For å lykkes må du først ha feilet! Dette er en av de grunnleggende reglene i Silicon Valley og er med norske øyne en uvanlig, men suksessfull mentalitet. Janteloven er tydeligvis ikke gyldig i det som er et av de mest innovative områder i verden.
De aller fleste av verdens største IT selskaper befinner seg i området og det er kanskje ikke merkelig at også selskaper i informasjonssikkerhetsbransjen er godt representert i området. Kanskje ikke så rart at Silicon Valley også er et ettertraktet område for norske håpefulle bedrifter med gode ideer og produkter. Lykkes du her, lykkes du sannsynligvis over hele verden!
Nasjonal sikkerhetsmyndighet deltok i forrige uke i næringslivsdelegasjonen som fulgte kronprinsparets offisielle besøk i USA.
Sammen med Innovasjon Norges San Francisco kontor gjennomførte NSM et IT sikkerhetsseminar i Palo Alto/Menlo Park. Seminaret var et del-seminar tilknyttet til næringslivsdelegasjonen i forbindelse med kronprinsparets offisielle besøk i San Francisco. En rekke norske selskaper med spennende sikkerhetsprodukter og løsninger deltok i næringslivsdelegasjonen sammen med sentrale bedrifter/organisasjoner og myndighetsaktører fra Norge. Under seminaret traff de representanter fra amerikansk akademia, bedrifter, organisasjoner og investorer.
Seminaret ble avholdt hos SRI International og etter en innledning fra Program Direktør Ulf Lundquist i SRI International var det klart for NSM Direktør Kjetil Nilsens hovedtale. Nilsen fokuserte i sin tale på behovet for økt innovasjon og samarbeid for å forbedre sikkerhetstilstanden, gjennom å finne smartere løsninger og produkter.
Deltakerne fikk gode diskusjoner i den påfølgende paneldebatten om sikkerhet og personvern i Big data med Chief Information Security Officer (CISO) i Facebook – Joe Sullivan, CISO hos Wells Fargo – Rich Baich og Managing Director Trident Capital – Alberto Yepez. Debattens moderator var CISO hos Silicon Valley Bank – Nick Shevelyov.
Alberto Yepez byttet stol etter paneldebatten og gikk over til å intervjue den spanske gründeren Julio Casal Martin fra Alien Vault. Martin gav gode råd om hvordan han og selskapet har lykkes med å etablere seg i Silicon Valley. Her fikk de norske gründerselskapene gode råd fra både investorsiden og gründersiden som kanskje kan komme til nytte senere.
Seminaret ble avsluttet med en energisk Ted Schlein fra Kleiner Perkins Caufield Byers – et selskap som The Wall Street Journal beskriver som det største og best etablerte investeringsselskaper i Silicon Valley. Siden oppstarten i 1972 har Schleins selskap investert tidlig i AOL, Amazon, Citric, Compaq, Google, Netscape, EA, Symantec og Sun bare for å nevne noen…
Schlein fortalte de fremmøte at cybersecurity er ett av tre hovedinvesteringsområder for de fleste som investerer i teknologi bedrifter. Årsaken er den store behovet og etterspørselen for cybersikkerhet. Schlein gjorde et sterkt poeng av at IT bransjen er en av de få bransjene i verden som sier til sine kunder at kjøper du produktet «vårt» er vi nesten helt sikre på at det gjør det vi tror det skal gjøre, men det er ikke helt ferdig enda, så vi vil forresten oppdatere hyppig underveis. Oppdateringer du som kunde selvsagt må betale for!
Det ble også tid til å knytte nye nettverkskontakter i pausene mellom de ulike foredragene på seminaret. Som en av deltakerne uttalte det “Du vet ikke hvem du møter som har betydning for deg, før du har møtt dem. Men du møter ingen, dersom du bare sitter på kontoret”
Deltakerne besøkte på de tre dagene en rekke amerikanske selskaper som Microsoft, Oracle, Cisco og Palantir Technologies for å diskutere ulike områder knyttet til cybersikkerhet.
Hovedhensikten med NSMs bidrag og deltakelse er å bidra til økt innovasjon og samarbeid mellom myndigheter, bedrifter, akademia og andre miljøer i den hensikt å bidra til at det skapes nye og gode produkter som påvirker sikkerhetstilstanden i samfunnet på en positiv måte. For å få til dette er samarbeid og evne til å utveksle informasjon essensielt. NSM ser på deltakelsen i næringslivsdelegasjonen som en unik start på en forbedring av samarbeid og informasjonsutveksling.
Vi vil skrive mer om dette tema på et senere tidspunkt .
Nedenfor kan du lese hele innlegget til direktør Kjetil Nilsen i NSM:
Keynote, Stanford University, California, USA, May 8th, 2013
Dear audience, Dear organizers,
Thank you Ulf for the kind introduction. Thank you ladies and gentlemen for your participation here today. It’s a great honour for me to be delivering the key note speech here at the IT-security seminar at Menlo Park.
