Timesdelhi.com

September 24, 2018

Russian indictments show that the U.S. needs federal oversight of election security


President Trump’s Helsinki summit with Vladimir Putin, on the heels of twelve Russian intelligence officials indicted for hacking the 2016 election, made it clear that this administration has zero commitment to protect our elections from future Russian attacks.

These events should remind us of an alarming fact we can no longer afford to ignore: our elections are not secure.

As a nation, we underfund and neglect election security. So, much like our aging infrastructure, our election infrastructure is severely outdated and crumbling before our eyes.

Unfortunately, in today’s hyper-partisan environment, even concerns over election security are divided along party lines. Case in point: after his trip to Russia last week, Republican Senator Ron Johnson declared “It’s very difficult to really meddle in our elections. It just is.”

To effectively safeguard our elections, we need to consider yet another conservative taboo: the federal government should have more power in setting election security standards. Our current decentralized, disjointed state-based system is no longer adequate for protecting our elections against foreign interference in the 21st century.


Right now, the federal government plays a very limited role in the oversight of election security. The Election Assistance Commission and Department of Homeland Security offer optional resources and issue non-binding guidelines for best practices, and states are free to come up with their own standards as they please. The results, unsurprisingly, are abysmal.

In 2016, for example, over two-thirds of all counties in the U.S. used voting machines that were over a decade old. Many machines used outdated software and ran on absurdly old operating systems such as Windows 2000. Thirteen states still use machines that are completely electronic, which makes them prone to glitches, and with no paper trails, the results cannot be audited.

Many experts have pointed out that our current machines could be hacked in a matter of minutes. Recently, a 14-year-old participant at DefCon breached a voting machine in 90 minutes, and was able to change the vote tally in the machine remotely, from anywhere.

Besides the machines, there are other major vulnerabilities in many states’ election security standards that would make hacking our elections a breeze for the Russians. Our voter registration databases are outdated and prone to infiltration. Many states have no post-election auditing requirements at all, and those that do are often insufficient, severely undermining our ability to identify and correct an attack.

While federalizing election security has long been castigated as an infringement of states’ rights, politicians are beginning to acknowledge its necessity. Senator Ron Wyden, for instance, recently introduced the Protecting American Votes and Elections Act of 2018, which would require every state to use election machines with paper ballots and mandate risk-limiting post-election audits (the “gold standard” of election auditing).

As Wyden argues: “Americans don’t expect states, much less county officials, to fight America’s wars. The Russians have attacked our election infrastructure and leaving our defenses to states and local entities, in my view, is not an adequate response. Our country needs baseline, mandatory, federal election security standards.”


Rather than providing concrete solutions, this Republican Congress continues to pretend that all of our election security problems can be solved by tiny, poorly designed federal grant programs alone. In this year’s omnibus spending bill, a bipartisan compromise provided a meager, but much needed $380 million federal grant to states for strengthening election security ahead of the 2018 election. However, the effectiveness of this grant is questionable, given it was earmarked for broad purposes and allocated by a formula that is not competitive or need-based.

Worse still, since states are not required to spend the federal grant allocated to them, some states have not even applied to collect their shares. Several state governments are impeding the use of this grant through a combination of delayed action and inaction. For example, Florida’s Republican-led state legislature has refused to authorize its election officials to use the grant before the 2018 election, even though the state is in desperate need of more election security funding.

While inadequate funding is a serious concern that needs to be addressed — House Democrats estimated that we will need $1.4 billion over the next decade to bring our entire election system in line with best practices — increasing federal grants alone would not be enough to secure elections in every state. The Secure Elections Act, a bill currently with the most broad-based, bipartisan support, will provide much needed federal funding to make up for the current shortfall, but as with this year’s federal grant, there is no guarantee states would use the funding in a timely and effective fashion — or at all — given state participation will remain voluntary under this bill.

Our representative democracy cannot survive if we fail to preserve the fairness and integrity of our elections. While it’s too late to implement binding federal guidelines to secure the 2018 midterm, we should accept nothing less for the 2020 presidential election, as we can be certain the Russians will hack that election in order to help their preferred candidate, yet again.

