Why the U.S. Is an Easy Mark for Hackers

In the wake of the attacks against Google, Adobe and other major high-tech companies, there was a lot of public shock and outrage that this kind of attack happened. But it was really just a small part of what’s been going on for years. In a conversation with Dennis Fisher, Tom Kellermann of Core Security explains why the U.S. government and private companies are so unprepared for these attacks.

This is an edited transcript of the podcast with Kellermann.

Dennis Fisher: All right, welcome to the Digital Underground podcast. Very excited — I’ve got Tom Kellermann, vice president of security awareness and strategic partnerships at Core Security on the line. Going to talk about a whole bunch of stuff: what’s going on in Washington in terms of information security these days: the Google attacks, a few other things — get Tom’s thoughts on all of this. Tom, how are you, man?

Tom Kellermann:  Doing well.  Thank you for having me.

Dennis Fisher: Absolutely. It’s long overdue — I think it’s been a while. So let’s start off with the cyber security czar, however we want to refer to that position now. It’s been a few weeks since Howard Schmidt was appointed. What was your first reaction when you found out that Howard had taken the job?

Tom Kellermann: Relieved. I was relieved that someone who understands the industry, the technology and the turf wars of Washington has accepted the position and hopeful that they are going to empower him with the resources and the authority necessary to lead us in this war in cyberspace.

Dennis Fisher: Do you think the fact that there was such a long time between Obama’s initial press conference in May, where he was talking about this position and the importance of it and the importance of cyber security in general and the time that he actually fulfilled the position — do you think there’s any real damage done by that or do you think it was just more perception from the media and people like me writing stories saying “Why isn’t this job filled yet?”

Tom Kellermann: I think there was real damage done, particularly from an international perspective, as the world was waiting for us to take the mantle, and to lead internationally on this issue. So the real loss here was sustained due to our international leadership. And the reality that internally within the White House there was this fight between the people that care about this issue and the people that believe that cyber security somehow inhibits economic growth.

Dennis Fisher: Is there a big contingent that believes that?

Tom Kellermann: Not a big contingent, but there are powerful folks, particularly economic advisors to the president who believe the K Street line that cyberspace should not be regulated, that net neutrality should be the dominant paradigm, and that cyber security standards and regulations would inhibit economic growth, due to the fact that they would incur costs. What they don’t appreciate, which is rather simple, is that since IT is the underpinnings of our critical infrastructures, sustainable economic development cannot be achieved without securing cyberspace.

So that real sustainable development argument that has been lacking in the halls of the White House, and I think finally because of the onslaught of attacks we’ve been facing and the galvanized work of the CSIS commission and other people that have been saber-rattling to force the administration to pick someone, you finally have the appointment; more importantly you have an appointment of Howard Schmidt, coordinator, wherein he is not to report to Larry Summers, and that is the best part of the equation.

Dennis Fisher: Yeah, that was very interesting to me because originally the stories came out that whoever took that job was going to be reporting both to the National Economic Council and the National Security Council and people said that seems like a pretty limiting factor on the job, it’s tough to serve two masters, that puts you another layer underneath the president — all of that kind of stuff.

It seems to me that Howard got — I don’t think he would have taken that job with those conditions, and he clearly didn’t. It seems to me that he said, “Look, if you want me in this job I’m not going to have two bosses. I’m going to have one boss and it’s not going to be the Economic Council.”

Tom Kellermann: Exactly. And the real issue here, because of the delay there was a significant gap in continuity of operations from them — substantial work led by Melissa Hathaway and the work that needs to be done now. And during the delay you had this positioning, I’d say, of the four lead government departments and agencies who positioned themselves in cyberspace for more control.  So the turf war phenomenon had actually increased between DHS and DOJ and DOD in particular. That being said, he has a lot on his plate. First and foremost he’s got to organize and lead the relevant government agencies responsible for cyber security, as well as directing the OMB with priorities besides the security spending.  So let’s stop the bleeding and let’s play ball on the same team.

He’s got to secure the four major critical infrastructures: communications, finance, the high tech sector and the health care industry. This effort must go above and beyond resiliency — that’s a key point that needs to be stressed. For too long people have said, “Oh, we’ve got great cyber security because we have information security policies and incident response plans and we’ve got resiliency of operations and business continuity in place.” But the name of the game is not surviving denial of service anymore, and you know that.

