Obama’s former CIO tells us how to improve reliability in a digital world
Gavin Allen: Tony, thanks very much for joining us. Has resilience - this ability to respond to, recover from and, ideally, avoid altogether cyber breaches - ever been more important?
Tony Scott: Well, I don't think so. I think all of us in the industry are learning lessons every day around resilience and why it's so important. More and more of what runs our businesses, government, social institutions and so on is digitized in some form or another. And even doing the things that we do on a daily basis requires a tremendous amount of infrastructure and applications and other things. When those things fail, because of all those dependencies that we have, you know, life becomes relatively difficult and we all feel the impacts, and sometimes rather quickly. The existing supply chains are all driven by technology, basically, making sure that things get made and get delivered at the right place at the right time. One small kink in that process and, wow, suddenly you can't get essential things that you need. And it's because in most cases there's not a lot of resilience built into the fabric of the underpinnings of the things that we depend on. So I think as a society we are learning those lessons every day, and sometimes in very stark ways, unfortunately.
Gavin Allen: What do you think that companies, private and public are doing to achieve greater resilience?
Tony Scott: One is you have to be constantly examining the platforms and the infrastructure, the supplier dependencies, for whatever it is you're trying to do as an organization. You have to be constantly testing yourself to understand what you would do if one of those critical things fails. I like to ask CIOs how often they practice their disaster recovery activities or how often they practice recovering from a cyber breach. And if the answer isn't "very regularly", that sets off an alarm in my head, because in most cases you don't get good at these things unless you practice. None of the people who were performing at the recent Olympics were doing what they do for the first time. And cyber and resilience are the same way. I mean, if you don't practice at it, it's unlikely that you're going to perform at all well, or even be in the game, unless you have some muscle memory, in particular, of what to do and how to do it.
Gavin Allen: Talking of muscle, the former heavyweight boxer Mike Tyson famously said that everyone has a plan until you're punched in the mouth. Should companies basically now assume they're going to get punched in the mouth and plan accordingly?
Tony Scott: Well, I think so. And you know, just to further the analogy, most of the time you don't know exactly where the punch is coming from. It might be to the nose, or it might be to the cheek or somewhere else. But what I do know is, if you practice several different scenarios, you'll be a lot more ready no matter where that punch comes from than if it hits you for the first time and it's a shock and you've never understood how you would react.
Gavin Allen: I was quite struck by a quote at this year’s Munich Security Conference by America's Cyber Defense Agency Director Jen Easterly. She said that a cyber-attack occurs roughly every 40 seconds, that cybercrime damages are expected to cost the world $10.5 trillion by 2025, and that by then there's expected to be 3.5 million unfilled cyber security jobs globally. That all sounds as if we're on course to lose this resilience battle, doesn't it?
Tony Scott: I think her comments are really reflective of the reality of what we see going on every day around us. Whether you are talking about bank robbers in the old days or any other form, crime is always going to be there. I don't think any society has ever figured out how to eliminate it 100%. It's also historically the case that there's always been an imbalance, where the bad guys have the element of surprise. Only they know when and where they're going to attack and how they're going to do it. They're also constantly learning. What's different in the digital world from the analog world is that there were things in the analog world you could do to deter physical crime. You could put bars on your windows, have alarm systems, increase police presence, all those kinds of things. In the digital world, some of those things don't exist, although we work hard at alarms. But when you can get rich, or get wealthy, by making almost no investment, that's going to attract a bunch of people. And right now, we're in a world where the tools that the cyber criminals use are cheap and readily available, and as a society a lot of the money we're spending on cyber security defense isn't effective against some of those tools. So we're going to have to continue to evolve. I'm sure the cyber criminals and the nation states that do this will continue to evolve. I suspect it's going to be an arms race for a relatively long period of time. I think there is some good news, which is, if we design and architect our information systems in a fairly dramatically different way than what we're doing today, then I think we stand a better chance of making that battle a little more balanced. It has to do with some of the fundamental design of information systems, starting with hardware, software and networks. It's called zero trust. And that needs to be built into the architecture of everything, every part of what makes up our information systems today. And it's not today.
Gavin Allen: President Biden, in his executive order last year, has effectively decreed that there's going to be a zero trust approach in government business - and by zero trust we're talking about that focused checking both internally and externally along the supply chain. But why has it taken so long?
Tony Scott: Let me tell you a story from my past. When I was a federal CIO, a few weeks after I assumed the role, we learned of the Office of Personnel Management breach. 21 million identities were compromised. These were people who had filled out very detailed information about their personal lives and backgrounds, so that they could be cleared for security oriented positions in the government, way beyond just your name, your birthday and some of those kinds of information that would be revealed in a normal breach.