I would like to start off by thanking the Stanford Research Institute (SRI) for hosting today’s event. As you may know SRI was established back in 1946 as a non-profit research institute and is today an important contract research institute worldwide.
I greatly appreciate the Innovation Norway Office in San Francisco for their efforts in making this event a reality. They do important work with business development programs in Silicon Valley, offered to Norwegian Early-stage technology start-ups, with ambitions and the potential for international growth.
My main message, and why we are gathered here today is that Cyberspace knows no borders. Hence, we have to increase cooperation between the public and private sector, civil and military authorities as well between nations in order to meet the present and future information technology challenges.
The government has an important role to play in supporting innovation in the private sector and academia. The government is also a big customer and the main policymaker. This creates a situation where the public and private sector must cooperate and share information about challenges and solutions.
The Norwegian National Security Authority wishes to contribute to innovation and the development of products and solutions that creates a more secure society.
I would briefly like to draw up some of the principal ICT-security challenges that we see influences public and private sector today. I will then talk about why Governments are looking for increased innovation in the field of information technology.
2. ICT-security challenges in the 21st Century.
As the director of the Norwegian National security authority, I have the privilege to be working with a team of highly skilled academics and technicians. I’m not a technical expert myself, but I find a great interest in technology, especially in how technology affects the society we live in.
My organization holds the primary responsibility for information assurance, cyber security, incident handling, cryptography, as well as certification and accreditation of secure IT-systems. Like you, we are always on the outlook for the perfect if not helpful secure ICT-solutions.
So what are the security challenges we see today and why is innovation and public private cooperation becoming so increasingly important to people?
• Understanding the threats
Today we witness a steadily increase in ICT-security threats. We see adversaries are becoming more and more sophisticated, not only government actors, but also hacktivists or “cyber activists”, and criminals. We all know about the advanced threats towards critical infrastructure and the emerging cyber-crimes. In the last years we have even seen several disturbing attacks performed by hacktivist-groups like Anonymous.
Statistics from our Operational Department shows us that the number of ICT-security related incidents handled over the last four years have tripled in number. The amount of serious data breaches are steadily growing. The number of unrecorded data security breaches is likely to be huge. On several occasions the Norwegian Government has released public warnings about extensive cyber data espionage operations – targeting vital industry. The situation seems to be the same all over the globe, also in the US. The risk and threats are growing, and we have to meet the challenges now and in the future.
• Assessing the risks
It is first when you understand the threat, that you may start assessing related risks. A number of State actors today realize that one of the major ICT-risk-factors in the future will be their ability to build secure environments connected to the Internet.
The security risks need to be taken seriously. We see that there is a lack of understanding about the necessity of patching, upgrading, and a general lack of security awareness at all levels of society. The security threats are increasing, at the same time as the vulnerabilities are growing. We witness a worrying indifference when it comes to securing business sensitive data and that is something we need to change.
3. Why innovation in secure ICT solutions?
Today it is greatly recognized that Governments cannot deliver a safer online world alone. We need to work in close cooperation with the private sector, in order to ensure a safe public infrastructure, services and devices that can be provided to our employees and the general public. In order to succeed we need to share information and know-how. Today, Governments rely more than ever on the private sector for advancing on innovation in secure ICT solutions.
We are fully dependent upon secure ICT-systems and devices in order to uphold a well-functioning and efficient economy. That is what makes us vulnerable, a shared vulnerability across the different sectors of society and across national borders. ICT systems and devices are underpinning the production and protection of assets and more importantly the welfare and prosperity of our society. The ICT revolution with Internet in the fore front has had a tremendous impact on how we do business and industry, as well as for communication and social contact between people. The number of computers and other connected ICT-devices are growing at a speed we never would have imagined. We use connected devices ranging from smart phones and tablets, to SCADA-systems used in public critical infrastructure and the individual pace-makers, and new inventions will be added every year. Most of us don´t have the fantasy to imagine what inventions will come next. In this interconnected world of ICT, new inventions still are and will be of great importance for the development of our societal values and the way we live.
In the long run, innovation is the key to business specific and country specific competitiveness. Today it is recognized more than ever that governments have a role to play in facilitating innovation in technologically oriented societies. Innovation spans far and can be closely linked to research and development.
There are several ways to stimulate innovation, but one spoken truth that seems to be repeated in many forums is that large organizations are rarely able to demonstrate innovation or renew themselves greatly. Formalities and legal form are some of the mechanisms that are deemed to work against innovation. Innovation is not something that can be adopted by it self, but is created by a need for change,
In my view, exchange of ideas, between the public and private sector, civil and military authorities, are a vital part of the solution in helping industry produce secure enough products and devices that can serve the different user segments of our society.
This also means that the weight of responsibility for cyber security relies heavily on governments and businesses, as the users or customers do not always know; nor do they always have the capacity to care for their own needs. But I believe the market will demand more and more secure solutions in the future. So it really is a business opportunity.
4. What solutions are we looking for?
Cyber security has become a top priority among several States, thus not all countries have ICT or cyber strategies in place. Norway launched its ICT strategy last year.
