Training, education and awareness are the cornerstones of cyber security, says Roger Cressey of Booz Allen Hamilton.
Roger Cressey, senior vice president at Booz Allen Hamilton, is a well-known counterterrorism and cyber security expert. Cressey served in senior cyber security and counterterrorism positions in President Bill Clinton’s and President George Bush’s administrations, including chief of staff of the President’s Critical Infrastructure Protection Board from 2001 to 2002. He also served as deputy of counterterrorism on the US National Security Council (NSC) staff, where he oversaw coordination and implementation of US counterterrorism policy. He managed the US government response to numerous terrorism incidents, including the 9/11 and USS Cole attacks. He also held various roles within the departments of Defence and State. Cressey was in Oman recently to participate in the Cyber Defence Summit. He spoke to Mayank Singh on the sidelines of the summit. Excerpts from the interview:
Why is it imperative that governments and companies are aware of cyber security and take measures to combat such threats?
Cyber security is important because a nation’s economic and physical security is dependent upon information technology. Criminals and other nation states are stealing information, IT, personal data and credit cards which necessitates better and advanced security systems for governments, companies and individuals. The interesting thing is that nobody made a decision that the internet was going to be critical for economic security and now that it has happened we need to ensure that it is secure.
Is cyber security more of a concern for developed countries, as their dependency on IT systems is greater than that of developing countries?
Cyber criminals are targeting every country because the connection that globalisation has created across the world creates vulnerabilities and the very networks that we rely upon for commerce, communication and social interaction are vulnerable to such attacks. Some of these threats emanate from anonymous sources who just hack, steal information and publish it. Second, you have governments who are looking at stealing information for their economic gain. Third, there are insiders who are taking information from their own companies and selling it to interested parties, so it is a spectrum of threats that we have out there and it is affecting every country and individual.
What measures can governments and companies take to combat the threat posed by cyber criminals?
The most important thing is more and better training. We need to train people in companies and governments about why cyber security is important, whether it is by practicing better cyber hygiene by using passwords or the encryption of data, as data protection is the number one issue. Education and awareness come next. Not many people understand why cyber security is so important.
Once you train people, you have to educate and make them aware about the priority that needs to be accorded to cyber security. The third thing would be to combine training with awareness and policy so that we develop an approach that proactively deals with a threat before an attack takes place.
The number one priority in all this is resiliency, to create resilient networks that continue to work in the face of persistent attack, because you can never eliminate cyber attacks. What you can stop is the impact of such attacks on your network. This is an economic and a national security issue for every nation.
You talked about resilience, but companies may see cyber security as a cost and a number of them may not be ready to make such an investment. How does one convince them to make that upfront investment?
You have to create a return on that investment, and the proper way of doing that is by educating companies that do not follow proper cyber security about the risk and cost of losing, by exposing themselves to such threats, the intellectual property that makes their services so valuable. At the end of the day it is about protecting your reputation, technology and what you sell to consumers and governments. So this is an issue of corporate survival, because if your information networks are not secure, then your ability to do your job is compromised. So it should be a top-notch priority, and a lot of it is common sense.
To draw a parallel, when you are driving on a highway you wear a seatbelt, because the chances are that if you do not wear one then you may hurt yourself. Similarly, in cyber space you need to follow proper security so that you do not make yourself vulnerable to attack, and if you are attacked while wearing the cyber equivalent of a seatbelt, then you are not going to suffer so much.
What are the measures that an organisation needs to take to ensure resilience?
It is a combination of training, education, policy and technology. You just cannot deploy anti-virus, firewalls and intrusion prevention systems and expect to be safe. Once you have this layered defence technology, you need to populate it with people who can operate it intelligently. This reduces risk and is a big part of cyber security.
You have served on some of the highest committees related to cyber security in the US government. Is there a growing realisation in the corridors of power that they need specialised expertise to deal with such issues?
Yes, it has become a very large priority for the US. The government issued a report last fall (in 2011), in which they detailed the efforts being made by China and Russia to steal data from the government and corporations and this report was very important because it declassified many elements of what was going on. So that is a part of education and awareness. The report also talks about insider threat and why people within an organisation or department are as important for cyber security as outside actors. One cannot just concentrate on the threats from outside as the threat and vulnerabilities from within are equally dangerous.
