The Verge is reporting Twitter’s CISO, Michael Coates, is leaving the company to create his own security startup:

Twitter’s chief information security officer is leaving the company, sources familiar with the matter have told The Verge. Michael Coates, who joined the company in January 2015, is quitting to start his own company, sources said. Coates announced the move internally about three weeks ago, sources said, but had not announced the move externally.

Twitter declined to comment. Coates confirmed the move Wednesday afternoon.

News of Coates’ departure comes on the same day that Michael Zalewski, director of information security engineering at Google, announced his departure from that company after 11 years. (Zalewski was a high-ranking security executive at Google but not its chief security officer; that role belongs to Gerhard Eschelbeck, vice president of security engineering.) And it comes two days after reports that Alex Stamos, Facebook’s chief security officer, plans to leave the company in August. The departures come at a time when tech companies are under mounting pressure to prevent their platforms from being misused by foreign governments and other bad actors ahead of the 2018 midterm elections.

There are a lot of high-level security executives leaving larger Silicon Valley companies as of late. I think of the three – Google, Facebook, and Twitter – the last has the most interesting-sounding set of challenges.

If you are a security professional interested in a new opportunity, the Twitter gig would definitely be worth looking into.

The Federal Bureau of Investigation is trying to recruit hackers to become cyber special agents to combat cyber terrorism, espionage, and other threats to the United States (emphasis added):

The number of resumes submitted as a direct result of the bureau’s presence at the conference was not readily available. (The story will be updated with those figures if and when we get them.)

Last year, the FBI recruited more than 1,500 special agents with cyber expertise, according to data from the bureau’s human resources department.

However, the hacker and cybersecurity communities are still wary of the federal government. This fact was clear during the Q&A portions of many of the talks and presentations featuring government representatives.

FBI Director James Comey alluded to some of these worries during a talk in January at the International Conference on Cyber Security.

“There is a wind blowing that I worry has blown what is a healthy skepticism of government power … to a cynicism so that people don’t want to be with us anymore,” he said. “We’ve got to do our best to speak into that wind to try to explain how we’re using our authorities in government.”

Having a presence at Black Hat and other similar venues is part of the FBI’s push to overcome this reality.

If there is one lesson to be learned from the recent OPM breach it is this: the United States government sorely needs to recruit top-notch cyber security talent (emphasis added):

That illustrates one reason cybersecurity, or more accurately cyber-insecurity as shown by the Office of Personnel Management data breach, remains on the Government Accountability Office’s 2015 high-risk list. “Although steps have been taken to close critical skills gaps in the cybersecurity area,” GAO says, “it remains an ongoing problem and additional efforts are needed to address this issue government-wide.”

Part of that effort should be recruiting bright, creative and eager folks like those in the Knights. Recruiters also should look for older cyber experts with valuable experiences. During a Federal Diary conversation with two Knight team members, it was clear they are impressed with the government’s mission, even while noting shortcomings in Sam’s recruiting efforts.

Kevin DiClemente, for example, recalled a recruiting call he received from the National Security Agency. Secrecy being endemic to the NSA, the caller ID indicated an unknown number. That might make sense for the agency’s regular business, but it’s not the best way to get recruiting calls answered. DiClemente mentioned the unknown number to the NSA recruiter, and, to the agency’s credit, subsequent calls were not cloaked in that level of secrecy.

Jason Cooper, another team member, said he had not considered a public-sector career before the collegiate competition. He encouraged government recruiters to increase school visits.

In the tell-us-something-we-don’t-already-know department, a Department of Justice report details how the FBI is understaffed to tackle the current volume of cyber threats (emphasis added):

As of January 2015, the Federal Bureau of Investigation had only hired 52 of the 134 computer scientists it was authorized to employ under the Justice Department’s Next Generation Cyber Initiative launched in 2012, the report showed.

