After nearly 20 years of trying and billions of dollars in investment, why are organizations are still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons: It’s not just a technical problem The rules of cyberspace are different from the physical world’s Cybersecurity law, policy, and practice are not yet fully developed The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account. Differing Rules in Cyberspace Cyberspace operates according to different rules than the physical world. I don’t mean the social “rules” but rather the physics and math of cyberspace. The nodal nature of a light-speed network means that concepts like distance, borders, and proximity all operate differently, which has profound implications for security. First, with distances greatly reduced, threats can literally come from anywhere and from any actor. Second, the borders in cyberspace don’t follow the same lines we have imposed on the physical world; instead they are marked by routers, firewalls, and other gateways. Proximity is a matter of who’s connected along what paths, not their physical location. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. As a result, our physical-world mental models simply won’t work in cyberspace. For example, in the physical world, we assign the federal government the task of border security. But given the physics of cyberspace, everyone’s network is at the border. If everyone lives and works right on the border, how can we assign border security solely to the federal government? In the physical world, crime is local — you have to be at a location to steal an object, so police have jurisdictions based on physical boundaries. But in cyberspace you can be anywhere and carry out the action, so local police jurisdictions don’t work very well. The same principles of cyberspace that allow businesses to reach their customers directly also allow bad guys to reach businesses directly. Yet you can’t have governments get in the way of the latter without also getting in the way of the former. Sharing information among people at human speed may work in many physical contexts, but it clearly falls short in cyberspace. As long we continue to try to map physical-world models onto cyberspace, they will fall short in some fashion. Legal and Policy Frameworks Next, cyberspace is still very new from a legal and policy point of view. In the modern form, the internet and cyberspace have existed for only about 25 years and have constantly changed over that time period. Therefore, we have not developed the comprehensive frameworks we need. In fact, we don’t yet have clear answers to key questions: What is the right division of responsibility between governments and the private sector in terms of defense? What standard of care should we expect companies to exercise in handling our data? How should regulators approach cybersecurity in their industries? What actions are acceptable for governments, companies, and individuals to take and which actions are not? Who is responsible for software flaws? How do we hold individuals and organizations accountable across international boundaries? Some answers are beginning to emerge. For example, we should not expect the federal government to protect every business from all online threats all the time — it’s simply not practical, nor is it desirable, because it would significantly impact the way we’re able to do business. On the other hand, we can hardly expect most organizations to thwart the activities of sophisticated nation-state actors. So how do we resolve this dilemma? Perhaps we should borrow concepts from the disaster response world, and divide responsibility in a fluid manner that adapts over time in response to changing circumstances. In disaster response, preparedness and initial response reside at the local level; if a given incident overwhelms or threatens to overwhelm local responders, then steadily higher levels of government can step in. We could apply these principles to allocating responsibility in cyberspace — businesses and organizations remain responsible for securing their own networks, up to a point. But if it becomes clear that a nation-state is involved, or even if the federal government merely suspects that a nation-state is involved, then the federal government would start bringing its capabilities to bear. Fully answering these questions is the key cybersecurity policy task for the next five to 10 years. As long as we treat cybersecurity as a technical problem that should have easy technical solutions, we will continue to fail. If we instead develop solutions that address the reasons why cybersecurity is a hard problem, then we will make progress. The Cyber Threat Alliance (CTA) is just one example of this approach (disclosure: I’m the president of CTA). A little over two years ago, a group of cybersecurity practitioners from several organizations concluded that the industry’s operational model was not producing the desired results and decided to adopt a new one — to work together in good faith to begin sharing threat information in an automated fashion, with everyone contributing to the system, and with the context of threats being given a lot more weight. CTA’s structure is an attempt to deal with the known flaws in existing information sharing efforts. If we can continue to innovate in this manner, we can finally begin to make some progress against this seemingly intractable problem.
Вы ещё не верите в будущее и в будущую цифровую экономику? Зря. Говорят, что сегодня форум в Нью-Йорке по ETHEREUM. Крупные компании собираются вложиться. В пятницу писал про эфириум smart-lab.ru/blog/399212.php Скрин с пятницы В пятницу уже было страшно покупать и хотелось скинуть по той цене. Но за субботу и воскресение рост ещё на 30% и сегодня ещё на на 14% Уже 16 концов за квартал!!! Одна тысяча долларов превратилась в 16.000$ Это покруче опционов будет! Чую, скоро все крипты должны рухнуть ))) мой совет: покупать только на те деньги, которые не жалко потерять!!! Для меня это аналог опционов )))) я в ETORO на счету жены покупал )) есть и другие места P.S. Чую, в скором времени и на нашей бирже они появятся )))) Кто считает это казино, прошу прочитать статейку — forklog.com/microsoft-intel-i-accenture-voshli-v-sostav-enterprise-ethereum-alliance/ Спустя час после написания поста ))))))))) 9 июня, я проведу бесплатный, обучающий, 9-ти часовой мастер-класс на московской бирже, регистрация по ссылке — https://www.finam.ru/services/promo00141/
Мария Гусева, cтарший эксперт практики Управленческий консалтинг Accenture и Михаил Аммосов, директор-эксперт финансовой практики, рассказали Bankir.Ru о развитии направления робоэдвайзинга в Wealth Management и о том, как снижение себестоимости сервиса сделает частные инвестиции массовым продуктом.