And I think accomplishing that will require us to revisit something called Operation Eligible Receiver.  You’re familiar with that, right?

Dennis Fisher: I am, yep.

Tom Kellermann: I think that was an interesting exercise by the U.S. government to identify vulnerabilities in critical infrastructures before they were exploited, and we need to revisit that.  And I don’t care if the private sector takes issue with that because in the end they need to realize that the federal government can be of substantial assistance to them in protecting themselves from the 108 countries with cyber attack capabilities and the major criminal syndicates of the world.  

Dennis Fisher: Which leads us right into, obviously, the attacks that Google and Adobe and the other companies disclosed last week.  So a lot of the stories on those attacks focused on kind of the Chinese angle of this and this whole idea of cyber espionage and “Oh my God, I can’t believe this is happening.” At least in the general press — I think a lot of the IT press sort of understood that this stuff was going on in the past. How prevalent is this kind of operation, whether it’s state-sponsored or from a private, somewhat-organized group? How much does this happen?

Tom Kellermann: It happens all the time. And this is not as terrifying as the FBI investigation named “Titan Rain”, when they realized that we had lost many of our national secrets to Chinese spies that had infiltrated censored DOD systems. But what is important about this phenomenon is not necessarily sophistication of the attack. As we spoke about before basically they’re attacking a zero day flaw using client side attacks and then polluting the system.  

What’s more interesting about this is twofold:  first of all it’s advanced persistent presence that they’ve maintained within the systems after penetrating; and secondarily it’s the shift of where the attacks become more focused, where they’re aiming for the source code only, and more professional vis-à-vis encryption and subtlety of how these governments and their proxies will increasingly employ a professional set of mercenary hacking tactics and trade craft.

Why do they target certain systems and not others? Why did they go after certain source codes and certain organizations? Was it intellectual property or was it really backdooring the source code permanently of the critical operations that are widely utilized by the Western world? These are the terrifying questions that we need to grapple with.

To that point — back to the Howard Schmidt discussion:  it is paramount that we develop, he develop, the government develops a cohesive international strategy of deterrence to not only incentivize the global community to cooperate against cyber spying and cyber espionage, but also to create shared risk and real deterrence varies against nation states who harbor hackers and/or who’ve utilized hackers to wage cyber attacks against critical infrastructures and organizations.

The fact that Google had no real faith in the U.S. government stepping up on its behalf and had to essentially take the fight into its own hands represents the lack of the rule of law, as well as the lack of a cohesive international cyber strategy in this space.

Dennis Fisher: How receptive do you think the other nations will be to that kind of dialog, though?

Tom Kellermann: Well at least at the WTO level I don’t understand why this hasn’t reached up to that level. WTO and exclusive membership within that organization and free trading status is given to nations who illustrate and exhibit a standard of care in how they collaborate, cooperate and trade in the global marketplace. And what you’re seeing here, whether or not it was done by the nation-state of China, there are proxies within China, there’s a culture of hacking U.S. organizations in China that is blessed, sanctified and institutionalized by the government of China. And that needs to stop. And it needs to begin with serious diplomatic negotiations, from the Secretary of State onwards.

Dennis Fisher: To me the idea of it being the Chinese government that’s behind it is slightly — it doesn’t scare me nearly as much as it being a private organization, whether it was done with the knowledge of the Chinese government. I expect the Chinese government to do this, I expect other foreign governments to do this, just as the U.S. is doing this offensively against them. The idea that there are other organized groups doing this is certainly something I knew, you knew, other people knew, but this kind of large-scale coordinated attack is pretty blatant evidence of the talent and sophistication that these folks have.

Tom Kellermann: Yes, very much so, and I think the U.S. is suffering from a supply shortage in talent and I guess from a cultural perspective we need to begin the respect, the resolve, sophistication, organization, of our adversaries in cyberspace. I think it also begins with most of us beginning to take up a game of chess again. I think very few of us have played chess in a very long time, and it’s important not just to understand how you might be able to win the game in six moves but how your enemy can also defeat you in three. And what pieces are important to us and how the board could be used against us. There’s been a lack of that when it comes to cyber security strategy, both from a government, corporate and individual perspective for too long.

