Clear and present danger

As Chief Information Security Officer of the Central Intelligence Agency for 30 years, Robert Bigman was entrusted with protecting the United States' most sensitive secrets. The President of consultancy firm 2BSecure took time out to talk to CNME about why outdated IT architectures leave worldwide security hanging by a thread.

How has the threat landscape changed since you began working at the CIA? 

In my opinion it hasn't at all. The same threats and risks that exist now existed in the seventies; there is the same inherent risk in technology and computers. You could say that these risks have been amplified by consumerisation, but, historically, we have never addressed the critical issues. In this age, the capabilities of the Internet of Things is creating more problems.

Tell me about the paranoia you faced while working there.

I was always paranoid! As a CISO you have to be. It's not necessarily a negative thing, if your job is to protect something. And as the saying goes, "just because you're paranoid doesn't mean they're not out to get you."

2BSecure says it believes in 'Thoughtful information technology architecture.' Can you give your definition of what this is?

For many years, industries, governments and consumers have been sold the idea of 'you can have it all without any security risk.' Well they are fast learning that that isn't true. Nothing is ever free in life, and that is especially apt in the case of the Internet. So many security companies try and tell you "use my product and you will be OK." This is far from true. Security issues are tied to the Internet; it is the main target of those who are out to exploit flaws. All the right technology will still be breached; if you are a target, hackers will get you. Thoughtful architecture means having solid foundations at the base, whereas what we have now are old, weak, decrepit foundations, on top of which are built layers of software, and the whole thing is due a collapse.

You've previously mentioned how Unix and Microsoft architectures have remained the same from when they were developed in the 1970s, leaving huge vulnerabilities. What needs to be done to solve this underlying problem? 

These architectures are 25-30 years old, and were built in the days of smaller computing needs. When you consider that these same architectures are now being employed on mobile computers, which are so widely bought, it seems like madness. You're left thinking 'how on earth did these end up on the mass market?' Windows 7 and even Windows 8 is based on 20-year-old architecture, and it has issues. The internet was initially based on private network exchanges between remote nodes, and we didn't know what it would turn into. TCP/IP protocol at least allows you to modify for performance and scale, which is what we implemented at the CIA.

What was the biggest challenge you faced in your career at the CIA?

Simply enough, to keep the agency's systems from being penetrated. It is one thing to keep your systems secure, and another to keep them hidden. Both were a challenge, and when you have really bad technologies as your defence, you really are in trouble. Another main challenge was explaining abstract technical concepts like the movement of electrons to senior personnel within the CIA. These are people who can't understand how the technical aspects of a phone call work. I became highly proficient in explaining concepts with video -- and moving puppets.

Having said that, the acceptance of risk there was zero, unlike in industry, where companies don't have the same prudence. There, unless there is a gun to their head, they don't do much. When there is a serious possibility of losing information, they do everything to stop it, but until then, not enough.

In the grand scheme of things, when did cybersecurity first become a major issue?

It still hasn't. Every week there is a conference about what you can do to improve your security, but a fundamental rethink of the product architectures that are used to move data - and new R&D - is needed. At the same time, it is not viable to upset the economy and suddenly switch horses in terms of security strategy, it has to be a gradual transition. Waiting for a new product to come along won't solve the problem; encryption certainly hasn't stopped cybercriminals.

It's a morbid analogy, but I view the reality of security weakness as the same as a reaction to a family member's death. At the moment we are in the stage of realisation, where we are beginning to understand what is happening but haven't fully grasped the gravity of the situation; we haven't got a rational answer of how to respond. We need to move from the emotional response to form a rational plan of action. It has dawned on the US government that this is a really big problem; but the likes of Cisco aren't helping with the IoT, where everything is connected: your car, your clothes, your cat. It's out of control.

I'm guessing you're not optimistic for the future then?

Even in June 2014 we are being repeatedly told of new security issues we face, and that simply downloading a product will make all our problems go away. There is empirical evidence that security products do not work. I recently had a meeting with the CEO and CIO of a large corporation, and they told me their goal was to eliminate the need for cybersecurity. I told them that I'd love to make that happen, but there is no mathematical formula that can achieve that. We need to go back and fix the fundamentals, and come up with new security solutions. If we were to start work right now on rebuilding the foundations, it would take a minimum of 5-10 years before they were complete.

Any words of comfort for the region's IT leaders?

They need to go back to basics. It's no use just taking advice off of salesman and hoping security issues will be resolved. They need to take responsibility for their own organisations, spend resources where possible, do their best to rework their architecture and bring in people with the right skills to help them move forward. Throwing money at the problem is not enough, IT leaders must do the necessary due diligence when implementing security strategies.

Given the skills gap in the region, where can the Middle East source these new recruits?

They're in China! I think a good start is to fund security courses and degrees, like they're starting to do in the US. We need to start growing our knowledge in the Internet-based economy.

Join the CSO newsletter!

Error: Please check your email address.

Tags security

More about CiscoMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by James Dartnell

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts