‘Not Going To Automate Our Way Out’: FBI’s David Wallace

Dan Gunderman
02/28/2018

Security has left cyber practitioners and officials with a sense of foreboding – as the next mega-breach creeps into view, or a malware strain cripples a large enterprise and demands Bitcoin payment.

For chief information security officers (CISOs) and members of law enforcement cracking down on large-scale cyber-crime, cyberspace is the new frontier – with data as the new gold standard. The way the space ebbs and flows and draws prime media real estate is of particular concern to the C-Suite, whose ultimate mission is to protect the organization’s bottom line and, simultaneously, its reputation.

That said, the challenges cyber security practitioners face today are twofold: both technological and cultural. In mitigating threats, practitioners need to weed out misinformation, cut down on security notifications and utilize actionable intelligence.

To help us better understand those tasks, we spoke with David Wallace, Supervisory Special Agent at the Federal Bureau of Investigation (FBI).


Wallace has spent the past eight years working on cyber-crime and national security as it relates to cyberspace. His focus: large-scale criminal enterprise takedowns – including botnets. Wallace helps cleanse certain domestic systems of malware to protect consumers. Over the past few years, he’s leaned heavily toward the national security side. The supervisory special agent is tasked with identifying and thwarting cyber adversaries before they inflict damage on computer systems. Additionally, Wallace is tasked with limiting adversarial accessibility to critical infrastructure.

He caught up with the Cyber Security Hub to discuss the space’s most urgent topics.

Cyber Security Hub: What would your assessment be of the current threat landscape?
David Wallace: It’s expanding each year and will continue to do so for the foreseeable future, which is a result of several factors. First, the number of experienced hackers around the world seems to continually increase. Second, over the past couple of years we’ve seen dramatic increases from nation states using cyber intrusions as a major means of conducting operations – as we all read in the news daily.

 
CSHub: Have there been any seismic shifts with regard to cyber focus or specific attack vectors?
Wallace: Certainly in the last three to four years, we’ve seen a significant shift (in focus). Previously, (it was about) trying to convince the C-Suite of the importance of cyber security. Due to significant compromises, the C-Suite has heard loud and clear the impact of cyber security, and how it’s critical for them to employ appropriate people with the knowledge, skills and experience to mitigate these threats.

Saying whether (acceptance amongst the C-Suite) is organic or a (drastic, implemented) shift depends upon whether (executives) first and foremost identify that, “This is critical; we need to hire an experienced cyber executive who has C-Suite standing to implement these changes.” The organizations who have implemented this are having the best success, rather than the ones filling the void “after the fact” or expecting their General Counsel or a Chief Security Officer to address their cyber security needs.

Regarding specific attack vectors, the Internet of Things (IoT) and the ubiquitous nature of cyber components within our society is causing a significant shift. Just several years ago we were focused on compromises of servers and single machines but today, hackers can use vulnerabilities in many of these devices as an attack vector for intelligence collection. (This could be) cell phones, cars, refrigerators, even security systems which are designed to protect us.


CSHub: What are your thoughts on the ongoing talent crisis in the space?
Wallace: It is significant, but part of the crisis is not just simply in hiring the right cyber security people, but also accepting the understanding of continued learning of cyberspace by all elements of the organization. Everyone in the organization doesn’t require a Master’s in cyber security for the corporation to be safe, but continual awareness of how employees are using cyber tools and online-accessible media (is important). They should be mindful of the risks their actions have on the greater organization. Continually raising awareness helps everyone protect sensitive information. Just like protecting against terrorism – “If you see something, say something” – but our users need to know what is unusual so they can report it appropriately. Again, this support of cyber security programs by the C-Suite helps mitigate the current talent crisis.


CSHub: Is progress in the cyber space a technology question or a culture question?
Wallace: Yes and yes. We are not going to automate our way out of this… We can’t just buy a product and say, “I just bought this antivirus system. We’re monitoring the system. Therefore we’re good for the next 10 years.” That’s simply not realistic anymore. The reality is: Adversaries are evolving with the technology and therefore, there is no one “cure-all.” (We still) need a systemic approach across the board – by technological means as well as a culture shift. Some corporations are starting to really understand and as a result, are requiring much more effective cyber security awareness as part of employee annual training. They’re protecting their resources, their crown jewels; their intellectual property as well as their people, too. (We must) understand the impact of both nation-state as well as criminal cyber actors and how they can adversely impact organizational operations down the road. Implementing both technical and cultural systems is critical for success.


CSHub: Lastly, what advice would you give an active security practitioner?
Wallace: I would say the key is continual learning – and community interaction. To be part of information sharing groups – both formal and informal – is crucial… Many cyber victims/potential victims are working to protect themselves from the same adversaries. (We’ll need to) get smarter on sharing information in a timely fashion, both within our own organizations but also within each of our respective industries.
