1IT Enterprise | Why Protected Encryption Is Very Important

  |   Allegis News, The Latest

By Robert Ackerman Jr | Founder & Managing Director of Allegis Capital


As anybody familiar with the computer industry knows, the FBI wants Apple to break security protections on an iPhone linked to the deadly San Bernardino terrorist attacks — and a U.S. district court has ordered Apple to do just that.

Apple is fighting the decision for good reason. If it obeyed the court, the security of the iPhone could be compromised, helping to set in motion a trend that would materially undermine the effectiveness of cybersecurity in every conceivable venue.

Many law enforcement officials do not agree with this view; they believe encryption already allows far too many criminals to go scot-free. But why lean on Apple to crack a phone they may be able to crack themselves?

Authorities might be able to accomplish this, for example, by using a very precise atomic saw that can cut through the outer structures of the A6 microprocessor inside the phone, according to a recent story in The Wall Street Journal. They could target the portion of the chip that holds the user ID (the UID key). Then they could move the iPhone’s scrambled data to another computer and unlock it by using technology to guess the passcode of San Bernardino killer Syed Rizwan Farook.

It is true that this tactic would be risky and very expensive. And if anything goes wrong during the process, the data could be lost forever. But why is this a greater risk than forcing Apple to comply with authorities and possibly provide the essence of a “golden key” to unveil encrypted communications to help catch criminals and terrorists?

The authorities always sidestep one extremely important detail — in the domain of cybersecurity and encryption, the bad guys are just as smart as the good guys. Exploiting vulnerabilities is their expertise.  If there is a back door, they will find it, exploit it and seize valuable personal data. And how can we trust government entities, which are regularly breached, to keep such a golden key safe from criminals?

Data is the target of the vast majority of breaches of every stripe. Encryption is the last resort of data defense, one used to protect data 99.999 percent of the time. If encryption is penetrated, the cornerstone of defense disappears and the stage is set for even more hacking mayhem.

Two fundamental issues are at play in the Apple-FBI brouhaha. One is the Fourth Amendment of the Constitution, which protects against unreasonable searches and seizures. Isn’t this the point of encryption? The second issue is whether a back door would, in fact, improve the effectiveness of the FBI and other law enforcement agencies. FBI Director James Comey has suggested that police would have been able to track down the shooter of an Illinois man last year but for encryption built into both of the victim’s two phones. What he failed to mention was that one of the phones – a Samsung Galaxy S6 – isn’t encrypted by default.

Let’s return to the specifics of the dispute. For most iPhones, the greatest danger is posed by criminals. If thieves can break into these phones, victims can easily be exposed to identity theft and perhaps even extortion. This is one of the main reasons Apple designed stronger encryption, starting with the iOS 8 operating system. Any software that bypasses those protections could materially hurt iPhone users.

It’s true that the FBI’s proposed system for Apple has protections to ensure its passcode hack can’t be used by anyone else. Apple signs any automatic firmware updates before a given iPhone will accept them, and the FBI’s proposed update would be coded to an individual phone. The software wouldn’t install unless the phone’s serial number matches the serial number in the code. The method proposed by the FBI is also specific to the iPhone 5c, the one in Farook’s possession. While this doesn’t have the Secure Enclave chip that ties lock screen protections to hardware in newer iPhones, it’s highly likely that the FBI would request similar methods for cracking Enclave-equipped phones if it is successful in its current feud with Apple.

The software proposed by the FBI can be useful to thieves even though it can’t be used to unlock other phones. If the code falls into the wrong hands, it can potentially be reverse-engineered into a generic version, removing the code that ties the attack to a specific phone.

This reverse-engineered version would still need Apple’s signature before it could be installed – something, of course, thieves are unlikely to have. The fundamental point, however, is that that signature system would be the only thing protecting a stolen iPhone and the information inside it. By itself, this is a huge problem. New vulnerabilities pop up in software all the time, and no single system is ever considered entirely impenetrable. An undisclosed vulnerability could be used in a way that Apple and the FBI can’t predict.

Law enforcement and intelligence communities do important work, and new technology has made their jobs tougher. But the answer is not lowering standards for protecting data. The right answer is to work on new approaches to identify the bad guys. Innovation – not compromised security – is the solution.


Ackerman, Jr., Robert. “Why Protected Encryption Is Very Important.” 1ITEnterprise. 30 March 2016. Web. 




