We recently joined the National Institute of Standards and Technology to launch the National Cybersecurity Center of Excellence, a joint effort among high-tech business, federal, state and local government and local universities located in Rockville, Md. The goal of the NCCoE is simple: to identify and help deploy real-world cybersecurity tools that ordinary businesses can use to secure their own networks. Ten other high-tech companies, Johns Hopkins University, the University of Maryland and the National Security Agency have committed their own personnel to the effort.

We’re particularly proud of our participation for lots of reasons, but it’s the combination of the players – the public-private part — that made this alliance particularly compelling.

Try as they may, most parts of the country have not succeeded in replicating the success that tech hubs like Silicon Valley have achieved. Greater Washington D.C. is a success story in its own right, and we think the NCCoE is another reason the DC region will continue to make its mark in computer security.

Every place is different, of course, but five factors seem to make for success when development is the goal.

RESEARCH

Tech is ultimately about smart people doing smart things with the tools they have, and education is the foundation of all of it. The source of Silicon Valley’s brainpower is clear enough: The region hosts a multitude of universities, foremost among them Stanford and Berkeley. DC area universities have received significant funding from the federal government and in many cases enjoy a close relationship with the nearby National Security Agency itself. Schools such as George Mason and James Madison in Virginia, the University of Maryland and Johns Hopkins in Baltimore head the list.

FUNDING

Cutting edge tech is important, but banks won’t fund it until it’s well established, so the path from startup to success can be a difficult one. Angel investors and venture capitalists are necessary components to any successful tech region, and that’s a part of the business world that’s clearly growing near the nation’s capital. New Enterprise Associates just up the road in Baltimore and In-Q-Tel have funded more than their share of startups in the area.

RISK TAKING

Anyone in business knows there are risks to trying to make a profit, but not everyone sees risk the same way. The best high-tech regions recognize that failure is often the prelude to success and won’t automatically penalize those who can’t make a go of a certain venture. Smart dealmakers don’t want to know that you failed — they want to know why.

The nation’s capital isn’t famous for risk taking, but the region’s business community increasingly is. Sequestration and ongoing budget pressures have accelerated the push towards the private sector and away from the old government-contractor mentality. The end result is a slow transformation of the region into an area of authentic innovation.

MOBILITY

It’s a factor many overlook, but it’s there nonetheless: Many, many people in tech aren’t just mobile; they’re from another country altogether. The fact is huge numbers of high-tech innovators in the U.S. left their home countries because they knew the US was still the land of opportunity and remains so today. Go to Silicon Valley, come to greater DC, walk around any top computer science school and you will see the same thing: Brilliant engineers with all the drive you could ask for making amazing discoveries in a country that has claimed them not for their ethnicity, but for the excellence of their work.

GOVERNMENT THAT WON’T GET IN THE WAY

You don’t have to be libertarian to recognize one simple fact: The business climate that government sets is hugely important. Places such as Silicon Valley, Northern Virginia and Suburban Maryland are for the most part left of center politically.  I’ll leave it to other to say why tech regions tend to lean liberal, but when it comes to business issues, these same regions look a lot like their red-state neighbors. Light-touch regulation yields real results not just for the companies directly affected but for the whole, decidedly prosperous places in which they operate.

THE FUTURE

Cybersecurity is booming. We take little joy in the reasons why, but we at McAfee are honored to be part of the solution to fighting the threats we face. We hope and expect our efforts here in suburban Maryland will bring a stronger, more secure future in cyberspace.

By David Hoffman, Raj Samani and Christoph Luykx

Today, the European Commission and the EU’s External Action Service (EEAS) presented its response to the growing threats presented in cyberspace by releasing a policy document (the “Communication”), outlining the longer term required actions together with proposed legislation (the “Directive”).  These actions demonstrate the European Union’s commitment and resolve to address these threats. Together with the recent creation of the European Cybercrime Centre (EC3) in The Hague, today’s proposals further paves the way for a strong coordinated response against these 21^st century threats. Intel and McAfee welcome the EU’s resolve addressing ongoing and emerging challenges in cyberspace and the recognition that this requires global public and private cooperation.

Digital threats are very real and ever growing. McAfee labs routinely collect an immense amount of data on cyber threats, and publish statistics that highlight the threat to all citizens from nefarious actors.[1]. For 2013 it is anticipated for the volume, and complexity of threat to grow, according to McAfee’s Chief Technology Officer for EMEA, Raj Samani. At the heart of the fight against malicious actors is technological innovation. McAfee’s Global Threat Intelligence (GTI) provides a comprehensive, real-time intelligence service that enables McAfee products to protect customers across all vectors. “Whatever the regulatory response, we should ensure that such technological innovation continues to be at the forefront of efforts to out-innovate the malicious actors”, according to Mr Samani.