In my opinion, several steps need to be taken to address the security challenges we face.
• Risk management
An important part of the solution is proper risk management. We need to identify and classify our assets according to their criticality; we must assess the vulnerabilities with respect to these assets, and understand the threats they are facing. Only when we know our own risks we may make informed decisions. An appropriate risk management system is fundamental when it comes to managing protective security. In the digital world, the public and private sector share those risks. This also mean we have to share the solutions in order to move forward.
• Creating a competitive market place and competitive advantage
In my view, there is a strong need for a stronger market for ICT-security. Today the competition in the ICT marketplace focuses mostly about delivering functionality, because that is what the customer wants. This has started to change in my opinion, as the threats are increasing and more and more users, businesses and governments, will be aware of security threats. This often, due to the fact that they have experienced an incident due to lack of proper security measures. Security will be incorporated in future technology solutions. Providing user-friendly and secure solutions will become a market advantage!
I believe we are moving into a new market of rational thinking when it comes to ICT security. Some of us have compared this situation with the car industry 60 years ago.
New cars offered a lot of different functionalities, but they were pure death traps regarding safety. Over the past 60 years, the car industry has done a lot of self-regulation through innovation and standardization. Today these companies are competing on safety. You will hardly find a new car today that doesn’t have a safety belt and several airbags. Safety belts are not extra-equipment that you as a customer can choose to opt out on. The security should be built-into the devices we buy, just as the safety belts and the air-bags are in our modern cars. The public authorities, are fully dependent upon market developments in this field. Public-private cooperation should support development in this field.
• True public-private partnership
Innovation in public-private partnership is an important factor for success. A real partnership and collaboration is needed, not only nationally, but also globally. We need cooperation between Governments and Industry – crossing national borders. A true public private partnership is all about trust, information sharing, collaboration, funding, research and education.
To make this work, we need to establish an ecosystem of businesses, innovators, investors, academia and public sectors. Everybody has an interest in being a part of the eco system. We have to build on this basic interest. From the governments perspective it is important to create predictability in the governments need for products. I know that my organization can’t do this alone. We need your innovation and creativity to help us create products and solutions that creates a more secure society.
Building robust ICT-security solutions should be at the centre of attention when developing new products. Equally important are solution that helps us to deal with attacks in an effective way.
The key to efficient cyber security management consists of building well-functioning information sharing schemes, based on trust. Trust will be promoted when mutually beneficial initiatives are being worked out and implemented at the right level according to the need for information sharing.
In Norway, we have some important experiences when it comes to public-private partnerships. For years, my organization has been working closely with businesses such as Thales Norway and Kongsberg Group, developing crypto devices used for classified information. We consider this a success. Now, we need to expand the scope ………
The NSM has also developed an Early Warning System, VDI, set to monitor traffic from and to the internet, so as to help public and private businesses handling information about important security incidents in their own ICT systems. The VDI is operated by NSM. The private businesses are categorized as members and partners. Their participation is voluntary. In fact, they pay a membership fee. This we have done with good results since 2000.
• Requirements and standardization
When addressing such a competent audience as you, I can’t continue without briefly mentioning the use of requirements and standardization. International standardization and governmental requirements are important market drivers for IT-security. Standardization and requirements are also of great importance when it comes to the protection of personal data and national critical infrastructure
• International cooperation
For me, it´s obvious no country, no sector, no business can handle the security challenges, set by the rapid technological developments, alone. Collaboration is essential. Common challenges have to be met with common solutions, crossing national boundaries.
4. Some concluding remarks
To wrap up my main message here today, I believe in the innovative character of a global marketplace. Secure solutions will be a business advantage in the future, just look at the car industry as mentioned as an example. If you come up with a brilliant solution, you might become the market leader of tomorrow, filling the gap in the market place for cyber security. I also believe in industry setting standards and governments setting minimum requirements. This is necessary, both to secure proper functionality and to secure our societal values.
Today, even business continuity depends on robustness in ICT-systems and devices, as goes for proper incident response. This is especially true in a world of increasing inter-connectedness and interdependencies.
The need for innovation in the cyber domain is not something that is confined solely to the national arena. The Internet is a global network that does not stop at national borders nor do the threats and risks that make out global challenges. The same has to be said for potential solutions to these challenges. Increased cross border cooperation in meeting the needs of secure information and communication technology is what we need today!
In other words, there is not only a national market, but a huge global market for proper ICT-security solutions. The commercial market forces are probably able to find solutions, but they are also dependent on the strategic choices and feedback that governments give to them. Governments will formulate the terms but will also represent the end users in this new world of cyber or ICT.
And we should remember to remind ourselves that a lot of the security challenges probably seemed unmanageable at some point in time, but that the solutions found over time proved to work.
Finally I will call for increased collaboration between governments, industry and partners in developing networks to confront escalating global cyber threats. Now is the time to collaborate!
Thank you all for listening. I hope you will enjoy this seminar and please use your time to meet new people. I wish you all the best in making our information technology future more secure!