Although cyber task forces have been set up at all 56 FBI field offices, five of them did not have a computer scientist assigned to them, the report by the Office of the Inspector General found.

Cyber security threats are among the Justice Department’s top priorities and there has been a slew of damaging cyberattacks against private companies and U.S. government agencies in the last couple of years.

The FBI budgeted $314 million on the program for the 2014 fiscal year, including 1,333 full-time employees, the report by the internal watchdog said.

Lower salaries compared to the private sector made it difficult for the FBI to hire and retain cyber experts, the Office of the Inspector General said in the report.

No surprises here. Not only is the salary low, but the quality of life is not exactly what most techies are looking for in an employer. The FBI really needs to reconsider not only its recruiting efforts, but also some of its internal human resources policies before cyber security geeks will consider them a viable opportunity.

As a result of the recent massive OPM breach, it is quite obvious the United States government urgently needs to find experienced and talented cyber security professionals capable of protecting government data systems (emphasis added):

OPM officials were quick to identify aging legacy systems as the main culprit behind the massive data theft. Of course, such vulnerability encourages more attacks and more extensive damage. With no foreseeable abatement and – to the contrary – the prospect of increasingly sophisticated cyber invasions, with at least some appearing to implicate enemy nation states, more than new and enhanced infrastructure is needed. Implementing critically needed structural improvements will take time. Right now, however, experienced, talented and top-flight cybersecurity professionals should be hired and quickly brought on board. Once in place, the cyber experts should make a comprehensive assessment of existing systems, identify and thoroughly examine their vulnerabilities, and then develop the most comprehensive and iron-clad cyber defense possible – one that withstands attacks of evolving sophistication and is subject to ongoing monitoring. The enhanced program also should be capable of quickly and effectively responding to incidents.

As part of a series of cyber security bills enacted last year, Congress passed the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014 (the Act). The law is intended to help the Department of Homeland Security (DHS) recruit and retain cybersecurity professionals. For DHS, which is responsible for securing civilian government computer systems, a top-flight and expertly trained cybersecurity workforce is an absolute necessity to carry out its security mission.

The Act supports DHS’s efforts to overcome workforce deficiencies by authorizing the Secretary of Homeland Security (the Secretary) to create new cybersecurity positions and offer comparable pay to that which like professionals earn at the Department of Defense. The Act also requires that for four years, the Secretary submit annual reports on DHS’s cybersecurity hiring plans for filling critical needs, and metrics to measure progress on the recruitment and retention of cybersecurity professionals. These measures are to be complemented by other recent laws and DHS initiatives.

The government needs a combination of the right type of situational awareness tools coupled with highly trained and talented cyber security professionals capable of understanding how to work these tools to locate intrusions and react accordingly. This is neither an easy nor an inexpensive task – it requires a lot of funding to get this right.

At this juncture, US government agency leadership needs to stop playing games and fund worthwhile cyber security initiatives before, say, buying new carpet for the command-deck.

re/code on famed security researcher Mudge – aka Peiter Zatko – leaving Google to join US government service to help automate software security assurance:

Peiter Zatko, a respected computer security researcher better known by the nickname Mudge, says he’s leaving his job at Google to explore ways to help U.S. government make software more secure.

Zatko announced the move on Twitter.

An Obama Administration official tells Re/code that recent advances in using automated methods to analyze software code for vulnerabilities have spurred interest in government circles to see if there’s a way to standardize how software is tested for security and safety. “The Administration has had some discussions about the potential pros and cons of such a system and how it might be implemented,” the official said. The administration is interested in supporting a feasibility study to determine if such techniques could work, the official said, but stressed that no plans have been finalized.

A former researcher with DARPA, the research arm of the U.S. Department of Defense, he joined Google along with fellow DARPA alum Regina Dugan to work on security research at the search giant’s Advanced Technologies and Projects Group.

This appears to be a big win for the US government, which is in bad shape lately and in need of brighter minds to help it close the many remaining open gaps.