Cyberattacks cost companies an estimated half a trillion dollars in damages every year. The main reason they can harm companies to such a staggering degree is that today’s cybersecurity systems use centralized monitoring, with little beyond their main firewalls to protect the rest of an organization. As a result, when companies are hacked, it can take days for information technology teams to isolate infected systems, remove malicious code, and restore business continuity. By the time they identify, assess, and resolve the incident, the malicious code has usually proliferated, almost without limit, across any connected or even tangentially related systems, giving hackers even more time to access sensitive data and to cause malfunctions. To stay ahead of new intrusion techniques, companies need to adopt decentralized cybersecurity architectures, armed with intelligent mechanisms that will either automatically disconnect from a breached system or default to a “safe mode” that will enable them to operate at a reduced level until the effects of cyberattacks can be contained and corrected. Like the general security systems at high-risk sites such as nuclear power plants, companies require multiple layers of redundant safety mechanisms and cybernetic control systems. The goal should be to create “air pockets,” with neither direct nor indirect internet connections, that can protect critical equipment and internet-connected devices. Every company’s cybersecurity program will have unique attributes, but there are several fundamentals to this decentralized architecture that can help companies shift the balance of power away from the attackers. Detection Even the most expertly designed cyber architecture is useless if it can’t detect and understand the threats it faces. Companies are experiencing more cyber viral outbreaks because they often can’t even detect them until it is too late. Today’s cybersecurity systems have been built to detect previously identified malicious codes and malware. But cyberattacks are morphing so fast that threat patterns are unpredictable. To identify and mitigate evolving new attack scenarios, security systems need to search for anomalies, analyze the probability that they are hostile acts, and incorporate them into a continually expanding list of possibilities. This level of detection should be carried out by components on many different levels to cover the multitude of devices and system components connected to the internet and physical environments. Together, these form several layers of cybernetic systems that can identify unknown and new forms of attacks by comparing what they understand to be their normal, uncompromised state — both on their own and in combination with other systems. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. Rather than reacting to a defined set of indicators, these systems detect and react to irregularities in data flows, involving anything from the amount, type, origination, or timing of data. For example, to determine whether someone should be locked out of an online bank account, some banks’ cybersecurity systems are starting to use artificially intelligent technology to compare how a person normally types or uses their computer mouse. Harm Reduction The next step is to make sure that decentralized, intelligent systems minimize the impact of attacks by independently starting a protocol that takes potentially compromised systems offline, disconnects them from other critical equipment, or locks them into a safe mode. Current cybersecurity systems usually trigger an alert if they have identified a specific attack. But they continue to operate and communicate with other systems until information technology teams shut them down and correct the malfunction. Secure-by-Design Finally, all companies’ products will eventually have to become secure-by-design. So far, it seems that companies pay little heed to cybersecurity during product development. That needs to change. Hackers have remotely accessed and controlled everything from network-connected electricity “smart meters” to security cameras. In 2015 Chrysler announced a recall for 1.4 million vehicles after a pair of cybersecurity researchers demonstrated that they could remotely hijack a Jeep’s digital systems over the internet. In Germany, nearly one million homes suffered brief internet outages in 2016 after criminals gained access to and remotely shut down their internet routers. The U.S. Food and Drug Administration warns that medical devices connected to hospital networks, other medical devices, and smartphones — such as implantable heart monitors — are now at risk of remote tampering that could deplete devices’ batteries or result in inappropriate pacing or shocks. Companies need to build kill switches, safe modes, and encryptions into their products during development. This will protect not only the companies’ systems but also their customers’. Apple, for example, installs layers of data encryption into its products and will permit customers to run only Apple-approved software programs on their devices. Such practices need to become standard operating procedure across all industries. Stopping cyberattacks will never be cheap or easy. Developing decentralized, intelligent cybersecurity systems will likely happen in fits and starts as devices learn through trial and error not to react to false positives or to go into safe mode more often than is necessary. Managers will have to show leadership, since most customers remain unaware of the extent that cyber risks now pose a threat to the products in their possession, and so are likely to be impatient with glitches and delays. The good news is that the technology exists to make good cybersecurity a reality. Decentralized, intelligent systems can significantly decrease the risk of cyberattacks and minimize their damage. The savings will be enormous.
One stock that investors need to hold on to right now is Broadridge Financial Solutions Inc. (BR).
When the focus of client efforts center on a platform like ServiceNow, the offerings are now able to cut across many different horizontal practice areas, bringing what were disparate organizational silos into a more customer and employee-focused, consumerized whole.
VALIC Company I Large Capital Growth Fund (VLCGX) seeks to provide current income combined with moderate growth of capital
As the scale and complexity of the cyber threat landscape is revealed, so too is the general lack of cybersecurity readiness in organizations, even those that spend hundreds of millions of dollars on state-of-the-art technology. Investors who have flooded the cybersecurity market in search for the next software “unicorn” have yet to realize that when it comes to a risk as complex as this one, there is no panacea — certainly not one that depends on technology alone. Spending millions on security technology can certainly make an executive feel safe. But the major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris. These human forms of malware can be present in any organization and are every bit as dangerous as threats delivered through malicious code. With any cyber threat, the first and last line of defense is prepared leaders and employees, whether they are inside an organization or part of an interconnected supply chain. And yet organizational leadership all too often demonstrates outright technology torpitude. An unprepared, lethargic leadership only amplifies the consequences of a security breach. The scale of the Yahoo breach disclosed in 2016, combined with the fumbling response, cost the company and its shareholders $350 million in its merger with Verizon and nearly scuttled the entire deal. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. To prepare for and prevent the cyberattacks of the future, firms need to balance technological deterrents and tripwires with agile, human-centered defenses. These vigorous, people-centric efforts must go beyond the oft-discussed “tone at the top” — it must include a proactive leadership approach with faster, sharper decision making. As cyber threats grow exponentially, comprehensive risk management is now a board-level priority. Indeed, the iconic investor Warren Buffett highlighted cyber risk as one of the gravest concerns facing humanity during Berkshire Hathaway’s annual meeting. Firms must recognize and react to three uncomfortable truths. First, cyber risk evolves according to Moore’s Law. That’s a major reason that technology solutions alone can never keep pace with dynamic cyber threats. Second, as with all threat management, defense is a much harder role to play than offense. The offensive players only need to win once to wreak incalculable havoc on an enterprise. Third, and worst yet, attackers have patience and latency on their side. Firms can be lulled into a dangerous state of complacency by their defensive technologies, firewalls, and assurances of perfect cyber hygiene. The danger is in thinking that these risks can be perfectly “managed” through some sort of comprehensive defense system. It’s better to assume your defenses will be breached and to train your people in what to do when that happens. Instead of “risk management,” we propose thinking of it as “risk agility.” The agile enterprise equips all organizational layers with decision guideposts and boundaries to set thresholds of risk tolerance. All employees should not only understand what is expected of them regarding company policy and online behavior but also be trained to recognize nefarious or suspicious activity. The key attribute, particularly when it relates to cyber risk, is the concept of sense something, do something, which makes all people in an organization a part of a “neural safety network.” For example, the defense against the SWIFT banking hack, which saw some $81 million be stolen, was launched by an alert banking clerk in Germany who recognized a misspelling. When we say all employees have to be risk agile, we mean all. C-level executives, board directors, shareholders, and other senior leaders must not only invest in training for their firm’s own employees but also consider how to evaluate and inform the outsiders upon whom their businesses rely — contractors, consultants, and vendors in their supply chains. Such third parties with access to company networks have enabled high-profile breaches, including Target and Home Depot, among others. A skeptical executive could push back on this idea — won’t that cost a lot? The fact is, cybersecurity training is vastly undercapitalized, and the lack of investment in quality cyber education programs is manifest in the sheer volume of breaches that continue to be rooted in human failure. Worse, the volume of breaches is woefully underreported — even when they are identified early because firms are reluctant to amplify reputation risk. In a 2016 survey conducted by CSO magazine and the CERT Division of the Software Engineering Institute of Carnegie Mellon University, respondents reported that insiders were the source of “50% of incidents where private or sensitive information was unintentionally exposed.” Insider threats can include malicious activities but also mistakes by employees, such as falling for a phishing scam. In short, there will be some investment required in enhancing personnel readiness. But it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete. To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver. Moreover, businesses slow to adopt stronger security measures may find themselves pushed into it by regulators. The latest regulations promulgated by the New York State Department of Financial Services, for example, requires that covered businesses “provide regular cybersecurity awareness training for all personnel.” This is just the tip of the iceberg of what is likely to come from other states and government agencies around the world, which are increasingly harmonizing their view of a “carrots and sticks” approach to cybersecurity compliance. Artificial intelligence, machine learning, and self-teaching algorithms may represent the latest trends in hot IT investments, but technology exists for and is utilized by people. Corporate leaders would be wise to understand that the future of cybersecurity lies not in a single-pronged approach or miracle tool but in solutions that recognize the importance of layering human readiness on top of technological defenses.
