It was at the Emirates Stadium in London that I met Niloofar Razi Howe, Chief Strategy Officer at RSA on a warm afternoon this week. I have Arsenal fans in my family so am used to a more throbbing, pulsating atmosphere there, not the tarp-covered field and empty stands. However, my very interesting chat with Howe made up for the lacklustre atmosphere at 'The Home of Football'.
Teiss.co.uk: With a background in entertainment, law and investment, how did cyber security happen?
Howe: I got into cyber security after 9/11. I think a lot of people woke up the next morning and thought, what's my role going to be, moving forward? How can I make it safer for my children?
I was a venture capitalist in California, investing primarily in media tech and consumer tech and as very happy with my life. I submitted by resume to the White House website [after 9/11], I didn't get a call (didn't have the right background) but my husband did!
Four things I learnt about cybersecurity at InfoSec17
By happenstance, I met the former director of NSA who wanted to start his own venture capital fund to invest in security. His thesis was that the Government is not going to solve all our problems. Most of our critical infrastructure is in private hands and we need to have an investment community that invests in projects that will ultimately make the world safer. One of the pillars of that was cybersecurity. And so Paladin Capital group was set up; by the former directors of the NSA, CIA and the deputy director of DARPA. They understood the issues from the Government's side and it was a perfect marriage.
I led the deals team there for 10 years and at that point felt that cyber security industry was changing very fast. Everything was becoming more dynamic. The threat landscape was shifting and as an investor, I was losing my finger-feel on what was happening and so wanted to go back to the operating field. After a stint at a cyber security company, I came to RSA because I felt they had the right products for the direction the industry was going in.
Teiss.co.uk: How has the cyber security landscape changed since then?
Howe: [It has changed] in so many ways. If you look at the vendor landscape, we now have over 1500 companies in the cyber security space covering 30 segments. No other industry looks like this. It is crowded, very competitive and ruthless. The environment is very complex, crowded and dynamic to boot. An industry analyst calls it the 'Game of Clones' because every time a company introduces a new product, venture groups go in and invest in 30-40 different companies that claim to do exactly the same thing.
Cyber Security is now very important and that has not been lost to the investment community- it is getting national headlines and a lot of money is being spent in it. But it is hard to distinguish between solutions unless you have a deep technical understanding.
Cybersecurity risk communications with Board biggest hurdle to solution
The threat landscape change from 2016 to today has been very interesting because of the nature of the threats. These were curious attacks, and we could see what would happen if the adversary was serious. The Mirai bonnet DDoS attack folks weren't being serious! But they could prove that your toaster could be used to take down Twitter. Now imagine if they were serious. In the case of Yahoo, a billion accounts were breached and this was important because people use the same username and password combinations.
The hacker threat is not about dark web anymore, they are hiding in plain sight. This is because prosecution is less than 1%, so they don't feel the need to hide anymore. They are also using social media to carry out attacks.
WannaCry showed us what the new normal is- that sophisticated nation state level tools are now in the hands of unsophisticated actors.
The threat landscape evolution is also interesting and we have to be mindful of that because if you try to protect everything, you protect nothing. Mission focus has to be on what matters most.
Teiss.co.uk: In my few short months writing about cyber security, it is obvious to me that there is a huge disconnect between how advanced vendor solutions are, and how behind the Government is with everything. Why do you think this is?
Howe: This is one of the most interesting questions that surrounds the 'internet as a communication medium' idea. If you think about how the internet came into being, it helps answer the question. The development was utopian in a sense. The idea was that any device could connect with any other device in the world, it was based on universal operability and universal communication. It was also subversive- there was no nation state governance over what was exchanged. It was communal governance that was state-less, border-less.
Sea, air and land have borders, but the internet crosses all international boundaries. This is what was great about it- the fact that you had this utopian vision and it drove growth. If it was governed by countries from the start, you wouldn't have had this massive economic expansion that we witnessed. But back then our use of the internet was very limited. Today, all our lives are increasingly connected and tied to the internet. We spend more timeon mobiles than on laptops and desktops.
ISACA’s Jo Stewart Rattray talks gender imbalance, unconscious bias & cybersecurity
Our personal assistant is now online. So the issue we face today is that cyber space didn't have any national security implications to start with, which it does now. And so with cyber crime, the US & UK view of cyber crime is very different to different states and regions. If you look at the time it took from when the first nuclear bomb was dropped to the signing of the Nuclear Non-Proliferation Treaty, it took decades. And that was one issue!
[The creation of a ] Governance model needs all countries to agree on norms of behaviour. The problem is the lack of a governance model, there are currently no accepted norms of behaviour. So we have to be very purposeful in how we connect to the internet.
The analogy I used recently is: 'It is the wild wild west, the sheriff is dead. The Hatfields' and the McCoys' have teamed up and just raided the armoury and you are on your own. Good luck!
It is very easy for malicious actors to get their hands on nation state armoury and so if you are connecting to the internet, you are a frontiersman or woman. There is also no Sheriff in town. You have to figure out who you trust in this environment.
Teiss.co.uk: There are lots of accusations that nation states are now sponsoring malicious activity? That North Korea is behind WannaCry? How much of that do you think is correct?
Howe: It is absolutely correct that there is asymmetry in the cyber space. We saw with the DNC and Russia case where a nation state with unfavourable demographic trends was able to make the people of the United States lose faith in the democratic process. That could not have happened in the kinetic world. You have North Korea supposedly attacking a movie studio. This is a part of what makes it the wild west. We never faced this before. Attribution is difficult because there is no way to tie the activity to the actor. Was there code that could be tied back to North Korea? Yes, absolutely, but could someone else have co-opted that code? Sure!
So right now with WannaCry, we don't know what happened, it was either a very unsophisticated actor or an accident where they didn't mean for this version to go out in public.
Teiss.co.uk: Could this be tied to the fact that the in the wild west of the internet nobody knows where the bullets are coming from?
Howe: It goes back to the fact that there are no norms of behaviour and no set standards on how to enforce them across geographies. Technology moves incredibly fast, social norms lack technology. If we have agreed upon social norms, the technology and rules that follow can fall in line very fast. Eric Schmidt talks about this, there is just one globally accepted norm: Child pornography is bad. So every time there is an instance of paedophilic content on the internet, going after it is never a question. Apart from that, there are no rules!
After my chat with Howe, it became clear that even for those in the middle of the business of keeping everyone safe and in this age of fast cars, faster internet and almost-space tourism, access to the internet has to be predicated by three Hail Marys!
UK industry has a massive cyber skills shortage: and it's their fault