Too many states have proven they are unwilling to take election security seriously. It’s time for the federal government to step in.

News Source = techcrunch.com

The United States needs a Department of Cybersecurity


This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian sponsored hack of the American 2016 election with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subverting our democracy.

For good reason. There is now clear evidence of Russian interference in the election with Special Counsel Mueller’s 37-page indictment of 13 Russians, yet the attack on US sovereignty and stability has gone largely unanswered. The $120 million set aside by Congress to address the Russian attacks remains unspent. We expelled Russian diplomats but only under international pressure after the poisoning of a former Russian spy and his daughter.

Recent sanctions are unlikely to change the behavior of the Putin administration. To put it bluntly, we have done nothing of substance to address our vulnerability to foreign cyberattacks. Meanwhile, our enemies gain in technological capability, sophistication and impact.

Along with the Russians, the Chinese, North Koreans, Iranians and newly derived nation states use cyber techniques on a daily basis to further their efforts to gain advantage on the geopolitical stage. It is a conscious decision by these governments that a proactive cyber program advances their goals while limiting the United States.


We were once dominant in this realm both technically and with our knowledge and skillsets. That playing field has been leveled and we sit idly by without the will or focus to try and regain the advantage. This is unacceptable, untenable and will ultimately lead to potentially dire consequences.

In March of this year, the US CyberCommand released a vision paper called “Achieve and Maintain Cyberspace Superiority.” It is a call to action to unleash the country’s cyber warriors to fight for our national security in concert with all other diplomatic and economic powers available to the United States.

It’s a start, but a vision statement is not enough. Without a proper organizational structure, the United States will never achieve operational excellence in its cyber endeavors. Today we are organized to fail. Our capabilities are distributed across so many different parts of the government that they are overwhelmed with bureaucracy, inefficiency and dilution of talent.

The Department of Homeland Security is responsible for national protection including prevention, mitigation and recovery from cyber attacks. The FBI, under the umbrella of the Department of Justice, has lead responsibility for investigation and enforcement. The Department of Defense, including US CyberCommand, is in charge of national defense. In addition, each of the various military branches has its own cyber units. No one who wanted to win would organize a critical capability in such a distributed and dispersed manner.

How could our lawmakers know what policy to pass? How do we recruit and train the best of the best in an organization, when it might just be a rotation through a military branch? How can we instantly share knowledge that benefits all when these groups don’t even talk to one another? Our current approach does not and cannot work.


What is needed is a sixteenth branch of the Executive — a Department of Cybersecurity — that would assemble the country’s best talent and resources to operate under a single umbrella and a single coherent policy. By uniting our cyber efforts we would make the best use of limited resources and ensure seamless communications across all elements dealing in cyberspace. The department would act on behalf of the government and the private sector to protect against cyberthreats and, when needed, go on offense.

As with physical defense, sometimes that means diplomacy or sanctions, and sometimes it means executing missions to cripple an enemy’s cyber-operations. We have the technological capabilities, we have the talent, we know what to do, but unless all of this firepower is unified and aimed at the enemy we might as well have nothing.

When a Department of Cybersecurity is discussed in Washington, it is usually rejected because of the number of agencies and departments affected. This is code for loss of budget and personnel. We must rise above turf battles if we are to have a shot at waging an effective cyber war. There are some who have raised concerns about coordination on offensive actions but they can be addressed by a clear chain of command with the Defense Department to avoid the potential of a larger conflict.

We must also not be thrown by comparisons to the Department of Homeland Security and conclude a Cybersecurity department would face the same challenges. DHS was 22 different agencies thrust into one. A Department of Cybersecurity would be built around a common set of skills, people and know-how all working on a common issue and goal. Very different.

Strengthening our cyberdefense is as vital as having a powerful standing army to defend ourselves and our allies. Russia, China and others have invested in their cyberwar capabilities to exploit our systems almost at will.

Counterpunching those efforts requires our own national mandate executed with Cabinet level authority. If we don’t bestow this level of importance on the fight and set ourselves up to win, interference in US elections will not only be repeated … such acts will seem trivial in comparison to what could and is likely to happen.