When it comes to AI in the workplace, the class of 2017 embraces it with open arms. Released just in time for commencement season, new survey research from Accenture indicates that two-thirds of new grads feel positively about AI and its ability to enhance their working lives.
On Friday, a major cyber attack hit health systems around the world. In Britain, where the attack affected hospital IT systems, doctors were unable to access patient records. Ambulances were diverted and emergency care delayed. Unfortunately, attacking hospital IT systems is just the tip of the iceberg when it comes to cyber vulnerabilities in the health care sector. Hacks of implanted or wearable medical devices are an even more sobering threat. Researchers in Belgium and the UK have demonstrated that it’s possible to transmit life-threatening (if not fatal) signals to implanted medical devices such as pacemakers, defibrillators, and insulin pumps. A catheter lab in a Virginia facility was temporarily closed when malware was discovered on the computers supporting cardiac surgery. In three other similar cases, malware capable of opening up “backdoor” access to a hospital’s IT network was found in software residing on X-ray, blood gas analyzer, and communications devices. More recently, researchers investigating cybersecurity of medical devices provided the Center for Devices and Radiological Health at the Food and Drug Administration (FDA) with a list of specific medical device vulnerabilities identified through their ongoing work, and just last year two commercial vendors revealed vulnerabilities in insulin pumps and a nursing inventory supply system that could compromise care and provide covert network access. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. Such devices are becoming more and more common in health care. Spurred by an aging population, increases in chronic disease, and technological breakthroughs, the electronic medical device market is poised to reach an estimated $398 billion in 2017. But while the market expands at an expected rate of 3% per year until at least 2022, hospital IT networks remain slow to address longstanding cybersecurity challenges that raise both privacy and potentially fatal health concerns. Surveys of health IT leaders reveal that much of their cybersecurity budgets will remain focused on securing enterprise networks through infrastructure, datacenter, and cloud security, while emerging government and industry regulatory frameworks provide only guidance without meaningful penalties, making it easy for health system IT leaders to deprioritize the risks presented by medical devices. Moreover, a major challenge is the continued presence in the marketplace of devices manufactured before 2014, when the FDA’s guidance was issued. (For example, in 2013, the average age of an MRI scanner in the U.S. was 11.4 years.) There are, however, some basic steps that hospital CIOs can take to reduce their risk and protect patients, devices, networks, and data: Assess device cybersecurity during procurement. Assess these risks on par with clinical efficacy. Talk openly with vendors about concerns and expectations if vulnerabilities are identified in the future. In 2014 the International Organization for Standardization developed guidelines for the disclosure of potential vulnerabilities in products. It’s important to get familiar and incorporate appropriate aspects into your policies and procedures, and keep your eye out for a revised standard in 2019. Require basic cyber hygiene. End user workarounds and shadow IT groups undermine even the best security architecture and policies. Proactively engage end users to avoid nonadherence to security policies. Ensure that bring-your-own-device policies, procedures, and systems have the same level of protection as networked devices. The aforementioned HIMSS survey found that only 56.3% acute and 35.5% nonacute were actively deploying significant mobile device management protocols. Finally, require the use of antivirus and antimalware software. A 2016 HIMSS survey found that only 84% acute and 90% nonacute providers are using these first-line defenses. IT managers should think like care providers: Preventing an infection is better than treating one. Proactively access risks and patch vulnerabilities. Focus in particular on legacy devices and work directly with manufacturers and suppliers to bring every device up to date ASAP. In late 2016 the FDA provided helpful but nonbinding guidance for devices already approved and in the field. It provides a reasonable framework for assessing cybersecurity risk across the product life cycle. They also give specific direction about how to address an identified cybersecurity risk across the entire health IT ecosystem without alarming patients and providers or tipping off would-be hackers and others interested in exploiting a known vulnerability. The most significant guideline is the FDA’s statement that manufacturers can reach back and fix security issues without having to resubmit a device for recertification. Prior to this explicit guidance, many manufacturers were reluctant to make changes that could be seen as fundamental alteration, which triggers the need for recertification. Stay alert and informed. In 2013, Executive Order 13961 established a series of Information Sharing and Analysis Organizations and Centers to encourage the formation of voluntary communities that can securely share information across a region or industry in response to emerging threats. Membership includes secure notifications of emerging threats and access to leaders at many major device manufacturing firms and trusted vendors whose products, manufacturing, and post-market response processes meet certain criteria. The cost of participating is minimal when compared to the financial and public relations cost of mopping up an avoidable breach. Hospital CIOs clearly recognize that networked medical and wearable devices present security soft spots. However, with limited resources and a host of new regulatory and business challenges to prioritize, reducing the threats presented by medical devices is very likely remain low on their lists. Cybersecurity remains secondary to medical purpose, even if cybersecurity could result in severe injury or death. Without actual penalties for noncompliance, it’s unclear whether device risks will rise above other competing health IT priorities. Patients deserve better.