Dennis Fisher: Do you think that has anything to do with there not being a sort of cohesive federal government-level acceptance of the need for offensive security operations?

Tom Kellermann: I think in part yes. I think in part we need to get more Machiavellian in cyber space, as a nation. But also we need to understand that, again, the most terrifying thing about this incident is not the intellectual property theft or the Gmail accounts that were compromised within Google. Now let’s just wrap our heads around the fact that if they could have maintained persistence in these systems the amount of time that it did, could they not have also altered the source code, a/k/a the DNA of Google, and therein polluted every Google user in the world with some nefarious root kit? And that’s terrifying.

Dennis Fisher: It’s certainly far more terrifying than them going after the Gmail accounts of some Chinese dissidents, which is —

Tom Kellermann: We should be expecting it, right? I mean even with their institutionalization of hacking and their overt cyber warfare capabilities over the regime, you should presume that the worst case scenario has occurred.

Dennis Fisher: I think that’s right and I think that point has not been made nearly strongly enough in a lot of the coverage I’ve seen so far. I think it’s being talked about quietly inside the industry:  I’ve seen it on some mailing lists and heard people talking about it. Just the idea that Google used the words “intellectual property” as the target in their blog post to me was a really strong indication that they think that’s what happened.

Tom Kellermann: And I think that demonstrates the duality of attacks in today’s environment. I think on the surface these are not very sophisticated attacks, but they’re successful because even if you lock down your networks you’re always going to be vulnerable to web application, wireless and client-side attacks, right?

So that being said it’s not so much the vector that was employed but so much as how did they maintain the digital insider or the advanced persistent threats within those systems, and beyond the obvious, what could they have done within these systems to give themselves long-term access and capability to have command and control over that system? It’s like hemophilia: Now we’re dealing with governments and capabilities that can inherently pollute the bloodstream, the source code of an application permanently.

Dennis Fisher: So if you’re Google or if you’re Adobe or you’re one of the other targets of this attack and you feel like that might have been their main target, where do you go from there?

Tom Kellermann: I would hire people to review my source code. And I know that’s a hugely expensive and arduous process, but you and I both know very capable people out there that could do it and they should be spending the extra dollar to have their source code reviewed from start to finish: the whole 800 million lines of code. I know that’s a lot but it needs to be done. More importantly, though, we need to appreciate that in today’s environment the name of the game for maintaining the advanced persistent threat is the memory injection attacks. So how many of these organizations have actually analyzed the memory space of all of their assets subsequent to this attack?

Dennis Fisher: I would say that’s a low number.

Tom Kellermann: Of those that are even aware of what I’m saying, how many of them are aware of what technologies and companies can do that well?

Dennis Fisher: Yeah, also a low number. Yeah.

Tom Kellermann: Even if they do and they’re aware, even scarier, right? Are these few companies capable of actually — the manpower and the resources to get the job done?

Dennis Fisher: At least in a timely fashion — that’s a good question because a lot of the companies that can do that kind of thing very well might be smaller boutique firms that have highly, highly talented guys, but there’s not a huge pool of those people.

Tom Kellermann: It’s very troubling. This definitely ushered in a new era in the landscape of hacking, which is targeted, sophisticated attacks that are targeting source code that are using blended stage attack vectors to infiltrate the systems and maintain persistence. And whereas most of your readers have been well-aware of that because of your knowledge base and your circle of trust I think it’s important that this message be espoused to the mainstream IT community.

More importantly I think the time has come for the corporate governance shift to occur within organizations. For too long the security wonks have been reporting to the CIOs rather than presenting a balanced view to the Board of Directors and/or to the CEO. For too long our defensive coordinators have been reporting to our offensive coordinators and there needs to be a governance shift within all organizations to appreciate the views and perspectives of your listeners, as well as the folks that care about integrity and confidentiality, not so much about availability access and resiliency.

Dennis Fisher: Yeah, that’s an excellent point. I’ve known Howard Schmidt for a long time and I feel like he’s going to — I know that he gets that, and I feel like he’s got the influence and the juice, if you want to use that word, to kind of get that ball rolling in DC.

Tom Kellermann: I hope.

