<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/cyber-attacks/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &amp; companies???</title>
		<link>http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/</link>
		<comments>http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 14:09:58 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber strategy]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[DoD]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3333</guid>
		<description><![CDATA[As a former Air Force information warfare officer, and a member of the military’s red and blue teams for many years, I believe the Department of Defense’s new “Strategy for Operating in Cyber-Space” is a small step towards developing a security plan for protecting our nation from cyber attacks. What leaves me a little perplexed, [...]]]></description>
			<content:encoded><![CDATA[<p>As a former Air Force information warfare officer, and a member of the military’s red and blue teams for many years, I believe the Department of Defense’s new <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a> is a small step towards developing a security plan for protecting our nation from cyber attacks. What leaves me a little perplexed, however, are the realities the DoD is up against in achieving the five strategic initiatives that have been outlined in the document.</p>
<p>As I was going through the plan, what struck me first was the fact that the U.S. has publicly called out to the world that cyberspace will be added as one of the operational domains, retaliating to any attacks against it in the same way it would to attacks by land, sea, air and space. Saying that it plans to aggressively train, organize, collaborate, and strengthen relationships with global partners sends a strong message to the international community about its intentions to take full advantage of cyberspace’s potential, as well as how the government plans to deal with and respond to threats against this domain. While the plan still leaves many questions around attribution and countermeasures against any such attack, I think the clear and unambiguous addition of the domain is an important step to deter cyber attacks targeting the U.S. government and our nation’s critical assets and infrastructure.<span id="more-3333"></span></p>
<p>Unfortunately, a significant portion of the document is simply reiterating the government’s “business as usual” tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8220;no one ever got fired for buying from&#8221; large companies and contractors. DoD and other agencies turn to these organizations to build offensive and defensive technologies without paying much attention to smaller, more innovative companies that, in my opinion, develop far better, more effective technology. From my experience, this has historically been the case with the military (just ask the innovative arms manufacturers that couldn&#8217;t get the military to adopt new weapons in the Civil War).</p>
<p>I did, however, find a glimmer of hope in the plan’s Strategic Initiative No. 5: <em>“DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.”</em> While I’m pleased to hear the government would like to work with small, nimble companies that I believe provide the rapid technological innovation that the document calls for, the reality is what I just outlined: the DoD tradition and evaluation/purchasing structures favor large companies and contractors. </p>
<p>The problem with the claim is that the government sets an extremely high bar that almost guarantees it can’t do business with smaller companies. Take, for example, the cost of trying to meet Common Criteria and update certifications. The average vendor does not have the resources to put their products through all of the regulatory requirements needed for most defense-related implementations. Small businesses generally cannot afford the quarter-of-a-million-dollar certification programs that large companies can. As a result, historical precedent has shown that the DoD primarily goes with incumbents.</p>
<p>I commend the government for recognizing the need to innovate technology very rapidly to keep up with evolving cyber threats. Smaller, innovative companies can play a critical role in defending our nation’s networks and systems from more sophisticated attacks. However, I cannot fully believe the DoD is serious about this claim until there is action behind it. It’s a great vision, but there still exist structural impediments that don’t allow smaller companies under normal operating procedures to fulfill that promise.</p>
<p>As a smaller company that provides highly innovative and effective application whitelisting-based endpoint protection solutions, CoreTrace stands ready to help the DoD and other agencies deliver on the cybersecurity vision. My challenge to the DoD is this: If you say working with innovative companies is part of the national cyberwarfare strategy, prove it by bringing companies like CoreTrace in and streamlining the evaluation/procurement bureaucracy.  Let us all help make your strategy a reality.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lessons from Booz, RSA, Epsilon, etcetera: Partners may be your weakest security link&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/</link>
		<comments>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 16:26:14 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3320</guid>
		<description><![CDATA[Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.
