Defending the U.S. Cyber Castle: Core Security’s Tom Kellermann on Internet Attacks and Obama’s Strategy

the Sun Tzu perspective on this, which is really what’s necessitated here. She respects the adversary. The way she grasps this problem, she sees it as a long-term game of chess. I’m confident that if, after her 60-day review, they give her the position of cyber czar, she will make huge inroads into stemming the tide that we’re dealing with.

X: What does she need to do first?

TK: She’ll have to set up an office of cyberspace in the Executive Office of the President. She’ll have to widen the purview of that office to encompass the three most critical infrastructures, and to do that she will have to increase the capabilities and the authority of government as it relates to red-teaming and testing the security infrastructure and enacting real security plans. You can’t have industry sitting around any more in roundtable groups, saying, “What are we willing to do to protect what we have,” when they have not actually conducted red team exercises to see how they can be compromised. It’s shifting away from the idea of the Maginot Line and dealing with paratroopers and the reality of modern-day warfare.

X: If Hathaway does all the things you’re talking about, what will be the benefit to Core Security?

TK: The overall benefit to Core Security comes from awareness. I don’t think you need to convince people to buy a sword on the battlefield, if you can convince them that the battlefield is real. The fact that I have a seat at these tables—that there is a small company like ours represented in these forums—means that we can develop partnerships with major integrators more fluidly, and our message about improving testing regulations and standards can be received by the powers that be more easily. Then there is the obvious: the number one procurer of cyber security in the world is the United States government. Security tools and technologies are purchased based on trust, and you need to have someone maintaining those trust relationships. If you are not at the table, in the end they will just turn to the bigger juggernauts.

…We are at a tipping point. We have an administration that is proactively grappling with this—that on their first day in office stated that part of their national security strategy would encompass the security of information networks. Now, with Hathaway conducting the 60-day review, and the major restructuring effort that is currently ongoing, it’s symbolic of the metamorphosis.

I’ve been losing sleep [over the cybersecurity crisis] for years. But in the last couple of months, since December, I have become more hopeful and less disillusioned. The past administration and their belief that the market would solve this problem was irritating, because the only market functioning right now is the underground economy. Only recently, with the Comprehensive National Cybersecurity Initiative and what Melissa Hathaway has championed, do you see a fundamental paradigm shift.

X: Are you saying that when it comes to cybersecurity, the government needs to step in and set the terms under which the free market operates?

TK: To be honest, yes. No one wants to hear that. But we need more stringent regulations on how we deal with third-party relationships, how we deal with incident response, and what constitutes a proper security audit and security exercise as it relates to protecting data privacy. For too long the regulations that exist have been overly focused on encryption. That’s fine, but that’s not enough. If I can own your operating system, I can compromise it through an attack, I can steal the private keys from beneath it and compromise the encrypted tunnel.

X: In fact, here in Massachusetts, there are new rules from the Office of Consumer Affairs and Business Regulation that will require all businesses in the state to encrypt the personal information they store about customers by January 1, 2010. Would you say, then, that that regulation is inadequate?

TK: Yes. The major encryption vendors have been running the table when it comes to education and awareness among policymakers here in the state, so it doesn’t go far enough. It should also require regular penetration testing against all enterprises and third parties, and have remediation timetables associated with that. And organizations should be required to have incident response plans in place, including a forensic capability. And we should all be moving away from password-based technologies.

X: Understandably, you keep coming back to penetration testing, but I want to challenge you on that a little bit. When you’re a hammer, everything looks like a nail. Is penetration testing really the key to better cybersecurity?

TK: Yes, and here’s why. How do you even begin to think about building a functional castle in cyberspace, if you don’t even ascertain how the moats and the walls and the archers can be breached? The only way to build a better castle is to really understand how a good castle can be destroyed. The common problem in the cybersecurity sector is that we are going out and waiting for the attack to happen. We don’t scrimmage enough; we don’t even know how our policies and procedures will hold up in battle, because we don’t test them with a battle-like mindset. The enemy is leveraging staged attacks. And by the time they get inside, as any law-enforcement person will attest, you are never getting them out unless you rebuild those systems, because they will have rootkitted you. [A rootkit is malicious software that conceals its own presence, and that of other malware, by subverting the operating system’s normal mechanisms for listing files and processes, so that the system’s ordinary tools cannot detect it.–Eds.] Virus scanners are only picking up 30 percent of what is out there.

X: Do you think that general public awareness of cybersecurity issues is growing?

TK: This is why I’m sitting with you. The media really needs to wrap their heads around this in a holistic fashion. I don’t think the public is there yet. In the last three months, there has been a dramatic awakening, but it’s slow, and they’re still half groggy.

I do think that shows like “24” have really improved the awareness of the problem. The problem is that “24” is full of shit, because there is not a giant firewall around our critical infrastructure. It’s actually easier to hack than “24” portrays it to be.

X: I’m glad you brought up “24,” which spares me the embarrassment of asking about it. The plot of the early episodes this season revolved around the theft of a “Critical Infrastructure Protection” device that was supposedly the key to maintaining this giant firewall around the air traffic control system, chemical plants, the whole infrastructure. But that premise strikes me as crazy—if you centralized all of these systems, wouldn’t you just be inviting some hacker to compromise all of them at once?

TK: The fact is that you can hack the entire infrastructure now, just by leveraging a certain strategy of attack. I actually wish there were a giant firewall to protect everything. But the situation is actually worse than “24” would suggest. The main reason it’s never happened is that

Author: Wade Roush