Dennis Fisher: Yeah. Well what are the early indications?

Tom Kellermann: Indications from him?

Dennis Fisher: And from, you know, the rest of the DC security community — I mean what are you hearing in terms of what level of cooperation he’s going to get and the receptiveness to his hiring?

Tom Kellermann: I think everyone’s waiting to see right now. I mean he hasn’t really begun working yet; he hasn’t finished building his team yet. It’s going to very much be dependent not just on his own knowledge and relationships and integrity within the DC circles, but also who he has on his team. And he needs to pick the people correctly that can give him more clout and more capacity to move the ball forward.

You have to remember right now one of his biggest fights internally is probably going to be with Vivek Kundra. You’ve got a guy who’s a CIO for the federal government who is pushing the cloud on every major government organization, who is focused on Smart Grid and the digitization of health records — all three of these priorities are inherently going to exacerbate the systemic and operational risk posture of the U.S. government and critical infrastructures, period. We know that as security professionals.

So Howard’s going to have to — that’s the biggest internal fight he’s going to have is “Hey, the cloud’s great and it’s great for resiliency purposes but let’s get serious about how we secure this thing, right? Let’s take a stand on private clouds versus hybrid clouds versus public clouds, right?” And I think the argument about cloud security will be the biggest issue this year, besides the obvious infiltration of systems by organized hackers.

Dennis Fisher: So you think that’s going to be a major roadblock to Howard addressing other priorities?

Tom Kellermann: Yes, I do. I think he’s going to have to fight the political fight internally with Mr. Kundra vis-à-vis this cyber everything in the government space and let’s move to the cloud and let’s use technology to emancipate ourselves from the brick and mortar and let’s do all these wondrous things at the same time.

Let’s be serious here: Mr. Kundra doesn’t have a clue about security; he’s never practiced security in his life. Track record of a DC government doesn’t express any of that, but to that point he’s more powerful than Howard within the administration. So that being said, Howard’s going to somehow have to convince this man that the devil exists.

Dennis Fisher: Well it may be to Howard’s advantage that he can sort of point to front page articles in USA Today, The New York Times saying, “Look:  there’s the devil right there.”

Tom Kellermann: Yeah, but I think even beyond that I think the latest issuance of the commission report that we’re going to be finalizing in February and releasing should provide a great roadmap for Howard. But also I can only hope that again, he is given the authority and the resources to leap the technology revolution within the beltway versus having to retrofit security upon the revolution as it occurs.

Dennis Fisher: That report you’re talking about:  that’s the CSIS Commission?

Tom Kellermann: Commission on Cyber Security for the President. We were asked to stick around for another year to produce a final report to Congress and the President on — not just a progress report of where things have gone but let’s focus on distinct action items and strategic goals over a 500-day plan, essentially, for the seven top priorities of the U.S. government — what they should be as it relates to cyber.

So hopefully once we have that produced, people will look at it as a roadmap by which Howard can follow and build upon as a foundation.

Dennis Fisher: Can you give us any hints as to what those priorities might be, some of the things we’ve talked about?

Tom Kellermann: Definitely two things I will mention: I’m sure international strategy is going to be a focal point, as well as the importance of improving authentication of not just users but devices and all sorts of protocols for that matter. Because of the lack of attribution, the landscape is such that — you well know this — attribution is the Achilles’ heel of forensics and incident response and it’s the main reason why, in this fog of war, less than 1% of hackers are ever prosecuted.

Dennis Fisher: Oh yeah, it’s a crazy low number.  It’s so low that any time anyone’s ever prosecuted for even the sort of lowest level attack it’s big news.

Tom Kellermann: Yep. And the international, again:  it’s critical that hopefully the Senate, the White House and State Department begin to grapple with the reality that this domain is lawless and there are no rules of engagement and there is no shared risk and we need to be incentivized, the various countries around the world that have institutionalized hackers and created hacker havens — and that’s going to be a very difficult challenge because regardless of everything we do in cyber security, my friend, we’ll never create Fortress America in cyberspace — it’ll never be achieved. We need to develop a global culture of security and we have to incentivize regimes and actors to be on the good side of this fight. And that goes beyond just the U.S. saber-rattling and saying, “You will do as we say because we are the U.S. hegemony.”

