Why cybersecurity is partly a people problem

The cybersecurity industry continues to boom in the D.C. region, thanks in part to its proximity to the federal government, as well as the area’s deep talent pool. With its prevalence in Washington, it’s important to understand the technologies and systems behind this growing industry, as well as the intersection between public and private innovations. On this What’s Working in Washington EXTRA, we spoke with Bob Bigman, president of 2BSecure and former chief information security officer at the CIA; Bob Flores, co-founder and partner of Cognitio Corp, and formerly at the CIA; and Bob Gourley, founder and CTO at Crucial Point LLC, as well as former CTO of the Defense Intelligence Agency.

ABERMAN: You’re very much involved in cybersecurity, but a lot of people run around with their arms waving in the air. They’re worried about the end of Western civilization, or excited that it’s a big economic opportunity. Are people waving their arms for the right reasons? What do you think?

BIGMAN: Yeah, they’re doing a lot of arm waving, a lot of fist shaking, screaming. There’s a lot to be said, not a whole lot being accomplished. But there’s a lot being said, and plenty of opportunities for the right investor, the right company with the right idea.

ABERMAN: Interesting. So, Bob Bigman, that’s where you think it is? A lot of arm waving? Bob Flores, I see you shaking your head.

FLORES: Shaking my head yes! I totally agree with Bigman. There’s things that are being done in fits and starts, which is a good thing. It’s better than nothing, but people have still not grasped the big picture for this thing. And so, I think that there are going to be plenty of opportunities coming down the road for both the investor side and the user side.


ABERMAN: It’s fascinating to me. Bob Gourley, it strikes me in some ways, tell me if this analogy makes sense: I go to the airport, it’s security kabuki. Take off your shoes, you’re going to be a lot safer. Is a lot of what’s going on right now in cybersecurity, is it kabuki? Are we really addressing the big issues right now?

GOURLEY: Just for context let me say, yes, maybe there’s some kabuki. I notice there’s a poster on the wall here about, hey, beware of insider threats. Is that poster going to stop you from being hacked? There’s posters like that in every organization that was ever hacked. Or you could say some of the compliance regimes, PCI compliance, that’s important stuff to do, or HIPAA compliance, very important to do. It doesn’t make you secure. That is some of the kabuki stuff. But let me tell you this. There’s also been a lot of serious work and great technologies produced and fantastic methods and models, that can help make things more secure.

For more context, there’s 1.2 billion computers in the world, I mean PCs and servers. And people like us have been working in the community for years to improve the security of those. We haven’t quite gotten it right. Meanwhile, 7 billion smartphones in the world, 20 billion internet of things devices coming by the year 2020, just three years away. So, we haven’t gotten the first architecture right, and this new world of mobile, internet of things is coming at us fast, and we got a lot of catching up to do.

ABERMAN: It feels like, in a lot of ways, the technology community sells us stuff like it’s toasters. But it’s not toasters.

BIGMAN: It used to be toasters were very inexpensive, and they broke after a couple of days, and eh, who cares. But these are million-dollar toasters, and, sorry, I’m going to have to disagree with Mr. Gourley here a little bit. It is kabuki, because frankly, the cybersecurity problem, even if he asked a person on the street. They’ll tell you, and they’re right: it’s getting worse. We’re not making it better. No amount of technology, and I don’t know how many displays were at the RSA show this year, but where are we at? You would think at least at the airport, security has gotten better with the things we’ve done. There’s an empirical measure. You can see that security’s gotten better. In the cyber industry, it’s not getting any better, any better. And you have to ask the question: what’s going on here?

ABERMAN: Yeah, I want to ask that question, because what I hear, I mean, I go to briefings. I’ve been to briefings that you’ve participated in, and other experts in town. It curls the hair when you talk about critical infrastructure, you talk about data integrity, all these things. I was hoping you’d say it’s kabuki, what are they thinking, it’s all under control. But literally, you frighten me.

FLORES: Well, I think part of the problem here is that there’s an awful lot that’s being done to combat bad guy technology, from a technical to technical aspect, but that’s all totally reactionary. So, you’re always behind when you do that. What we’re not seeing enough of is this whole awareness thing. We have to start people young, in grade school, and people don’t have a security culture within themselves. And so, if you sit around with a group of people who are designing a system, they’ll say, well, we’re going to create a user interface that looks like this, and somebody will say, well, that’s stupid to do that, because users won’t understand that. They have this mindset of knowing what people want, and will accept, from a user interface standpoint, but they don’t from a security standpoint. And they need to.