When we did the investigation, we discovered it had been a compromise of credentials. No surprise: lots of breaches start there, with the compromise of credentials. But what was alarming to me was that, 10 years earlier, the government had decreed that two-factor authentication was the law of the land for government systems. Ten years earlier. And when we did the survey of the whole US government 10 years later, we discovered there was around 45% adoption of two-factor. And in the case of OPM, which was guarding all of this really sensitive information, they were about the same, about 45-50% two-factor, and the credentials that had been compromised weren't using two-factor. While we can say "go to zero trust", I think the lesson learned is it can take some time. Now, the end of the story is, upon learning this, we launched a 30-day cyber security sprint, and I asked all agencies to get as close to 100% as they possibly could in 30 days in terms of two-factor. At the end of the 30 days, we got the government up to about mid-90% adoption of two-factor, so it does prove the point: never waste a good crisis for getting things done. Absent a crisis, it sometimes takes a long time.
Gavin Allen: But the very fact that you got it up to 90% two-factor authentication, and yet here we are again, issuing executive orders asking for zero trust, suggests it hasn't moved on that far, right? I remember back at that time in 2015 you said "we've sometimes failed at even the most basic preventative measures". Do you think governments globally are still failing at that kind of level?
Tony Scott: I think everyone has significantly upped their game since that time. So on the one hand, I'm heartened by the progress. But I think the larger problem is, until we do two things, we will still always fall behind. The first thing is replacing outdated technology. This is fundamental. Technology is the foundation of everything that our government basically does in terms of the way it operates and delivers services to citizens. If that's built on a creaky, crumbling foundation, it's never going to be secure, and it's never going to be safe. And then second, when we do replace with more modern systems, we have to build security into the very fabric of what we do, using zero trust principles and other things as well. That's got to be a continuous process. It's something I practiced at Microsoft. We had a useful life for everything in our environment. Sometimes it was 3 years. Sometimes it was 5 years. Sometimes it was 10 years. It had nothing to do with the financial economics, and had everything to do with constantly upgrading so that we always made sure we had the best technology that was available to us to serve our customers and also to protect our precious assets. Now, that would be a very different strategy.
Gavin Allen: But should that be left at the door of individual organizations, or is there a place here for regulation and enforcing resilience and cyber security? I was struck, in the first edition of Transform, that Bruce Schneier, the security expert from Harvard University, was saying that one of the key problems is that tech moves faster than regulation and governments are always slow to catch up. But is there a place for regulation to drive cyber resilience?
Tony Scott: I think there is but let me explain the problem with it from my perspective. Organizations are really good at layering in new technology on top of old technology. But unless you completely replace everything with that new whatever shiny object, it's layering a new layer of paint on top of old paint. And you just build up layers of paint over a period of time which in and of itself is a security risk. Because these things often don't subscribe to the same security mechanisms and schemes, and it's hard to architect good cyber security when you have these multiple layers of paint and so on. So it's true that the technology moves fast but it's just that top layer. It's not necessarily everything that's under it. If you've ever gone swimming in a lake on a hot day, the first inch or two of the water gets very warm, but you dip your toe in and about 8 inches down, it can still be pretty cold. And that's just like the technology layers in a lot of organizations. The top layer might be pretty, but underneath often not so much.
Gavin Allen: What about ransomware? Again, a recent comment from the US Deputy Attorney General, Lisa Monaco, saying ransomware and digital extortion only work if the bad guys get paid. Obviously enough. So should we ban paying ransoms, stop paying the bad guys, because that has an impact on everyone?
Tony Scott: I think that's a hard one. It's easy to say I'm in favor of banning paying the bad guys, until it's your stuff, your crown jewels. And then there's a business judgment that will enter, and you'll say, is it better for me to pay, or is it more costly for me to resist? But I'm generally in favor of banning payments to the bad guys. I think we've learned that works with hostage takers and other bad activities. But I'm certainly sympathetic that individual cases may tilt one's opinion. What I would be in favor of, though, is mandatory reporting. So there should be transparency in terms of, you know, "we were hacked, we either paid or didn't pay". And I think organizations like the FBI and other law enforcement organizations should be informed when those activities are occurring, so they can understand the patterns, the methods and tools that the bad guys are using, and then help catch them in the case where that information is useful. And I'm encouraged that we've seen some examples recently of ransomware guys getting caught through their use of cryptocurrency and so on, which I think ultimately means there is no outrunning the law forever. So I'm encouraged by that.
