take more proactive risk management approaches. There needs to be more attention paid to critical infrastructures, particularly energy, finance, and telecommunications, and how the government secures those infrastructures. They also noted that it’s a priority to deal with industrial espionage and the personal information theft that’s ongoing—hindering criminal syndicates and cyber money laundering. And there was a recommendation to raise this issue all the way up to the Executive Office of the President, to take the leadership out of the Department of Homeland Security and create a National Office for Cyberspace that would oversee all processes across the government. Cybersecurity right now is spread across five major agencies engaged in constant turf wars. Melissa Hathaway is pretty much the person who will lead that. After she completes her 60-day review, I’m pretty sure she will be anointed [as the president’s assistant for cyberspace and head of the National Office for Cyberspace].
X: It sounds like she would still have to exercise authority across a lot of competing agencies. That didn’t work too well with the Department of Homeland Security.
TK: It didn’t work well because it wasn’t real. Putting someone in at the assistant secretary level within DHS and telling them they should oversee the National Security Agency and the Department of Defense doesn’t make sense. They won’t listen to a civilian agency. Which is why the position had to be moved out of DHS. Greg Garcia [the Department of Homeland Security’s assistant secretary for cybersecurity and communications from 2006 to 2009] was more of a figurehead and less of a real strategic planner, in my own view.
And another initiative recommended in the commission report relates to supply chain management. Thirty-nine percent of breaches in the last year were due to third parties—companies’ strategic partners being breached and hackers transiting through these third-party systems into central systems. So penetration testing needs to be expanded to deal with third parties. And in the Federal Information Security Management Act (FISMA) reform bill, there is a movement to expand service level agreements with third parties, to give Company A the right to test Company X using automated penetration-testing technologies like Core Impact, to allow you to ascertain where they are vulnerable and at the same time remediate that.
One of the things that Melissa Hathaway has said which certainly aligns with our mantra, our mission statement here, is that in order to understand defense, you have to understand offense. The only way to really train in cybersecurity is to conduct red-team exercises. The beauty of what Core does is that we don’t provide a security product, we provide you with game-day film identifying how your defensive line is going to stand up against a blitz.
X: I get everything you’re saying about the need for penetration testing, but given human ingenuity and the huge number of possible ways to breach most programs and networks, how can you stay ahead? How can you know that the vulnerabilities you’re discovering through penetration testing today are the same ones that a hacker is going to try to exploit tomorrow?
TK: We only focus on developing exploit code that allows you to have remote root execution capability. And we focus on the vulnerabilities that we know are out there, through various relationships we have with the communities of interest and through our own lab, which is one of the best in the world. (Remote root access means you can remotely access a service and take over system administrator privileges.) We also have very important partnerships with groups like Team Cymru [an Illinois-based security research firm that tracks malicious activity on the Internet]; I can’t speak more as to who else they provide their services to, but you can imagine. They see things in the wild through their darknets, and they send us stuff that we analyze in the lab. Last but not least, I spend my days going around to the various communities of interest on the intel and law enforcement side, and because of the trust relationships and interpersonal dynamics, we learn things. If my friends who run security for the Secret Service or the CIA see a trend or an application that is troubling, we task the people in our lab to develop code to exploit that.
X: So you’re saying that by focusing just on simulating attacks that could result in root access, and by bringing in information from your contacts in the security world, you’re able to stay ahead of the hackers?
TK: “Ahead of the hackers”—there is no such thing. The elite hacker communities in Europe and Asia are always a little bit ahead. But we try to keep even with them, to the point that our customers can scrimmage and test their defense in a timely fashion against some of the more robust vectors and attacks that are going to be used against them.
And the reality is that unless you are a major critical government department, targeted by elements of the defense communities in other countries, if you harden and test yourself in a proactive fashion, the hacker community will turn their guns on the softer targets. So you can eliminate 95 percent of the noise by proactively testing and hardening.
X: You’re talking about protecting software that is assumed to have vulnerabilities, and hardening those vulnerabilities before the hackers exploit them. But did the commission talk at all about the front end of the process—the need to start out by writing software that is inherently more secure?
TK: Scott Charney [corporate vice president for trustworthy computing at Microsoft] had his name on the report, but not Microsoft’s name. He was one of the civilian co-chairs. And we addressed this issue very holistically, and that is why Microsoft refused to allow him to put their name on the report. It’s part of the supply chain issue. Joe Jarzombek [the director for software assurance in DHS’s National Cyber Security Division] has done some amazing work, and they have led the community on what is the best practice for developing secure software. But in the rush to bring applications to market, holes are inevitably going to be there.
X: Melissa Hathaway was an integral part of the Bush Administration’s cybersecurity team. Is she someone you can respect and work with?
TK: Yes, I can respect her, I can work with her. She has three things that are unique, for people inside the Beltway. A lot of this comes from her experience at Booz Allen. First and foremost, she is very well-read, which is rare inside the Beltway, and she acknowledges and researches what she doesn’t know, which is also very rare. And she surrounds herself with one of the best support staffs I’ve ever seen. They are all multi-disciplinary—not just technicians but lawyers and economists but some of the very best people around. And last but not least she really does have