Dennis Fisher: Oh for sure. Some of the researchers and guys that I know that come from some eastern European countries and some South American countries that are often cited as havens for this kind of activity say, “Look, the economies in these countries are on such shaky ground that guys coming out of college with computer science degrees that would be happy to take an entry level job as a software developer or as a security guy in a legitimate company, they can’t find those jobs. And so they get contacted by somebody saying, ‘Hey, you want to do some coding for the equivalent of a year’s salary for a month’s work? Don’t you worry about what we’re going to do with the code.’” How are they going to turn that down? And that’s not an unusual occurrence; it’s happening a lot.

Tom Kellermann: Very much so — so much so that it’s — it’s hard — to be honest with you it’s really hard to have faith in our power to stem the tide, at this point, because of the realities, the economic realities of the world that we live in.

Dennis Fisher: Yeah, it’s not like — people love to make analogies to on the ground politics and military operations and that kind of stuff, but they’re not analogous in any real way, I don’t think.  The government of any country, they just don’t have control over what private citizens do in cyberspace. Even China, obviously, the most restrictive regimes cannot control what their citizens are doing with their computers on any real scale.

Tom Kellermann: And then even more importantly you have the reality that many of these users don’t have any incentive to control any of that, that they see this, particularly in the developing world, as Robin Hood.

Dennis Fisher: Oh sure.

Tom Kellermann: They say about the cyber attack: “No one died, we stole intellectual property, it gave our country a comparative advantage in the global marketplace. Our citizen over here hacked this U.S. bank and brought platinum cards back to our country and we got 20%.” And last but not least: “We have the capacity to front-run major global investment deals because of the fact that this hacker crew that we’ve protected from the investigations of Interpol shares this information with us.”

Dennis Fisher: Right.

Tom Kellermann: There’s no real reason why they should care, to be honest, except being righteous, but from their perspective, given what the G8 has done to the rest of the world with its financial crisis I think many of the developing countries of the world have lost faith in the global economic paradigm.  And because of that lack of faith they’re beginning to appreciate and be incentivized by the shadow economy versus the legitimate economy.

Dennis Fisher: I agree 100%.  It almost seems to me like there’s much more incentive for them to conduct operations against the U.S., the UK, Germany, whatever — the rest of the G8.  As you said, it sort of brings them — it’s kind of a nationalistic thing, where they’re like, “Hah, look what I did to America.  I did this:  I defaced this website, I stole 1,000 credit cards from this American credit union in the name of –” whatever, patriotism — whatever country they’re in.  It’s a really scary sort of affairs — there’s no question about it. There’s been a lot of talk about this as well but I’d like to get your thoughts on it:  How much credit would you give Google for coming out and talking about this in public?

Tom Kellermann: I give them utmost credit; I pay homage to the leadership of Google for literally changing the corporate paradigm as it relates to reporting of cyber breaches. For too long there’s been this mentality of plausible deniability and/or the reality of deny, deny, deny because of worries over reputational risk, without appreciation of the long-term need for public accountability for activities by nefarious actors. Because without more reporting we can never justify actions by the governments and/or resources internally to deal with the problems at hand. And so I commend them: bravo.

Dennis Fisher: For the people who don’t know:  you worked in the financial services sector for a long time at the World Bank, and obviously the default position of financial services companies was to “no comment”, to deny any kind of incidents that were whispered about, any of that kind of thing. So there was always that — people could always take the position of “Okay, well point me to some incident where there’s been a state-sponsored action, or some incident where you’ve seen some organized attack crew go after a bank or a high tech company.” And people like you and other people who have been involved in this could say:  “Well I can’t.  I know it’s happened but I can’t tell you how I know.” Now we can all point to this and say, “Look, the biggest company online was infiltrated in a very serious and persistent way, and it’s entirely possible that their source code was compromised in a persistent way.” That’s about as big as it gets.

Tom Kellermann: That is as big as it gets. And what’s most terrifying is — I guess the final point I’ll make on Howard Schmidt’s priorities, point four which would be we really need to be able to tackle — he needs to tackle the systemic risks posed by the high tech supply chain. And there’s way too much dependency on operations that are ephemeral and applications that are developed inside and outside of the U.S. and on assistant companies and managed service providers that exist without anyone ever truly conducting approaching risk assessments as we do — penetration tests of those systems and applications on a regular basis to prevent the exploitation of those sensitive protocols. And that supply chain risk in the high tech sector is something that’s going to be paramount in managing the threat of today. So we need to really identify it and assess it appropriately. And I think hopefully he’ll be given the authority to do just that.

