
Interview with Herbert Lin (CISAC): "Cyber security is an endless battle"



Herbert Lin is a Senior Research Scholar for cyber policy and security at the Center for International Security and Cooperation (CISAC) at Stanford University (USA). Lin is also a research fellow in cyber policy and security at the Hoover Institution, a prestigious public policy research center. In addition to his work on information policy and security, Lin holds a doctorate in physics from the Massachusetts Institute of Technology.

Panda Security (PS): What is your general view on the state of enterprise information security in 2017?

Herbert Lin (H.L.): Information security in enterprises is very complex. Most enterprises understand that they have to pay attention to these issues, but many of them do not fully understand how to make investments in information security. So if you are the head of information security in your company, and your director tells you "I am ready to give you a million dollars," how should you spend these funds? I think that most people cannot give an exact answer, because they have no [clear] idea how to spend this money. This is the first problem.

The second problem is that there is often an incorrect assessment of the risks that may actually exist. I think that management often does not understand what their main asset is, what really needs to be protected. You cannot protect everything at the same level, and therefore you need to prioritize: which things are most important. And in enterprises this is very difficult to do.

The third problem is connected with the fact that even if the enterprise correctly manages its business risks (whatever the word "correctly" means), it manages them within the framework of the needs of its own enterprise. But the functioning of this enterprise may be more critical for society than the enterprise itself thinks. And in this case, we can talk about the serious social consequences of a big problem related to the information security of this enterprise. For example, if your enterprise is an energy company, a power plant or something similar, then not only the shareholders of the enterprise will suffer if it stops working. All people who depend on the work of your enterprise will suffer. The hospital in the next street will suffer, all institutions and people who have food stored in refrigerators, etc.


Herbert Lin

PS: Do you think critical infrastructure is adequately protected?

H.L.: The question is, what does "adequately" mean? Can we do more? I would be glad if more had been done, but in the US there is an undeniable fact that power outages are more often due to squirrels than due to cyber attacks. What will happen next in the future? I don't know. Probably this is a stupid comparison, but nevertheless squirrels do not do this maliciously, while criminals do. The fear is that if criminals do this maliciously, then they can cause much more harm than squirrels.

PS: Ransomware attacks are still evolving. What conclusions can we draw from the recent WannaCry and Petya attacks?

H.L.: Ransomware attacks are, in fact, a type of denial of service (DoS) attack, and therefore enterprises must be able to fight them: they must have backup procedures and much more. Backup is resource intensive, sometimes difficult, but you have to do it. You need to know how to act if you are at risk. For example, when your electronic medical records are no longer available to you on the Internet. You need to know how to act under such circumstances.

PS: Can you say that another large-scale ransomware attack is waiting for us?

H.L.: Yes, in general, I think so. You will see this kind of thing more and more; after all, ransomware is an easy way to make money.

PS: What role do you think companies will play in a potential cyber war?

H.L.: They will play both an accidental and a deliberate role. One of the problems is that enterprises may accidentally make a mistake in one of their programs and not correct it. This is a problem because they have a vulnerability that they have not fixed. So they play a certain role, because they have allowed this vulnerability. They did this unconsciously, but they still allowed vulnerabilities in their software.

Enterprises have the ability to configure their systems in various ways, making them more or less secure. Sometimes companies give their users certain default profiles that are easy to configure and not completely secure. This is their choice. The reason for this choice lies in the fact that they do it for the convenience of users. They do not want their users to say "your products are difficult to use," because that gives them bad reviews in the media. Therefore, they make their products easier to use, but often they become less secure. And here this decision is a conscious decision of the enterprise. By this decision, they inadvertently contribute to exacerbating the problem.

There are other examples where companies work with government intelligence agencies to support offensive operations. For example, an intelligence service may contact a company (say, an antivirus company) and say: "Here is the signature, and we want you to ignore it, and for this we will pay you $10 million." Why are they doing that? Because they want to attack someone, and they know that their future victims are using a certain antivirus program. I'm not saying that this is a legitimate way, but still it is a way that has been used by intelligence services. Thus, in this example, a cooperating company is helping an offensive operation that in some way can contribute to cyber warfare.

PS: Do you think that in 10 years the world will be safer or not?

H.L.: I think it will be worse, but the state will not be catastrophic. If I had to choose the most likely outcome, then I would say so. How much worse? I don't know. But I think it will be a little worse.

PS: Why?

H.L.: Because I see all the trends that are moving in this direction. People want the benefits of information technology, but they don't want to pay the costs. So this comes at the cost of security. I think that in the long run, people will still pay attention to this problem. In the meantime, it will be "slightly worse" because I do not think that we are at a turning point where the costs exceed the benefits. But sooner or later we will be there. Although I think that movement in this direction is slow. But when we reach this point, it will be a completely different matter.

But why just "a little worse," and not disastrous? I think that, ultimately, the whole world is so interdependent that in the event of a catastrophe everyone will suffer. China will not win if it takes down the worldwide network. They want to use it for their little game. If you are a freeloader, you do not want to kill your host. You just want to use it. But there is always a limit to how much you can extract for yourself.

PS: What is the most important information security tip you would give to businesses?

H.L.: I would say that information security is an endless battle, and you will never be able to solve this problem once and for all. You should invest more than you think.

P.S. Some parts of this interview were slightly edited for clarity.

Source: https://habr.com/ru/post/336718/
