Interview: Larry Clinton, ISA Head, on state of online security

LC: I was invited by the US Embassy and I think the core purpose of the visit is to promote awareness of sound cyber security policies and procedures and to encourage international cooperation with regard to cyber security. As cyber security is inherently an international problem we need collective action, and the US Embassy is very interested in strong relationships with the Indian government and the Indian industry. We have to work collectively to solve this problem.

LC: The Internet Security Alliance is an international trade association started in 2000 it consists primarily of major multinational organizations who generally do a very good job with respect to cyber security – in that they’re the industry leaders – but they’re also interested in expanding the perimeter of cyber security, getting more organizations to promote cyber security, etc. So the ISA has three major goals. First is thought leadership. Cyber security is such a new era, that we really haven’t figured out how to approach it, unlike a lot of other things, and thought leadership is very important. The second thing that we do is to do public policy advocacy. Because as I said, industry and government need to be working collectively to promote a sustainable system of cyber security. And the third is to promote the adoption of actual security practices and technology, so the mission of the ISA is to take advanced technology and blend it with economics to create a sustained system of cyber security. We see the problem very differently than most. Most people have historically thought of cyber security primarily as a technical issue. We see it more as an economic issue. Actually, we know a great deal, technically, about how to solve our cyber security problems. But the incentives to promote good cyber security are not in place. So what we want to do is blend those economic incentives together with the advanced technology and have supportive government policy so that we create a sustained digital future for ourselves.

LC: There are enormous numbers of threats out there. In fact you can go on the Internet and purchase them for very little money and make a lot of money with them. And the threats really run the gamut from fairly routine sorts of things that can be easily prevented all the way up to extremely sophisticated cybertechs. So the vast majority of cybertechs that are out there, maybe 80-95 per cent of those could be properly dealt with simply by adopting standards and practices that are already existing in the community. For those it’s really an implementation problem, not a development problem. And then there are the ultra-sophisticated attacks – things we call the advanced persistent threat or the APT. These are not hackers, these are ultra sophisticated individuals often affiliated with nation states who use increasingly sophisticated waves of cyber attack to constantly get in the system and one of the things that makes this APT sort of attacks so unique is that eventually they will compromise any perimeter defence. So the notion of keeping the attacker out really is an antiquated one, when we are dealing with ultra sophisticated cyber attacks. And those are some of the things that are most dangerous, particularly to our critical infrastructure, and the intellectual property of our major companies, and, frankly, our major governments. So there’s a whole range of things that we need to be aware of and different sorts of solutions that need to be put in place in order to deal with this growing problem.

LC: Absolutely. As I mentioned, somewhere between 80-95% of cyberattacks could be easily prevented and frankly, fairly economically prevented simply by adopting well-known standards and practices that are already out in the market. The problem isn’t that we don’t know how to deal with cyber security. The problem is that we haven’t been implementing the cyber security practices that we ought to be implementing.

Most of us, frankly, don’t like security. Most of us, for example, if we buy a smartphone, we want something that’s cheap and easy to use, or even pretty. Very few of us ask about the security features. And if there are security features on them, we tend to turn the security features off, because that slows things down. So what we have to do is rethink how we’re adopting security. This can’t be done for us, we need to be personally involved in our own security. We have to learn about these things, which is why educational programs like the one I’m been invited on here in India this week are so important and the work you’re doing to publicize this is so important. So people have to become aware of this, but we also have to motivate people much more to adopt the standards and practices that are out there. For these ultra sophisticated attacks, that’s an entirely different ball game. We have to do things very very differently to deal with those ultra sophisticated sort of attacks.

LC: Not very good, and let me explain. People in their mid-20s right now would fall into what the demographers would call “the digital native” category. They were born into the digital world that we exist in. I’m in the “digital immigrant” category. I was not born into this world. And most of the policy makers, unfortunately, are older guys like me. They done not have a very good understanding of cyber security, what cyber security is and how to engage their population in cyber security. So we need a vast educational effort of the policy makers.

There was a study that was published here in India about Indian cyber security last year which said that the policy here – as it is with the rest of the world – is very chaotic at this stage and we really haven’t come up with a coherent approach to this problem. So we’re going to have to rethink this problem. And we have to start by understanding that we’re essentially dealing with the invention of gunpowder here. Something that has fundamentally altered the nature of what we’re doing. Digitalization changes everything – it changes the way our lives operate, changes our notion of what privacy is, changes our notions of national defence, and changes our notions of the economy. Until the policy makers rethink the problem and can understand it in a much more broad-based and sophisticated manner, the public policies that we’re going to be enacting are probably going to be a little simplistic and ineffective. So that’s got to change.

LC: Well, India is certainly one of the countries that has been most progressive with respect to cyber policy, particularly on the industrial side. You have organizations like NASSCOM who have done a terrific job with education with respect to cyber security. There is probably less intellectual property theft in India than there is, for example, in the United States. India has done a pretty good job. That being said, the amount of cybercrime in India doubled between 2010 and 2011, that’s the last number we have statistics for. India is among the top in the Asian rim countries in terms of web-based attacks. So there’s a growing problem here in India, and the cyber policy is just beginning to evolve. And right now in India we’re seeing a kind of tension between the old way of thinking – which is to adopt traditional government-centric regulatory policy which isn’t going to work in cyberspace, because things change much too quickly. And, on the other hand, having a self-regulatory organization approach.