Dennis Fisher: Yeah, that’ll be interesting to see, because it’s obviously got economic ramifications, and international relations ramifications — all that kind of thing. But we’ve already seen examples of this happening with these USB thumb drives that have been showing up in stores already compromised with malware on them. And — what was the other thing — weren’t there digital picture frames a couple of years ago that had malware on them? I mean that seems kind of ridiculous, but think about it:  anything that you can attach to your computer that has malware on it, you’re owned. The thumb drives — the DOD took the position of saying, “Okay, no more thumb drives at all in our environments.” I mean that’s a drastic action to take.

Tom Kellermann: And if you’ll notice, DOD then applied a standard for how thumb drives need to be created, protected and encrypted and all of that, and that standard was applied, and now you see a major defense contractor like Lockheed Martin partnering with a major thumb drive manufacturer and producing something called Iron Clad. They released this — I think the public announcement of this was two days ago. And that is an example of yes, DOD took a severe step, it forced the industry to change, and change how they do things, and now they’re producing secure drives to be used within the DOD. And that needs to happen more often. The government needs to use acquisitions power to force the industry to change how it develops things and how elements of the supply chain are secured.

Dennis Fisher: I agree. They’ve tried to do that, in some ways, in getting different versions of Windows that are made to their specification, all that kind of thing. And I think Energy tried to do that with Oracle software as well. But I mean the reality is that a huge percentage of these thumb drives and other sort of commodity hardware is made overseas in these developing nations with really tough economic conditions. And I’ve had people tell me off the record that all it takes is a pretty small payment to somebody that works in one of these factories producing thumb drives — they load a CD with your malware on it, all of a sudden you’ve got thousands of compromised thumb drives being shipped to the U.S.

Tom Kellermann: From my perspective what’s more terrifying than the hardware-based boot kit that we’re discussing is really — there are critical infrastructures out there that have not been defined as critical infrastructures. So let’s say the financial sector is dependent upon seven major shared service providers.

Dennis Fisher: Yeah.

Tom Kellermann: And you’ve got major managed service and shared service providers that are providing the bulk of the outsourcing IT services to the Fortune 1000, right?  These entities also pose a systemic risk to the entire system. These entities are also not the best in the world at securing their enterprise, but these entities are becoming more and more targeted by sophisticated cyber adversaries because they’re well aware that if you can compromise one of these entities you can compromise hundreds of serious Fortune 1000 organizations and government agencies that are dependent upon the digital water that resides within those systems.

Dennis Fisher: Yeah, that’s a good point:  at what point do you consider things like Amazon’s cloud service and Salesforce.com to be critical infrastructure?  I mean I think you can make an argument that they’re there right now.

Tom Kellermann: I would make that argument and I think that’s part of supply chain that hasn’t been well-defined and evaluated because when people think supply chain they’re consistently thinking hardware root kits.  And that’s right and they should be worried about that, but they still have to be very concerned about this other supply chain — the ephemeral one.

Dennis Fisher: So when is the next commission report coming out? You said some time in February?

Tom Kellermann: Yes. Final meeting is this Friday and then we will be working with our working groups to polish the document. And then essentially we will be releasing it I think at the end of February. I presume the goal is to get it released before RSA, but you never know with these things — there are a lot of cooks in the kitchen. I hope that our recommendations are not watered down and that they really provide a good strategic foundation for Howard to work from in the coming years.

Dennis Fisher: I’m interested to see it. I thought the first iteration of it had a lot of good recommendations and good information in it. So I’d like to see it expand on that and I’m sure Howard will take it seriously. I mean he was on the original commission, right?

Tom Kellermann: Yeah, I hope he will take it seriously. Again, I don’t think it’s a question of Howard taking it seriously; I think, again, it’s going to be the internal battle between Mr. Sommers, Mr. Kundra and Howard over priorities in economic growth and IT investment, and how cyber security plays. I hope that the number one message that they realize from this is that we cannot achieve sustainable economic development without securing the controls and the IT assets that serve as the backbone for this economy.