RSA Conference | The Cybersecurity Act of 2015 is a Necessary Stake in the Ground

By: Robert R. Ackerman Jr. | Founder & Managing Director, Allegis Capital


The Cybersecurity Act of 2015 is approaching its three-month birthday, but you can be excused if you’re oblivious to that. After all, many people probably don’t know it even exists. Very quietly, the law—the first major piece of Congressional cybersecurity legislation, one designed to address the explosive growth of successful cyberattacks—was signed into law in mid-December 2015 by President Obama.

The act didn’t attract much attention because it was embedded in a $1.1 trillion omnibus spending bill to fund the government. The dim spotlight aside, what is the verdict on this historic legislation—a compromise bill based on competing cybersecurity information sharing bills that passed the House and Senate earlier in 2015?

It has some strengths and some weaknesses. Overall, what can be said is that it has insufficient teeth but nonetheless is a good starting point in getting the government involved in the global cybersecurity war—and yes, it is a war. The good guys need all the help they can get against the bad guys. The cost of global cyber espionage has soared to about $500 billion annually, and when you add in the cost of stolen intellectual property, it tops $1 trillion annually. Unfortunately, the bad guys are winning.

Bear in mind that this act is a product of Washington, and so, of course, it is a patchwork of compromise. The victory is modest and lies mostly in the passage itself. The day that occurred—December 18—even President Obama conceded “I’m not wild about everything in it . . .”

As a venture capitalist, I would like to see this legislation become the first step toward a broader and more sophisticated cybersecurity sharing network. That’s because I want the startups I back to push the cybersecurity envelope—and to correctly anticipate the future course of attacks—as much as possible. An improved sharing network would help achieve that goal because a better job could be done protecting against many standard attacks, allowing young cybersecurity companies to focus more on chronically evolving state-of-the-art attacks.

The legislation calls on businesses, government agencies and other organizations to share information about cybersecurity threats with each other. The belief is that, overall, this will help them prepare themselves better to identify and defend against cyber attackers. The Department of Homeland Security is the ring leader and can share the information with other government agencies and companies. It isn’t clear how this information will be shared, however, and, with the notable exception of IBM, some technology companies have said they will not participate because they don’t think there is sufficient consumer identity protection. This is a reasonable concern given the government’s own challenges in protecting sensitive data. The provisions of the law are voluntary.

People can debate the latter point endlessly and reach no clear-cut conclusion. What is much more significant, in fact, is that this legislation is behind the times.

By itself, sharing information about new types of malware, suspicious network activity and other indicators of cyber attacks won’t thwart much cybercrime. Given that the vast majority of cyber attacks are focused on data, what is really needed is the implementation of encryption to secure that data. Also crucial eventually is diligence in patching of outdated software. These steps can go a long way in making systems less vulnerable and lay the foundation for innovation focused on hardening next-generation IT infrastructure against cyberattacks.

As things stand today, even the sponsors of the legislation admit that the new law would not have helped against the highly destructive, allegedly North Korean-orchestrated attack against Sony Pictures Entertainment in 2014. Why? That attack, like many today, was not based on previously known computer viruses or other malicious tools that companies and the government could warn each other about.

Similarly, this law would not have fended off the theft of millions of personnel records from the U.S. Office of Personnel Management. In that case, the government failed to install sufficient cybersecurity protection in the first place. Poor computer hygiene, in fact, is rampant.

Businesses are encouraged to share more information about cyberattacks because the law minimizes the threat of private lawsuits, such as suits over violations of electronic privacy protections. In addition, companies are generally required to strip personal information about customers out of the shared data so that the government cannot amass records on individual behavior. The government is also required to ensure that all personal information, such as customer records, has been scrubbed.

While the law in its current form is lacking, it isn’t altogether ineffective. Take, for example, lower-level cyber-attacks. The notion of companies and governments sharing data about the “signatures” of cybersecurity thieves is worthwhile. This is the digital trail that shows where the attackers came from and what their code looks like. Given that most cyber-attacks are lower-caliber attacks assembled from non-proprietary code or programs and from off-the-shelf components on the black market, how can this not be helpful?

We have to start somewhere to begin improving U.S. cyber defenses. Washington, despite its foibles, has managed to do that. I prefer to look at this ultimately as something good, not bad, and that a stake has been put in the ground in the nation’s capital to step up the U.S. counter-attack against cyber intruders.