On the surface, this week’s breach of 90,000 military [...]]]></description>
			<content:encoded><![CDATA[<p>Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.</p>
<p>On the surface, this week’s <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">breach of 90,000 military e-mails and password hashes</a> may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is that the exploited server was not the military’s. The server belonged to government contractor Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.</p>
<p>In the case of the <a href="http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/">Epsilon security breach</a>, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.<span id="more-3320"></span></p>
<p>Much like the supply chains of the 1990s that tied systems together, today’s business enterprises are built on the same idea. Unfortunately, with a number of different partners connecting in real-time to a central network, an organization’s security is only as good as its partners’ security practices. If even a single partner does not adhere to today’s best practice security standards, what will result is a weakest link of the chain. Cyber criminals know this, and this week’s military breach is a prime example of what happens when hackers exploit a business partner to get to another business.</p>
<p>In today’s world, the epicenter of a cyber attack isn’t necessarily at the core of your network anymore. With so many endpoints connecting to your enterprise, how can you protect yourself when you can’t control the assets people use to get to your network? The fact is, organizations and people are getting hit in and between companies. The fight against cyber crime is becoming more about the weakest link in the entire value chain, not the organization itself.</p>
<p>Insisting on best practice security standards from all of your partners can be a first step to protecting your endpoints from attacks that start outside of your network. However, relying on your partners to maintain updates to ensure your corporate policies are enforced can potentially leave your network vulnerable to outside attacks. That’s why when pushing security standards, we recommend mandating a proactive security posture for your own endpoints and those of all of your partners. Naturally, we feel strongly that deploying an application whitelisting solution like <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">CoreTrace Bouncer</a> is a key component of that proactive strategy. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Modern, *proactive* security suites: What are the “must have” components?</title>
		<link>http://www.coretraceblogs.com/2011-05/modern-proactive-security-suites-what-are-the-%e2%80%9cmust-have%e2%80%9d-components/</link>
		<comments>http://www.coretraceblogs.com/2011-05/modern-proactive-security-suites-what-are-the-%e2%80%9cmust-have%e2%80%9d-components/#comments</comments>
		<pubDate>Tue, 24 May 2011 18:27:18 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[malware threats]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3152</guid>
		<description><![CDATA[I know this will come as a shock to all security experts, but our systems and networks are constantly under attack by an ever-expanding list of malware that threatens just about everything we do online &#8212; from working and shopping to communicating and governing. It’s true that hackers never sleep, which means that every corner [...]]]></description>
			<content:encoded><![CDATA[<p>I know this will come as a shock to all security experts, but our systems and networks are constantly under attack by an ever-expanding list of malware that threatens just about everything we do online &#8212; from working and shopping to communicating and governing. It’s true that hackers never sleep, which means that every corner presents a potential danger each time we go online. If we aren’t adequately prepared to protect the systems we rely on and get ahead of more harmful, targeted attacks, we will continue to fall victim to evolving cyber crimes that are out to exploit our systems to steal sensitive and proprietary information for personal gain, corporate espionage or international deception. We need to move to a modern, proactive security suite.<span id="more-3152"></span>  </p>
<p>According to the article <a href="http://www.heritage.org/Research/Reports/2011/05/Time-for-America-to-Get-Cyber-Serious">“Time for America to Get Cyber-Serious,”</a> today’s cyber crimes go beyond draining personal bank accounts and pose a threat to the freedoms, prosperity and security of all Americans. While the Department of Defense sees cyber attacks as a growing threat to the 3.5 million commercial computer systems they depend on to conduct military operations and protect our national security, online threats are a growing problem that’s not just limited to the public sector. Like the DoD, organizations everywhere are susceptible to malware attacks that target specific systems.</p>
<p>With government and private information networks increasingly under attack, a trend recognized in 2001 by the Government Accountability Office continues to hold up a decade later; the biggest difference is today’s online threats are more severe and potentially more dangerous than ever before.</p>
<blockquote><p>
<em>Daily, DOD identifies and records thousands of “cyber events,” some of which are determined to be attacks against systems and networks. These attacks may be perpetrated by individuals inside or outside the organization, including hackers, foreign-sponsored entities, employees, former employees, and contractors or other service providers.</em>
</p></blockquote>
<p>As the bad guys continue to come up with new ways to compromise our systems and network security, one of the ways we can get ahead of these evolving threats is to implement proactive solutions that stop the onslaught of new viruses and malware variants. Application whitelisting is one such solution that stops unapproved applications (like malware payloads) or memory attacks from running on a system, without requiring any advanced information about malicious threats. </p>
<p>You would expect an application whitelisting supplier to suggest the technology as a part of the new proactive defense arsenal, but what are the other ones? I would love to hear your opinions on the subject. What are the &#8220;must have&#8221; components that make up a modern, proactive security suite?</p>
<p>So, is it time to get &#8220;cyber-serious&#8221;? You bet it is. With new threats on the horizon, both the public and private sectors need to shed their dependencies on reactive solutions that cannot stop modern attacks. If we expect to stop the threats of tomorrow, we need to become proactive and make network endpoint security a priority today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-05/modern-proactive-security-suites-what-are-the-%e2%80%9cmust-have%e2%80%9d-components/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The other edge of the Mac success sword: OS X is really a target now&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-05/the-other-edge-of-the-mac-success-sword-os-x-is-really-a-target-now/</link>
		<comments>http://www.coretraceblogs.com/2011-05/the-other-edge-of-the-mac-success-sword-os-x-is-really-a-target-now/#comments</comments>
		<pubDate>Thu, 12 May 2011 16:48:39 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[Ben Rooney]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[in-the-wild attacks]]></category>
		<category><![CDATA[Mac malware]]></category>
		<category><![CDATA[malware attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3116</guid>
		<description><![CDATA[In February, Dan Teal discussed here on WhiteSpace why today’s Mac users have to change their way of thinking when it comes to malware attacks. Once operating with the mindset that malware writers were only interested in Windows systems, Mac users need to understand that there is a new trend emerging. As the number of [...]]]></description>
			<content:encoded><![CDATA[<p>In February, Dan Teal discussed here on WhiteSpace why today’s <a href="http://www.coretraceblogs.com/2011-02/why-macs-do-need-security-and-what-to-do-about-it/">Mac users have to change their way of thinking</a> when it comes to malware attacks. Once operating with the mindset that malware writers were only interested in Windows systems, Mac users need to understand that there is a new trend emerging. As the number of Mac users continues to steadily increase, cyber criminals are expanding the types of systems and platforms they target.</p>
<p>That message was reaffirmed this week in the Wall Street Journal. In the article, <a href="http://blogs.wsj.com/tech-europe/2011/05/11/time-for-mac-users-to-think-about-viruses/?mod=google_news_blog">“Time For Mac Users To Think About Viruses,”</a> Ben Rooney makes the point that Mac lovers should no longer feel smug about not getting viruses, or at the very least begin thinking about virus protection.<span id="more-3116"></span> </p>
<p>A pair of recent in-the-wild attacks attempting to scare Mac users into believing their machines were infected by viruses is another sign that hackers are moving beyond Windows-based PCs, and targeting other operating systems and platforms, as well. But while Mac malware may be low in numbers today, as Ed Bott points out in the recent article, <a href="http://www.zdnet.com/blog/bott/what-a-mac-malware-attack-looks-like/3269?tag=mantle_skin;content">“What a Mac malware attack looks like”</a>, we would be naive to write off these types of attacks.</p>
<blockquote><p>
<em>“It is easy to dismiss this as a crude attempt, and indeed, I don’t think many people are likely to fall for this attack. But dismissing this sample because it’s not particularly well done is like dismissing an entire computing platform because of a single poorly written app.”</em></p></blockquote>
<p>The past decade has taught us that cyber criminals like to set their sights on popular systems and emerging platforms. That said, as Macs continue to gain market share, it’s not a stretch to think that we will continue to see more Mac malware in the future. This is why now is the time to start thinking about how businesses can protect themselves. </p>
<p>But don&#8217;t take my word for it; listen to the words of really smart folks like Bill Brenner at CSO. You can start by reading Bill&#8217;s article <a href="http://blogs.csoonline.com/1506/apples_mac_os_x_never_had_superior_security">&#8220;Apple&#8217;s Mac OS X NEVER had superior security.&#8221;</a>  It is an excellent read.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-05/the-other-edge-of-the-mac-success-sword-os-x-is-really-a-target-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Critical U.S. infrastructure: &#8220;There&#8217;s always a way in.&#8221;</title>
		<link>http://www.coretraceblogs.com/2011-03/critical-u-s-infrastructure-theres-always-a-way-in/</link>
		<comments>http://www.coretraceblogs.com/2011-03/critical-u-s-infrastructure-theres-always-a-way-in/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 15:52:49 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[Night Dragon]]></category>
		<category><![CDATA[stuxnet]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2940</guid>
		<description><![CDATA[There’s always a way in.
That’s the straightforward, yet disturbing message that hacker-for-hire, Marc Maiffret, made after his team, hired by a large California-based water system to probe the vulnerabilities of its computer networks, took control of the equipment to add chemical treatments to drinking water within one day, hypothetically making the water undrinkable for millions [...]]]></description>
			<content:encoded><![CDATA[<p>There’s always a way in.</p>
<p>That’s the straightforward, yet disturbing message that hacker-for-hire, Marc Maiffret, made after his team, hired by a large California-based water system to probe the vulnerabilities of its computer networks, took control of the equipment to add chemical treatments to drinking water within one day, hypothetically making the water undrinkable for millions of homes.<span id="more-2940"></span></p>
<p>Maiffret’s team discovered the system’s weakness when they found county employees had been logging into the network through their home computers, which left a gaping security hole. According to the LA Times article, <a href="http://www.latimes.com/news/nationworld/nation/la-na-cyber-war-20110328,0,6416856.story" target="_blank">“Virtual war a real threat,”</a> this type of vulnerability is not uncommon. In fact, similar weaknesses in industrial control systems that run electrical grids, pipelines, chemical plants and other infrastructures exist across the country.</p>
<p>These types of examples underscore the urgency to secure critical U.S. infrastructure. While the Department of Homeland Security is working to help secure the country’s crucial infrastructure facilities, the reality is the companies, themselves, are the ones ultimately responsible for protecting their networks. But even with both entities striving to achieve the same goal, many experts including Scott Borg, head of the U.S. Cyber Consequences Unit, believe there’s still work to be done.</p>
<blockquote>
<p><em>&#8220;If we don&#8217;t get our act together, the consequences could be dire.&#8221;</em></p>
</blockquote>
<p>While vulnerabilities in these systems exist, reactive security solutions are no match for more sophisticated attacks like Night Dragon and Stuxnet, which target system controls of critical infrastructure companies.</p>
<p>To prevent unauthorized applications from exploiting their computer networks, organizations need to take a proactive stance to stop malicious software from running on their systems, despite their employees’ normal, but risky behavior. Application whitelisting technology prevents the execution of all applications that are not pre-approved for each computer in the infrastructure, including malicious and legitimate remote control applications used by these types of attacks to penetrate the network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-03/critical-u-s-infrastructure-theres-always-a-way-in/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