For years major businesses have contended with hackers attempting to break into their networks and steal their data. In the recent past, that threat mostly emanated from China. Now, a new threat has emerged that companies must address: a savvy, resource-rich, risk-taking gang of hackers with ties to Russia. If the Chinese were the drunk burglars of cyberspace (to quote former FBI director James Comey), these Russians are stone-cold sober thugs. On the geopolitical stage, Russian hackers have been busy: Their targets have included Estonia (using overwhelming denial-of-service attacks), Georgia (supporting ground operations with cyber operations), Germany (achieving unauthorized access to servers in the legislature), and the United States (stealing data from the Democratic National Committee and emails from John Podesta). But with the U.S. Department of Justice’s (DOJ) indictment of four Russian hackers for breaching Yahoo, the U.S. government is now on record that Russia’s targets are not just geopolitical — businesses are very much at risk as well. How does the Russian cyber threat (regardless of the Russian government’s involvement) affect your business, and what can you do about it? Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. Motives The motivations behind Russian hackers are the most diverse of any team with government connections. In recent years, the Chinese frequently stole sensitive commercial data, such as intellectual property, to gain competitive advantages for their state-owned enterprises. The North Koreans lashed out against Sony Pictures to protest a not-quite-Oscar-worthy film that featured the dramatic death of Kim Jong-un. As noted above, the Russians have attacked in cyberspace to further their geopolitical interests, but their hacking activities also form an integral part of a more sophisticated criminal enterprise, bent on extortion and profiteering. The Russian security services have extensive ties with the criminal underworld, and whether their hackers are working for the government or the mob can at times be a meaningless distinction. As highlighted in the DOJ indictment, sometimes the Russian government will target businesses to further its intelligence activities. Other times, it will work with criminal elements for criminal purposes. As a result, businesses and governments are both targets. The upshot: Your business can become a target not because these hackers see intrinsic value in your data, but because you may be a comparatively easy target. Costs After breaches at Target and Home Depot, boards were put on notice that cybersecurity was a cost to be internalized going forward. Credit monitoring for victims was only one of a myriad of expenses for which to account. Other expenses included hiring outside cyber forensics experts to expel hackers from networks, and recruiting experienced chief information security officers to keep the business secure. But the Russian attack on Yahoo revealed how these kinds of attacks can have severe indirect costs as well: Verizon reached new terms for its acquisition of Yahoo and exacted a $350 million discount toward its purchase price because of the Russian hacks. These hackers also modified Yahoo’s search engine results to further their own criminal goals. Such a significant M&A haircut and risk to Yahoo’s core product, all because of a cyber intrusion, should motivate businesses to double down on proactive efforts to improve cybersecurity before incidents occur. Related Video Boards Neglect Cybersecurity at Their Companies’ Peril The average breach costs around $4 million. Save Share See More Videos > See More Videos > Tactics The techniques in the Russian hacker tool kit are diverse. But just because Russian hackers can bring their A-game to a cyber fight does not mean they always need to. Even the most sophisticated hackers will default to unsophisticated techniques if those prove the easiest and cheapest way in. In their breach of Yahoo, they employed the delicious-sounding tactic of “cookie minting”, a way to gain access to an account without being challenged for typical authentication checks, like a password, as one part of their operation. Yet the tried-and-true junior-varsity tactic of spear phishing once again seems to have positioned the attackers for success. Your business already should have been focusing on blocking junior-varsity attacks for the last several years; now it will also need to account for more creative, varsity-level attacks, which will require experience, patience, and vigilance to counter. Protecting your business from this evolving threat will not be easy, but it need not require magical defensive prowess. Consider the following approaches: Get your priorities straight. Trying to protect all your data, systems, and networks from all forms of malicious cyber activity? Forget it. The first step to any defensive approach is to determine which assets must be defended. What data is so critical to your company that unauthorized access to it would be a disaster? What data must be available 24/7/365? What data do you need to store? If your answer is “all of it,” you’re doing security wrong. Presume you will be breached. You should hold your cybersecurity team (you know who they are, right?) accountable for ensuring compliance with fundamental standards for information security. But while compliance remains crucial, it is entirely insufficient to address a threat landscape that rapidly evolves. Assume that compliance is imperfect and that an adversary is already exploiting this imperfection. Investing in your company’s resilience in the face of cyberattacks that target your top priorities will be critical. What resilience looks like depends on the type of work you do and on your priorities. For example, if there is a particular system whose availability is required 24/7/365, have you tested fallback mechanisms and backups? Have a strategic communications plan. When you confirm that your company has in fact been breached, you will need to determine what to say, to whom, and how. Plan this ahead of time. Do not wait until you are in the midst of a cyberattack to brainstorm how, what, and when to communicate with your board, your shareholders, and your clients. You need not account for every contingency, but you can begin by ordering research on how other companies have managed (or failed to manage) the strategic communications aspect of a cyberattack. Know that there is safety in numbers. You are not alone. If criminal hackers are victimizing your company, chances are good that they are after others proximate to your company as well. Information sharing has long been a talking point for cybersecurity evangelists. But most of the time the shared information is untimely and unhelpful. So look at how participation in initiatives like Facebook’s Threat Exchange service can help your company not just gain access to relevant and timely information but also act on it before it is too late. Form relationships with law enforcement. Working with law enforcement is not a short-term solution for most companies’ cybersecurity challenges. Businesses often describe their relationship with law enforcement on cybersecurity as “give-and-take” — the companies give information, and law enforcement takes it and then disappears. But we can see a change in its approach to cyber criminals: The U.S. Justice Department has worked with victims on multiple indictments, even against state-sponsored and resourced hackers. And in certain situations the FBI can tip off a company to a threat the firm may not be aware of. Never bet the farm that the government will protect your business from a cyberattack, but be open to and prepared for the day when it might give you some news you can use to protect yourself. What’s a business to do, given the threats described here? Believe it or not, the information security issues associated with cybercrime are not all that new, even though the Russian connection to it is now more overt. Don’t freak out. But do get serious. Gone are the days when the only risk was having sensitive data stolen. Progress begins with you — what data and which systems are most important to your company? Prioritize from there. You can’t build perfect walls, and there is no silver bullet in cybersecurity, so don’t let your CIO or CISO tell you otherwise. You’ll need a diversity of approaches, and those approaches will have to evolve over time. If you didn’t believe it already, believe it now: The cyber threat has arrived as a clear and present risk to businesses today, and addressing it will become a growing cost of doing business.
Broadridge Financial Solutions Inc. (BR) reported better-than-expected third-quarter fiscal 2017 results.
Passwords have become a ubiquitous requirement for consumers who want to perform any online activity in a secure environment. It’s safe to say that most of us are overwhelmed by the plethora of passwords (and associated security questions and protocols) we must keep track of just to access our online accounts. It’s become abundantly clear that passwords are an untenable way to secure our data online. And asking your customers to keep track of complicated log-in information is a terrible user experience. Even when transactions require a two-step verification process — say, a text message delivering a code to unlock your account — there is no guarantee that the information is safe from the prying eyes (and fingers) of sophisticated thieves, hackers and other bad actors, who can easily use “digital signature” patterns to latch onto correct answers, break into people’s accounts, and steal sensitive personal information. Several recent instances of thieves hacking into IT systems at major corporations and cracking customer passwords to steal identifiable personal information underscore a vulnerability where even the most complex passwords provide very little protection. The threat to security when relying on passwords is one reason businesses are increasingly migrating to biometric systems. Identity verification through biometrics can ensure greater security for personal information, while also providing customers with a more seamless experience in the digital environment of smartphones, tablets, sensors, and other devices. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. What makes biometrics so special is that they are industry agnostic. No matter the technology or device — e.g., fingerprint readers, retinal eye scanners, voice recognition systems, hand geometry, facial recognition, or even a new, “selfie”-based authentication method that MasterCard and USAA have rolled out — the idea is to verify someone’s identity with a high degree of assurance by tying it to multiple mechanisms at once, known as biometric modalities. These modalities, when used in concert, can provide a significantly safer environment for the customer, and are much easier to use. Biometrics are also harder to manipulate than passwords and other two-step verification processes. While a bad actor could feasibly gain access to your thumbprint on the specific device it is stored on or to your digital voiceprint, if an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app. While this system is a much safer alternative to passwords, executives who are engineering new digital products, apps, and websites will need to find the right balance between security requirements and user experience. This is easier said than done, especially in an environment where customers expect to be able to interact with your product on multiple digital devices. In our experience and advisory work with clients, we’ve frequently observed companies using a one-size-fits-all approach to the user security experience. When businesses invest in one particular type of biometrics (e.g., thumbprint or facial recognition), there is a tendency to force all of their customers into the same “digital straitjacket.” This offers users no choice in information security. One customer might be very comfortable in using their thumbprint to open social media apps, while another might flat-out refuse. When a company offers only one option, it severely limits its reach. A much better approach is to rethink security from a user’s perspective, offering personalized options. Consider this example of an omnichannel biometric security experience. Let’s say that a customer uses their thumbprint to log in to their mobile banking app, which knows that the customer is standing only a few feet away from the ATM. Based on the user’s known preference, the app can either ask if the person would like to withdraw money at that ATM or ask them to proceed to the machine and authenticate the traditional way, with chip card and pin. The customer may also want this preference to change based on the dollar amount they would like to withdraw. For example, if under $200, they may feel comfortable with the mobile banking app withdrawing money at the machine. But they may consider a larger amount to be a riskier transaction, and in such cases may prefer the security of inserting the chip-enabled card and entering a PIN into the ATM. It’s all about delivering a seamless digital experience, aligned to the preferences of individual customers, that combines speed, accuracy, safety, and ease of use. Cyberattacks and fraudulent transactions are increasing in their sophistication and impact, making the balance between customer experience and security more complex and more challenging than ever. Ensuring the proper balance between security requirements and customer experience is key to driving the optimal digital experience and, ultimately, the right business outcomes. Our research has shown that customers are more likely to stay with a company — or switch to another company — that offers better security and transparent communications around how they approach security and remediate problems. Client-centric security experiences can create value for customers by giving users what they expect from digital security: the ease and convenience of doing business seamlessly in a safe environment.