Robert Ackerman Jr. is founder and managing director of Allegis Capital, a Palo Alto-based early stage venture capital firm specializing in cybersecurity. Some of Allegis Capital’s cybersecurity investments include Shape Security, vArmour, and Red Owl. 


Ackerman Jr., Robert. “The Cybersecurity Act of 2015 is a Necessary Stake in the Ground.” RSA Conference, 18 March 2016. Web. 




No IPOs may indicate slowing year for Silicon Valley


By: Marisa Kendall | San Jose Mercury News | Posted: 28 Feb 2016

San Jose software company Apigee began trading on the Nasdaq on April 24, 2015. The company raised $87 million in its initial public offering, the second IPO of last year from a Silicon Valley tech company. (Nasdaq Creative Services)


The first quarter is halfway over and the markets have yet to see a single IPO out of Silicon Valley, news that seems to confirm gloomy predictions some analysts have made about the tech industry’s coming year.

Some companies, such as San Jose-based cloud storage company Nutanix, apparently are delaying their Wall Street debuts. Nutanix, which had filed for a $200 million IPO in December, has yet to go public and may be waiting for better market conditions, experts said.

But the IPO climate may not improve any time soon. The stock market has been a roller-coaster ride this year as the market responds to fears about everything from China’s economic slowdown, to the drop in oil prices, to the refugee crisis in Europe. Twitter and GoPro shares fell to an all-time low this month, and LinkedIn lost $10 billion in value.

“This is the weakest start of the year since 2009,” said Kathleen Smith, a principal at Renaissance Capital, which tracks public offerings.

A look at eight of last year’s biggest U.S. tech IPOs shows six of the companies were trading below their offer prices Friday afternoon — including Etsy, Box, Fitbit and Match Group, which owns Tinder. Last year industry experts wondered if 2016 would be the year the tech bubble bursts, or the year the market sees more “unicorpses” than unicorns. The IPO scene this year seems to reflect that uncertainty.

The only public offerings so far have been from four biotech companies based in Illinois, Massachusetts and China, and Silver Run Acquisition Corporation, a Houston-based energy-focused acquisition company. Silver Run raised $450 million in its Tuesday IPO.

Last year, 24 companies had priced initial public offerings through the end of February, according to Renaissance Capital data. That includes Redwood City-based Box, which provides an online file-sharing service for businesses. The four 2016 biotech IPOs — AveXis, Proteostasis Therapeutics, BeiGene and Editas Medicine — are what Smith calls “quasi IPOs” because they relied heavily on insider buying.

Massachusetts-based Syndax Pharmaceuticals announced its plan to launch an IPO next week. Others, such as Southern California-based orthopedic health company Ellipse Technologies, are choosing acquisition. Ellipse filed for a $75 million IPO in October but reversed course last month and announced it was being acquired by NuVasive, a San Diego medical device company, for $380 million.

Another six companies postponed IPOs this year that had been pegged to raise $1.3 billion, according to Renaissance Capital data. That list includes Oakland-based construction company Shimmick Construction. The Silicon Valley IPO market hasn’t seen much action since Square went public in November. Square saw a first-day return of 45 percent, after discounting its shares by about a quarter.

Private companies aren’t the only ones getting nervous. Investors have pulled back on their spending, raising the bar for startups to get funded, said ClearPath Capital Partners managing partner Paul James Boyd.

“We have also heard that when companies are out looking for capital, a couple we’ve run into have not been able to get the whole amount they wanted,” he said.

That means investors may be less likely to fund riskier companies going forward, said Robert Ackerman Jr., founder of Allegis Capital, and they may shy away from Silicon Valley’s most innovative new startups.

Norwest Venture Partners managing partner Jeff Crowe disagrees. There’s still plenty of seed and early-stage funding to be had, he said.

“What I do think it means, is that companies that have scaled to a large size without a prudent business model, they can have trouble,” he said.

The year’s biggest deal so far seems to be Florida-based virtual reality startup Magic Leap, which earlier this month announced a new $793.5 million round of funding led by Alibaba Group.

PricewaterhouseCoopers partner Thomas Ciccolella said “megadeals” of $100 million or more are a positive sign because they show investors still are willing to bet on innovation.

“It says there’s ripe opportunity for entrepreneurs, or for things to be changed in the current environment, especially in tech,” he said. “That helps us gauge the appetite for new and innovative technology.”

Ackerman described the market slowdown not as a tech bubble bursting, but as “a lot of air being let out of the balloon.” The market is correcting itself after years of overexcitement and runaway valuations, he said. But the slowdown may open up opportunities for some savvy investors.

