So you’ve decided to order cialis and do not know where to start? We can give you some advice. First, ask your doctor for advice in order to properly determine the dosage, when you do that, you need to decide for yourself exactly where you will be buying the drug. You can buy cialis online, or you can just buy it at the pharmacy. Buy cialis online has a number of advantages, one of which is price. The cost of the Internet will always be lower than in stores, and when combined with the free shipping, it will be the best choice. Besides the price there are a number of advantages over conventional pharmacies, one of which is anonymity. Also, you can always check the online store on reliability, read reviews about it and the opinion of other buyers. Read more.

NJROTC team wins San Diego Mayor’s Cyber Cup

The team and its mentors and supporters deserve a huge round of applause. While Ramona is a lovely town, it is not exactly the kind of bustling metropolis you normally associate with all things techie. But during its six years, the Mayors’ Cyber Cup competition has done an amazing job of raising awareness of cybersecurity as both a great career choice and a vital part of life in every corner of San Diego County, and beyond.

Communities really get behind their teams, as you can see from this local headline: Del Norte High students learn cybersecurity, vie for Mayor’s Cup. The eight finalists were teams from the following schools, listed here in the order they finished in this year’s competition: Ramona High School; Mira Mesa High School; Westview High School; Robert F. Kennedy Middle School; Troy High School; Canyon Crest Academy; Robert F. Kennedy High School; Del Norte High School.

About the San Diego Mayor’s Cyber Cup

For those not yet familiar with the San Diego Mayor’s Cyber Cup, this annual competition, now in its sixth year, seeks to find and encourage the best cyber security talent in California’s high schools. The competition starts with a practice round, which this year took place in late January. There were over 50 teams participating from more than a dozen schools! The teams score points for defending computer systems against attackers.

The practice round was quickly followed by qualification rounds in February, all conducted over the Internet. Then the top eight qualifying teams came together on March 15 in San Diego for the live, head-to-head competition, followed by an awards ceremony.

The Cyber Boot Camp Bonus

Each year, the top three teams in the competition win a check for their school. And in the past, the top team has been offered a five day “Cyber Boot Camp” hosted by security solution provider ESET. This intensive, hands-on learning, combines lab work with lectures from security experts, and ample career advice for those who are thinking of pursuing their interest in cybersecurity. (Yes, there is a huge shortage of people skilled in cybersecurity.)

Last year, the top three teams were invited, and in 2015, in a surprise announcement that had the awards ceremony on its feet, the top eight teams were invited! (Update: for more about the 2015 Cyber Boot Camp, see here.)

• 1. There’s more and more information technology to defend, but
• 2. The stock of people who have the skills to secure it is dangerously low.

These themes were echoed in a lot of this week’s conference sessions as well as in the many conversations that took place in the corridors and meeting places around San Francisco’s Moscone Center. Adding to the discussion were two new surveys that put some numbers to these themes.

I have included links to PDF versions of the reports here:

• State of Cybersecurity: Implications for 2015. An ISACA and RSA Conference Survey (of 1,500 ISACA certification holders and/or “RSA Conference constituents’)
• The 2015 (ISC)2 Global Information Security Workforce Study (surveying 13,930 information security professionals)

For me, the headline findings from the State of Cybersecurity survey were that 76% of respondents said their enterprise had experienced an increase in security attacks in 2014 compared to 2013; and 82% thought it was either likely or very likely that their organization would experience a cyberattack in 2015 (likely = 44%, very likely = 38%). In other words, attacks are on the rise and most organizations realize their systems are likely to be attacked.

A shortage of confidence and skills

The growing realization of the inevitability of experiencing a cyber attack is a welcome dose of realism, particularly now that security is finally grabbing the attention of the board. Nearly 80% of respondents to the State of Cybersecurity survey said their board of directors was concerned with cybersecurity.