Gavin Allen: Talking of outrunning the law: global cyber conflict and state-sponsored cyber conflict. Should there be the equivalent of a Geneva Convention for cyber conflict, parameters set for what is and isn't acceptable?
Tony Scott: I agree. I think there should be. And you know, it's very clear today that if a nation state blows up some building or some part of a city, or attacks beyond the borders of another, that constitutes an act of war. But we don't have the equivalent of that in the cyber world. I think the reality going forward is war will be a combination of kinetic and cyber. And often, what I think we'll see is the cyber will be a precursor to the kinetic war. Taking out the other guy's infrastructure, telecommunications systems, will be the first thing that happens; it will be the first indication that something else is going to happen, including kinetic warfare. So, you know, welcome to our new world, but I do agree there needs to be much more clarity and global agreement on the rules around that.
Gavin Allen: And now as CEO of INTRUSION you're using AI to provide companies with intelligence about cyber threats, including zero-day vulnerabilities. Is it good news or bad news for us if your business is thriving?
Tony Scott: We have the world's biggest historical database of IP addresses and domain names and data that's attached to that. So our entrée into the cyber security business is historical reputation. When we see traffic in the network that's going to or coming from reputationally bad places, we block it. That's different from signature-based or other methods that are used to determine good or bad in terms of network traffic. If we see, for example, your thermostat talking to your bank, or a bank anywhere, we know that's probably not a good thing and you shouldn't do that. That's the AI part. If we see your refrigerator talking to some place in Iran or North Korea or whatever, we know that's not a good thing and we block it. That's the world we're in. We don't claim to be the all-singing, all-dancing cyber security solution. Our claim is that our technology, combined with several other things that you are probably using, will give you a better chance at avoiding zero-day attacks than without it. The game I think that we're all in is getting a little bit better all the time. The bad guys will go find somebody who's a little less difficult to attack.
Gavin Allen: And as a leader, how do you foster a resilience culture and relentlessly drive what's being called "cyber hygiene"? How do you keep people constantly battening down the hatches and looking out for those threats?
Tony Scott: Every role in the organization plays a part in your organization's cyber security. A good friend of mine used to quiz CIOs and he asked them how many potential holes they had in their cyber security architecture. Everybody would look at him and be like, "why are you asking that question?" And he would say, "Well, at a minimum, you have as many holes as you have employees in your cyber security architecture because every employee could be a potential entry point.
So let's start there and then add on top of that all the other things that are known entry points." And that often made people sit up. You know, they were shocked. But I think he was right. So as a leader, I think you realize it is important to keep your team engaged and informed as a part of your defense. But I think you can also make it fun. And it doesn’t have to be this dreary “oh I have to watch another video, and check the box that I did my cyber security training”, and so on. And then I think the third thing that we have to do is make whatever cyber security we put in place easy to use. One of the best CISOs I ever had working for me said if really good cyber security is really hard to use, nobody is gonna use it, and you have everybody in the organization finding workarounds that will completely negate the benefits of whatever it is you try to put in. So he said my job is to make good cyber security the easiest thing to do, the most pleasurable, the fastest, the most rewarding way to behave. If I do that, we’ll have good cyber security. And I love that approach.
Gavin Allen: I can understand looking out for the thermostat talking to the bank manager, or the fridge talking to Iran. But how do you make something that’s so inherently serious and precise and complex an enjoyable experience?
Tony Scott: You can reward people. You can celebrate success. You can do gaming kind of things. When I do town halls, sometimes we have a fun cyber security quiz. We give out prizes to people who score the best. I think it’s all about making it right here for people instead of something that’s a distant thought pattern in the past or whatever.
Gavin Allen: You’ve served one president, and have met three others, and you’ve worked alongside the likes of Bill Gates, and met Warren Buffett and Steve Jobs, etc. Who is the most personally resilient public figure you have worked with or know of?
Tony Scott: I would say President Obama to me is probably as good at that as anybody I’ve ever seen, or had the opportunity to work with. There are just not many roles that are as tough personally as being president of the United States. And I think we’ve seen how fast those guys age while in office. And so I always found his attitude and resilience probably the most inspirational, even in the middle of some of the hardest problems we had. He was always personally engaged. He would ask really good questions. He never got mad at people. It’s easy to be dismissive, and sort of lose yourself in the moment. And I always admired his presidency’s awareness of the importance of the situation, and the sort of reflective nature of how he would look at decisions, and make decisions. I thought that was always probably the best example I’ve seen. And if you watched him play basketball, you knew he was as good a trash talker as he was a basketball player.
Gavin Allen: All part of the charm.
Tony Scott: Exactly.
Gavin Allen: Tony, thanks very much for joining.
Tony Scott: My pleasure.