the people who have had access to the controls for critical infrastructure—and I say this as the chair of the working group on threats for the CSIS commission—just want to remain clandestine. The day we go to war with China over Taiwan is the day they will turn on those boxes. The main terrorist community is too busy financing physical acts of terror and conducting command, control, and communications through the cyber infrastructure, so it is not in their best interest to draw attention to themselves through a critical infrastructure attack.
The real problem, the nightmare scenario for the U.S. government, is a “pax mafiosa” between former Soviet bloc mercenaries and Al Qaeda to launch a two-pronged attack. The first prong is to play with the integrity of the information on which first responders rely. I don’t mean turning it off, I mean playing with time, switching GPS coordinates, things like that. And then coupling that with a physical attack. There are so many ways you can kill a lot of Americans through cyber attacks on the infrastructure, it is unbelievable. And I don’t just mean poisoning the water or turning off the electrical grid. Just look at the pharmaceutical industry.
What it’s really about right now is that non-state actors, whether they be classified as terrorists or organized criminal syndicates, are financing their activities through cybercrime, using American money and stolen credit lines to finance physical activities that are against the interests of Americans. And not only are they infiltrating networks so that they can have command and control in an active war of aggression against the United States, but they are conducting industrial espionage to give comparative advantage to their countries. Then, if you look at the international financial system and how easily you can conduct insider trading by hacking major systems, just think about the moves you could make, either shorting a stock or going long if you knew where a major institution was going to put its money that day. Or why not just play with time on Wall Street, since everything is time-tagged and there are no more paper records? The possibilities are endless. “24” actually puts a landscape out there that makes us look safer than we are.
X: And you’re saying penetration testing is one of the solutions to all of this?
TK: Yes, because these systems are all reliant on IP [Internet Protocol]-based networks. Modern day computing has created this amorphous, aquatic realm in which it’s easy to hack. You’ll never know what you’re up against until you identify the holes. It’s the same reason we go through annual physicals, colonoscopies, CT scans, and MRI scans—to identify future problems.
X: Well, if you’re going to use the medical analogy, aren’t those high-tech tests also one of the reasons the U.S. has the most fabulously expensive and inefficient healthcare system in the world? Not to mention all the false positives that start turning up if you give everyone a full-body MRI.
TK: Our product doesn’t turn up false positives, the way vulnerability scanners do. Every one of the holes we find is a functional vector that has been exploited. And if you want to talk economics, we can do that. A major consulting firm like Pricewaterhouse Coopers will charge hundreds of thousands of dollars to conduct an operating system and Web application security test. That’s a one-shot deal, a snapshot that’s outdated by the time it’s printed. We charge roughly $30,000 a year for the ability to test all the time, anytime. That’s at least 75 percent less. There’s a reason the major consulting firms use our product and just mark up the price.
X: Okay, last question. Will there ever be a time when you guys can relax—when the threat of terrorism recedes, or when law enforcement has gotten enough of a handle on organized crime, or when software engineers get better at writing secure code, and there’s not as much need for proactive penetration testing?
TK: No. I say that not because I’m with Core Security, but because there are just too many hacker havens out there. The international control of cyberspace is very weak. It’s almost like the lawless seas of the 13th century. And when it comes to secure operating systems and a functionally secure Internet—hopefully, the National Cyber Range, a research and development project out of DARPA to rebuild the Internet, could achieve that, but it’s 10 years out, and even if they did achieve it, they wouldn’t throw every corporation and network on that range, only the most sensitive ones. And even those could still be compromised on the client side. Even if you have a secure network and operating system and code, your user community can be spearfished.
X: It’s unclear whether digital communities and economies could even exist on a platform as secure as the one you’re talking about. Isn’t there a fundamental tradeoff between openness and security?
TK: There is a tradeoff. But the irony of the e-commerce, e-finance, e-governance revolution was the idea that “If we build it, they will come, and they will all be righteous.” That was fundamentally myopic thinking. And you have to remember, the original purpose of the Internet had nothing to do with commerce. It was never intended to be a secure network for finance, government, and military operations. So whoever the thought leaders were who said “Let’s use this giant aquatic environment and put everything important on it,” kudos to them—because they’re paying my salary right now.