ABERMAN: It’s interesting to me, I’ve talked with millennials, or younger people, who use technology, and they’ll say oh, well, I know I have no privacy, but yet, they go absolutely berserk like everybody else if they suddenly find that their bank account has been hacked. So, who doesn’t care about this?

BIGMAN: Agreed. They’re the last people to ask about cybersecurity, trust me. I wouldn’t open up with that, though. If you look at the industry, look where we’re at, cybersecurity is very theme-based, and it’s all based on what they think customers want, what they think regulators, compliance people want, and we worked through a whole collection of themes. I don’t know what the current one is, it seems to be artificial intelligence. I go back as far back as IBM mainframes, when we had products for those, and all the way through. We just bounced around from a whole bunch of ideas.

A couple of years ago, it was threat intelligence. Well, that didn’t work. Remember, the big craze on malware protection, antivirus engines, and whitelisting, that didn’t work real well. Encryption was a big thing for a long time, that just was really, really hard. The cybersecurity industry is just very, very focused on not solving the problem of cybersecurity, but solving the issue of, what do I think that that person wants, that I can sell them, that makes the compliance people happy, the regulator happy, and really looks good? Whether it solves the problem, and you can tell it’s not solving any problem, is where we’re at.

ABERMAN: I guess what I want to turn my attention to next is: well, sounds to me like you’ve identified a large market opportunity. How are we getting after it here in the D.C. region? Bob Gourley, you see a lot of startups, what are the opportunities here in the region?

GOURLEY: Well, there’s a lot of opportunities here in the region, largely because there’s a lot of customers here in the region. Commercial customers, especially, but also government, who need their stuff protected. And there are things you can do to reduce risk. It’s not all gloom and doom, but when you listen to Bigman, sometimes it sounds that way. But I’ll tell you, when you have good, aware leadership, when you have a CEO that gets it, and realizes that, hey, I need to reduce my risk, and a CEO that then passes that on to all members of his executive team, and doesn’t just think this is something for the IT department to handle, you can have a company that can really reduce its risk.

Because they’re going to do things like encrypt their data, and manage the keys appropriately, and use multi-factor authentication, and smartly use the cloud, and monitor everything that people are doing, and respond once you get penetrated. And you can do things that significantly reduce your risk, and you can do that in the mobile environment, too. It takes work. It takes leadership and awareness.

So, there’s great opportunities for firms that come with the ability to help people through that, and also the technology providers that can do that encryption, manage the identity of the whole thing. We say you need to know who’s who, and what’s what, and the new way to do that is through architectures like a software-defined perimeter, which is a fantastic way to make sure no one can get into your enterprise that you don’t authorize first.

ABERMAN: You know, this reminds me of that old joke about the two guys, where a bear comes up, and then the first one starts running off, and the second one says, I have to put my sneakers on. Why? Because I just have to outrun you, not the bear. Is that where we are with cybersecurity now, with all these technologies, that you’re not necessarily just saying, oh, I have to protect myself, you’re just saying that I want to make sure that I’m a harder target than that other guy? Is this an arms race, in effect, in the commercial sector?

BIGMAN: That is a big part of it, because, again, from a hacker mentality, they’re going after things they want, mostly things they can monetize, right? It’s all about making a dollar. Yeah, there’s China with the intellectual property, we all got that. But what, mostly, the focus of the hacker community is, how do I make money today? And the targets are basically those who readily expose their accounts, and their money, to either ransomware, or just open-account attacks, stealing credentials and stealing money. And that’s where the focus is going to be.

And Bob is right, there’s a lot of things you can do to reduce risks, a lot of things can work in combination together. By the way, not a lot of them are technology-oriented, a lot of it is just focus with good management, as Bob said. However, the bad news is, I see very few organizations doing it well. That’s the problem.

ABERMAN: Bob Flores, what do you think about that?

FLORES: Well, this is a security culture thing. I talked about that earlier. And that’s what we always try to instill in a company, and it does mean starting at the top and having things propagate down to the lowest levels of the organization. My view is that everybody in an organization, no matter how big or how small, has a security role to play, and they need to be instructed on what that role is. Obviously, if you’re the chief information security officer of the CIA, you have a huge role to play. But if you’re the executive assistant for the CEO of IBM, you also have a big role to play in security. It’s very different than the CISOs.