In a move to further enhance shareholder's wealth, DST Systems, Inc.'s (DST) board of directors recently approved a new share repurchase program and increased the quarterly cash dividend rate.
Cyberattacks are unavoidable, but we’re not going to stop using computerized systems. Instead, we should be preparing for the inevitable, including a major cyberattack on power grids and other essential systems. This requires the ability to anticipate not only an unprecedented event but also the ripple effects that it could cause. Here’s an example of second-order effects (though not caused by a cyberattack, they’re a good way to think through what could happen in an attack). In February 2017, an area of Wyoming was hit by a strong wind storm that knocked down many power lines. It took about a week to restore power, due to heavy snow and frozen ground. Initially, water and sewage treatment continued with backup generators. But the pumps that moved sewage from low-lying areas to the treatment plants on higher ground were not designed to have generators, since they could hold several days’ worth of waste. After three days with no power, they started backing up. The water then had to be cut off to prevent backed-up waste water from getting into homes. The area had never lost power for so long, so no one had anticipated such a scenario. Related Video Boards Neglect Cybersecurity at Their Companies’ Peril The average breach costs around $4 million. Save Share See More Videos > See More Videos > Now think about what would happen if a cyberattack brought down the power grid in New York, for example. New Yorkers could manage for a few hours, maybe a few days, but what would happen if the outage lasted a week or more? For an example of the kind of disruption such an attack could cause, consider the 2011 Japanese tsunami. It knocked out both the power lines and the backup generators at the same time. Either event could have been managed, but both occurring at the same time was a disaster. Without power, the cooling systems in three nuclear reactors failed, resulting in massive radiation exposure and concerns about the safety of food and water. The lesson: We need to prepare not only for an unexpected event but also for the possible secondary effects. Based on conversations I’ve had with experts in the field, preparedness for a major cyberattack like this is low, regardless of whether you’re talking about the regional or city level, or the private sector. As Lawrence Susskind, a professor in MIT’s urban systems department, described it to me, “Millions…could be left with no electricity, no water, no public transportation, and no waste disposal for weeks (or even months)…. No one can protect critical urban infrastructure on their own. Nobody, though, is showing any leadership.” In our research consortium at MIT Sloan, we have been studying ways that massive physical damage can happen to power grids and other industrial control systems through a cyberattack. The potential for massive damage is alarming, to say the least. The scenario of losing power for a long time — weeks or even months — is not unthinkable. We went through this recently at MIT when the institute’s cogeneration facility had a turbine failure. It wasn’t due to a cyberattack, but rather to a mechanical failure from a defective nozzle. It took three months to source the necessary parts from Germany and fix the turbine, even though the possibility of such a failure was more likely to be expected than a first-of-its-kind cyberattack might be. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. You may be wondering why a major cyberattack of this nature hasn’t already occurred. There are three necessary conditions for it to happen: opportunity, capability, and motivation. There are plenty of opportunities to launch a cyberattack, as Iran learned when its uranium enrichment facility was attacked by Stuxnet. There is also plenty of capability out there. As I sometimes say, “The good guys are getting better, but the bad guys are getting badder faster.” The tools to accomplish attacks are increasingly available on the dark web at decreasing costs, including troves of cyber tools stolen from the NSA and CIA. Just look at the Ukraine power grid attack in 2015, where the attackers used several different techniques, such as spear phishing and denial-of-service attacks, that were all readily available on the black market of the internet. So, our saving grace at the moment is motivation. While there are some state actors who might want to shut down a major power grid in another country, the possibility of retaliation acts as a deterrent. But that equation changes when you consider actors like North Korea or ISIS, or any disgruntled group in the world that might proceed regardless of the consequences. Even criminals are an increasing risk. Here in the Boston area, we have seen ransomware attacks on local police departments. How much “protection” might the governor pay to prevent a state-wide shutdown of essential services like power generation? Questions we should all be asking include: If the power grid is breached and all the electric-start generators fail too, what do we do? What’s the backup plan for the backup plan? What happens to our food supply? Our water supply? Our sewer systems? Our financial systems? Our economy? When it comes to being prepared for a significant cyberattack, there are three essential elements. Some are actions that we can take on our own, such as having backups in place for key systems and for secondary systems. Some are actions best undertaken by government, such as guidance on the important steps to take when a major cyberattack happens. Finally, there are things that require public-private collaboration. For example, the NIST Cybersecurity Framework provides companies with guidelines on cyber protection, but companies need to determine what actions to take. Much more is needed, beyond the current NIST framework, to address the specific threats that I have described. This isn’t rocket science. But it does involve systems-level thinking about how everything is connected, and considering the layers of interdependencies. For example, hospitals might have backup generators, but what about the supply line for refueling? If the refueling stations need electricity to operate pumps, what is the plan? A few states, including Florida, have introduced regulations to address this concern, but only for outages of 72 hours. We need innovative, systems-level thinking — and a sense of urgency — to mitigate the impact of a major cyberattack. And we need it now.
Broadridge Financial Solutions Inc. (BR) is set to report third-quarter 2017 results on May 10.
In the near future, as artificial intelligence (AI) systems become more capable, we will begin to see more automated and increasingly sophisticated social engineering attacks. The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars. My research is at the intersection of AI and cybersecurity. In particular, I am researching how we can protect AI systems from bad actors, as well as how we can protect people from failed or malevolent AI. This work falls into a larger framework of AI safety, attempts to create AI that is exceedingly capable but also safe and beneficial. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. A lot has been written about problems that might arise with the arrival of “true AI,” either as a direct impact of such inventions or because of a programmer’s error. However, intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible. According to Bostrom’s orthogonality thesis, an AI system can potentially have any combination of intelligence and goals. Such goals can be introduced either through the initial design or through hacking, or introduced later, in case of an off-the-shelf software — “just add your own goals.” Consequently, depending on whose bidding the system is doing (governments, corporations, sociopaths, dictators, military industrial complexes, terrorists, etc.), it may attempt to inflict damage that’s unprecedented in the history of humankind — or that’s perhaps inspired by previous events. Even today, AI can be used to defend and to attack cyber infrastructure, as well as to increase the attack surface that hackers can target, that is, the number of ways for hackers to get into a system. In the future, as AIs increase in capability, I anticipate that they will first reach and then overtake humans in all domains of performance, as we have already seen with games like chess and Go and are now seeing with important human tasks such as investing and driving. It’s important for business leaders to understand how that future situation will differ from our current concerns and what to do about it. If one of today’s cybersecurity systems fails, the damage can be unpleasant, but is tolerable in most cases: Someone loses money or privacy. But for human-level AI (or above), the consequences could be catastrophic. A single failure of a superintelligent AI (SAI) system could cause an existential risk event — an event that has the potential to damage human well-being on a global scale. The risks are real, as evidenced by the fact that some of the world’s greatest minds in technology and physics, including Stephen Hawking, Bill Gates, and Elon Musk, have expressed concerns about the potential for AI to evolve to a point where humans could no longer control it. When one of today’s cybersecurity systems fails, you typically get another chance to get it right, or at least to do better next time. But with an SAI safety system, failure or success is a binary situation: Either you have a safe, controlled SAI or you don’t. The goal of cybersecurity in general is to reduce the number of successful attacks on a system; the goal of SAI safety, in contrast, is to make sure no attacks succeed in bypassing the safety mechanisms in place. The rise of brain-computer interfaces, in particular, will create a dream target for human and AI-enabled hackers. And brain-computer interfaces are not so futuristic — they’re already being used in medical devices and gaming, for example. If successful, attacks on brain-computer interfaces would compromise not only critical information such as social security numbers or bank account numbers but also our deepest dreams, preferences, and secrets. There is the potential to create unprecedented new dangers for personal privacy, free speech, equal opportunity, and any number of human rights. Business leaders are advised to familiarize themselves with the cutting edge of AI safety and security research, which at the moment is sadly similar to the state of cybersecurity in the 1990s, and our current situation with the lack of security for the internet of things. Armed with more knowledge, leaders can rationally consider how the addition of AI to their product or service will enhance user experiences, while weighing the costs of potentially subjecting users to additional data breaches and possible dangers. Hiring a dedicated AI safety expert may be an important next step, as most cybersecurity experts are not trained in anticipating or preventing attacks against intelligent systems. I am hopeful that ongoing research will bring additional solutions for safely incorporating AI into the marketplace.
Cognizant Technology Solutions Corp.'s (CTSH) first-quarter 2017 adjusted earnings of 79 cents per share that beat the Zacks Consensus Estimate of 75 cents.
It’s a refrain I’ve been hearing for the past 18 months from clients all over the world: “We need more skilled people for our security team.” The need is real and well-documented. A report from Frost & Sullivan found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020. But the security industry is a fast-growing market, with IDC pegging it as becoming a $101 billion opportunity by 2020. So what’s causing the talent shortage? One of the big reasons is that security businesses tend to look for people with traditional technology credentials — college degrees in tech fields, for example. But security is truly everyone’s problem; virtually every aspect of personal and professional data is at risk. So why are we limiting security positions to people with four-year degrees in computer science, when we desperately need varied skills across so many different industries? Businesses should open themselves up to applicants whose nontraditional backgrounds mean they could bring new ideas to the position and the challenge of improving cybersecurity. Insight Center Getting Cybersecurity Right Sponsored by Accenture Safeguarding your company in a complex world. Other burgeoning industries have been in similar positions throughout history. In 1951 the U.S. accounting industry was poised for growth but was predominantly male, with only 500 female certified public accountants in the country. After recognizing the problem, leaders across the accounting field teamed with industry associations and academic institutions to solve the issue through awareness campaigns and hiring initiatives. Today there are over 800,000 female CPAs in the U.S. Security businesses need to follow this example, taking a hard look at themselves to see what’s holding them back. There are no signs that the bad guys are limiting their talent pool — and cybercrime is now a $445 billion business. The average company handles a bombardment of 200,000 security events per day. Cybercriminals are becoming increasingly more organized and aggressive, while the teams defending against these attacks are struggling to fill their ranks. One way IBM is addressing the talent shortage is by creating “new collar” jobs, particularly in cybersecurity. These roles prioritize skills, knowledge, and willingness to learn over degrees and the career fields that gave people their initial work experience. Some characteristics of a successful cybersecurity professional simply can’t be taught in a classroom: unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks. People with these traits can quickly pick up the technical skills through on-the-job training, industry certifications, community college courses, and modern vocational and skills education programs. We began using this approach about two years ago, and its success has been clear: 20% of our U.S. hiring in cybersecurity since 2015 has consisted of new collar professionals. Other organizations can use a similar approach by establishing apprenticeship opportunities, emphasizing certification programs, exploring new education models, supporting programs at community colleges or polytechnic schools, and looking for talent in new places. Some of our recent additions to the security team came from unexpected career fields such as retail, education, entertainment, and law. The two things they all had in common? They were curious about security and motivated to learn the skills. Building a pool of talent to fill these new collar jobs is also an important part of the equation. A great example of this is the P-TECH educational model (Pathways in Technology Early College High School), which provides a training avenue for students to jumpstart their careers in cybersecurity. Public high school and college students in grades 9-14 get hands-on experience with the most sought-after technical skills. By combining specific elements of high school curricula, community college courses, hands-on skills training, and professional mentoring, these students are primed for successful entry into highly technical career fields. The P-TECH model has expanded to over 50 U.S. schools and 300 industry partners, with the goal of expanding to 80+ schools in 2017. Of course, cutting-edge technology is going to be at the center of these new collar jobs. Artificial intelligence, for example, is being used in the workplace in a wide range of ways, and in cybersecurity it is already creating opportunities for new collar positions. AI not only provides a way to help overcome the skills shortage, but is also an important step forward in the way employees will work and companies will defend themselves. We’ve found that by using AI to gather and correlate the insights from the 60,000 security-related blog posts each month, security professionals can digest the relevant information much more efficiently, allowing organizations to upskill their employee base. Companies are already using Watson for Cyber Security to connect obscure data points humans can’t possibly identify on their own, enabling employees to find security threats 60x faster than manual investigations. Companies that are interested in using a new collar approach to fill security positions should consider the following: Re-examine your workforce strategy: Do you know what skills you need today and tomorrow to run a successful security program? Realize that skills and experience can come from a variety of places, and adjust your hiring efforts accordingly. Improve your engagement and outreach: Don’t limit yourself to the same old career fairs and recruiting programs of yesteryear. Get involved in community colleges, P-TECH schools, and other educational programs to start building your recruiting base. Build a local cybersecurity ecosystem: Connect with government organizations, educational institutions, and other groups. Sponsor Capture the Flag security events, and work with local middle and high schools to generate interest in the field. These groups are always looking for willing experts and mentors. Have a robust support program for new hires: Mentorships, rotational assignments, shadowing, and other opportunities help new cybersecurity hires gain experience and learn. Remember, not everyone knows what they want to do right away. Keep new hires engaged by giving them the creative freedom to work on different projects and explore new technologies and services. Focus on continuous learning and upskilling: To retain your new talent, keep employees current on the latest skill sets through classes, certifications, and conferences. Cybersecurity is a highly dynamic field, requiring ongoing education and exploration. And be open to employees from other areas of your business who express interest in cybersecurity career paths. Remember that AI provides employees with more intelligence and contextual recommendations at a speed and scale previously unimagined, so upskilling your workforce is a completely different ballgame these days. Cybersecurity is a complex career field with extraordinarily challenging problems, but with a diverse pool of experiences and ideas, we stand a much greater chance of successfully defending our assets.