The Internet Security Alliance thinks that we need a combination of those two approaches. A government does have a role in cyber security but it’s not the traditional role. An industry does have a role, but the notion that there should be no government involvement in industry is probably ill-conceived. We think the industry’s role ought to be to continually innovate standards and practices in technology so they can do that much better than the government can. The government’s role should be to motivate the voluntary adoption of good standards and practices by deploying economic incentives to do so. Compared to the old regulatory model where people are forced to do minimum standards, we instead use market forces to get people to want to be increasingly more cyber secure. And if we can turn the economic model over, we can have a much more progressive policy. Right now, all the economic incentives favour the bad guys. Attacks are cheap, easy and profitable. Defence is a generation behind the attacker, it’s hard to show return on investments to things you’ve prevented, and effective prosecution of cybercrime is virtually non-existent. So so long as we’ve got this imbalance in place, we’re never going to solve the problems. We have to rebalance these things. And many of the new technologies and business processes like cloud computing, and bring your own devices to work are economically efficient, so companies almost have to adopt them, but they lower security. So, again, we have to rebalance these things economically.

So we think that that different approach is what India needs to take, and frankly, the rest of the world needs to take. We need to understand that this is a new world. The digital world has changed and so we have to think of this as a very different problem with very different sorts of solutions.

LC: Well, there clearly has been an effect, it has been documented with some recent statistics that in some parts of the world, China, for example, and Asia, there has been a statistically significant impact on American technology companies coming out of the disclosures that [Edward] Snowden generated. I think that that’s probably unwarranted. A lot of the technology companies being hurt by this are victims of these Snowden disclosures, but I think that’s going to be a fairly short term blip. As we move forward, what people are going to want to buy are technologies that are efficient, that are effective and are innovative and I think the more of those that come on board, the Snowden disclosures will eventually have less effect, with respect to technologies and technology companies. Now, with respect to government policy, with regard to protecting individual privacy, now that’s a separate matter. I think there may be more staying power to the disclosures on that end.

LC: I don’t think that’s a long-term solution. The fact of the matter is that we live in a global economy. We are inherently interconnected to each other, and I think the efficiencies of a worldwide Internet are going to overcome any of these issues that have come out of these disclosures. I think that this is another example of policy makers and digital immigrants taking a sort of old world solution, an isolationist solution to a 21st century product. I don’t think it’s going to work, I think they’re going to discover that it’s not going to work and hopefully when they do they will turn their thinking to a much more collaborative, open approach and realize that their nation as well as the community of nations are going to be better off if we work together to create a sustained system of cyber security rather than wall each other off in order to protect ourselves. That has never worked in the past and is certainly not going to work in the future and efforts in that direction in my opinion are counter-productive.

LC: Well, I think as you say this is a reality. We are living in this digital world, it is all-encompassing and particularly younger people are growing up with an understanding and appreciation of this that is going to carry through moving forward. You need to embrace the Internet of Things. And I think that this is a solvable problem. People look at the cyber security problems and say ‘Well, that’s really hard to solve’. And it is. But actually, creating the Internet was probably harder and we did that. You know, there are lots of things that are harder, that we have done.

As I said, we haven’t really thought about this [cyber security] enough. You know, there aren’t schools of Internet philosophy or thought leadership with respect to cyber security. All we have pretty much are these technical orientations, and the technologists are way ahead of the public policy people and the philosophers with respect to this new technology. But eventually we’re going to catch up and merge these two things together so I’m very optimistic about the future and what digitalization is going to create.

I think we’re going to see more openness. I think we’re going to see more communication. I think we’re going to see more economic development. I think we’re going to see more freedom throughout the world because you’re not going to be able to ward off the Internet and we’re going to have to manage this security problem. I think we can do that and I think with that will trigger a tremendous renaissance worldwide with respect to knowledge, development and economic security.

LC: I think that we can have security and protect individual privacy. A part of the problem is that we’ve had the wrong people managing security. We have, for example, military, people on the intelligence community, who have legitimate goals. But they shouldn’t be examining the economic and social aspects of the Internet. So I think that the government does have a role, it’s just not the traditional controlling role that the government has had in the last century or two. I think they have a role to motivate the adoption of good practices and they have economic levers at their disposal that can do that. I don’t think that they need to know everything about every individual. It is totally legitimate for governments to be prosecuting crime and using digital technology to do that. And as someone whose brother who worked in the World Trade Centre (and who is fine) and here in Mumbai – who are certainly familiar with the effects of international terrorism – it is absolutely critical that we have government working in those spaces.

But that doesn’t mean that the government needs to be monitoring their own citizens, all of them, on a daily basis. I think what we have is an instance where certain elements of the government could do things because of the technology, so they did things that the technology could use. I think that’s pushed the envelope a little too far and I think that would now be pulled back and I think we will come up with a more moderate approach that allows for the protection of individual rights and privacy but also allows for the legitimate security needs of the government to move forward.

And a part of it is becoming more sophisticated about cyber security. In truth, in order to secure most networks, we don’t – for example – need to know who’s attacking them. We just need to know what the attacks are and how to stop them. So there is no need for any personal information to be involved in this. So I absolutely believe that we can come up with a reasonable role for government that doesn’t violate individual right, but does allow for the appropriate security measures, too.

LC: I think we’ll continue to make progress. As I said, currently all the incentives favour the bad guys and so we’re going to have to rebalance those incentives, but I think certainly in the United States, I have seen a fundamental shift in policy with respect to cyber security in just the last year in a much more progressive direction. I’m seeing similar sorts of signs, at least among industry if not government in Europe, and even here in India. So I think we are going to make progress. I don’t think we’re going to solve the problem [of cyber security] any more than we solved the problem of murder or theft or lots of other things, but I think that we’ll be in a position to do much better as we move forward.