Hoping for the best is not a cybersecurity strategy

Terry Roberts is a global cyber intelligence expert with a career spanning 30 years in the US intelligence community. In this interview Russell Yardley talks to Terry about the current state of Australian cyber security, whether it still makes sense to worry about perimeter protection, and getting started with the basics.

In this interview Russell Yardley talks to Terry about:

  • The current state of Australian cyber security
  • Whether it still makes sense to worry about perimeter protection
  • Getting started with the basics
  • The connection between culture and cybersecurity

The transcript:

Russell Yardley: I’m Russell Yardley, a professional Non-Executive Director and Chairman of Tesserent, a cyber security company.

Terry Roberts: Hi, I’m Terry Roberts, and I’m the CEO and President of WhiteHawk, formerly a Vice President for cyber engineering and analytics at TASC, and previously the Executive Director of Carnegie Mellon Software Engineering Institute. But I really have a cyber intelligence background through a 30-year career in the intelligence community, with my last position as the Deputy Director of Naval Intelligence.

Russell Yardley: Terry this is a very unfair question because you’ve only just arrived here in Australia but how do you see the comparison between Australia and the United States?

Terry Roberts: I actually think cyber security, cyber-crime and fraud is the great equaliser, so even if you’re a very sophisticated country like Australia and the US, we’re in equally poor positions today. Because the majority of our directors and CEOs are 45 to 75 and they don’t get this, it hurts their heads, and so they tend to just say I’m going to do the minimal I need to. If I’m regulated I’m going to check a few compliance boxes, and god willing I’m going to get to retirement without a major event. That is unacceptable.

Russell Yardley: Yes

Terry Roberts: You’re putting our global economy, our national economies at risk because it hurts your head, so I actually believe that we’re in similar places.

I know we’re in similar places when it comes to talent and having the education programs that we need to have in place, the digital literacy programs that we need in our schools, and I mean grade school, middle school, high school, okay, the one-year programs and certifications that we have to have in place.

I’m on several university boards to help them to create those curriculums so we can have talent throughput. The nice thing is there are jobs available; we believe in the US we’re one million short, and I’m sure you have a nice large number here in Australia that you’re short.

Russell Yardley: Yes.

Terry Roberts: So the beauty is I think we actually share a lot of the same challenges and issues, and I know the government is a partner on this, I think the industries need to partner on this too.

Russell Yardley: Look at Tesserent, we could double the size of our team if we could get the talent.

Terry Roberts: Exactly, exactly.

Russell Yardley: So I think Australia from what I can see is very much like the curate’s egg, where we’ve got the wonder of being a sophisticated but smaller economy so we can see through to the end a little quicker.

And so there are companies that are really right at the leading edge, but when you look beyond those special companies like the Atlassians of the world, there’s a real paucity of talent. I think that Australia has to concentrate on making sure that our average game is much better.

Terry Roberts: Right. And remember the other issue in this space is that geography is meaningless.

Russell Yardley: Mm-hmm.

Terry Roberts: So the Chinese, the Russians, all the known major bad actors, the mafia has moved totally to this space. They don’t care where you are, they just care if you have money and if your defences are down, so again I think this is the great equaliser across all our countries.

I’m normally not an alarmist in this space because I’m a problem solver, but I think the worst possible future could be where we lose trust online, trust to conduct business transactions, trust to communicate, trust to do government missions, that trust is critical.

So I am to the point where I know that we have to decide what are the kinds of financial transactions, data transactions, communications, that have to be protected, and I’ve already started thinking about what are some of those critical technologies or mechanisms or approaches where we get away from the perimeter defence that doesn’t work.

I am looking at end-to-end biometric capabilities and technologies, so that if you’re my banker and I’m at the other end, we can truly do that handshake online, and I know that I’m communicating with you and you with me. Opt-in programs for identity chips, the ability to do Bitcoin transactions in a safe, regulated manner: I think we need to be exploring all those next generation technologies and approaches before we lose trust.

Russell Yardley: When you think about the way we exchange emails I am frightened by what people put into attachments in an email.

Terry Roberts: Exactly.

Russell Yardley: But why do we do that, because 99.9% of the time it works.

Terry Roberts: Right.

Russell Yardley: Security is not breached, and you’re right if that trust is broken then the very essence of our economy will be broken.

Eric Beinhocker did a beautiful book called The Origin of Wealth, and in that he mapped the pure index of trust against GDP (Gross Domestic Product) per capita, and you could see those economies that had low trust had low GDP per capita and those that had high trust had high GDP per capita.

Terry Roberts: Right.

Russell Yardley: And so I think that we really need to be very conscious that the last decade we’ve taken a lot of friction out of our economy, there are things that you can do in seconds that used to take weeks.

Terry Roberts: Right. So that’s how I often advise mid-sized and small businesses that don’t have a lot of resources to think. If email and document transfer is foundational to their company, they need a high level of trust, just put in place the technology that does that, right?

I don’t want people to feel that ‘I’m overwhelmed by all of this and I can’t do everything so I’m going to do nothing’. That’s why focusing on those critical transactions and putting in place encrypted technologies today is important.

Russell Yardley: And so they need to think like the banks did 20 years ago: if it’s cheaper to pay for that breach than to protect against it, then that’s what they should do.

Terry Roberts: Right.

Russell Yardley: But when the cost of those breaches escalate or the importance of the breaches escalate, they then need to take an alternative course.