However, this new reality is also scary when you read that less than half of the respondents to this same survey gave an unqualified “yes” when asked: “Are you comfortable with your security team’s ability to detect and respond to incidents?” To be clear, only 13% answered “no” to this question, however 41% answered “yes, but only for simple issues”. So less than 46% said “yes” outright. Why? The survey offered some explanations for this low level of confidence, notably the shortage of adequately qualified security staff.

When it comes to hiring security professionals “more than 50 percent of the survey respondents reported that less than one-quarter of applicants are truly qualified for the open positions.” When you think about it, that’s a fairly staggering shortfall. The consequences of this situation, none of which bode well for an organization’s ability to resist and respond to cyber attacks, include:

• Some security positions will be under-filled
• Some security hires will not be up to speed right away
• Some security positions will be unfilled for an uncomfortably long time
• Some security positions may never be filled

The survey found that nearly two thirds of organizations had trouble filling a security position in less than three months, with nearly one in 10 reporting they could not fill the position at all.

To drill deeper into the cyber skills shortage you need to look at the GISWS (Global Information Security Workforce Study), the headline number from which is this: 62% of respondents say that their organization has “too few security professionals”. This is up from 56% two years ago, and while there are several reasons for this situation, pay and job satisfaction are not chief among them (these factors are explored further in the study). The shortage is mainly a combination of:

• More work to be done because there are more things to secure (think BYOD, Cloud, IoT, Big Data, plus economic expansion)
• More attacks from all sides (think criminals, nation states, and hacktivists)
• Not enough people entering the field (think about a skills gap > 250,000 by 2016 in the U.S. alone)

While a majority of security professionals report that they are satisfied with their jobs, a majority of organizations report they just cannot get enough of them. I recommend you review the full report for the details, including the surprise #1 factor for success as an information security professional (hint: it’s not technical skills). The bottom line, according to analysts at Frost & Sullivan, is that if current trends continue, the global shortfall in the information security workforce will reach 1.5 million by 2019.

Closing the Cyber Workforce Gap

Changing those trends, more specifically increasing the supply of appropriately skilled security professionals, was the focus of a number of RSA conference events, none more so than the ESET-sponsored luncheon: “Cultivating a New Generation of Cyber-Workforce Talent.” This invitation-only session was addressed by Michael Daniels from the White House and Phyllis Schneck from DHS. Their remarks were followed by a panel that included Eric Basu from the board of San Diego’s Cyber Center of Excellence, of which ESET North America’s CEO is co-chair (it was cool to hear shout-outs from the speakers to San Diego and ESET and Securing Our eCity for all the work being done here to raise security awareness and promote cybersecurity as a career choice).

When it comes to IT security as a career it is important to realize there are many aspects to this profession, and the GISWS is a great way to find out which aspects the security pros consider critical right now and in the near future. The chart below shows the top six skills and competencies that survey respondents said they needed to acquire or strengthen “to be in position to respond to the threat landscape over the next three years”

To be clear, there are many efforts underway already to get more people into the information security field. In the U.S. a lot of this activity is being driven by NICE, the National Initiative for Cybersecurity Education, which has a major Cybersecurity Workforce Component. The main non-profit skill certification bodies are also heavily involved, including CompTIA and (ISC)2, which recently introduced the Certified Cloud Security Professional program.

What is not clear is the extent to which the training and education being offered today matches the projected need, both in terms of scale and content. The 2015 (ISC)2 Global Information Security Workforce Study gives some good pointers, but ongoing research is needed. One area of improvement that must not be overlooked is the ability of Human Resource departments to put appropriate candidates in front of hiring managers, or rather, not overlook suitable candidates due to a lack of understanding of security skills and roles, but that’s a whole other blog post right there.

(Note: Stephen Cobb is a security researcher with ESET and this article first appeared on We Live Security.)

For the definition of cybercrime let’s use this one: “crimes in which computer networks are the target or a substantial tool” (Koops, 2011). That neatly covers the long and growing list of high profile incidents that have come to light over the last 18 months, including the illegal hacking into, theft of data from, and/or denial of service attacks against: Target, Home Depot, JPMorgan Chase, Sony Pictures, Microsoft Xbox Live, Sony PSN, eBay, NSA, Adobe, Apple iCloud, and Community Health Systems.

Cybercrime prevention, deterrence, and cost

Note that this article is mainly about cybercrime deterrence, not cybercrime prevention. The latter encompasses the things that we do to protect our systems and data from criminals, things like strong authentication, encryption, and measures to detect and defeat malware. Crime deterrence is about making crime less appealing by: increasing the risk (of detection, identification, apprehension, prosecution and punishment); reducing the benefits (making it harder to profit from criminal activity); and deepening the social disdain and moral sanction that criminal activity should elicit. In terms of policy and strategy, the general idea is that combining crime prevention with crime deterrence results in crime reduction.

You might think that the reasons for seeking a reduction in cybercrime are obvious, but just to be clear: cybercrime harms companies and organizations, their customers and members, and the economy. Just ask any organization that has had to deal with a theft of personal data from its systems, or the people whose data was stolen and abused for identity theft and other crimes. There is more about the financial impact of cybercrime in Step 6 where I talk about our failure to measure the cybercrime problem.

Six steps to cybercrime deterrence

I am not under any illusions in laying out these steps. Taking them will be hard and not everyone will agree with them, particularly when moving from the general approach described here to the specifics of implementation. But I do believe now is the time to push this agenda, before the erosion of trust in networking technology undermines its effectiveness and we start to lose the benefits of its deployment. And so that we’re clear, when I say now is the time, I mean now is the time to actually do something instead of just talking about it. Let’s be honest, the right time has come and gone many times in the past without sufficient action being taken, but we can address that lack of commitment elsewhere. Here is what we need to do now:

1. Apply international pressure

Cybercrime should not be tolerated by any country. Any country that turns a blind eye to cybercrime should be sanctioned by the international community. Efforts to fight cybercrime should be encouraged with aid, but failure to cooperate with international efforts against cybercrime should be considered grounds for withholding or reducing aid in general.

Requests for aid should have cybercrime strings attached, for example, in March of 2014, two U.S. senators proposed a cybercrime amendment to the Ukrainian Aid bill. While this amendment did not pass, I think Senators Mark R. Warner (D-VA) and Mark Kirk (R-IL) were on the right track in pursuing U.S.-Ukraine bilateral talks on cybercrime cooperation and “the establishment of a standing senior-level working group” to:

1. conduct regular dialogue on cybercrime,
2. explore opportunities to build-up the capacity of countries to combat cybercrime in cooperation with law enforcement agencies, and
3. develop improved extradition procedures between them.

We should be pursuing similar relationships among more countries where they don’t currently exist. Why? Because cybercrime is notoriously location-independent. Perpetrators in Country A can victimize targets in Country B with relative impunity if Country A does not have both a strong anti-cybercrime program and a willingness to cooperate with Country B to bring perpetrators to justice.

2. Adjust national priorities

To set a good example, the United States and other countries should make the fight against cybercrime a priority, in reality and not just in public statements. More resources must be committed to identifying, apprehending, and prosecuting cyber criminals, whoever they are and wherever they are located (and just to be clear, too many of them are Americans, located in America).

Violent crime and crimes against property are at historic lows in America and the U.K. The abuse of network technology is at an all time high. Allocation of law enforcement resources should take this into account. On one end of the scale, it is simply unacceptable that the perpetrators of the 2013 Target breaches are still unidentified, unindicted, and at large. At the other end of the scale, it is just not right that law enforcement tells so many Americans that their experience of cybercrime is not damaging enough to be investigated.