News Source = techcrunch.com

Lessons from cybersecurity exits


To: ceo@cybersecuritystartup.com

Subject: Lessons from cybersecurity exits

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and two nice acquisitions – Zscaler’s great debut on Wall Street, a $300 million acquisition of Evident.io by Palo Alto Networks and a $350 million acquisition of Phantom Cyber by Splunk – have gotten all of us excited.

Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Which is not bad for ~4 to 5 years of work. They can finally afford to buy two-bedroom homes in Silicon Valley.

Evident.io Investment Rounds and Return Estimates

| Date | Select Investors | Round Size | Pre | Post | Dilution | Estimated Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| Sep 2013 | True Ventures | $1.5m | $5.25m | $6.75m | 22% | 44X |
| Nov 2014 | Bain Capital | $9.8m | $18.1m | $28.0m | 35% | 10.7X |
| Apr 2016 | Venrock | $15.7m | $35.0m | $50.7m | 30% | 6X |
| Feb 2017 | GV | $22.0m | $73.6m | $95.5m | 23% | 3.1X |

My math is not that good but looks like even some VCs made a decent return. Back of the envelope scribbles indicate that True Ventures scored an estimated ~44X multiple on its seed investment. Others like Bain snagged a ~10X on the A round investment and Venrock which led the Series B round took home ~6X.

We see a similar pattern with Phantom Cyber, which got acquired by Splunk for $350 million. A little bird told me that they had bookings in the range of $10 million. But before we all get too self-congratulatory, let’s ask – why did these companies sell at $300 million to $350 million when everyone in the valley wants to ride a unicorn? Clearly, funds like GV, Bain and Kleiner could have fueled more rounds to make unicorns out of Evident.io and Phantom Cyber.

Phantom Cyber Investment Rounds and Return Estimates

| Date | Select Investors | Round Size | Pre | Post | Dilution | Estimated Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| April 2015 | Foundation Capital | $2.7m | $8.3m | $11.04m | 14.50% | 31.7X |
| Sep 2015 | Blackstone | $6.5m | $26.7m | $33.2m | 15.90% | 10.5X |
| Jan 2017 | KPCB | $13.5m | $83.0m | $96.5m | 13.90% | 3.6X |

(Data Source: Pitchbook)

Some of the board members might have peeked at the exit data gathered by the hardworking analysts at Momentum Cyber, a cybersecurity advisory firm. Look at security exit trends from 2010-2017. You might notice that ~68% of security exits were below $100 million. And as much as 85% of exits occur below $300 million.

Agreed, there are very few exceptional security CEOs like Jay Chaudhry, who grew up in a Himalayan village and led Zscaler to an IPO. This was Jay’s fifth startup and he kept over 25.5% of the proceeds, with another 28.3% owned by his trust. TPG Growth owned less than 10%. After all, he himself funded a substantial part of the company (which raised a total of $110 million). But not everyone is as driven or successful, and it’s OK to sell if the exit numbers are meaningful. Remember what the Bard of Avon once said:

For I must tell you friendly in your ear,

Sell when you can; you are not for all markets.

(Shakespeare, As You Like It, Act 3, Scene V)

(68% of security exits occur below $100 million. M & A Data from 2010-2017. Source: Momentum Cyber)

My friend Dino Boukouris, a director at Momentum Cyber, offers some sage advice to all founders who are smitten by unicorns. “Before a founder raises their next round, I would reflect on the market’s ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops.” Dino has a point, you see. As we inflate valuations, your work, my dear CEO, becomes much harder.

If you don’t believe Dino, let’s look at another recent exit, PhishMe, which was acquired by a private equity consortium for $400 million. That’s a nice number, correct? At first look, you’ll notice that the dilution and financial return patterns are similar to those of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and capital efficiency matter as much as exit value. It’s not just the exit value, but how long and how much. Back to my man Dino, who will gently remind you that for the 175 M&A transactions in 2017, the median value was $68 million. Read that last sentence again — very slowly. $68 million. Ouch!