Terry Roberts: So we have a recent statistic in the United States that 60% of all small businesses that have a major breach are out of business within a few months.

Russell Yardley: So Terry with those 60% of companies that received a major threat that threatened their survival, what type of things would cause you not to do something and what are the sorts of things that you can do?

Terry Roberts: So easy, I have a whole series of things that we use with my company that I call the basics.

One of them is email protection, and there’s so many cloud based software as a service capabilities today that can protect your email, because think about it if you lose two months of your email what do you do.

The other thing is just backup. A lot of companies I talk to don’t do basic backups onto their hard drives. For instance, on my laptop I just have a $100 backup hard drive, and guess what, when I’m not using it it’s disconnected, it’s in my desk, so if anything happens to my platform I have a complete backup.

Russell Yardley: Right.

Terry Roberts: So basic things can make a huge amount of difference. Website protection: there are so many great companies out there today that provide website protection, so that they actually have lightweight sensors on your website, and then if they detect anything abnormal they let you know right away and you can take action. If your website’s down for 48 hours, sometimes that could be a killer to certain kinds of companies, so again, focusing and putting those very finite technologies and services in place.

This really isn’t that complex: get an assessment of your risk baseline today, because that will help you prioritise what’s most critical to you and the impact of the online environment.

After that you should have a sense of how much you could lose if you were to have a major breach, and then that can help you figure out your return on investment of how much you can put into cyber security and cyber intelligence, and you can explain to your board “hey these were my risks and therefore I think this is a fair level of investment”.

And then go to professionals, see where your price point is and what you can afford, and then put that protection as a service in place for your company.

Russell Yardley: Yeah Terry I’d connect that to the strategic planning process.

Terry Roberts: Absolutely.

Russell Yardley: As you look at in your strategic plan we have a number of clear directions we want to follow, with each option there will be trade-offs, and we’re used to saying ‘well okay this is a wonderful strategy but can we afford it?’

That question has to go to cyber security so that you’re using the assessment, the appetite for innovation, the appetite for risk, and then we’re actually framing that strategic plan in terms of how is this risk going to permeate in our business, and I think that that’s the critical lens you’ve got to look at, how does this risk relate to the way in which we’re executing our strategy.

Terry Roberts: Absolutely, it’s all about your business.

Russell Yardley: Yeah.

Terry Roberts: It’s not about doing cyber security, it’s about protecting you against crime and fraud.

Russell Yardley: Yeah, yeah. Because I think that when you look at the way the banks have responded, you know 15 years ago it was much cheaper for the banks to write a cheque when someone successfully defrauded their customers, much cheaper, it’s not any longer.

Today, should we be worried about building strong borders, or should we recognise they’re going to be penetrated and build strong internal defences?

Terry Roberts: So as a national security professional I always assume the bad guys are in. I have had a lot of experience over the past 20 years both in government and industry and academia, and have found that they are inside your networks, or they have access to your networks.

So this issue of I’m going to build a wall is absurd in this day and age not to mention the insider risk, you know criminals can also be within your workforce or have access to someone in your workforce, so that’s why that whole approach is really dead.

Resilience is all about baking assurance into your business processes, duplication, backups, trust in your key transactions, encryption regarding your key transactions, therefore if they’re in they won’t get everything. One of the things we learned from the Sony breach was once they got into the network, they could actually get access to their unreleased movies.

I always tell customers “what are the jewels of your business?”, and for Sony it was their unreleased movies. Yet once they were in, they could access everything; just basic email security wasn’t in place. So that is the way you need to think about it: as you buy infrastructure, ask about its assurance; as you put in software programs, ask about resilience and assurance.

Russell Yardley: So when you were talking about operating inside the network and being able to deal and compromise people inside the company, are we really talking about a cultural issue as well as a technology one?

Terry Roberts: I honestly believe that through the ages we’ve seen that if an individual has a crisis in their life and needs money, they don’t even have to be a bad person. Leveraging someone within the organisation is the easiest way to gain access.

So one thing that a lot of businesses in the States do is you don’t allow everyone to have the same kinds of access, and again there are some great technologies today that allow you to put that in place. So we call it attribute-based access, where you actually profile what is the work you do, and then they are given access to only certain things within the company, certain datasets.

Russell Yardley: Some of my fellow company directors govern sport, and you raise the issue of corruption in sport, particularly sports betting, and the way that these bad people get control of key sportsmen is that they do something that is just slightly on the edge.

Terry Roberts: Yes, right.

Russell Yardley: And they get away with it.

Terry Roberts: They’re blackmailing them, right.

Russell Yardley: And you know, do that two or three times, and suddenly they then ask them to do something and they say “I’m not going to do that, that’s outrageous”, and they say “well, we’ll tell everybody about what you’ve already done.”

Terry Roberts: Right.

Russell Yardley: And that pattern goes to culture.

Terry Roberts: Yes. And there are actually some very easy policy kinds of protocols that you can put in place to mitigate insider risk and insider access as well.

But I think the bottom line is, if you want to be able to operate through a hack or through a ransom event you need your business revenue and reputation not to be brought to its knees as a result of that event, and that means resilience at all levels.

And I think a final thought that I would have is someone needs to be responsible within the company for physical, personnel and cyber security and resilience for your business.

Russell Yardley: Terry that was lovely, thank you very much.

Terry Roberts: Russell anytime, next time come to DC and we’ll have a chat there.

Russell Yardley: You’re on.