“You can argue when nobody’s investing in anything is a phenomenal time to make an investment,” Ackerman said. “But that requires you to look past your fear.”

Kendall, Marisa. “No IPOs may indicate slowing year for Silicon Valley.”  Mercury News. Feb 28, 2016. Web. Feb 29, 2016.


The Fiscal Times | Cyber security startups face funding drought



By Heather Somerville & Jim Finkle, Reuters
February 23, 2016


The U.S. cyber security industry, once one of the hottest targets for venture capitalists, is now grappling with a funding slump that has forced some startups to sell themselves or cut spending.

Amid widespread concerns about cyber attacks and data breaches, hundreds of security startups have sprung up in recent years, promising “next-generation” technologies to fight cyber criminals, government spies and hacker activists.

But many of the new ventures have struggled to gain traction, finding it difficult to stand out from the crowd and provide customers with sophisticated enough security solutions to match the increasingly advanced cyber attacks they face.

“Investors are looking at balance sheets and saying, ‘You raised $100 million and you have nothing to show for it?'” said Promod Haque, senior managing partner at Norwest Venture Partners, which manages about $6 billion in capital.

Private investors pumped a record $3.3 billion into 229 cyber security deals last year, according to data from CB Insights. Venture capitalists, dealmakers and entrepreneurs said funding is drying up for all but the most mature cyber startups with substantial sales.

“Almost every other company I knew who was on the road raising money at the same time had to pull their rounds back and were not able to close,” said Michael DeCesare, chief executive of ForeScout Technologies Inc, a network security firm.

ForeScout reported more than $125 million in 2015 revenue and finalized a $76 million financing round last month. Other deals this year include $96 million in funding for risk analytics firm Skybox Security Inc, and Fidelity Investments’ $50 million investment in anti-virus software maker Malwarebytes.

It now takes six to eight months to close deals, up from about three to four months a couple years ago, said Sean Cunningham, managing director at Trident Capital Cybersecurity.

The founder of a cyber startup that raised money two years ago said he sought additional financing for several months but then gave up. The firm, which did not want to be identified, cut spending and plans to seek financing again in about six months.

Other startups are looking for buyers. A dealmaker at a large security company, who declined to be identified, said the number of incoming inquiries from businesses looking to sell themselves is up 40 percent this year, compared to the same time in 2015.

Last month, iSight Partners – which has uncovered major cyber campaigns from Iran, Russia and other nations – sold itself to FireEye Inc for $200 million in cash plus another $75 million in cash and stock if it meets certain sales targets. Last August, iSight Chief Executive John Watters told Reuters he planned to take the company public in 2016 at a valuation of at least $1 billion.

After the FireEye deal was announced, Watters said his plan changed because market conditions shifted, making it more difficult to raise capital to remain independent. FireEye CEO Dave DeWalt said the tough funding environment would spawn more deals. FireEye also bought tiny security software maker Invotas for $30 million last month.

The value of cyber M&A activity more than doubled last year to $26.8 billion from $10.3 billion in 2014, according to data from consulting firm EY. The number of deals increased 46 percent to 287.


Cyber stocks had rallied in 2013 and 2014 on expectations the industry would benefit from a seemingly endless streak of headline-grabbing cyber attacks. Private investors, seeing the opportunity, piled onto startups. “You had a lot of indiscriminate capital that came into the space,” said Bob Ackerman, founder of Allegis Capital and a longtime security expert. The boom in cyber investing showed signs of faltering last year as earnings of publicly traded cyber companies missed expectations.

Too many startups copied technology already on the market, or products that hackers had figured out how to circumvent. Some highly touted products sold by private companies were found to be “obsolete from the moment they were launched,” said David Cowan, a partner at Bessemer Venture Partners.

Cyber stocks have since underperformed the broader market. FireEye, which this month warned that growth in cyber spending could slow this year, has fallen 35 percent over the past three months, compared to a 12 percent decline in the Nasdaq Composite Index. Qualys Inc tumbled 38 percent over the same period, while Palo Alto Networks Inc dropped 26 percent and the Pure Funds ISE CyberSecurity ETF fell 21 percent.

Robert Thomas, CEO of cloud security firm CloudPassage, which raised $36 million last July, said he expects the funding crunch for startups to last. “I feel fortunate that we got in under the wire and were able to raise (money) for the next two years to carry us through,” he said.

