Cybersecurity should be one of the biggest priorities for businesses these days.
At least Zulfikar Ramzan, the chief technology officer of RSA, a Dell Technologies business – who holds more than 50 patents – thinks so.
He spoke to The Quint on what keeps him awake at night, cybersecurity silver bullets, whether the government could mandate cybersecurity, and how business organisations could prevent security breaches.
With Regular Breaches, Ransomware, Etc, What Keeps a Security Expert Awake at Night?
Threats have become easier to develop because attackers can leverage previous work they have done. Second, the threats are much more sophisticated and more difficult to detect due to the same.
A point which isn’t spoken about much is that the potential damage from threats has increased significantly.
Take the case of the Democratic National Convention in the US. The DNC e-mails were hacked and published on Wikileaks, which led to a debate on whether the breach altered the outcome of the US presidential election.
While we can debate that endlessly, it did alter what people were talking about. Five years ago, people would not talk about the idea that a threat actor could make you lose confidence in democracy.
It was a fairly simple attack – spear phishing – but the ripple effect ensured that the implications became much more profound.
Take autonomous vehicles. Several years ago, two researchers managed to hack into a sports utility vehicle and stopped it at a remote location.
What happens when there are millions of vehicles on the road and someone can make them stop at once? Or what if they take over all vehicles simultaneously and make them drive to the same location at once?
What used to be once considered isolated threats — when you combine the network effects and the implications – are today much more profound. To me, this is one of the biggest problems that keeps me awake at night — the ripple effects that can occur because of the interconnected world.
Are Data Analytics and AI Silver Bullets for Security Challenges?
This is the area where we’ve seen a lot of marketing hype.
Take it from somebody who has worked on making data analytics and artificial intelligence (AI) systems operational – they have a lot of potential and promise. While they can help security considerably, I don’t think they can help as much as some people claim they can. There are major challenges we have to overcome first.
AI was traditionally applied in areas where problems had static scenarios — there was no notion of an adversary in them. In security, we are dealing with fast-moving adversaries.
It’s like the difference between bowling and football — if I want to learn how to bowl, I have to learn how to throw the ball in the right direction. I spin it and make the pins go down. I can adjust over time and improve.
But if you look at football, the team that wins this year, if they apply the exact same strategy next year, they will lose because opponents adapt. It’s a completely different mind-set.
Can We Make AI Work in a Setting Where There Is Adversarial Behaviour?
I’ve not seen anything yet in any security company or any security start-up that’s truly looking at that aspect of the AI problem. Having said that, there’s a lot of low-hanging fruit in security you can tackle with AI.
AI is going to get better. But, I always believe there will be a last mile, because we are dealing with human ingenuity that’s very powerful. And in a cybersecurity context, if you look at the fundamental question of AI — that of consciousness and morality — we have not made that last leap.
Think about malicious activity.
Malicious activity is not about what actually happens, but why it happens. You can use an IRC client to chat or for malicious intent.
The interesting question is not that I’m using an IRC (Internet Relay Chat) client, but why am I using it, what’s my intent, and so far, computers have not been able to decipher intent.
We can look at actions and analyse them all day long, but it’s very hard to understand the intent behind actions.
Say you saw a computer program in your environment that was intercepting every keystroke, sending that keystroke over a non-standard protocol to a remote server. Is that malicious or not? You might say it is malicious, and sometimes it can be, but every instant messaging programme you have does the exact same thing!
Should the Govt Step in and Mandate Cybersecurity?
We need some broad oversight. Most people left to their own devices may not make the right security decisions for their environment. For instance, I have a credit card, I make a transaction, and somebody will have a copy of my credit card information.
Tomorrow, let’s say they get breached. When that happens, my credit card number becomes public. Who has to deal with that? Me!
It’s my data that they were holding, so even though they were the ones who got breached, I have to suffer the consequences personally. So, I think where we really need government oversight is in aligning economic incentives in the right direction.
If the government said you have to protect customer data, or we will impose a fine on you if you get breached, then the company has to care about my data — the economic incentives have been aligned.
It’s really difficult to come up with one broad regulatory statement that covers the nuances of every organisation out there.
Everyone’s a bit different, you can’t do it perfectly. So what inevitably happens is that you have to develop common denominators that work across multiple sectors.
When you do that, you start to distinguish between compliance and security.
I believe that it’s possible to be compliant without being secure, but I believe that if you get security right, you will get compliance as a by-product.
How Does One Deal With the Dangers of Social Media?
We see cybercriminals hide in plain sight on social media. We are aware of at least 3,00,000 plus social media accounts that belong to known cybercriminals, probably across 200 to 300 different groups, seven different regions — so obviously social media is a very active hotbed for cybercriminal activity.
One of the challenges every organisation has to face is that of employees misusing the medium or advertising information on social media. If you post something online, people have information about you — they know you are travelling or not home.
There are so many ways people can get in; social media gets one more element into the attack surface. Prevention-based strategies are going to fail. If you put all your eggs in the prevention basket, that’s a guaranteed recipe for disaster.
You have to divide your resources between prevention, detection, and response. Prevention is, can I stop some of the guys from getting in; detection is, can I find them when they do get in; response is, can I prevent them from doing something bad when they are already inside.
Ten years ago, companies would spend 90 percent of their funds on prevention. Now, it’s moving to an equitable split — we’re not there yet, more like 40:30:30, but getting there.
Security Teams Get Blamed When Organisations Fail to Patch and Bad Things Like WannaCry Happen. Is Security Alone to Blame?
You need to ask what led to this situation. Some will pin the blame and say organisations should have patched, but there are risks associated with patching.
If it’s a production system, and if something goes wrong with the patch, the system goes down. One of our customers is a medical devices company — they implant devices inside people. If they have to patch, they have to surgically remove the device and patch it.
These are the real risks. The challenge we face is that if we look at the security problem in isolation without considering the business context around it, it’s very difficult to have that conversation about what you should or should not do.
The security stakeholder may say, “You should patch,” but the business stakeholder may point to other risks he/she has to worry about.
What organisations need to do is take business context in conjunction with security context and speak to other stakeholders in a language that is consistent with how they think about the world. It’s not enough if you just insist on patching.
You can show the business stakeholders the financial implication, business impact, and the actual risk associated with not patching.
And you look at risk not just as likelihood, but as likelihood times impact, looking at both together.
Historically, security has never been thought of as a business problem. Not only that, we’ve often lacked the ability to pull in business context on top of the security context to turn the security conversation into a business conversation.
If you want to avoid repeating WannaCry all over again, organisations absolutely have to focus on taking the business-driven view of security.
If you don’t do that, we will have the same conversation now, in five years, and even 10 years from now.