PhishMe Investment Rounds

| Date | Round Size | Select Investors | Pre-money Valuation | Post | Dilution | Returns / Multiple of Invested Capital |
|---|---|---|---|---|---|---|
| July 2012 | $2.5m | Paladin | $10m | $12.5m | 12.20% | 32.0X |
| March 2015 | $13m | Paladin | $61m | $74m | 13% | 5.4X |
| July 2016 | $42.5m | Bessemer | $155m | $197m | 21% | 2.0X |

(Data Source: Pitchbook)

Two years ago in Cockroaches versus Unicorns – The Golden Age of Cybersecurity Startups, cybersecurity founders were urged to avoid the unicorn hubris. A lot of bystanders, your ego included, will cheer you as you get higher valuations. But aren’t we all rational human beings, always making data based decisions?

Marc Andreessen will remind you that his best friend, Jim Barksdale, once said “If we have data, let’s look at data. If all we have are opinions, let’s go with mine.” Since 2012, my VC friends have funded 1242 cybersecurity companies, investing a whopping $17.8bn. But chief information security officers say that they don’t need 1242 security products. One exhausted CISO told me they get fifteen to seventeen cold calls a day. They hide away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital are celebrating the successful sale of Evident.io. They pointed out that the founders — Tim Prendergast and Justin Lundy had lived the public cloud security problem in their previous lives at Adobe. “Such deep domain expertise allowed them to gain credibility in the market. It’s not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an “easy to deploy” solution that could scale to customers with 1000s of AWS / Azure accounts. Customers were more willing to be reference-able, given this aligned relationship.”

(Source: Momentum Cyber)

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner at Accel Partners, says, “CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell.” According to Cack Wilhelm, Partner at Accomplice, “Security analysts have alert fatigue, and CISOs have vendor fatigue.” You are one of those possibly, wouldn’t you agree?

Besides indigestion and fatigue, the CISO role has become demanding. William Lin, Principal at Trident Capital Cyber, a $300m fund, pointed out that “the role of CISO has bifurcated into managing risk akin to an auditor and at the same time, managing complex engineering and technology environments.” So naturally, they are managing their time more cautiously and not looking forward to meeting one more startup.

Erik Bloch, Director of Security Products at Salesforce, says that while he keeps an open mind and is willing to look at innovative startups, it takes him weeks to arrange calls with the right people, and months to scope a POC. And let’s not forget the mountain of paperwork and legal agreements. “It’s great to say you have a Fortune 100 as an early customer, but just be warned that it’ll be a long, hard road to get there, so plan appropriately,” he pointed out.

So, my dear founder, as the road gets harder, funding slows down. Look at 2017 — despite all those big hacks, Series A funding dropped by 25% in 2017. Clearly, many of our seed funded companies are not delivering those Fortune 100 POC milestones. And are unable to raise a Series A. Weep, if we must, but let us remind ourselves that our point solutions are not that impressive to the CISOs.

All the founders I know are trying to raise a formulaic $8m Series A on $40m pre. But not every startup that wants 8 on 40 deserves it. Revenues and growth rate, those quaint metrics, matter more than ever. And some investors look for the quality of your customers. Aaron Jacobson of NEA, a multi-billion dollar venture fund, says, “A key value driver is a thought-leader CISO as a customer. This is often a good indicator of value creation.”

| Stage | Expected Revenue Run Rate | Estd. Round Size |
|---|---|---|
| Angel | None | Up to $2m |
| Series A | $1.5m to $3m | $5m to $8m |
| Early VC | $5m to $8m | $15m to $25m |
| Late Stage VC | $6m to $10m | $30m to $50m |

When markets get crowded and all startups sound the same, investors seek quality, or move to later stages. They like to see well proven companies that have solved a lot of basic problems and eliminated riskier stumbling blocks, like product-market fit, pricing and go-to-market issues. Naturally, the later stage valuations are rising faster. Money is chasing quality, growth and returns.