ABERMAN: What you’re talking about, in effect, is a culture of security, it sounds like. Now, I want to get back to this service thing, because my understanding and impression is that, this market is seen internationally as one of the three hotbeds for cybersecurity innovation. I hear Tel Aviv, I hear West Coast, and I hear D.C.; if that is true, where is the activity? Is it in the government agencies, startups? Where are you seeing this innovation?

FLORES: I think there’s a fair amount in the startup community here. Not nearly like it is on the West Coast, or even in Boston, for that matter. But what’s happened is, you’ve got things like Mach37 out of Virginia, which is quasi-government-funded by the state of Virginia—

ABERMAN: A startup business accelerator for cybersecurity companies.

FLORES: That’s right. And so, they’re rolling like this to try to accelerate these companies. And so, that encourages people to have good ideas, and they help minimize some of the risk associated with that by funding some of these things. At a low level, but still, it’s good in this area, because there, as Gourley mentioned before, you’ve got a bunch of customers in this area who are just chomping at the bit to get a solution to their problem.

ABERMAN: Federal and commercial. Bob Gourley, you’re working with a lot of startups and large business, and Bigman, you’re actually doing a company, so, it’s not just startups, right? It’s medium-size? Where’s that innovation?

GOURLEY: In this region, if you look at all the academia, and I like to think of the expanded version of the region, starting at Pittsburgh frankly. There’s just a lot of brilliant technology coming out of there, great startups—

BIGMAN: Now, Pittsburghers wouldn’t agree, Bob, but that’s fine.

GOURLEY: They’re smart people, and I want more of them to move this way, but it’s close enough, it’s a big umbrella. Of course, I think of Silicon Valley as going from San Diego to Los Angeles, to San Francisco, up to Portland and Seattle. So, the West Coast expansion here, we have so much talent, going all the way from Pittsburgh to Reston into D.C., Fulton, Maryland, Baltimore. And the talent is here. The funding is here, but the most important thing that’s here is customers. Because, if you’re a startup, you need quick access to a customer that can prove out your technology to get you going.

ABERMAN: Now, when you talk about customers, all three of you spent time in the national security establishment, at a number of the letter agencies, is that what you’re really getting at? Just the insatiable need the DIA, CIA, and others have for the best technology possible?

GOURLEY: That’s absolutely a key customer, but don’t forget the commercial. There’s a huge amount of commercial customers.

BIGMAN: Yeah, but I want to focus on what Bob said, he’s absolutely right. What I’ve seen just in the last three years is this transition, across all the companies coming to Washington, not to make and sell to the government, but to make and sell to the private industry. They like, for whatever reason, they like the idea of having a Washington, D.C. area address. That gives them something, I’m not exactly sure what it is.

ABERMAN: Which industries are you talking about? Because when I think of financial services, I think that’s New York. Who’s coming here to sell cybersecurity to the private sector?

BIGMAN: I can give you a list of three Israeli companies right now who have moved their headquarters, or joint-shared headquarters between Tel Aviv and Washington, D.C., not to sell products to the U.S. government because, frankly, some of them can’t, but to sell products to commercial industry. And they feel Washington is the place to incubate. They think the investors are here. They think some of the customers are here, and by the way, some of them are. Some of the financial industry customers have their security operation centers closely around the Ashburn area, because there’s a lot of bandwidth.

ABERMAN: You know, it’s fascinating. When I talk with people who are entrepreneurs here in town, they tell me, oh, we’re missing this, we don’t have that; and you’re telling me, that because the three of you do business internationally, outside the United States, people are saying, I need to be in this market, and the place to be in this market to reach it is D.C.?

BIGMAN: Absolutely. These people who are telling you that aren’t digging deep enough. They’re just seeing the surface, but there is an undercurrent, just a growing population of companies coming to Washington D.C., to have a Washington D.C. address, to do incubation and do product development and sales, right out of this region.

ABERMAN: Is it D.C., or is it Northern Virginia, suburban Maryland? Pittsburgh, Mr. Gourley?

BIGMAN: I can’t comment on Pittsburgh too much, but I certainly see it in Northern Virginia, just outside the beltway, and Maryland.

