As Chief Information Security Officer of the Central Intelligence Agency for 30 years, Robert Bigman was entrusted with protecting the United States' most sensitive secrets. The President of consultancy firm 2BSecure took time out to talk to CNME about why outdated IT architectures leave worldwide security hanging by a thread.
How has the threat landscape changed since you began working at the CIA?
In my opinion it hasn't at all. The same threats and risks that exist now existed in the seventies; there is the same inherent risk in technology and computers. You could say that these risks have been amplified by consumerisation, but, historically, we have never addressed the critical issues. In this age, the capabilities of the Internet of Things is creating more problems.
Tell me about the paranoia you faced while working there.
I was always paranoid! As a CISO you have to be. It's not necessarily a negative thing, if your job is to protect something. And as the saying goes, "just because you're paranoid doesn't mean they're not out to get you."
2BSecure says it believes in 'Thoughtful information technology architecture.' Can you give your definition of what this is?
For many years, industries, governments and consumers have been sold the idea of 'you can have it all without any security risk.' Well they are fast learning that that isn't true. Nothing is ever free in life, and that is especially apt in the case of the Internet. So many security companies try and tell you "use my product and you will be OK." This is far from true. Security issues are tied to the Internet; it is the main target of those who are out to exploit flaws. All the right technology will still be breached; if you are a target, hackers will get you. Thoughtful architecture means having solid foundations at the base, whereas what we have now are old, weak, decrepit foundations, on top of which are built layers of software, and the whole thing is due a collapse.
You've previously mentioned how Unix and Microsoft architectures have remained the same from when they were developed in the 1970s, leaving huge vulnerabilities. What needs to be done to solve this underlying problem?
These architectures are 25-30 years old, and were built in the days of smaller computing needs. When you consider that these same architectures are now being employed on mobile computers, which are so widely bought, it seems like madness. You're left thinking 'how on earth did these end up on the mass market?' Windows 7 and even Windows 8 is based on 20-year-old architecture, and it has issues. The internet was initially based on private network exchanges between remote nodes, and we didn't know what it would turn into. TCP/IP protocol at least allows you to modify for performance and scale, which is what we implemented at the CIA.
What was the biggest challenge you faced in your career at the CIA?
Simply enough, to keep the agency's systems from being penetrated. It is one thing to keep your systems secure, and another to keep them hidden. Both were a challenge, and when you have really bad technologies as your defence, you really are in trouble. Another main challenge was explaining abstract technical concepts like the movement of electrons to senior personnel within the CIA. These are people who can't understand how the technical aspects of a phone call work. I became highly proficient in explaining concepts with video -- and moving puppets.
Having said that, the acceptance of risk there was zero, unlike in industry, where companies don't have the same prudence. There, unless there is a gun to their head, they don't do much. When there is a serious possibility of losing information, they do everything to stop it, but until then, not enough.
In the grand scheme of things, when did cybersecurity first become a major issue?
It still hasn't. Every week there is a conference about what you can do to improve your security, but a fundamental rethink of the product architectures that are used to move data - and new R&D - is needed. At the same time, it is not viable to upset the economy and suddenly switch horses in terms of security strategy, it has to be a gradual transition. Waiting for a new product to come along won't solve the problem; encryption certainly hasn't stopped cybercriminals.
It's a morbid analogy, but I view the reality of security weakness as the same as a reaction to a family member's death. At the moment we are in the stage of realisation, where we are beginning to understand what is happening but haven't fully grasped the gravity of the situation; we haven't got a rational answer of how to respond. We need to move from the emotional response to form a rational plan of action. It has dawned on the US government that this is a really big problem; but the likes of Cisco aren't helping with the IoT, where everything is connected: your car, your clothes, your cat. It's out of control.
I'm guessing you're not optimistic for the future then?
Even in June 2014 we are being repeatedly told of new security issues we face, and that simply downloading a product will make all our problems go away. There is empirical evidence that security products do not work. I recently had a meeting with the CEO and CIO of a large corporation, and they told me their goal was to eliminate the need for cybersecurity. I told them that I'd love to make that happen, but there is no mathematical formula that can achieve that. We need to go back and fix the fundamentals, and come up with new security solutions. If we were to start work right now on rebuilding the foundations, it would take a minimum of 5-10 years before they were complete.
Any words of comfort for the region's IT leaders?
They need to go back to basics. It's no use just taking advice off of salesman and hoping security issues will be resolved. They need to take responsibility for their own organisations, spend resources where possible, do their best to rework their architecture and bring in people with the right skills to help them move forward. Throwing money at the problem is not enough, IT leaders must do the necessary due diligence when implementing security strategies.
Given the skills gap in the region, where can the Middle East source these new recruits?
They're in China! I think a good start is to fund security courses and degrees, like they're starting to do in the US. We need to start growing our knowledge in the Internet-based economy.