At the same time that law enforcement efforts are stepped up, we need to discourage the prosecution of trivial “technical fouls” of the kind epitomized by the cases against Andrew Auernheimer and Aaron Swartz. Thankfully, the White House seems to understand this because it is talking about modernizing the Computer Fraud and Abuse Act “by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”

Additionally, there are interersting proposals to “criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers.” While it would seem obvious that such activity is illegal, the more clearly it can be spelled out in law, the easier it will be to make the case to other countries if their citizens have engaged in that activity. Other presidential proposals that represent steps in the right direction include, and essentially I’m quoting from the above linked press release:

1. expanding federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft,
2. giving courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity,
3. updating the Racketeering Influenced and Corrupt Organizations Act (RICO) so that it applies to cybercrimes,
4. clarifying the penalties for computer crimes, and
5. making sure these penalties are in line with other similar non-cyber crimes.

3. Catch more perpetrators faster

It might strike you as blindingly obvious that we need to catch more cybercrime perpetrators faster, but there is a reason I have called this out. The range of measures available to deter criminals includes increasing sentences for those convicted, increasing the probability of being convicted, and increasing the speed with which criminal acts are punished. In the academic study of crime, known as Criminology, there has been a lot of research into which of these measures are most effective in deterring criminal activity.

When interviewed, many criminals say that stiff sentences don’t enter into the equation when they think about committing a crime. Why? Because most criminals don’t think they will get caught. In part, that may due to the immaturity of many offenders, giving them that sense of invincibility that youth  inflicts (see Step 4), but regardless of the reasons, there is strong, well-researched support for the following assertion:

“…there is little evidence that increases in the severity of punishment yield strong marginal deterrent effects….By contrast there is very substantial evidence that increases in the certainty of punishment produce substantial deterrent effects” (S. N. Durlauf and D. S. Nagin, 2011).

In other words, while it might be good to make sure that cyber crimes carry sentences which reflect the great harm they inflict on people and society, stiffer sentences alone won’t do much to deter criminals unless we catch more of them faster. And that requires not only better use of current resources, but also, in my opinion, additional resources dedicated to catching cyber criminals.

(Note: criminological research on deterrence has typically addressed physical crimes like burglary and robbery; if you know of any studies comparing the relative efficacy of cybercrime deterrence measures please let me know because I have yet to find any.)

4. Teach cyber-ethics

Teaching cyber-ethics is not the same as security awareness and education. While I am a keen advocate of security awareness and education as a way to prevent crime, I see cyber-ethics as an essential part of cybercrime deterrence. We need to be teaching children, starting at a very young age, to shun all forms of cybercrime, from making illegal copies of software to stealing user names and passwords and trespassing into systems that don’t belong to you. Adding cyber-ethics to the elementary school curriculum may seem like a long shot, but I suggest there are significant immediate as well as long term benefits:

1. Teachers and parents will gain a better understanding of the implications of their own cyber activities. Right now, many children see their parents behaving unethically in cyberspace, for example, ignoring the property rights of others.
2. Children will enter their “at risk” years with a clearer understanding of right and wrong in cyberspace. Countless crime studies tell us that the teenage years are when children are at greatest risk of deviance, that is, engaging in illegal activities; but children with strong moral guidance from family and school are less likely to engage in deviance, or if they do, far more likely to abandon it relatively quickly.
3. Society as a whole will be moved closer to a zero tolerance of cybercrime. We need to leave behind the notion that criminal hacking is harmless and somehow cool. We need to stop snickering when we hear that Johnny hacked the school network to change his grades; Johnny and his parents need to be severely sanctioned, something that cannot be done fairly if nobody ever explained to them why that is so wrong.

There have been initiatives in this space before, for example, my good friend Winn Schwartau put together an excellent computer ethics teaching aid; but that was more than a dozen years ago, a call to action that went unheeded because of America’s seemingly perpetual lack of commitment to address the problem of cybercrime. Hopefully, more people can now see that the problem will just get worse unless we step up and act.

5. Improve opportunities in developing countries

The old saying that idle hands are the devil’s playthings also applies to hacking skills. If more people have them than there are jobs in which to employ them, those “skillz” are apt to be misused. That was plain to see in Peter Kruse’s research on the Moroccan Phishing cluster, presented at Virus Bulletin 2013. And in the research of Brian Krebs for Spam Nation, where the employment opportunities for Russian programmers were seen to range from malware creation to legitimate software development based on a variety of factors.

