

Of course, this isn't a one-way street. Many consumers have adopted Apple Pay, for example, which logged $10.9 billion in worldwide usage last year, Reuters reports. It adds that most of that usage was in the United States, and that adoption in the other six countries to which it's been rolled out has struggled. No doubt that's because countries such as the United Kingdom already have contactless payment cards, which logged £52.4 billion ($75.5 billion) in U.K. spending just in the month of February, the UK Cards Association says. Also, it's far easier to use that type of card than to start up an app while everyone waiting behind you in line fake-whispers "smartphone addict" under their breath.

Soon, consumers may also have the option of payment rings. Despite the sartorial challenges - do you attempt to color-coordinate? - there also exists the potential for payment missteps, for example when you forget that it's Visa on the left and MasterCard, patent permitting, on the right. Whether other brands would have the option of becoming anklets, bracelets or toe rings remains unclear.

Behold: The Super Stare

In other "body parts meet payment technology" news - no mad scientists to see here, please move along - Wells Fargo has reportedly been testing new types of biometric authentication that don't involve fingerprints. Yes, we're living on the biometric edge (see Can Selfies Fight Payment Card Fraud?).

Now, the bank has been looking to eye scanning as an authentication technique, which it considers to be more secure, and which it plans to roll out for users of its commercial banking app, with a face- and voice-recognition system as an alternative, The Los Angeles Times reported earlier this year.

The eye scanning - users won't have to blink - requires users to look to the side, so the app can read the unique pattern of blood vessels in the whites of their eyes, and only takes a few seconds.

"An early prototype was faster, but customers thought it was too fast and that nothing was happening," Secil Watson, who oversees online and mobile applications for Wells Fargo commercial banking, told the newspaper.

As would-be superpowers go, it's hardly on par with DC Comics superhero Superman being able to shoot lasers from his eyes.

But for anyone who seeks the marginally super power of being able to pay or authenticate more quickly, behold: Your time has come.