When Politics And Cyber Security Collide
Uncovering the value of cyber intelligence both in business and in politics
“You have to remain current,” says Former Naval Officer, Silicon Valley Executive and Entrepreneur, and current Vice President of Cyber Security of the Institute of World Politics, Dean Lane. “If you’re a cyber security executive, and you’re working on the things you know to protect your company — and you’re not pursuing additional information or education — you’re essentially standing still.”
That was the consensus as Lane joined Monday night’s episode #68 of Task Force 7 Radio, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, to talk about the intersection of politics and cyber security.
Lane kicked off the show by explaining what the Institute of World Politics (IWP) is, what its mission is, and what kind of cyber security certificates are now offered for people either currently working in cyber security or looking to enter the profession.
The IWP is now 28 years old and started out because of a need for people to go into either Government service or business and understand different facets of statecraft, of diplomacy, and how to be a good citizen. “We’re neither left nor right, we believe in the Constitution, and we want to present world affairs in a realistic manner,” explained Lane.
IWP offers five master’s degrees, one doctoral degree and 19 certification programs, including a professional certification in cyber intelligence. Within cyber intelligence, there are eight courses being offered covering the span of AI, insider threat, cyber international relations, cyber terrorism, and developing a cyber strategy. It’s not a large school, with about 150 students at any given time.
Lane explained that the mission of IWP (and more specifically around the work he does) is to enlighten people who are going into Government service. About 2 to 3 years ago, IWP started the cyber intelligence initiative. According to Lane, a lot of people say they do or offer cyber intelligence, but that’s not so. He said that they’re stuck in the cyber security area. Cyber intelligence takes it to another level. He used counter-espionage as an example: “What is the role of the counter intelligence person? If you can understand their motivation, what they’re looking for, what their capabilities are, then you have a real chance of … blocking their efforts.”
Lane said, “Cyber security is a large part of it [intelligence], but we go to another realm and bring in other tools people can use.”
“It’s imperative for people … to continue to learn and gather information,” said Lane, who also noted that “you can find 90% of classified material out on the internet.”
From Practitioner To Professional
The second segment brought us through Lane’s storied career as both a practitioner and a consultant, a naval officer and an entrepreneur, and now as a cyber security executive who is helping to train future cyber security professionals in an industry that is experiencing a huge talent crisis.
Lane started out at UCLA for his undergrad and upon graduating went down to Coronado Island with the special warfare crew. Near the time he was getting out of the Navy, he was on a fishing trip with a [now] Honeywell executive (Allied Signal at the time). There was a lot of bantering back and forth, but Lane had developed good rapport with the executive.
As they were driving back to the airport, the executive said, “If you ever need a job come see me.” And Lane responded, “You don’t have enough work to keep me busy.”
Lane eventually moved back and forth between manufacturing and information technology, but he describes this as a “period of learning for me.”
At that time the problem statement was different. There really wasn’t Internet yet — there were text graphics and you’d have to know the exact URL needed to get to anything.
Lane added, “Security at that time was internal,” meaning security was just on software that they were developing in-house. There was nothing ‘out of the box’ yet except ADP.
Next, Lane found himself at the Control Data Institute, Ernst & Young and Morton Thiokol – where they built solid rocket motor boosters. From there, he ended up in Silicon Valley marching Plantronics through the Y2K project.
“It was not necessarily security, but felt like it because everything had to be checked so there were no holes in anything,” said Lane. He stayed there about five years, then ended up at Gartner – a research firm totally dedicated to technology.
Lane discovered that “The more I learn, the less I know. There’s just so much to learn.” He ran their Silicon Valley technology consulting service, later leaving to go to Symantec.
Lane offered this advice, “So, if you really want an education in security – go work for McAfee, and go work for Symantec … go work for any of these firms. These engineers think in terms of seconds. They can’t afford to get a virus; they can’t afford to be hacked because if they do — they’re done.” That philosophy permeates throughout the whole organization.
Lane discovered that if he went out on his own, he’d be able to be in more places (companies) at once, and since he was in Silicon Valley, there was a whole host of companies that he could choose from. “I got a real education there because I was seeing many different problems and able to solve many different problems,” said Lane.
For example, Lane was consulting at a small chip manufacturer for Samsung telephones. He was brought in to ramp up security and started by taking inventory of devices on the network and software inventory, working with them to eliminate software that shouldn’t be on the network. One day, a steganography program showed up, which allows you to take a picture and load data into it. The data is not visible to anyone, and the picture looks the same, but if you send that graphic to someone who has the same program, they can extract all the data that you have loaded into it.
Lane explained, “It’s really a contentious tool (you don’t really need it unless you’re trying to hide something). It turned out to be the #2 engineer in the company. Those are things you have to look for especially when you start thinking about internals.”
He further wanted to clarify that insider threats are not necessarily people who are there to spy. “But it can be employees who are not familiar with security, who may email something, that unconsciously sends something, that shouldn’t be sent — and once they do, it’s out there.”
Rettas pivoted by asking about Lane’s background: “Was it better in consultancy to be a practitioner in your former life? How helpful was that?”