The EU’s proposals highlight the responsibility of private actors in the overall securing of our Global Digital Infrastructure. We agree that private organizations bear responsibility in ensuring that the products and services they bring to the market have been designed with security in mind and industry standards of care have been met. Like many responsible companies, we have a strong Security Development Lifecycle in place to ensure our products are being evaluated against possible threats. We should however avoid specific regulatory mandates for specific solutions or processes that would slow innovative technological solutions and hamper industry and government’s ability to respond to the dynamic threat environment. According to David Hoffman, Intel’s Director of Security Policy and Global Privacy officer, global standards should remain to be the guiding light for an effective global policy environment. “When looking at issues of product assurance, secure development and evaluation, these should be addressed through existing methods such as the global evaluation methodology like the Common Criteria and the Common Criteria Recognition Arrangement or industry-led codes” said Mr Hoffman.

One part of the proposal that will draw significant attention is the introduction of a security breach notification system to further incentivize both public and private organizations. “Such systems can play a role in increasing awareness and responsibility”, says Mr Hoffman, “but they need to be well thought through to avoid unintended consequences such as over-notifications”. Forced notifications of vulnerabilities should be avoided. “The system as proposed will need to be further fine-tuned to ensure it will be a workable system”, says Mr Samani.

Intel and McAfee strongly welcome the focus of the proposals to not only increase public private cooperation but also to further strengthen the baseline requirements amongst public authorities. Promoting harmonized baseline capabilities across all Computer Emergency Response Teams (CERTs) in the EU is a crucial goal. The proposals should seek to build and furhter strong coordination, including the sharing of threat information, via a strong joint public and private cooperation.

Finally, we strongly welcome the highlighting of the role of awareness raising campaigns. Educating and informing people of the threats, ways to protect their systems and their responsibilities contribute to the overall security of the GDI and should be a cornerstone of any effective cybersecurity strategy. We look forward to further build on existing awareness raising activities such as cybersecurity awareness day and McAfee’s ongoing initiatives.

Intel and McAfee are committed to continue to lead the discussion on how to address the ever changing threat landscape. We are looking forward to working with all stakeholders during the legislative process to ensure a strong outcome.

David Hoffman is Intel’s Director of Security Policy and Global Privacy Officer

Raj Samani is McAfee’s EMEA Chief Technology Officer

Christoph Luykx is Intel’s European policy lead on Privacy and Security

Protecting Your Small Business.  I spoke with the Committee about the issues small businesses face in combating cyber security threats. Based on McAfee’s perspective and insights, I provided recommendations that small businesses can take to protect themselves from cyberattacks and offered policy recommendations to support the small business community and improve public/private sector information sharing.

Small businesses can face the same cyber security risk as larger entities, yet they often cannot afford dedicated security staff, training, or comprehensive solutions.  Government can play a great role in protecting small businesses that comprise the majority of our corporate community, by subsidizing security products and services based on solid risk assessments, and incentivizing (e,g, through tax incentives or insurance) solid cyber investment.

Small businesses are the backbone of our economy. Having generated 65 percent of new jobs over the past 17 years, small businesses play a critical role in the nation’s economy.  According to the SmallBusiness Administration (SBA), small businesses represent 99.7 percent of all employer firms and also hire 43 percent of all high tech workers and produce 16.5 times more patents per employee than large patenting firms.

Public-Private partnerships are crucial for small businesses to engage with government and private sector entities with larger resources to exchange intelligence and best practices.

Further, because small businesses comprise the majority of our corporate population, larger entities benefit as well from the collective cybersecurity intelligence across small businesses.

Small businesses have a great wealth of information and it’s critical that the data remains secure. However, small businesses lack the funds to employ a dedicated security team or purchase enterprise security solutions, and thus, protecting these establishments is an ever growing important issue.

It is critical that small businesses take the necessary steps to protect themselves from cyber attacks. Here are a few recommendations:

*         Early adoption of three new security and industry trends-Software-as-a-Service (SaaS), managed security services, and dedicated security appliances

*         Minimize the amount of sensitive information retained in the organization

*         Practice risk management first

*         Buy the appropriate level of security

As Congress and the public/private sector continue to build upon the strides already made in addressing the cybersecurity challenges, we can successfully evolve ongoing efforts to protect our nation’s critical infrastructure from sophisticated cyber attacks.

We are only as strong as our weakest link, and we need incentives and subsidies for good cyber security for small business!

McAfee International Limited is registered in England and Wales with its registered address at 100 New Bridge Street, London, Company No. 02825890