What many policymakers have a hard time understanding is that there can be a shortage of qualified candidates for cybersecurity jobs in America (L. Ablon, M. Libicki, and A. Golay, 2014) at the same time that there is a surplus of people with hacking skills in developing countries. The main reason for this is that the Internet is a uniquely self-documenting phenomenon. A teenager with a cellphone in any country can learn basic Internet hacking skills from the Internet but is unlikely to be able to find a job where cyber skills can be put to positive use.

6. Measure the problem

As I have written elsewhere, one measure of commitment to solve a problem is the efforts made to measure the problem. Consistent efforts to objectively measure the problem of cybercrime are notable by their absence or inadequacy in the English-speaking world. I would argue that this seriously hampers policy-making and budget-setting. Making the case for more resources to fight cybercrime requires solid evidence of the scale and scope of the problem. Unfortunately, while the U.S. Department of Justice catalogs physical crimes in great detail, it has only produced one study of cybercrime in the last 10 years: Cybercrime against Businesses, 2005. That study was described as “the first report to provide data on monetary loss and system downtime resulting from cyber incidents.” Sadly, it was also the last.

In 2014, in response to my inquiries, the National Criminal Justice Reference Service stated: “At this time, we do not have any information about any additional reports on this topic becoming available in the future”. When asked for more recent data, the agency refers people to the following report: US Cybercrime: Rising Risks, Reduced Readiness Key Findings from the 2014 US State of Cybercrime Survey. That report was produced by PricewaterhouseCoopers LLP, a Delaware limited liability partnership, and while a for-profit company may be able to conduct an objective study of cybercrime despite being engaged in the marketing of cybersecurity services, relying on such studies to make public policy is fraught with problems. For example, arguments in favor of increased funding for cybercrime deterrence may be attacked if they are based on data supplied by parties who are vulnerable to accusations of inflating data to drum up business.

Several quasi-governmental cybercrime reports have appeared in the past, notably the CSI/FBI report, but its 15 year run ended in 2011. One report that has appeared annually since 2001 is the Internet Crime Report from IC3, the Internet Crime Complaint Center, which works with the FBI. Cataloging complaints reported by victims, the IC3 report has documented the rapid rise of fraud that has an online component (with reported losses totaling $782 million in 2013). Useful as this report is, its geographic boundaries are not entirely consistent, and it is certainly not a full accounting of cybercrime in the U.S. or the wider world. My best guess is that the global cost of cybercrime lies somewhere between the $225 billion estimated in 2010, with major caveats, by A. Anderson  et al. in “Measuring the cost of cybercrime”, and the $400 billion cited in 2013 by the good folks at McAfee’s Center for Strategic and International Studies as their high end estimate of the economic impact of cybercrime and cyber-espionage.

What’s next?

Hopefully, there will now be a flurry of activity in D.C. and other world capitals as politicians and policymakers act on these suggested steps to reducing cybercrime. As we wait for the word to spread, the President’s State of the Union address this evening may offer more details about his plans for cybercrime deterrence. If so, we will post commentary here on We Live Security. After that, there will be the small matter of passing legislation, increasing budgets, and setting aside inter-agency rivalries so that we can all pull together to stamp out cybercrime. (I am aware that there are alternative scenarios, but frankly I don’t have the stomach to consider them right now.)

(Note: Stephen Cobb is a security researcher with ESET and this article first appeared on We Live Security.)

References:

Ablon, L., Libicki, M., and Golay, A. (2014) Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, RAND Corporation, Santa Monica, California. Available: http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

The Cyber Boot Camp format combines classroom presentations and discussions with hands-on work in the custom-built computer lab, seen here:

This year’s lab consists of 20 workstations running Linux and/or Windows, a big Cisco switch, various servers, and a variety of wireless access points, all of which become potential targets and a test of cyber defense skills. While the servers and networking infrastructure were put together by ESET researchers using gear supplied by the company as part of its sponsorship of the event, the workstations were loaned by Computers 2 San Diego Kids, to which they will be returned after the boot camp. (Every city should have an organization like C2SDK, a wonderful non-profit organization that recycles computers into the community.)

