Herbert Lin is Senior Fellow in Information Policy and Security at the Center for International Security and Cooperation (CISAC) at Stanford University (USA).
Lin is also a Fellow in Policy and Information Security at the Hoover Institution, a prestigious center for public policy research. In addition to his work on information policy and security issues, Lin holds a Ph.D. in Physics from the Massachusetts Institute of Technology.
Panda Security (PS): What is your general idea of the state of information security for organizations in 2017?
Herbert Lin (HL): Information security in organizations is very complex. Most companies know they need to be aware of these issues, but many don’t fully understand how to invest in information security. So if you’re the chief information security officer at your company and your manager says, “I’m willing to give you a million dollars,” how should you spend that money?
And I think most people can’t give an exact answer because they don’t have a [clear] idea of how to spend that money. This is the first problem. The second problem is that there is often an incorrect assessment of the risks that may actually be present.
I think management often doesn’t understand what their main assets are and what really needs to be protected. You can’t protect everything at the same level, so you must prioritize the things that matter most. And it’s very difficult for companies to do that.
The third problem is that even if the company manages its business risks correctly (whatever “correctly” means), it manages them within the framework of its own company’s needs.
But a given institution may have a more important social function than the institution itself may think. And in this case, we can talk about the serious social consequences of a major information security issue for this project.
For example, if your business is an energy company, a power plant or the like, then in the event of a shutdown it is not only the company’s shareholders who will suffer. Everyone who depends on your organization’s work will suffer: the hospital down the street, every institution and person who keeps food in a refrigerator, and so on.
PS: Do you think critical infrastructure is adequately secured?
HL: The question is, what does “adequately” mean? Can we do more? I’d love to do more, but in the US it’s an undeniable fact that more power outages are caused by squirrels than by cyberattacks.
What will happen in the future? I don’t know. It’s probably a stupid comparison, but squirrels still don’t do it maliciously, while criminals do. The fear is that if criminals do it maliciously, they can do far more damage than the squirrels.
PS: Ransomware attacks are still evolving. What conclusions can we draw from the recent WannaCry and Petya attacks?
HL: Ransomware attacks are actually a type of DoS (Denial of Service) attack, and therefore organizations must be able to deal with them: they must have backup procedures in place, and more.
Backing up is resource-intensive and sometimes difficult, but you must do it. You must know how to act if you are in danger, for example when your electronic medical records are not available to you online. You must know how to act in those circumstances.
PS: Can you tell that another large-scale ransomware attack is on the way?
HL: Yes, in general, I think so. You’ll see this sort of thing more and more, and ransomware is an easy way to make money.
PS: What role do you think companies will play in a potential cyber war?
HL: They will play an episodic and conscious role. One problem is that companies can accidentally make a mistake in one of their programs and not fix it.
This is a problem because they have a security vulnerability that has not been patched. So they play a role in allowing this vulnerability. They didn’t do it knowingly, but they allowed a loophole in their software.
Companies have the ability to customize their systems in many ways, making them more or less secure. Sometimes companies offer their users some default profiles that are easy to configure and not completely secure.
This is their choice. The reason for this choice lies in the fact that they do it for the convenience of users. They don’t want users to tell them “your products are hard to use” because that puts too much pressure on them.
Thus, they make their products easier to use, but often less secure. And here the decision is a conscious decision by the company. In doing so, they inadvertently exacerbate the problem.
There are other examples of companies collaborating with government intelligence agencies to support offensive operations.
For example, an intelligence agency might go to a company (say, an antivirus company) and say, “Here’s a signature and we want you to ignore it, so we’ll pay you $10 million.” Why do they do this? Because they want to attack someone but they know that their future victims are using certain antivirus software.
I am not saying that this is a legal method, but it is still the method used by special services. So, in this example, the cooperating company is assisting in an offensive operation that could contribute in some way to electronic warfare.
PS: Do you think the world will be safer in 10 years or not?
HL: I think it will be worse, but the situation will not be catastrophic. If I had to pick the most likely outcome, I’d say that. How much worse? I don’t know. But I think it will be a little worse.
Because I see all the trends going in that direction. People want the benefits of information technology, but they don’t want to pay the costs. So this comes at the cost of security.
I think that in the long run people will start to worry about this problem. In the meantime, it’s going to be “a little worse” because I don’t think we’re at a tipping point where the costs outweigh the benefits.
But sooner or later we will be there. Although I think the movement in this direction is slow. But when we get to that point, things will be different.
But why just “a little worse” and not catastrophically? I believe that ultimately the entire world is so interconnected that in the event of a catastrophe, everyone would suffer. China will not win if it “takes down” the global network.
They want to use you for their own little game. If you’re a parasite, you don’t want to kill your host. You just want to use it. But there is always a limit to how much you can extract on your own.
PS: What is the most important information security tip you give companies?
HL: I would argue that information security is a never-ending battle, and you’ll never be able to solve this problem once and for all. You should invest more than you think.