(Reporting by Heather Somerville in San Francisco and Jim Finkle in Boston; Editing by Jonathan Weber and Tiffany Wu)

“Cyber security startups face funding drought.” The Fiscal Times. Web. 23 Feb 2016.


WSJ | Increased Spending in Cybersecurity Drives Surge in Funding



As funding from venture capitalists tapered off in the fourth quarter of 2015, investment in the cybersecurity sector continued to boom.

Venture capitalists invested $675.43 million in the fourth quarter of 2015, up from $522.41 million in the same quarter a year before, according to data from Dow Jones VentureSource. Total annual venture capital funding in cybersecurity increased 76%, to $3.34 billion, in 2015.

In the wake of high-profile hacks and increased activity from state actors, companies are increasing their spending on security. Gartner predicts the world-wide cybersecurity market will increase to $170 billion by 2020, up from $75.4 billion in 2015. Investors see that boom as an opportunity, despite public security stocks struggling since the start of the year.

Experienced venture capitalist investors in security predict investment in the sector won’t rise as rapidly in 2016 as market conditions cool. They view security as a viable sector largely insulated from the recent market turmoil, but say the sky-high funding rounds that became common in 2015 will be more rare. Investors predict a similar number of cybersecurity investments will occur in 2016, but the total dollars in the sector may not be as high because fewer large institutions will drive up funding rounds.

For many, a sign that valuations in the cybersecurity sector may have gone too far was FireEye Inc.’s acquisition of iSight Partners Inc. for as much as $275 million, based on certain milestones. The company’s sale, which security executives said was far below a sought-after higher valuation multiple, showed that even strong companies may not live up to the lofty valuations set in 2015.

Bob Ackerman, the managing director of Allegis Capital, said when everything is on the rise, investors tend to pile on. He expects firms that don’t have a history of investing in security to pull back from the sector.

“In a market like this people talk about a flight to quality, but generally there’s also a flight to comfort,” said Mr. Ackerman. “Investors go back to the thing that they know best.”

But funds are increasingly specializing in the sector. Mr. Ackerman’s fund focuses on cybersecurity startups, as do TenEleven Ventures and Trident Capital Cybersecurity. Menlo Ventures plans to dedicate 25% of its latest fund to security companies.

Trident Capital’s newest partner, Sean Cunningham, said he isn’t worried about the increasing number of funds specializing in cybersecurity. Mr. Cunningham said that because there was so little investment in the sector for many years, venture capitalists are now playing catch up from when cybersecurity investment dropped between 2004 and 2010.

“The sector has actually been underfunded in some regards,” Mr. Cunningham said. “You could argue that we’re going to make up for some of that.”

Mr. Cunningham said Trident passed on a number of deals in 2015 when term sheets came back with valuations the company felt were inflated. He said there will likely be a similar number of cybersecurity deals in 2016, but the total capital deployed in those deals may be lower.

In 2016, investors expect an increase in mergers and acquisitions within the sector. Mr. Cunningham expects traditional public security companies will likely be actively acquiring startups.

Investors predict that given current public market conditions, most companies that are ready to go public will wait it out. Public security companies’ stocks took a beating in early 2016, with FireEye and Imperva Inc. down more than 40% since the start of the year.

Venky Ganesan, a partner at Menlo Ventures, said because so much capital flocked to cybersecurity in recent years, many “clones” were funded. He said time will tell which companies truly own their valuations.

“When the tide goes out, you can see who’s wearing shorts and who is really naked,” Mr. Ganesan said.


“The Daily Startup: Increased Spending in Cybersecurity Drives Funding Surge” Wall Street Journal, 17 Feb, 2016. Web.


eWeek | Allegis Capital Ramps Up Investment in Cyber-Security Firms

Bob Ackerman, managing director and founder of Allegis Capital, continues to see profit potential in security. He offers his take on the marketplace.

There seems to be no shortage of money flowing into cyber-security firms these days. However, just because cyber-security is hot doesn’t mean that every technology will be successful or that every investment will pay off, said Bob Ackerman, managing director and founder of Allegis Capital.

Ackerman believes in taking a strategic, measured approach to investing in security vendors that are creating platforms that solve real problems for organizations, including securing legacy architectures and building security for the future.

For the last 20 years, Allegis Capital has been largely focused on early and seed round investing, and for much of the last five years, the firm has almost exclusively been looking at cyber-security ventures. Allegis Capital is in the process of closing its latest fund called the Allegis VI Cyber Innovation fund.