The lectures include security experts from around the San Diego area, including several members of the FBI’s cyber task force. We can’t show their pictures for security reasons, but here is Andrew Lee, CEO of ESET North America, discussing careers in cyber security with students.

The event would not be possible without the support of volunteers from the community. This year we got some great help from UCSD graduate students, all experienced “Capture the Flag” participants who clearly found that lending a hand at the boot camp was a very rewarding experience.

One of the great joys of this year’s boot camp was seeing students from different high schools working together to solve security problems, with these grad students offering suggestions and guidance as needed, acting as a form of learning accelerant. For next year’s boot camp we will be looking for more students from area colleges and universities to assist with the program.

The boot camp is such an intense experience that documenting it in real time is a real challenge. However, we did make sure that plenty of photos were taken and more will be posted here as time permits. The event was also documented by local and national media. For those who speak the language of Marketing and PR here is a number you might find interesting: combined national reach of the boot camp coverage is currently nearly 195 million unique monthly site visitors. Here are just some of the reports:

• Times of San Diego: “High School Students Attend Boot Camp to Fight Cyber Crime,” by Chris Jennewein on June 18, 2014
  http://timesofsandiego.com/tech/2014/06/18/high-school-students-attend-boot-camp-fight-cyber-crime/
• KPBS: “San Diego Teens Learn How To Be ‘Cyber Defenders’” by Dwane Brown, Emily Burns on June 19, 2014 http://www.kpbs.org/news/2014/jun/18/san-diego-teens-learn-how-be-cyber-defenders/
• San Diego Technology Examiner: “ESET Cyber Boot Camp for tomorrow’s defense,” by Victoria Wagner Ross, June 20, 2014 http://www.examiner.com/article/eset-cyber-boot-camp-for-tomorrow-s-defense
• San Diego Technology Examiner: “Bitcoin used for extortion demands,” by Victoria Wagner Ross, June 20, 2014 http://www.examiner.com/article/bitcoin-used-for-extortion-demands
• Yahoo News: “‘Good Guy’ Hackers Are Cracking Codes for Change, and Profit,” by Joseph Williams, June 18, 2014 http://news.yahoo.com/good-guy-hackers-cracking-codes-change-profit-194830102.html

The classes will be led by ESET security researchers Cameron Camp and Lysa Myers, supported by other members of the ESET research team including Stephen Cobb and Aryeh Goretsy. In addition to the lab sessions, the students will meet experts from ESET and other organizations in the local community, such as Bridgepoint Education, San Diego Gas & Electric, San Diego Police Department, Verizon, C.A.T.C.H., the FBI and more.

New for Cyber Boot camp this year is a field trip to Federal Court to hear from a judge and former cybercrime prosecutor. These experiences enable students to consider the skills they are developing and where they want to apply them in the future. And it seems to work. One boot camp alumni, Vineel Adusumilli, a Westview High graduate now studying at MIT, was recently quoted in the UT San Diego as saying “Cyber Boot Camp was a terrific learning experience, combining lab work using the latest tools with insights from experienced security professionals.”

The goal of the boot camp, attendance of which was offered to the top three teams in the fifth annual Mayors’ Cyber Cup, is to provide the right learning environment to interest more students in cyber security as a career. As ESET security researcher Lysa Myers has pointed out: America needs to do a lot more to promote STEM education in general. At Securing Our eCity we think that cyber security is one of the coolest ways to apply Science, Technology, Engineering, and Mathematics in the real world.

As we reported previously, the 2014 winners were, in first place, Canyon Crest Academy. In second place was the team from Westview High School, the school that won last year. In third place was Mira Mesa High School. The other teams that made it to the final round were La Jolla Country Day School, Patrick Henry High School, Ramona High School, and 2012 cup winners, Troy High School.

