Expert on cyber espionage, types of cybercrime and preventionDate: May 11, 2010
In this video, Robert Rodriguez, chairman and founder of the Security Innovation Network (SINET), discusses the state of cybercrime and cyberespionage, and what enterprises need to do to secure themselves.
He also gives his take on the appointment of Howard Schmidt as cybersecurity coordinator.
Read the full transcript from this video below:
Cyberespionage and cybercrime response
Michael Mimoso: Hi, I'm Michael Mimoso. Today, I'm with Robert Rodriguez, and we're going to talk about cybercrime. Thanks for joining me today, Robert.
Robert Rodriguez: Good morning, Mike. Thank you.
Michael Mimoso: So, my first question, tell me a little bit about the Security Innovation Network and some of the work that you're doing there.
Robert Rodriguez: Absolutely. Security Innovation Network is focused on giving the entrepreneurs a voice in cyber security, bridging the gaps between the Silicon Valley and the Beltway which are really metaphors for innovation centers across America for Silicon Valley. The Beltway being the industrial military complex that President Eisenhower warned us about when he was President of the United States.
Michael Mimoso: So, with your background in the Secret Service and working for the government, you're pretty connected to cybercrimes and some of the cyber espionage issues that are going on out there. Can you clear up some of the misconceptions and confusion around advanced persistent threats?
Robert Rodriguez: I do believe moving forward with cyber warfare that attribution and all the things that come with electronic warfare will be more paramount and be used a lot more than it ever has been considered. So, nations setting up each other and understanding the vulnerabilities and risks and threats to the critical infrastructures of each nation or command and control systems, gathering that intelligence is critical to winning whatever that war may be. However, I still think that cyber has a huge challenge in terms of optics. It's kind of like if you see a robbery or homicide, you see a dead body, you see broken glass. You go to bed at night the computer looks the same when you wake up in the morning. So, unless you're a real pain to that consumer or business, it's reactive.
Michael Mimoso: What are some of the stages of APT attacks? Can you talk a little bit about the reconnaissance involved?
Robert Rodriguez: So, I think social engineering is part of this. The fact that we lose $40 to $50 billion a year to China alone just for intellectual property laws and industrial espionage. It's a combination of both electronic espionage and social engineering. The mere fact that our nation is outsourced over the last 30 years or so for economic purposes has actually created a huge problem with supply chain management and ensuring cradle-to-grave technology software, firmware, hardware that when we put it into the Department of Defense or the FBI, that it is trusted. And we have some action on some ongoing investigations by the FBI of their own purchases of counterfeit hardware and also DoD, U.S. Air Force specifically.
Michael Mimoso: How bad is the cyber espionage problem compared to cyber terrorism or cyber warfare? Too often, I think these terms are transposed.
Robert Rodriguez: Well, I think cyber espionage is more of a preparation. It's more on the front end of gathering intelligence to actually conduct that cyber warfare and be successful at it. Quite frankly, I think the adversaries are out innovating us and that we're struggling to stay one step ahead. Part of the problem is that we have in terms of the government in this system integration model; it's a billable service model. The antiquated procurement acquisition language that has been designed over the years for purchase of tanks, hammers, toilets, what have you, does not bode well with the purchases of defensive product to protect our command and control systems.
For example, if it takes two years or three years or whatever it is, 18 months at the short end to identify a solution and fully integrate, by then the threat and risk is completely evolved. I do believe that we need to take some risks with some of the existing legacy systems, a balance of those trusted platforms to advance innovation and to protect those systems.
Michael Mimoso: So it comes down to awareness in the government?
Robert Rodriguez: Absolutely. It's awareness. It's evangelism. It's creating collaborative models that advance innovation. It's asymmetrical cells just like the adversaries have between trusted C cells in Silicon Valley or Chicago or New York where they actually are sharing information on attacks and what they're doing to prevent them, what kind of technologies they're using.
Michael Mimoso: Are you seeing any light at the end of the tunnel in terms of international cooperation in chasing down cybercrime?
Robert Rodriguez: Yes, I do. I believe that some of the things, for example, the CISO at eBay, Dave Cullinane, has invested over a million dollars in training prosecutors and law enforcement personnel in Romania. And as a result, he has had a return on his investment. It's small. It's leadership. It's a international policy challenge. When you think about comparing the laws of sea in 1609, which were created by the Dutch, who owned the sea then? Safe harbors, 50 mile zones. The Internet is not much different. In fact, it's probably more challenging and we're in the beginning. Forty years old, I think the Internet is.
Michael Mimoso: You've done a lot of work in terms of fostering cooperation between the public and private sector around information sharing. What specifically do you do to overcome some of that hesitancy about sharing sensitive information between companies?
Robert Rodriguez: It all comes down to one word: trust. Enabling trust-based mutually beneficial relationships that are win-win. And it has to be top down and bottom up. But you also have to identify those change agents that are willing to go after new models. If they're not willing to take some risk and open their world to a few other people, I'm not saying a lot, I think they're going to lose.
Michael Mimoso: Is information sharing better on a peer to peer level as opposed to sharing information with a third party and having them disseminate it?
Robert Rodriguez: I think peer to peer can be a couple of things. Peer to peer obviously within an organization that happens, then it's easy. Peer to peer CISO from, let's say, a bank to an e-commerce to an energy company, it's a little bit more challenging. But the mere fact that they go to RSA or they go to CSO Magazine Conference, they develop these relationships. They develop trust is how really it is. It's a grass roots approach, I believe.
Michael Mimoso: What's your take on the appointment of Howard Schmidt as Cyber-Security Coordinator?
Robert Rodriguez: I thought that it was an excellent appointment. Howard is very knowledgeable. He's very well spoken, has great experience. He has great relationships, and I believe that in that position, I'm not sure how empowered he is, but I do know that Howard has the personality and the ability to empower others and use the human resources that he has across the nation and actually globally.
I was disappointed that it took, I don't know, was it eight months or so, to name that position. May 29th, the President made the announcement in the East Room. I was in D.C. in my hotel room, and I was very excited about that day. But every month that went by it marginalized that position, I believe, in terms of importance. But you know that's Washington, D.C., a very political environment. You had healthcare. It's just taken over everything and energy, and then cyber kind of got pushed down a little bit.
Michael Mimoso: Great. Thanks again for joining me today.
Robert Rodriguez: Thank you, Mike. Pleasure being on the show.
Michael Mimoso: And thank you for watching. For more information, go to SearchSecurity.com.