Median Post-Money Valuation by stage for cybersecurity companies (Source: Pitchbook)

The security IPOs offer a sobering view. This is a long journey, not for the faint of heart. Okta moved fast, consumed ~4X more capital compared to SailPoint and delivered great returns.

| Company | Year Founded | Years to IPO | Total Capital Raised Prior to IPO | Revenues (2017) | Post Money of Last Round Prior to IPO | Market Cap at IPO |
|---|---|---|---|---|---|---|
| Zscaler | 2008 | 10 | $180m | $176m | $1.05bn | $3.6bn |
| Okta | 2009 | 8 | $231m | $160m | $1.18bn | $2.1bn |
| Forescout | 2000 | 17 | $159m | $220m | $1.0bn | $806m |
| SailPoint | 2004 | 13 | $54.7m | $186m | N/A | $1.1bn |

Security IPOs (Source: Momentum Cyber, Pitchbook)

Innovating with go-to-market strategies

In the near term, the big challenge for you, dear security founder, is selling in an overcrowded market. If I were you, I’d remember that innovation should not be restricted to merely technology, but can extend into sales and marketing. We lack creativity when it comes to marketing – ask Kelly Shortridge of Security ScoreCard. She should get some kind of BlackHat award for developing this godforsaken Infosec Startup Bingo. If you find any startup vendor that uses all these words, and wins this bingo, please DM me; I will promptly shave my head in shame. We got here because we do not possess simple marketing muscles. We copy each other while our customers roll their eyes when we pitch them.

Sid Trivedi of Omidyar Technology Ventures wants to work with developer-focused startups. He says, “Look at companies like Auth0. The sales efficiency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and point out that X number of developers are paying to use my technology. Here are their names, why don’t you talk to them? And then, let’s discuss an enterprise license for the full company? That approach works like magic. The overwhelming majority of the software IPOs like Twilio, Mulesoft, SendGrid are developer platforms.”

If you go top-down in a hurry, you can crash and burn. I am aware of an impatient security vendor who used executive level pressure at a Fortune 50 company. They kicked their way into the POC. And got kicked out by the infosec team. The furious infosec team destroyed the vendor in a technical assessment. I was told that the product was functional but the vendor’s impatience and political gymnastics killed the deal. Let us not forget a simple truth: many times CISOs turn to their subordinates for advice and decision-making, so don’t just sell to the top, and don’t ignore the rest of the people in the room.

With more noise, the buyers freeze. Margins shrink. Revenues and growth slow down. Which means it’s harder to get to your milestones before your next round. Running out of cash is not fun. Nor is a down round, layoffs and such. So while this is easier said than done, please raise less and do more. And maybe, just maybe, you can keep 40% of a $350 million exit.

If you have questions or existential dilemmas, you can always find me, chatting with a friendly VC in South Park. Or I’m always around in the trusted secure world of Signal.

Stay safe at that annual security stampede called RSA.

Kindly,

Mahendra

PS: Let’s not forget to express our gratitude to those analysts at Momentum Cyber and Pitchbook for painstakingly tracking every investment, analyzing and presenting meaningful data. They help us look at the forest, and make our journey easier. Send them a thank-you tweet, some wine, chocolates, flowers or home-baked cookies.

News Source = techcrunch.com

EU uses Privacy Shield review to press for reform of U.S. foreign surveillance law


A one-year-old data transfer mechanism that’s used by thousands of companies to authorize transfers of personal data between the European Union and the U.S. for processing has been given the thumbs up after its first annual review.

“The Commission’s general view is that the American authorities are living up to their commitments and that the system works,” said Commissioner Vera Jourova today. “The US side has put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals and co-operation channels with European data protection authorities.”

But while the Commission said the implementation is, in its view, functioning well at this nascent stage it also wants to see improvements — and has made a number of recommendations.

These include more proactive and regular monitoring of US companies’ compliance with their obligations under Privacy Shield; raising awareness for EU users that a complaint pathway is open to them if they have concerns about how a US company is handling their personal data; and closer co-operation between U.S. and EU authorities to enforce privacy, such as by developing guidance for companies and enforcers.

The Commission said it will work with U.S. authorities to follow-up on its recommendations in “the coming months”, as well as continuing to “closely monitor” the functioning of the data transfer framework, including the U.S. authorities’ “compliance with their commitments”.

Its review report is also being sent to the EU parliament, Council and Article 29 Working Party so additional responses from other EU institutions are likely in the coming months.

Pushing for FISA Section 702 reform

Jourova also confirmed the EC is actively lobbying U.S. politicians engaged in the debate around reforming Section 702 of the Foreign Surveillance Intelligence Act (FISA). So while US intelligence agencies are pressing hard for the controversial portion of the law which allows the US government to intercept the communications of foreign intelligence targets to be made permanent, EU officials are pushing in the polar opposite direction.

Their lobbying position is strengthened by the fact that some 2,400 companies have now signed up to the EU-US Privacy Shield program — including tech giants such as Google, Facebook and Microsoft. The EC has the power to suspend the mechanism at any time if it feels it’s no longer providing adequate privacy protection for EU citizens’ data.

Jourova said today that the EC is hearing two lines in Washington regarding renewal of FISA 702: one view being that Congress will reauthorize the current version of the law; and the other being that, as she put it, “there is a space for improvement in our interests — that the protection of non-American citizens could be added”.

Should the latter come to pass Jourova said it “would be very good news” for Privacy Shield, noting that the data transfer mechanism currently relies “for a very large extent” on a Presidential Policy Directive, signed by the Obama administration in 2014 (PPD-28), which imposes a number of limits on signal intelligence operations.

Having privacy provisions for foreigners’ data included in FISA would offer “much stronger protection” and be a “much more sustainable solution”, she continued, adding: “Yesterday I spoke to several Congressmen and Congresswomen… We are lobbying for improvements in this Act but we have to wait until the end of the year.”

That said, in a fact sheet relating to the review of Privacy Shield, the EC asks but does not comprehensively answer the question: “How many access requests from surveillance authorities were received by companies under the Privacy Shield?” — instead it just pulls out a few figures disclosed by Privacy Shield-certified companies that already publish transparency reports, claiming they are ‘illustrative’ of the fact that “as a percentage of total user accounts” the number of accounts affected by requests for government access to personal data “remains limited”. (A more pertinent question might be what proportion of the access requests directly involve EU citizens’ data?)

So it very much remains to be seen how red the EU’s line will be if US intelligence agencies get their way and knock back any sympathetic reform of FISA’s Section 702.

Safe Harbor -> Privacy Shield

The EU-US Privacy Shield is the replacement for the Safe Harbor arrangement which was struck down by Europe’s top court two years ago after a legal challenge by a privacy campaigner successfully argued that data protections were not adequately equivalent under the arrangement on account of U.S. government mass surveillance programs (which had been revealed by the Snowden disclosures to be harvesting EU citizens’ personal data via the NSA’s Prism program).

Safe Harbor had stood for 15 years, and EU and US officials scrambled to negotiate a new agreement to try to restore legal certainty for businesses that rely on being able to process users’ personal data in the US. The result was the EU-US Privacy Shield, which launched for sign-ups in August last year.

More companies have signed up to the scheme in its first year than signed up to Safe Harbor in its first 10 years of operation, Jourova said today.

However the new data transfer mechanism has drawn criticism from the start, such as for lacking adequate privacy safeguards, and for the complexity of complaint processes it provides EU citizens seeking redress from a US company.

Ongoing concerns have also been voiced by the bloc’s influential data protection chiefs. And both it and alternative mechanisms for authorizing personal data transfers out of the region are facing legal challenges within the EU.

Jourova said that an extant challenge against so-called standard contractual clauses (SCCs) — which are used by the likes of Facebook (and many other companies) to transfer personal data between their EU and US businesses, and which earlier this month the Irish High Court said it would refer to Europe’s top court for a preliminary ruling — is relevant to Privacy Shield because it could also have implications for the latter’s future viability (i.e. if the ECJ decides SCCs do not in fact offer adequate protection for citizens’ data).

She nonetheless once again expressed confidence in Privacy Shield’s legal robustness, saying it had been negotiated with knowledge of the earlier Safe Harbor ruling. “This court challenge will be the first one, probably when I consider the timing, which will declare something new on the functioning of Privacy Shield,” she said of the referral of the challenge to SCCs to the ECJ. “It has relevance for Privacy Shield.