It’s hard to overstate the significance — and complexity — of the H-1B visa system in the U.S. It is the country’s largest guest worker visa program, and an important channel for high-skilled immigration. It allows companies to hire foreign workers for specialized jobs that can be challenging to fill. It has benefited the tech industry enormously, and other sectors, including health care, science, and finance, have also used it to fill gaps in their workforces. But in April, just after U.S. Citizen and Immigration Services (USCIS) conducted its annual lottery for selecting H-1B visas (it received 199,000 petitions for the available 85,000 visas), President Trump signed an executive order that will put H-1B and similar programs under new scrutiny. Titled “Buy American and Hire American,” it directs federal agencies to review whether existing policies adequately prioritize American products and protect American workers. The order is the latest development in a long-running debate over how companies use the H-1B program and how it affects American workers. Much of the dispute surrounds whether companies take advantage of the program to hire foreign workers for lower pay, displacing Americans from those jobs. But it’s important to understand the underlying elements of this debate: one level rests on the heavy use of H-1B visas by outsourcing firms; another rests on the disagreement over whether the program increases companies’ access to scarce skills, or merely helps them minimize costs. The H-1B Visa ProcessThe H-1B visa was established, as part of the Immigration Act of 1990, to let companies recruit trained foreign workers (with at least a bachelor’s degree or the equivalent) to work in “specialty occupations” for which there are few qualified local candidates. The visa allows guest workers to stay at their sponsoring company for up to six years, and it has become an important pathway to gaining permanent resident status in the U.S.; workers who hold the “dual intent” visa can apply for a green card. Spouses and immediate family members of H-1B visa holders can come to the U.S. upon obtaining an H-4 visa. The number of new H-1B visas that can be issued each year is capped at 65,000, with an additional 20,000 available to workers with a master’s degree or higher. Jobs at universities, nonprofit research institutions, and government research facilities are exempted, as are workers from certain countries and any current H-1B holders applying for renewal. Because demand for H-1Bs has exceeded the cap in recent years, visas have been allocated through a random lottery. There were approximately 180,000 new H-1B visas issued in 2016, according to State Department data. Who gets H-1Bs? H-1B visas are granted through an employer-driven system, meaning employers petition the government for visas tied to specific roles. These must qualify as “specialty occupations,” which typically require a bachelor’s degree (or the equivalent) and are found in fields such as science, engineering, information technology, medicine, and business. Companies have to attest that they could not find a qualified American worker for the position and will not pay the H-1B worker less than they would an American — but it’s often said that this hardly functions as a rule and is not strictly (if at all) enforced. There is also criticism that it opens up various loopholes that firms can exploit. For example, as a Kellogg Insight research summary explains: The standards for determining prevailing wages are shaky, and companies can take advantage of loopholes, such as hiring the person through a third-party service. In addition, increasing the supply of workers might drive down everyone’s pay over time because employers have more potential employees to choose from and thus do not have to offer high salaries or raises to attract and retain staff. The program is most often associated with the tech industry, where H-1B workers hold about 12%–13% of jobs, according to a Goldman Sachs report. (For comparison, they hold around 0.6%–0.7% of U.S. jobs overall.) Being able to recruit globally is supposed to help tech powerhouses like Facebook and Amazon find the talent they need. The companies that bring in the most H-1B workers, however, are not Silicon Valley tech firms but IT services firms, many based in India, that specialize in consulting or outsourcing. These companies, which include Tata Consultancy Services, Cognizant, Infosys, Wipro, Accenture, IBM India, and Deloitte, are contracted by other companies to do IT work. According to an analysis by Ronil Hira, a professor of public policy at Howard University, in 2014 nearly one-third of new H-1B visas went to 13 of these so-called “outsourcers.” (Tata received the most visas, with 5,650, while Amazon, the tech company with the highest number, got 877.) Compared with Silicon Valley firms, IT services companies tend to hire H-1B workers for lower-paying entry-level work. For example, Axios reported that 72.4% of Tata’s H-1B visa filings were for jobs paying between $60,000–$70,000 a year. Companies like Amazon, Apple, Facebook, Google, and Microsoft mostly filed for jobs that paid well above $100,000. This difference in pay gets at one of the main criticisms of the H-1B program: Rather than bringing the world’s “best and brightest” talent into the country to work alongside Americans, the system appears to be bringing in cheaper foreign labor that can hurt American workers’ employment and income prospects. It’s a compelling argument: Numerous American IT workers have been laid off (and then asked to train their H-1B replacements) after their employers chose to outsource IT department work instead of keeping it in-house. These decisions by companies have resulted in a few high-profile lawsuits, such as those brought by workers against Disney and Southern California Edison. And a number of studies have found that H-1B workers can have negative effects on American workers, in terms of displacement and lower earnings. On the other side of the debate, H-1B supporters argue that the program brings needed skills into the labor market, which helps firms remain innovative, productive, and competitive. A wealth of academic literature has documented how high-skilled immigrants, particularly in STEM, and including those who would enter the U.S. on H-1B visas, boost the economy by increasing innovation, productivity, and sometimes even employment. It is not exactly easy for many companies to obtain H-1B visas, and members of the tech industry have lobbied Congress to raise the cap on H-1B visas to help meet demand. In 2008 Bill Gates testified before Congress to advocate for more H-1B visas to help compensate for “a deficit of Americans with computer science degrees.” (A bill was introduced in 2015 to raise the cap and liberalize other rules around H-1Bs, but died in Congress.) Companies like Tata, Infosys, and Wipro have also lobbied against restrictions on the program, arguing that their services help corporations become more competitive. More broadly, many tech leaders have emphasized the contributions of high-skilled immigrants to the economy — and have spoken out against anti-immigrant actions like President Trump’s travel bans. Is There a Shortage of Technical Skills in the U.S.? There is mixed evidence about the existence and the extent of a STEM skills shortage. Companies say they struggle to find qualified workers for specialized positions, suggesting there is a shortage of necessary skills. Some experts say that there are plenty of American workers who could fill these jobs, and that if employers were truly desperate for skills, wages for skilled positions would surge (but they haven’t). An analysis led by Hal Salzman, a professor at Rutgers University, found that the U.S. graduates more STEM workers than the tech industry needs and that STEM wages have stayed depressingly flat. They write: For every two students that U.S. colleges graduate with STEM degrees, only one is hired into a STEM job. In computer and information science and in engineering, U.S. colleges graduate 50 percent more students than are hired into those fields each year; of the computer science graduates not entering the IT workforce, 32 percent say it is because IT jobs are unavailable, and 53 percent say they found better job opportunities outside of IT occupations. A literature review by Yi Xue and Richard C. Larson of MIT found that there is