Cyber Boot Camp lead instructor Cameron Camp, a security researcher with ESET, describes the week ahead to students before they head to the lab.

Of course, the Cyber Boot Camp would not be possible without the support of the community, so a big hat tip to the sponsors who made this year’s event possible, including ESET, SDG&E, California Coast Credit Union, Higgs Fletcher & Mack LLP, Hughes Marino and Mendez Strategy Group. A special thanks is due to Computers 2 San Diego Kids or C2SDK, who provided those racks of machines for the week, and do a great job supplying schools and families in San Diego with recycled computer gear.

That’s right, the fifth annual running of the San Diego Mayor’s Cyber Cup was covered on television by Channel 10 ABC News who really seem to get how important this event is as a motivator for young people to consider a career in cyber security, one of the hottest job markets today and into the foreseeable future.

For those not yet familiar with the San Diego Mayor’s Cyber Cup, this annual competition, established in 2010, seeks to find and encourage the best cyber security talent in California’s high schools. The competition starts with a practice round, which this year took place in late January. There were over 50 teams participating from more than a dozen schools! The practice round was quickly followed by qualification rounds in February, all conducted over the Internet. Then the top seven qualifying teams came together on March 15 in San Diego for live, head-to-head competition.

And the winners of the 2014 San Diego Mayor’s Cyber Cup are: Canyon Crest Academy!

Well Done Canyon Crest!

The top team received a check for $2,500, presented by former Interim Mayor and City Council Member Todd Gloria, accompanied by fellow City Council Member, Sherri Lightner. Canyon Crest Academy is part of the San Dieguito Union High School District.

And well done to the runners up! In second place was the team from Westview High School, the school that won last year. In third place was Mira Mesa High School. The other teams that made it to the final round were La Jolla Country Day School, Patrick Henry High School, Ramona High School, and 2012 cup winners, Troy High School.

Winners ALL!

The winning team not only won the title and a year of hosting the very impressive cup that goes with that title, there was also a check. And there were checks for second and third place as well ($1,500 and $1,000 respectively).

But wait, there’s more….The top three teams this year will also be treated to a week of Cyber Boot Camp! Hosted in San Diego by the Internet security company ESET, the Cyber Boot Camp is a lively mix of practical, instructor-led cyber security exercises, plus classroom presentations by experts in a wide range of related fields, from law enforcement to computer forensics, malware research, and career advice. The event will take place during summer recess. Here’s a peek at a past session of Cyber Boot Camp:

Beyond winning great prizes in the Mayor’s Cup, there is a sense in which we all win from this competition. Right now, our country faces a critical shortage of cyber security expertise. One of the main goals of the project is to address that problem. Through the event and the publicity surrounding it we hope to encourage students of all ages, from all schools, to learn more about information assurance and computer security. Hopefully this will lead many more students to consider these and related STEM fields as possible career paths or courses of study in higher education.

Thanks to All!

This year’s competition would not have been possible without the volunteer work and financial support of many organizations. We will mention some here, but this list is by no means exhaustive. Thanks to Leidos for the use of CyberNEXS, the competition engine used in the event. The Mayor’s Cup is sponsored by the National Defense Industrial Association (NDIA), in cooperation with the University of California, San Diego (UCSD). With additional support from National University, SDG&E, DTI, TSG Solutions, Blue Pyramid, Minuteman Press, ISSA, TechFlow, DCS Corp, La Jolla Logic, Major Motion Pixels, Bridgepoint Education. Additional sponsors and supporters include Securing Our eCity Foundation, Computers 2 San Diego Kids, ESET, and The Ranger Group. With further assistance from Mr. & Mrs. Kurt Worden and Mr. & Mrs. Dwayne Junker.

