Cyber Security In ‘State Of Flux’: Q&A With FBI’s Nick Savage

Add bookmark

Dan Gunderman
11/27/2017

Cyber security as a whole is a rapidly evolving and complex system that requires a heavy hand. Practitioners must be observant and proactive in a world of content saturation and attacks from all fronts – DDoS, malware, mobile application coding, etc.

The enterprise security professional must remain informed of the latest goings-on, lead continual training sessions for his or her staff and monitor the networks and devices within their purview. Sure, it’s a tall order. But what makes the task exceedingly more difficult is the chaotic nature of the industry.

That’s why it is crucial, every so often, to get a feel for the lay of the land. Where law enforcement and policy intersect with enterprise security is a dynamic crossroads poised to test even the bravest IT professional.

To straighten things out, we spoke with Supervisory Special Agent to the FBI, Nickolas Savage, about cyber security’s immediate trajectory, along with possible pain points and just what it means to businesses. Below is a Q&A Savage conducted with CSHub.com Associate Editor, Dan Gunderman, earlier this month:

Cyber Security Hub: In such a dynamic, fast-moving landscape, what appears to be cyber security’s most pressing issue at the moment? Is it in data protection? Threat defense?

Savage: I think there is an awareness these days and that’s a good thing. I think for so long we tried to get people’s attention, to bring them into an awareness when it comes to these sorts of things. With respect now to breaches, and large-scale losses, it’s almost, well, the pendulum has swung in the opposite direction. There is so much press, that much gets lost now. You might just say, ‘Oh, it’s just another breach, just another 100 million records exposed.’ It’s almost like people are numb to it now. It’s so commonplace, it’s weird… From a company perspective, the biggest points driving things are regulatory issues, compliance issues, liability and potential for being sued… Companies want to be more compliant, but that’s not necessarily ‘security.’ There is a huge gulf between the two. The big thing now is, yes, the need to be compliant and protect yourself legally, but that doesn’t guarantee (security).

CSHub: As it relates to law enforcement, just how crucial is cyber security and how does it impact your day-to-day responsibilities?

Savage: It’s really about trying to get people to think differently, more preventatively. What resonates with me is, it’s not that companies are doing something that’s so much better than everyone else…with tech, tools, (etc.). It’s the fundamentals. Or, it’s like watching someone play golf, for instance. Doing the fundamentals correctly (can make you) so much better than everyone else. I see cyber security in a similar vein. But in doing those handful of things, (you can be) light years ahead of everyone else. It’s about defense and depth, and making it harder to access than somewhere else. If there’s an intruder ‘banging’ on your network, and they find it to be more difficult than cracking the neighbor’s, (they’ll) go somewhere else… (You must) think differently and embrace those core fundamentals. What we’re doing a lot is trying to get people to learn to speak a business language. The notion of going in and dazzling folks with ‘1s’ and ‘0s’ is a bad thing; in learning to speak a business language, you can tie it to the IT world. Bridging that gap between executive management and the board (is crucial).

Knowing your networks is easier said than done – especially in this global economy with mergers and acquisitions… In dealing with all other issues, it’s about knowing how you can eventually tie that in and make it more uniform, make it look a certain way. Often when companies are breached, we’ll talk with them, isolate certain things, and it’s interesting to see the dynamic in the room – the confusion, or anger. This is much more difficult than ever before… In preventing victimization, you have to address it (very) quickly. (In reality, we might) listen to many people (in the room) argue about their setup, what it looks like, policies, procedures. Everything might look great on paper, but (it could get very complicated).

CSHub: Have there been any seismic shifts in the field in recent months? Is considerable time dedicated to mitigating threats?

Savage: The biggest shift that we’ve seen is probably the emergence of the boardroom into these decisions. And that’s both good and bad. Certainly there’s a lack of understanding and knowledge when it comes to what questions they should be asking. We’re seeing a lot of that. We’re seeing more general counsel getting involved, too – more of the legal side of things. The complication comes from bridging all these different gaps, on the security side of things. Nobody speaks the same language; a lawyer speaks one, the IT security folks speak one, senior executives speak a different one as well. But at least we are finally having these conversations – and getting the right people in the room. We haven’t gotten good at getting to the heart of the issue. The emergence of risk is a big thing, I love that. Risk drives everything now…

CSHub: How would you classify the growing sophistication of cyber criminals? How persistent have you found them to be?

Savage: I think it’s just become more prevalent. Sophistication is always there. We always need to (be vigilant) – nation-state actors are certainly persistent. With the right tools in place and time (exerted), if they want in the network, they’re going to get in. I think the level of sophistication is commensurate with technology itself. You’re always going to have folks trying to avoid built-in tripwires. But it’s easier than ever, and it doesn’t take a certain level of sophistication. A lot of these tools are readily available. How-to videos aren’t difficult to find, either. There are more actors in the field – whether you have folks who are hacktivists, who are sophisticated, motivated financially or just nation-state actors looking to do other tings. It’s always (a game of) cat and mouse. It’s always been here. I don’t think that will ever change. I don’t think it’s been ‘scarier’ than it’s ever been… It’s certainly good to be in the field because it’s not going away.

CSHub: How have political issues – EU and GDPR and others – impacted the state of cyber security here in the U.S.?

Savage: It’s a state of flux. I love what we’re trying to do, and I understand that… Laws and legislation are not keeping up with technology, and that’s a huge struggle. So, how do you ensure certain protections in general? You can’t balance security and privacy because they’re both fundamental rights; they sit on the same side of the equation. But it’s more about tolerance; we need to do a better job of explaining why we’re doing things (so the public understands). If so, they’d tolerate certain things… On the government side, the way it used to work is it wouldn’t say anything, or say, ‘That information is classified’ or ‘a matter of national security.’ People would then assume, ‘Oh, that’s what government does.’ But because our lives are exposed digitally, so much of it is (visible)… Really, it’s private industry doing it (holding data). It has far more information than the government does. So, who’s entitled to see it and what can be done with it? It’s beyond the government.

Tags: FBI Special Agent Cyber Security Network Security Information Security IT Law Enforcement Q&A