“We have… tailored Privacy Shield on the basis of the very clear criteria set by the European Court of Justice in the Schrems [Safe Harbor] case. And that’s why I believe in continuity. I believe in the new court rulings which will consider Privacy Shield in all its parameters and will fairly assess whether it brought the necessary protection of EU people’s private data or not. And I am confident that Privacy Shield will withstand such court scrutiny.”

Unlike the prior arrangement, Privacy Shield bakes in regular (annual) reviews of the mechanism to ensure it is functioning as intended. And it’s the results of the first review that the EC has announced today.

Trust vs the Trump administration

Despite professed confidence in Privacy Shield from the EC, the mechanism has looked especially precariously placed since Donald Trump took office. The U.S. president’s decision in January to use an executive order to strip privacy rights from non-Americans under the US Privacy Act was seized upon by critics of the Privacy Shield. (Although the European Commission said the mechanism does not rely on that law for the adequacy protections necessary for it to continue to stand; rather it’s leaning on the aforementioned PPD-28).

Jourova said today that the inaugural review of Privacy Shield was especially important because of the change in US administration. She also had praise for US commerce secretary Wilbur Ross, though she managed to make positive political noises without once mentioning president Trump by name.

“I had a very good working relationship and a very high level of trust with the people negotiating Privacy Shield under Mr Obama’s administration,” she said, discussing the difference of approaches of the two administrations to Privacy Shield. “I wondered whether we can continue based on this spirit of trust and after the second visit in Washington and after the second meeting with Wilbur Ross I can say that I tend to trust. I am positive about the approach of the American administration.

“I can say that my second visit dispelled my doubts whether ‘America first’ doesn’t mean ‘American only’. Which would be bad news for the EU.”

“Of course there is still some difference between the US and the EU — how we understand the conflict of the two priorities: Being more secure, being more protected from the privacy point of view. What I can say is after we tested and scrutinized the situation in the United States the privacy and the protection of privacy is very high on American soil,” she added. “Of course there is an emphasis on security but this is for us to balance it properly in the Privacy Shield — that both priorities, and from our point of view especially the priority of protection of data, is strongly enhanced and promoted.”

She did raise specific concerns about the Trump administration’s ongoing failure to appoint a permanent privacy ombudsperson, as required by Privacy Shield, as a key cause of concern in Europe. Asked by TechCrunch last month — after her visit to Washington — why the U.S. government has yet to nominate a permanent ombudsperson, Jourova said it was something she had asked and “stressed” in importance during the Privacy Shield review.

She was asked about this again today, and told journalists that the EC wants the post filled permanently “as soon as possible” — but also that it “didn’t want to give any deadline”. So, for whatever reason, the EC is avoiding the risk of pressing its demands too hard at this early stage of working with the Trump administration.

“I already was clear in Spring with my partners in the US that we want to have the fully fledged ombudsperson in place soon,” she added. “We were asked to be patient because, with the big change in the administration, it will take more time. But I made it very clear that now we expect them to act very quickly. But no concrete deadline.”

She was also asked about the fact the U.S. Privacy & Civil Liberties Oversight Board currently has just one standing member — out of what should be a total of five.

“We were promised that the situation will be improved soon but the procedure is rather lengthy,” she said on this. “So we, again, as in the case of ombudsperson, we didn’t give any deadline — but we make quite clear via the report that we expect the solution as soon as possible.”

Complaints and compliance

Discussing another EC recommendation, focused on the issue of complaints being made under Privacy Shield and the need to raise awareness among citizens that they are able to complain, Jourova said “practically no” complaints have been received by US companies from EU citizens, via the provided route. However she suggested this could be a result of a lack of awareness that a complaint pathway exists.

“We should not be complacent,” she said. “It might mean that people lack information. This is also the task for us — the European Commission — to inform the citizens about the possibility to get better redress and first of all to have their complaint dealt with properly.”

She said the EC also wants the US to engage in “a more proactive” and regular search for false claims by companies that they are signed up to the Privacy Shield scheme; and wants better ongoing monitoring of compliance by private US authorities.

“The Privacy Shield is placed in a challenging triangle for each regulator. It aims at striking the right balance between data privacy, security and business interest,” she said in her introductory remarks, describing Privacy Shield as both a “continuous work” and “a trust building exercise”.