The report highlights the threat that nations face from countries that are perceived to be friendly or cooperative. Given this scenario how does a country or company protect itself without damaging its existing economic relations with such parties?
This is espionage, and there are a number of nations that are trying to steal information and some of them are your friends. The US Department of Defence (DoD) has said publicly that there are 100 foreign intelligence services trying to access the DoD network. So we have friends trying to steal information as much as potential adversaries. This is not just about adversaries. If you train your people and secure your networks, then you will protect yourself against everybody who might want to steal information.
You have served on various committees of the US administration. How was your experience?
They were very rewarding; it was an opportunity to work on these important issues at the highest levels of the government. Terrorism was an issue that not many people knew or understood before 9/11. That changed from the morning of 9/11. I worked on security issues both before and after 9/11. Critical infrastructure protection and cyber security were a new area, and like terrorism not many people understood their importance before September 11. What we tried to do was to make cyber security a priority without having to live through an electronic 9/11 or a massive attack. We have made progress but there is still a long way to go.
Given the nature of the internet, there is a need for inter-government cooperation to deal with such a threat. Are governments cooperating and assisting each other to track cyber criminals or is it still a distant vision?
Cooperation is getting better, but the biggest problem is attribution – are you able to attribute an attack to the individual or country that did it? Right now it is very easy in cyber space to hide your tracks. So if an attack is not attributable to an individual or a country, then you cannot hold them responsible nor make them accountable. So attribution is a very important area that governments need to work together on. The other thing that governments need to do is to develop a basic set of rules of the world for conduct in cyber space.
This is not a treaty or an enforceable mechanism, but a code of conduct that will serve as a foundation for cyber security and then it can be built upon. The UN has an important role, but so do regional groupings like the GCC. The GCC is doing a wonderful job in the area of cyber security. In the region we have the GCC CERT and countries like Oman, UAE and Qatar have provided great leadership in developing CERT.
Is there a set of international laws in place to combat the threats in cyber space?
There are no laws, but there are conventions like the Budapest Convention, and then there is a spate of statements from the European Union, the UN and others, all of which are trying to create accountability so that individuals who are engaged in cyber attacks can be brought to justice in the country where the attack took place. We have seen individuals in Eastern Europe being extradited to the US to stand trial for penetrating US companies, and we will do the same if we have extradition treaties with other governments which are similarly threatened or exposed.
There are hackers who insist that they are breaking into the security systems of companies to expose the risks that customers are exposed to. How would you react to such claims?
I have a problem with self-appointed vigilantes who claim to be working for the greater good and have taken that decision upon themselves. The only service that these anonymous players do is to make companies focus on security more; to that extent it is not a bad thing. But they have no right to steal information and then to publicise it, as nobody has appointed them as judge or jury.
In your presentation you have spoken about smart power. How would you explain this concept?
Smart power is the use of government capabilities to try and effect positive change. In the US most people consider us a military power; that’s the wrong way to think about power, because it is our economic and diplomatic power and the strength of our corporations that count. We look at smart power as a way to solve difficult problems. So if it is Haiti, starvation in Africa or a tsunami in Asia, we want to bring smart power to solve those problems. The military should be viewed as a choice of last resort, and smart power ensures that that is the case.
Your presentation also states that the global cyber landscape should be transparent, accessible, dynamic and secure. Can you elaborate on this?
We need to make cyber space accessible to everyone. New technologies make cyber space dynamic, but it needs to be secure, because if there is no security then people are not going to trust cyberspace or conduct business in cyberspace the way one expects. Every nation around the world has some dependency on cyberspace; the US has a much larger dependency, but Oman and the GCC countries are equally dependent. So we have a shared interest in cyber security.
What are the main challenges that companies and governments face in realising fool-proof cyber security?
Cyber security is a journey and not a destination; you are never going to be done with it. Training, education and awareness are the foundation of proper cyber security. If you are not training your people, then I do not care what technology you buy; it’s doomed to fail.