Infosec must learn lessons in preparation from military
Security

Infosec must learn lessons in preparation from military

Robin ‘Montana’ Williams isn’t holding back. The senior manager of cybersecurity practices for the world’s largest IT professionals group ISACA says that cybercrime will account for $4 trillion this year compared to $300bn for drugs. And he’s far from convinced that we’re ready for today’s crisis and for the shocks to come.

“It’s in excess of 10 times larger than narcotics trafficking, which is the second-largest criminal enterprise in the world, but people ignore it because they don’t see the physical harm,” he laments when we speak by phone. “We live with our heads in the sand like ostriches while we’re being pillaged.” Worse yet, the mounting cyber-threat could “far exceed any war in history”.

 

Security is a dog fight

Strong words, but Williams speaks from hard-won experience. He spent 25 years in government service, most of them in the US Air Force, eventually retiring as a Lieutenant Colonel. A combat veteran with experience of flying and information operations duties in Afghanistan and Iraq, he was the lead air-campaign planner for ‘Operation Anaconda’, the 2002 plan to destroy Taliban and al-Qaeda forces. He was also Chief of Electronic Warfare in the Iraqi Theatre of Operations.

Today he’s applying that wealth of nous at ISACA, which provides 150,000 members in 190 countries with counsel, training and certification in risk, governance and security. Despite this intimacy with the infosec world, he is frankly damning of the current state of security practices.

Hardware and software security defences abound but “professionals lack the requisite skills to make use of the existing tools,” he says. “This is going to take a complete cultural mind-set change.”

Part of that change might require hardball tactics such as banks no longer giving money back to account holders affected by cybercrime if those customers have behaved recklessly.

“If you don’t wear a seatbelt you get a ticket and if you violate a traffic law there’s some form of accountability,” he says, suggesting that maybe the same penalties and principles need to be applied to information security. But effecting change would also require state intervention, he adds. “It’s only the government that can do that. You have to prove to me that you’re not going to be stupid.”

 

Going global

However, individual governments can’t rely on acting solo because the internet is a global phenomenon. “This transcends all boundaries and you need international governance on how countries behave in cyberspace. [Criminals] know the laws and they’re avoiding prosecution by launching attacks from where wire fraud is not considered a crime.”

What’s needed is a collaborative effort led by major nations to protect the “fifth domain” that is digital. “Information and money control the world and [countries] have a responsibility to make their nations safe. It’s the globe’s internet.”

If cybercrime were not bad enough then cyberwar might be worse.

“The problem is going to be monitoring the rogue nations and the war of the future is not going to be kinetic war: it’s going to be a cyberwar and it’s going to be much more damaging.”

The major threat vector will be energy and “taking out a power grid with one push of the Enter key,” Williams says.

“There are critical enablers and you can stack them up but the central one is electricity. Without that, water doesn’t work, sewage doesn’t work, healthcare does work, there’s no banking...”

 

Practical defences

So in this perilous and multi-faceted environment how should organisations go about creating effective defence strategies? Focus helps for start and prioritising threats and what needs to be protected.

“You can’t protect everything equal across the board or else it becomes a mile wide and an inch deep. If you have a safe at home you don’t put your socks and underwear in there.”

But Williams says there are schoolboy errors being made in terms of approaches to basic security thinking.

“There is a chasm,” he says. “Cybersecurity is a very perishable skill set. One of the big gaps is companies don’t ensure their professionals retain their skills or prepare them with hands-on training to prevent or react to that big event that can occur.”

Here he goes back to his military training where the USAF and the UK’s Royal Air Force would learn from each other by going “mano a mano” in air sorties.

“Day one, we got our butts handed to us but after 10 sorties we were winning so when I took to the skies over Afghanistan and Kosovo I was prepared.

None of this training is occurring in the commercial sector the way it is in the military.”

It’s a troubling world but Williams at least feels that some lessons are being learned. He says that he was “fairly close” to Bradley/Chelsea Manning and Edward Snowden cases and was involved in “some of the remediation”.

“One of the toughest things is responding to the insider threat. People will balk at invasion of privacy but throughout time we’ve always had espionage. It’s just now it’s cyber.”

For Williams, security is an omnipresent challenge whether that’s blacklisting websites on his kids’ computers or the national and international threats we all collectively face. Training in best practices can at least mitigate those threats and his motto might well be the famous advice of Benjamin Franklin: “By failing to prepare, you are preparing to fail.”

 

 

Also read:

WhiteHat CEO sees no cap on future of ethical hacking

Darktrace CEO: Spooks, security and serial links to Autonomy

Bromium: A security bromide

PREVIOUS ARTICLE

«Why Pokémon Go is inspiring one company to map the world

NEXT ARTICLE

Typical 24: Bhavin Turakhia, Directi»
author_image
Martin Veitch

Martin Veitch is Editorial Director at IDG Connect

  • twt
  • twt

Add Your Comment

Most Recent Comments

Resource Center

  • /view_company_report/775/aruba-networks
  • /view_company_report/419/splunk

Poll

Crowdfunding: Viable alternative to VC funding or glorified marketing?