“Capital [that is] under management needs to line up with our investment strategy,” Ackerman told eWEEK. “You can’t be an early-stage investor and manage a whole lot of money, so we tend to like pools of capital that are around $150 million.”

Among the companies that Allegis invested in last year are E8 Security, which raised $9.8 million in a Series A round in March; RedOwl Analytics, which raised a $17 million Series B round in July; and fraud protection vendor Signifyd, which raised a $7 million Series A round, also in July.

In addition, Allegis invested in search vendor Lucidworks as part of a $21 million Series D round, announced in November. Lucidworks provides commercial support and tools for the Apache Lucene search technology.

What brought Allegis Capital to Lucidworks is the fact that a lot of the applicability and use-cases for the vendor’s technology is related to security, Ackerman said.

With so many companies now in the market trying to solve the cyber-security challenge, Ackerman is confident that it’s still a growing market for him to invest in. “This problem set will be with us for the foreseeable future; there is certainly a tremendous amount of activity in cyber-security, but a lot of the activity is not necessarily unique,” Ackerman said.

When Ackerman looks at the cyber-security market, he focuses on two key issues. One is the challenge of securing decades-old legacy architectures that were not built with modern cyber-security in mind. The other is figuring out how to build inherently more secure architectures in the future. In looking to secure new architecture, the move to virtualization and the cloud is a key opportunity, according to Ackerman.

Allegis has invested in Bracket Computing, which provides data center virtualization security technology, and vArmour, which emerged from stealth in September 2014 with its data center security platform. “Both of those companies are looking at where technology is going and ensuring that security is an integral part of the path to that destination,” Ackerman said.

Ackerman points out that the modern world is enabled by a digital substrate. As such, even though some people might think of cyber-security as a vertical niche, Ackerman emphasizes that it’s not.

Rather, cyber-security is a broadly horizontal domain that covers the entire digital substrate on which the modern global economy is built.

“With the almost daily reports of breaches that pop up in the news media, both entrepreneurs and investors have latched onto cyber-security and concluded that it’s a hot area,” Ackerman said.

For Ackerman, knowledge and understanding, as well as experience, are the keys to potential success in cyber-security. “The challenge is that a lot of things get funded that perhaps shouldn’t be funded, and that creates a level of noise in the market that we have to be aware of,” Ackerman said.

Among Allegis Capital’s investments is security vendor Synack, founded by former National Security Agency (NSA) analyst Jay Kaplan. Synack’s business model is focused on helping organizations to find security flaws by enabling a community of researchers. Ackerman noted that Kaplan is the type of entrepreneur that Allegis likes to back because he has been on the forefront of dealing with real-world threats and has a deep hands-on understanding of what security is all about.

“As an investor, the challenge isn’t just in finding a needle in the haystack, it’s in finding a particular piece of hay in the haystack,” Ackerman said. “Domain expertise matters in a significant way.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

“Allegis Capital Ramps Up Investment in Cyber-Security Firms.” eWeek. 25 Jan 2016. Web. 26 Jan 2016.



Politico | “Chinese in D.C. for cyber talks”



“The technology is agnostic,” he said in a telephone interview. “It’s how do people use it.” – Robert Ackerman Jr.

Posted from Politico.com – 12/01/2015


U.S.-CHINA TALKS — U.S. and Chinese officials are scheduled to hold their first meeting on implementing their agreement to refrain from computer hacking for commercial gain. Though the meeting is not a deadline for determining whether China is complying with the accord, U.S. officials hope the talks “on fighting cybercrime and related issues” will help ease tensions.

Homeland Security Secretary Jeh Johnson will lead the U.S. negotiators. China’s Public Security Minister Guo Shengkun will be the senior Chinese representative, according to Chinese state media reports via Reuters.

MEANWHILE IN PARIS — While Johnson and Guo confab in Washington, President Barack Obama and Chinese President Xi Jinping are attending talks on climate change in the French capital. Obama stressed the need for “full adherence” to the pair’s September no-commercial hacking agreement during a summit sidebar, the White House said. Before the meeting, Obama noted that he and Xi “have developed a candid way of discussing” cyber and maritime disputes.