FLORES: It is the whole area. I mean, you’ve got really good programs at places like Virginia Tech, UVA, University of Maryland, obviously Carnegie Mellon in Pittsburgh. These places are putting out some very, very smart people, that have been studying security now for years. Obviously in an academic way, but nonetheless. You need people like that to get inculcated into these companies, so the region is a great place to find that.

BIGMAN: I think what happened is, all the cyber people, all the IT technologists who were hired in the government, back in the 90s and 80s, who have grown up now and decided, well, my government career is over, are interested in, now, taking their cyber credentials, and their ideas, and not moving far from home. So, where are they at? They’re in Washington. And that’s where they’re establishing their businesses. The Bobs here, we probably know among us three, we probably know hundreds of these small companies. We forget more than most even know.

GOURLEY: There’s also a lot of reason for companies to move out of the California area, and we’re seeing that kind of migration, too, just because of the economics, the taxes. There are VCs moving out this way. There’s the Data Tribe outfit in Fulton, Maryland, which is a very unique mix of VC, plus a company, plus an incubator. A lot of activity.

ABERMAN: I tell you what, I am so jazzed up with this conversation, but I want to talk for a few moments about what technologies you’re seeing that maybe will get us ahead in this arms race. There’s some really promising technologies.

FLORES: Gourley actually mentioned this earlier on in the segment, and that was software-defined perimeters, which I think— none of these new things coming down are a panacea or a silver bullet, but a software-defined perimeter changes the game a bit on how people interact with the network. I think it has a great potential to be an enabler, if you will, of much better security within enterprises. The interesting thing is, it’s essentially open-source technology, so there’s a few vendors out there that have taken this and cobbled things together, put their own secret sauce in it, and are doing fairly well with it.

ABERMAN: What else?

BIGMAN: I get a little deeper in the stack. I, frankly, think that if you really want to scare the hacking community to their shoes, I think we basically need to look down into the firmware. We’ve been playing around with this whole trusted processing module, a whole TPM technology chip, for such a long time, but we’ve never really explored it well. And there’s other security technologies in the chipsets that can be exploited, and some companies have done this, but by and large, it’s an open opportunity for people to do well, that gives you a level of security that you can actually attest to, and trust at a much higher level than software.

The problem with most commercial security software is the last word, software. It’s just software, like all the other software running on your computer. The hackers know this, it’s just a matter of getting below the application that’s running, the security product, and just disabling it, or just bunking with it to the point where it’s irrelevant. And if we keep playing with technologies, like blockchain, which is just another application on top of an unsecured operating system. It’s the unsecured operating system that’s a problem, not the application.

ABERMAN: So it’s almost like the three little pigs. If you build a house made of bricks, it’ll hold up better.

BIGMAN: Exactly right.

GOURLEY: I think, first of all, everything they said is just fantastic, especially what Bob said about software-defined perimeters. But if you really believe what Flores talks about when he says everybody has responsibility for security, which I do, that means you also need to consider training of every person. And there’s fantastic new developments in software that uses gamification to train and teach people, and really make them understand what they need to protect, and do it in fun ways. Now, this is very non-technical, you have to have all the technical stuff too, but companies like Elevate Security are making tremendous progress in helping everybody understand their role in cybersecurity. So, I would push for that as the number one technology we all need.

ABERMAN: It sounds to me, when we cut through it all, there are two issues here: the first one is it’s a technological arms race. If you’re serious about it, you’re always going to make sure you’re at the edge, because smart people solve the problem. Second thing is, you’re only as safe as your people. Sounds to me like computer and technology literacy is essential if you want to have cyber security.

BIGMAN: That’s right. I mean, I’m big on the people aspect, but practically, hackers don’t hack people. They hack computers. And that’s not me saying it, that’s what the hackers say.

ABERMAN: So, at the end of the day, you’re optimistic about the future, or is it time for us to give up?

GOURLEY: On a scale from we’re doomed to life is wonderful, I’m much closer to the life is wonderful side, and I would just remind everybody that, before there were ships, there were no shipwrecks.

ABERMAN: With that, I want to thank my three experts. Bob Bigman, the president of 2BSecure, Bob Flores, partner of the Cognitio Group, and Bob Gourley, founder and CTO of Crucial Point, LLC. I hope you all take the opportunity to follow these three great guys online, and get involved with what they’re up to. You’re a real resource for the region, and gentlemen, I really appreciate you for taking the time to join us today.