Cyber Expert On Beating Cybercrime.
Max Kelly was the chief security officer at Facebook and previously worked at the National Security Agency and U.S. Cyber Command before launching his security firm in 2015. Mr Kelly shared with Risk & Compliance Journal some insights on the impact of data privacy regulation, on what he sees as the futility of firewalls, and how a breach means different things for the reputations of a chief executive and of a chief security officer.
A new regulation requiring companies to report any breaches involving personal data within 72 hours will come into effect next May in Europe, something you believe will run counter its goal of protecting the consumer. Why is that?
Mr Kelly: The goal of regulation is to protect the consumer, to keep the consumer informed and to coerce companies into a proper course of behavior–all laudable goals. But the company already has a natural inclination to want to protect itself and by extension the consumer. Companies don’t want information to get out, they don’t want the hacker to succeed, they don’t want to have to pay money to a criminal. The requirement to report a breach quickly lest they have this extremely onerous penalty will force companies to focus on getting the report out the door. It will distract them from minimizing what will cause them and the consumers more harm. Any information that has to be reported that quickly is likely to be wrong, and if you’re going to be wrong you will err on the side of caution and make the scope as wide as possible. Regulation should focus on the fact that the company has been a victim of a crime, so the incentive should be for the company to work with law enforcement and contain the damage. The disclosure itself doesn’t help consumers.
Is there a way to beat cybercrime?
Mr Kelly: Cybercrime now is just crime, and we don’t necessarily have to concentrate on the medium—it’s the people. By and large, the cybersecurity industry doesn’t acknowledge there’s a person behind [the crime], it focuses on trying to manipulate things on the wire and deal with it purely as a technical problem–firewalls are philosophically a perfect example of this. But these are people doing this…there are reasons why they’re doing it, and you can manipulate those motivations, once you identify who they are. Companies need to start thinking about their infrastructure—of those walls they buy but that for some reason seem to be permeable—not as walls but as cameras. You need to rely on them to tell you if something goes wrong, not to prevent something from happening.
Cyber breaches often carry reputation damage for a company. Does reputation matter when it seems that all companies will get hacked at some point?
Mr Kelly: Absolutely, reputation is a huge risk and it’s a thing you cannot insure for. CEOs are missing the point that, when something bad happens, the career of the Chief Security Officer (CSO) generally gets better. A CSO who has been through a big breach becomes more desirable…they have come through their initiation and that makes them more marketable. Of course, the CSOs will lose a lot of sleep, will get fired, but they will be picked up because they are ready for the next level. The CEO, on the other hand, all that they have been able to demonstrate is that they didn’t understand the security risk. My team is working on some analytics of four major breaches, and the preliminary results show that the meantime that the CEO is fired following the breach is a matter of weeks, not months. CEOs wouldn’t do this in any other section of their business, they wouldn’t leave sales entirely to the chief marketing officer, but they do it in security and it’s a reputation risk for the company, and a huge risk for the CEO.
What can companies do to compel employees to improve their own online safety and thus protect the company’s networks?
Mr Kelly: If you are a big corporation, you have to think there will always be someone using a computer who will be tricked into doing something they shouldn’t do. As a company, you have to mitigate the risk of the damage the employees can cause. One of our customers found out—like everyone else–that the easiest way into their network was through phishing, and as they had some weak internal controls, that meant it was easy to spear-phish [a targeted attack] against the company. They spent some time training the whole workforce…and after a few fake phishing trials had an 80% success rate, which I think is spectacular—unfortunately the 20% was the C-suite that failed. The company then built a plug-in for their email software, a button for staff to report suspicious emails. The button is a constant reminder of the risk, and when a suspicious email is reported, it is taken away from the employee. Also, the program can identify other messages in the system carrying the same type of attachment or link and automatically pull them all from the system, so all it takes is one person to push the button. The infection rate into the network fell dramatically. There’s no easy way to replicate that, but on a company level, that is very effective.
Credit: Mara Lemos Stein for The Wall Street Journal, 1 December 2017.