Interview: Former CIA CISO Robert Bigman

Robert Bigman (2)How has the threat landscape changed since you began working at the CIA?

In my opinion it hasn’t at all. The same threats and risks that exist now existed in the seventies; there is the same inherent risk in technology and computers. You could say that these risks have been amplified by consumerisation, but, historically, we have never addressed the critical issues. In this age, the capabilities of the Internet of Things is creating more problems.

2BSecure says it believes in ‘Thoughtful information technology architecture.’ Can you give your definition of what this is?

For many years, industries, governments and consumers have been sold the idea of ‘you can have it all without any security risk.’ Well they are fast learning that that isn’t true. Nothing is ever free in life, and that is especially apt in the case of the Internet. So many security companies try and tell you “use my product and you will be OK.” The reality is this is not true. Security issues are tied to the Internet; it is the main target of those who are out to exploit flaws. All the right technology will still be breached; if you are a target, hackers will get you. Thoughtful architecture means having solid foundations at its base, whereas what we have now are old, weak, decrepit foundations, on top of which are built layers of software, and the whole thing is due a collapse.

You’ve previously mentioned how Unix and Microsoft architectures have remained the same from when they were developed in the 1970s, leaving huge vulnerabilities. What needs to be done to solve this underlying problem?

These architectures are 25-30 years old, and were built in the days of smaller computing needs. When you consider that these same architectures are now being employed on mobile computers, which are so widely bought, it seems like madness. You’re left thinking ‘how on earth did these end up on the mass market?’ Windows 7 and even Windows 8 is based on 20-year-old architecture, and it has issues. The internet was initially based on private network exchanges between remote nodes, and we didn’t know what it would turn into. TCP/IP protocol at least allows you to modify for performance and scale, which is what we implemented at the CIA.

In the grand scheme of things, when did cybersecurity first become a major issue?

It still hasn’t. Every week there is a conference about what you can do to improve your security, but a fundamental rethink of the product architectures that are used to move data – and new R&D – is needed. At the same time, it is not viable to upset the economy and suddenly switch horses in terms of security strategy, it has to be a gradual transition. Waiting for a new product to come along won’t solve the problem; encryption certainly hasn’t stopped cybercriminals.

It’s a morbid analogy, but I view the reality of security weakness as the same as a reaction to a family member’s death. At the moment we are in the stage of realisation, where we are beginning to understand what is happening but haven’t fully grasped the gravity of the situation; we haven’t got a rational answer of how to respond. We need to move from the emotional response to form a rational plan of action. It has dawned on the US government that this is a really big problem; but the likes of Cisco aren’t helping with the IoT, where everything is connected: your car, your clothes, your cat. It’s madness.

What was the biggest challenge you faced in your career at the CIA?

Simply enough, to keep the agency’s systems from being penetrated. It is one thing to keep your systems secure, and another to keep them hidden. Both were a challenge, and when you have really bad technologies as your defence, you really are in trouble. Another main challenge was explaining abstract technical concepts like the movement of electrons to senior personnel within the CIA. These are people who can’t understand how the technical aspects of a phone call work. I became highly proficient in explaining concepts with video – and moving puppets.

Having said that, the acceptance of risk there was zero, unlike in industry, where companies don’t have the same prudence. There, unless there is a gun to their head, they don’t do much. When there is a serious possibility of losing information, they do everything to stop it, but until then, not enough.

Previous ArticleNext Article

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


The free newsletter covering the top industry headlines