and isn’t a STEM skills shortage — it depends on where you look. In the academic job market, for example, they conclude there is no noticeable shortage; in fact, there is an oversupply of PhDs competing for tenure-track faculty positions in many fields (e.g., biomedical sciences, physical sciences). But the government sector and private industry have shortages in specific areas. In the private sector, for instance, software developers, petroleum engineers, and data scientists were found to be in high demand. There is other evidence of a strong demand for workers with tech skills. The Economist has reported that the number of unfilled U.S. jobs in computing and information technology could top one million by 2020: “The number of young Americans graduating with qualifications in IT subjects is rising, but nowhere near fast enough to satisfy the burgeoning demand for their skills. Last year, American campuses produced fewer than 56,000 graduates with the sort of qualifications sought by information technology (IT) firms.” When it comes to how much immigrant and native-born U.S. tech workers earn, research by Gordon Hanson of UC San Diego and Matthew Slaughter of Dartmouth’s Tuck School of Business has found that while immigrants usually earn less than native-born workers across most occupations (controlling for factors like age, education, and gender), this difference tends to be smaller in STEM fields. They also found that wages for immigrants in STEM have actually increased: In 1990 native-born STEM workers earned more than immigrants; by 2012, this reversed. “The workers coming in on H-1Bs are a diverse crowd,” Hanson says. “You have superstar computer scientists at Facebook and Amazon and folks doing back-office IT work. But, on average, the earnings of those [foreign] workers, after just a little time in U.S., exceed [Americans’] in comparable jobs.” Hanson cautions, however, that their results do not discount the possibility that the arrival of foreign-born engineers is driving down earnings for U.S.-born engineers. “Standard economic models would say that’s happening,” he says. “But more engineers is a good thing. There may be some lower earnings opportunities for U.S.-born engineers, but there’s more innovation for the country as a whole.” Similarly, an analysis of 2010 H-1B petitions by Jonathan Rothwell and Neil Ruiz, both formerly of Brookings, found that H-1B workers earned more on average ($76,356) than American workers with a bachelor’s degree ($67,301), within the same age group and occupation. (It’s worth noting that the process of petitioning for an H-1B visa costs companies thousands of dollars, which suggests that they pay a premium for foreign workers’ skills.) Hanson and Slaughter’s paper also noted that although H-1B visas disproportionately go to STEM workers, this is not an inherent feature of the H-1B program. “That most H-1B visas are captured by STEM workers may simply be the consequences of strong relative labor demand for STEM labor by U.S. companies,” they write. Contrarily, Hira, who has been outspoken about abuses of the H-1B visa system, rebuffs the skills shortage theory. “If there was this terrible shortage, I’d think you’d see different behavior and practices,” he says. “If there was really a skills shortage, you’d see more diversity in the tech industry — they’d hire underrepresented minorities and women, they’d be training people and investing, they’d be retaining incumbent workers, not laying them off by the thousands, and you wouldn’t see rampant age discrimination.” According to Hira, the skills shortage argument is a red herring that has clouded the conversation about how H-1Bs are used. “The top occupation of H-1B workers is computer systems analyst. These are back-end IT workers. I don’t see how anybody could argue there’s a shortage of those folks,” he says. “Hiring an H-1B should, but doesn’t, require an employer to demonstrate any shortage, so the shortage argument is moot. If there is a severe shortage, then it would be easy for employers to show one. Yet they’ve opposed any such requirement.” How Much of the Debate Is About Outsourcing? One of the most consequential criticisms of the H-1B program is its heavy use by IT outsourcing firms such as Infosys, Tata Consultancy Services, and Wipro. Outsourcing has been a trend in information management for years, as companies have increasingly hired contractors (at lower cost) to do tasks such as software programming and data entry, processing, and storage. Here’s a simplified way to explain how this plays out: Say you’re a big company with your own IT department. To reduce overhead, or to cut costs, or to increase efficiency, you decide to contract out (outsource) some or all of your IT work. So you hire an IT services firm to do that work on a temporary, as-needed basis. That firm sends workers, many of whom are on H-1B visas, to do those tasks. Sometimes, these contract workers supplement your IT staff; other times, you lay off your IT staff and the contractors effectively replace them. Because these IT firms receive so many H-1B visas, there are fewer for other companies. “No matter what your view on outsourcing is, this was not the original intent of the program,” says William Kerr, an economist at Harvard Business School who has studied the effects of high-skilled immigration in the U.S. “One of the implications of this is it reduces the number of visas available for their original purposes.” “The outsourcing companies bring lower-level workers than the American tech companies,” Kerr says. “That work has $60,000 salaries, which is not minimum wage by any means, but it’s lower paid than a typical computer scientist at a large U.S. tech employer.” IT companies in India and the U.S. have lobbied against making the H-1B program more restrictive, arguing that they help American companies become more competitive by handling their IT operations. They’ve also said that the visa programs allow them to keep jobs in the U.S., so reducing the number of visas they’re allowed may result in them shifting work back to India. (However, Bloomberg recently reported that Infosys plans to create thousands of new jobs for Americans over the next two years.) What Could Change? Any big changes to the H-1B program would have to be passed by Congress. At least four proposals to reform it have recently surfaced, and USCIS has suspended expedited processing of H-1B applications. Wider reforms would change the way many companies, especially tech and IT firms, recruit and hire highly skilled talent. Further restricting the number of visas could cost the U.S. a competitive edge in the global war for tech talent. “This might sound self-serving, coming from someone who works in academia, but one thing that has helped maintain our technological leadership is innovation and technical research, and immigration has helped us do that,” Hanson says. “Immigration is an important part of why the U.S. is able to maintain its elite status.” Trump’s “Buy American and Hire American” order aims to address some of the concerns surrounding the H-1B visa system. The larger effects on high-skilled immigration — and on the economy — remain to be seen.
Даже если цена черного золота упадет до $57 за баррель, добыча сланцевой Нефти будет рентабельна. Сообщает российское издание «Вести» со ссылкой на аналитический отчет компании IHS, передает информационный ресурс OnPress.info. Еще год назад американским компания нужна была цена в $70, чтобы добыча сланцевой нефти была рентабельна, но с прогрессивным ростом технологий уже на сегодняшний день даже цена в $57 является приемлемой. В свою очередь в США заявили, что падение цен на нефть не пугают нефтяные компании страны, которые только за этот год просверлили 18 тысяч скважин. Как заявил генеральный директор компании Halliburton на данном этапе их цель — снижение цены за баррель нефти. Но это еще не все, согласно просчетов американской компании Accenture, запас повышения эффективности добычи нефти который существует на данный момент может привести к понижению стоимости добычи на 40%. Напомним, что главная смета Российской Федерации на 2015 год рассчитана исходя из цены на баррель нефти на отметке в $96. А один из нефтедобывающих гигантов РФ компания Лукойл в свой бюджет заложила стоимость черного золота на отметке в $80-85 за баррель. http://onpress.info/v-ssha-zayavili-chto-ix-ustraivaet-cena-v-57-za-barrel-nefti0015866?_utl_t=fb