We leave you with a photo of the very happy, and decidely cool, third place finishers, Mira Mesa High School:

Using digital technology to process votes might sound like a good idea, but it raises a lot of security questions. These were addressed in several sessions over the two-day conference, starting with the “Fireside (Firewall) Chat” with SOeC board member Howard Schmid who was White House Chief Advisor on Cyber Security to Presidents George H.W. Bush and Barack Obama. Mr. Schmidt is now a principal of Ridge Schmidt Cyber, LLC. Although on a tight schedule with a plane to catch, he graciously found time for a quick snapshot with myself and SOeC executive director, Liz Fraumann.

Mr. Schmidt set the scene for later discussions by reviewing the current cyber security threatscape in conversation with Jeremy Epstein, Senior Computer Scientist, SRI International, and a member of the EVN Coordinating Committee.

Later in the day, I was privileged to participate in a panel titled “Cyber Security Crossover: Leveraging Cyber Security Best Practices in the Realm of Elections”. Fellow panelists included David Dill, Professor of Computer Science at Stanford University, and Gary Hayslip, the CISO of the City of San Diego. The moderator was Pamela Smith, President of Verified Voting Foundation.

Two points became clear to me during these two days of great content and conversation. First, America is very lucky to have EVN keeping an eye on electronic voting. Second, as one expert put it, when it comes to Internet voting, “there is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology.” Not now and not in the foreseeable future.

Recent discovery of longstanding flaws in Internet encryption protocols like SSL and TLS are a stark reminder of the practical impossibility of ensuring secure Internet interactions of the type required for a secret ballot, not to mention the widespread distribution of state-sponsored malware.

In 2008, Verified Voting founder and co-panelist, David Dill, organized the creation of a document that spells out the unique nature of secure voting: the Computer Technologists’ Statement on Internet Voting. The document warns against “pilot” Internet voting projects, which already exist in some states in the form of email ballot submissions, and describes “the severe challenges that must be met if an Internet voting system is to justify public confidence.”

I was very grateful to have the chance to participate in this tenth anniversary meeting of EVN, and proud that my employer, ESET, was a sponsor. It’s not every day that you get to hang out with esteemed experts such as David Jefferson, the author of the one paper on Internet voting that everyone should read: If I Can Shop and Bank Online, Why Can’t I Vote Online? David is a Computer Scientist at Lawrence Livermore National Laboratory, a member of the Verified Voting Foundation Board, and serves on the board of the California Voter Foundation.

If you are still wondering “what could possibly go wrong?” when it comes to Internet voting, consider the following slide. It comes from the very interesting presentation on Internet voting experiences outside the U.S. by former Technical University of Denmark professor Joseph Kiniry, now Principal Investigator at Galois. He highlighted actual code from an Internet voting program that was used in national elections in one European country.

If you are familiar with computer programming, this slide speaks for itself, and apparently it speaks volumes. When I tweeted the above photo it was re-tweeted almost 200 times, reaching over 220,000 Twitter accounts!

In this year of mid-term elections in the U.S. there will be renewed interest in electronic voting and Internet voting in particular. Hopefully the warnings from technology and cyber security experts will be heeded.

One example of the enthusiasm behind this initiative is the terrific call to action from San Diego Security.

Getting San Diego nationally recognized as a center for cyber security presents some terrific opportunities for investment and job opportunities because right now, and well into the foreseeable future, cyber security is a major concern for most Americans. Says who? Says the average American, as recently polled by the highly respected Pew Research Center, which found “cyber attacks from other countries” were second only to”Islamic extremist groups like al Qaeda” in a table of answers to “what do you think is the greatest threat to the U.S.?”

Maybe this is not surprising after 2013, the year that saw Snowden’s revelations about NSA cyber-surveillance and an unprecedented breach of payment card data from one of the country’s largest and best known retailers. Cyber security has gone from an esoteric subject, studied and discussed mainly by computer geeks, to a serious concern for 70% of Americans.

At Securing Our eCity, we are proud of the work we have done so far to raise public awareness of cyber security threats and to help people deal with them. We are adding our voice to the calls for national recognition of San Diego’s unique role in tackling cyber threats, and look forward to helping even more people enjoy and employ cyber technology more safely than ever in 2014.