Dennis Fisher: Well it’ll be interesting to watch.  I’ve never dealt with Kundra; from all accounts he seems like a smart guy, so I feel like hopefully if he has other smart people advising him and he listens to them maybe he’ll understand the realities of the situation.

Tom Kellermann: It is my hope that he learns to appreciate risk management in 2010.

Dennis Fisher: Well we shall see very soon, I think. So I guess I’ll see you in a few weeks at RSA.

Tom Kellermann: I look forward to that.  Thank you for taking the time today.

Dennis Fisher: Absolutely.  Thanks a lot, Tom.

Discussion

  • Eliot Ness on

    Messrs. Fisher & Kellerman:

    In re: Howard Schmidt's credibility ... www.PrintcafeSecuritiesFraud.com/#HowardSchmidt
  • Anonymous on

Btw, the National Security Agency was recently hacked. Yes hacked! But it was downplayed to the media for obvious shameful reasons. Here’s the link:

    http://pinoysecurity.blogspot.com/2010/02/wwwnsagov-hacked.html

  • Anonymous on

Quite a phone conversation. Highly technical & informative. Thank you.

  • Techno Dan on

    "It's like hemophilia: Now we're dealing with governments and capabilities that can inherently pollute the bloodstream, the source code of an application permanently."

    No, it's like a blood transfusion, not hemophilia (which often requires blood transfusions.)  But the metaphor is false anyway.  How is it that the "source code" of an application can be corrupted "permanently"?  Has anyone ever heard of a backup?  I'm sure any system that runs software can be rebooted and restored.  Seems like a no-brainer.

  • George D. Curtis on

The Chinese lobby "bought" the Congress years ago -- that is why there is an exchange rate favorable to them, as well as no effective tariff to even begin to level the playing field.

    So, don't expect much help from our government.
  • Jim Large on

    I am disturbed by the way that Mr. Kellerman conflated "net neutrality" with "lack of security" and "lack of regulation."  Net neutrality can only be achieved with regulation, and it is wholly unrelated to issues of privacy and security.

    Mr. Kellerman seems to think that the internet plays an important role in our economy.  He ought to be aware then that net neutrality is the status quo:  The net is "neutral" today, and "neutrality" is at the root of what made the internet such a success.

    Net neutrality is an extension of the legal concept of "common carrier" to the internet.  Common carrier laws were written to regulate commerce on public highways.  They permit freight haulers to charge customers by weight, by size, by the mile, etc.  They permit haulers to charge more for hazardous cargoes, or for cargoes that require special handling, but they forbid haulers from charging different rates based on certain other considerations.  For example, a moving company is forbidden from giving discounts to customers who bought their furniture at Ikea.

    Common carrier laws were immediately and obviously applied to the telephone and telegraph businesses when those technologies were invented.  Imagine, if you tried to dial your local pharmacy's phone number, and you were connected instead to a different pharmacy.  Imagine that, upon complaining to the phone company, you found out that your neighborhood pharmacist is not one of their preferred business partners, and that their policy is to connect all of his phone calls to a competing pharmacy.  That is how the phones would work today if not for common carrier laws.

    Same thing goes for the internet.  The fight over net neutrality is a fight over who gets paid.  Google is making a fortune.  Maybe, when you visit Google's web site, the bits are sent through AT&T's wires.  AT&T wants a piece of that action.  They don't just want to be paid for moving bits, they want a share of Google's profits, and they say they're entitled to it just because they hold the power to cut the wires if they so choose.  In a net-without-neutrality, your internet service provider will be like the cable company, offering different levels of service.  Basic service might let you visit twenty or thirty different web sites—sites that they choose, and it might let you have an e-mail address with their name on it, maybe create a personal page on their social networking site.  At higher levels of service, you might get to choose from a larger menu of web sites, you might be allowed to create pages on Facebook, or edit Wikipedia articles, etc.  Want to create a web site of your own?  One that isn't branded by anybody else?...  Well, let's just say, that won't be any harder than it is to create a new cable TV channel today.

    That's what "net neutrality" is about.  It's nothing to do with security.