IS THE PLA BEHAVING? — The Chinese People’s Liberation Army, a major perpetrator of commercial hacking, has vastly curtailed its activities since a grand jury in the U.S. indicted five Chinese military officers in 2014, The Washington Post said Monday. Reports of the demise of PLA’s hacking units, however, may be exaggerated. Since the indictments, numerous private-sector reports from firms such as ThreatConnect have been released tying hacking operations to the PLA. And China’s civilian spy agency, the Ministry of State Security, still conducts its own commercial hacking, the Post story notes.

UKRAINE SHOWS RUSSIAN RESTRAINT (SERIOUSLY) — Russia has been accused of many things in Ukraine over the past year, but restraint isn’t among them. Yet, the conflict there has not witnessed the sort of massive cyberattack Russia launched in earlier showdowns with Estonia and Georgia. Why? Ukraine simply lacks “very lucrative targets for destructive cyberattacks and physical attacks,” according to a book out today from NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia. Russian espionage and disinformation campaigns trumped cyber priorities and both sides were interested in controlling the conflict’s escalation, writes center director Sven Sakkov. Russia was able to achieve many of its goals through physical rather than virtual means. “If a cable can be cut physically, there is no need to use sophisticated cyberattacks,” the report says. So maybe the Russians don’t deserve much credit for restraint after all. 

AT&T’S STEPHENSON WEIGHS IN ON ENCRYPTION — AT&T CEO Randall Stephenson wrote to employees last week, citing the renewed debate over encryption in the wake of the attacks in Paris in calling on the president and Congress to find a balance between privacy and security. “We are firmly committed to the obligation we have to guard the personal privacy of the people we serve,” Stephenson wrote, according to a copy of the letter obtained by POLITICO. But “all companies must help law enforcement keep Americans safe by complying with valid court orders and legal warrants.” He called for a balance between competing interests but said it is up to policymakers, “not individual companies, to determine that balance.”

CAN’T BE DONE — Count venture capitalist Robert Ackerman among those who doubt anything will come of official Washington’s renewed interest in encrypted communications. The post-Paris calls for such systems to include a “backdoor” for the authorities – which have come from FBI Director James Comey and senior lawmakers in both parties — are doomed, says the founder of Palo Alto-based Allegis Capital. “Can you have a secure backdoor? The answer is emphatically ‘no,’” said Ackerman. “The bad guys are just as smart as the good guys. If there is a vulnerability, they will find it and exploit it.”

Ackerman has a window into the state of technology through his investments in companies such as Area 1 Security and Synack. The veteran investor, who shifted his portfolio about five years ago to a 100 percent focus on cybersecurity and related areas, says the encryption fuss is misplaced. “The technology is agnostic,” he said in a telephone interview. “It’s how do people use it.”

Ackerman also worries that the federal government lacks the needed know-how to work out the encryption puzzle. “This is an area of policy where you really need to understand the technology and the implications of what you’re doing,” he said. “And the expertise around that – there’s not an overabundance of that in the political environs in Washington, D.C.”

RECENTLY ON PRO CYBERSECURITY Sen. Susan Collins and other sponsors of a Cybersecurity Information Sharing Act provision requiring a plan to cope with cyberattacks against critical digital infrastructure are rebutting financial industry critics who call the provision a backdoor to new mandates: http://politico.pro/1NEhYUj. The FTC is appealing an administrative judge’s dismissal of its cybersecurity case against LabMD, a lab-testing company: http://politico.pro/1XCQu0R. The United States and European Union should agree by Dec. 17 on how to transfer data across the Atlantic, replacing a “safe harbor” pact struck down by a European court last month, a European commissioner said: http://politico.pro/1QQcJRL.

GOODLATTE PROMISES HEARING ON LEGAL ACCESS TO DATA ABROAD — House Judiciary Chairman Bob Goodlatte plans to call for a hearing on U.S. requests for data stored abroad at a hearing today on reforming the Electronic Communications Privacy Act. The question of whether ECPA allows U.S. law enforcement to issue warrants for customer emails that U.S. companies are storing abroad is at the center of a legal battle between Microsoft and the Justice Department, which awaits a ruling from the U.S. Court of Appeals for the Second Circuit. In the House, Judiciary Committee members Tom Marino and Suzan DelBene have introduced a bill that would limit the ability of U.S. agencies to access data about non-U.S. persons that’s housed overseas. Similar legislation has been introduced in the Senate.