Lane believes that if you haven’t been a practitioner, it’s hard to be an independent consultant. “You may go to work for an E&Y, or a Deloitte or anybody like that, but you have no credibility with practitioners. They want people that have been in the seat and felt the pain.”
Being in the seat, Lane says that you know the pressures that come with that job. “It’s not, ‘hey we’ve been hacked go fix it.’ It’s the sense of urgency that gets drilled into you in the middle of a problem that you’re trying to solve.” It gives you credibility to help solve problems.
“It’s like reading a book about swimming in the ocean. They may know something about swimming in the ocean, but that’s totally different than going down to the beach and diving in the ocean … I can’t say enough about having practitioner experience,” reinforced Lane.
Rettas asked for tips for the “folks out there, trying to make a living and build a successful business.”
Lane offered two recommendations:
- Start by building a small community. “I wasn’t trying to become a SANS or anybody like that, but I got local people to come together and meet once a month and we had a roundtable.” Brainstorming recommendations for real situations is a great way to gather information about what’s happening out there. It puts you on the leading edge of what the issues are and what works; you then become a valuable consultant and build a reputation.
- If somebody doesn’t trust you, they’re not going to hire you. “Be trustworthy and credible to the client.”
Lane noted that his military background was helpful in his career but not necessarily for the reasons you’d think. “I was a special forces guy and there was a lot of attention to detail and a lot of discipline. I don’t mean where they’re always yelling at you, but always working out every day, being careful about what you eat — learning a discipline.”
Lane believes that today’s military is a perfect entry point to cyber security. Cyber security is the #1 field today in any organization. “There are more jobs than anything else. You can go into the military and they will train you from the ground up. When you come out, you’re already credible. You’ve been in the job, you have experience. You have things you can talk about that you’ve done.”
Rettas wanted to circle back to time and speed. “Do you talk about timing (emphasize the importance of timing) when you’re teaching these classes?”
Lane used a penetration test as an example. A company may hire an organization to come in and do a penetration test: they come in and do it and see two vulnerabilities. Employees go to work and fix those and the penetration test people go away. The CEO is happy, but in terms of timing — a company can be hacked the day after a test is complete. “Timing is very important from the standpoint of you must be monitoring continuously.”
Last year, the average time an unwanted presence resided on a network was 101 days (in the US). If you think that’s bad and you want to move to the EU, don’t do it – they’re worse than we are.
Lane said you have to ask yourself: “What can that program do, that’s on your network, in 101 days, before you discover it?”
After being in Silicon Valley for 20 years, Lane moved to Virginia and retired. A friend came and said he needed help. “Next thing I know, I’m working on this because I really believe it’s needed, and I believe in the [IWP] mission. It’s an important thing to keep the country secure — that means every company.”
Lane offered this analogy: “If you’re Coca-Cola and you have this valuable recipe for making Coca-Cola, and I am the Ford Motor Co., do you see me as a threat? Probably not, but if I’m Schweppes, or PepsiCo, I’m seen more as a threat. You can marshal your resources to point them correctly. That doesn’t mean you can ignore people at Ford, but you can definitely prevent things by knowing who your adversaries or enemies are, what their motivation is, what information they’re trying to steal, and how to prevent it. It’s not ‘is this firewall better than that firewall?’ Or, ‘how do I set up a perimeter?’”
The Value Of Intelligence
To wrap up, in the third segment Lane explained what his view of intelligence is and how he views the value of intelligence both in business and in politics.
Rettas asked for the “cyber intelligence definition at IWP.”
Lane said that people try to use cyber intelligence and cyber security interchangeably. Part of the confusion is that cyber intelligence includes cyber security, but there are some other elements he offered:
- The first facet of cyber intelligence is what we call a product. You have to create an assessment of your adversaries’ capabilities, their intentions and their activities, one that results from collecting and processing these things. The evaluation and the analysis are critical, and you want to try to assess what their capabilities are in terms of equipment and what capabilities they have to secure a digital property. That’s the first step in defining cyber intelligence.
- The second one is what we call process. That’s the collecting and processing of the intentions, capabilities and opportunities of a foreign country or foreign agent, which a government needs for its foreign policy or its national security, through the medium of the internet and computers: IT, virtual reality, almost like thinking of it as a game or gaming. When you get online and you’re playing a game against somebody, what are their capabilities, how do they process the data, where can they gather it (from their own country), and do they have people located in my camp, so to speak? How do they process the data that they’re looking at? Lane noted the 2016 election and the Hillary emails, “I think there was probably somebody on the inside with a hard disk drive, because the sheer amount of data to stream that out – we’re not talking days, we’re talking weeks and for that to go undetected, seemed a little unreal to me (but that’s a whole other deal).”
- The third element is the threat. That is the knowledge you have that is based on evidence that you find, including what the context of that information is, what mechanisms were used, what the indicators are, and what the implications are of what you’re seeing about an existing or an emerging menace.
However, Lane said that this shouldn’t be surprising to anyone. When you find a virus on your network, you basically go through this process: What’s the hazard to our assets and how do we respond to it? How do we then eradicate it?
“You can’t look at any of these things alone and say that you’re executing cyber intelligence – you have to take all three things into account,” asserted Lane.
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.