“I’ve always said that the Privacy Shield was not a document lying in a drawer never checked. Both the US and the Commission will actively monitor it and the annual review is a key moment in that process.”

The EU’s influential WP29 group, which is made up of the heads of member states’ data protection authorities, is working on its own analysis of the operation of Privacy Shield, having sent its own representatives to Washington as part of the EU review delegation (as well as firing off some warning shots ahead of time).

A spokeswoman told us the group is expected to release an official statement on Privacy Shield at its next plenary meeting — likely by the end of November or beginning of December.

News Source = techcrunch.com

GCHQ Cyber Accelerator doubles down for second intake

in Accelerator/cyber security/Delhi/Europe/gchq/GCHQ Cyber Accelerator/Government/India/national security/Politics/Security/Startups/TC/United Kingdom by

A cyber security accelerator with links to the UK’s GCHQ intelligence agency is doubling down for a second program that’s larger and longer than the inaugural bootcamp which kicked off in January.

The second cohort, announced today, will go through a nine-month program, versus three months for the first. There are also more of them: nine startups versus seven. And there is more cash on the table for selected teams, with £25,000 apiece versus the original £5k grant.

Startups in the first cohort were not required to give up any equity to participate, with neither GCHQ nor Wayra investing at that point. We’ve asked whether that situation has changed for the second batch of teams now that the program has been expanded and will update this story with any response.

The expanded program will offer selected teams access to technological and security expertise from GCHQ, the National Cyber Security Centre and Telefónica, which is the partner organization running the accelerator program (under its Wayra UK bootcamp banner), as well as the usual mix of mentoring, business services and office space.

The nine startups selected for the program play in a wide range of areas, from age verification online, to security skills, to blockchain cybercrime to IoT (in)security.

They are:

  • Cybershield detects phishing and spear phishing, and alerts employees before they mistakenly act on deceptive emails 
  • Elliptic detects and investigates cybercrime involving crypto-currencies, enabling the company to identify illicit blockchain activity and provide intelligence to financial institutions and law enforcement agencies
  • ExactTrak supplies embedded technology that protects data and devices, giving the user visibility and control even when the devices are turned off
  • Intruder provides a proactive security monitoring platform for Internet-facing systems and businesses, detecting system weaknesses before hackers do
  • Ioetec provides a plug-and-play cloud service solution to connect Internet of Things devices with end-to-end authenticated, encrypted security
  • RazorSecure provides advanced intrusion and anomaly detection for aviation, rail and automotive sectors
  • Secure Code Warrior has built a hands-on, gamified Software-as-a-Service learning platform to help developers write secure code
  • Trust Elevate solves the problem of age verification and parental consent for young adults and children in online transactions
  • Warden helps businesses protect their users from hacks in real time by monitoring for suspicious activity 

For cyber security startups joining the program it’s proximity to the UK’s domestic spy agency and the chance to impress spooks — and potentially tap into a chunk of the £165 million ($250M) Defence and Cyber Innovation Fund announced by the government two years ago — that is surely the biggest draw here.

The government said the aim of the fund was to widen procurement for security technologies via investing in cyber security and defense startups. It has been said to be “loosely inspired” by In-Q-Tel — aka the CIA’s VC arm.

A parliamentary question to the UK secretary of state for defense last month, asking how much of the money had been allocated so far and for what purposes, suggests around £10M per year apiece is being made available for defense and cyber security related support — including investing in startups.

“£10 million out of the £155 million is available in this financial year to the Defence Innovation Fund, to support innovative procurement across Defence. The Fund is harnessing the best ideas from inside and outside of Defence through activities such as themed competitions and the Open Call for Innovation, delivered using the Defence and Security Accelerator,” said Harriett Baldwin, responding to the parliamentary question.

“The government also allocated £10 million to establish a Cyber Innovation Fund. This supports the UK’s national security requirements by providing innovative start-ups with financial and procurement support,” she added.

The GCHQ Cyber Accelerator is part of a wider £1.9 billion investment aimed at significantly transforming the UK’s cyber security capabilities via a national strategy.

Featured Image: GCHQ/Crown Copyright

News Source = techcrunch.com