HOUSE PASSES CYBERCRIME BILL — The House on Monday passed on a voice vote legislation requiring the Secret Service to provide education and training to state and local investigators responsible for investigating cybercrimes. The Strengthening State and Local Cyber Crime Fighting Act also gives the service authority to provide law enforcement, prosecutors and judges with tools to aid such investigations. House Judiciary Chairman Bob Goodlatte praised the passage in a statement and urged the Senate to take up the bill.

COMPUTER FRAUD ACT — Legal scholar Orin Kerr has a new theory about ways to improve application of the Computer Fraud and Abuse Act. The main anti-hacking law is a security researcher’s nightmare, used to prosecute actions that don’t always correspond to the common understanding of computer hacking. A key problem: Although the law criminalizes unauthorized access to a computer, it doesn’t define “authorization.”

Kerr, a law professor at George Washington University and one of the nation’s foremost scholars of the anti-hacking law, suggests applying societal norms from the physical world to cyberspace. Whether a physical trespass occurs in the real world depends on “social understandings about access rights drawn from different signals within the relevant space,” he writes in a new paper. So too in cyberspace.

Kerr writes that if a computer resource such as a website is made publicly available to any user without an obstacle such as a password-controlled logon, the website owner has effectively granted authorization. Terms of service have no bearing on authorization, since “access regulated by written terms is not authenticated access.”

But computer users who repeatedly are prevented from accessing a Wi-Fi network and then create a new account to circumvent the ban risk crossing into unauthorized use. If the ban is meant as a signal to cease a particular behavior, the user could avoid trespass by conforming to the network owner’s expectations through a new account. But “when the ban would be reasonably interpreted as ‘go away and never come back,’ creating another account is unauthorized,” Kerr writes.

Computer luminary Aaron Swartz, for example, crossed into trespass in 2011 by repeatedly logging onto the Massachusetts Institute of Technology’s Wi-Fi network with the intent of continuing the prohibited behavior that got him knocked off, Kerr says. 



By: Joseph Marks

With help from David J. Lynch, David Perera and Tim Starks

“Chinese in D.C. for cyber talks.” Politico, 1 Dec 2015. Web. 8 Jan 2016.





A $150 Million Dollar Cybersecurity Rocket Launcher


Allegis Capital says investing in cybersecurity isn’t for newcomers.
And Allegis is no newbie to security.


by Steve Morgan, Founder & CEO Cybersecurity Ventures, Sandhill.com – Sept 14, 2015 – If you haven’t heard of Allegis, then hear this: they recently closed on $100 million for a fund that is investing in cybersecurity startups. The Wall Street Journal reported that the fund’s target is about $150 million. That’s some serious rocket fuel about to be poured into young cybersecurity companies.

Based in Palo Alto, Calif., Allegis Capital is a VC firm that invests in early-stage, large-market opportunity cyber businesses.

One of Allegis’ target markets is IoT security. The Internet of Things security market is expected to grow from $6.89 billion in 2015 to $28.90 billion by 2020, according to a report from Markets and Markets. Research and advisory firm Technavio’s analysts forecast the global IoT security market to grow at a CAGR of nearly 55 percent over the period 2014 to 2019.

Another target market for the firm is security analytics, a market expected to be worth $3.22 billion globally by 2018, according to Markets and Markets. There’s a lot of headroom for growth in the big data and analytics market, which will reach $125 billion worldwide in 2015, according to research firm IDC. Big data analytics tools have emerged as the first line of defense for protecting corporate networks.


Experience Matters for Security Startups – Venture Capital Series Part 3


Vic Wheatman Speaks with Robert Ackerman of Allegis Capital

The level of venture capital financing has hit new heights with increasing investments in information security. Some venture capitalists (VCs) specialize in finding and funding startups in security, which is a unique segment within technology. What does this mean for security startups? And how does an investor’s perspective impact Chief Information Security Officers?

In part one of a three-part series, Security Current’s Vic Wheatman speaks with Robert Ackerman, founder and managing director of Allegis Capital about the current state of VC funding and the burgeoning security field.


Experience Matters for Security Startups – Venture Capital Series Part 2


Vic Wheatman Speaks with Robert Ackerman of Allegis Capital

The level of venture capital financing has hit new heights with increasing investments in information security. Some venture capitalists (VCs) specialize in finding and funding startups in security, which is a unique segment within technology. What does this mean for security startups? And how does an investor’s perspective impact Chief Information Security Officers?

In part one of a three-part series, Security Current’s Vic Wheatman speaks with Robert Ackerman, founder and managing director of Allegis Capital about the current state of VC funding and the burgeoning security field.
