HEFFNER: I’m Alexander Heffner, your host on The Open Mind. A testament to its unprecedented importance to the world’s stability, cyber-security was the focus of my first 2013 program with John Palfrey of the Berkman Center for Internet and Society. Our conversation with William Pelgrin, the recently retired CEO of the Center for Internet Security will continue our exploration of that topic.
At the helm of the center, Pelgrin has revolutionized web safety standards and recently briefed President Obama and national leaders on cyberspace policy. The geo-politics of this issue are intriguing, from foreign to domestic attacks on American government and business interests—and we’re grateful to have Will at this table to navigate through. First things first, when we talk about enhancing our internet infrastructure, what do we really mean, Will?
PELGRIN: Well I think—well first let me thank you for inviting me here, I really appreciate it…
HEFFNER: Thanks for…
PELGRIN: …and for the kind words, uh, in the introduction. Um, we’ve got to recognize that the internet is relatively new. Uh, when I started in business, there wasn’t an internet. I mean, when you look at that it was developed in the late ‘60s, early ‘70s and that it then goes to sort of mass production in the 90s. Um, it’s a relatively new area for all of us and how we built that was to be an open and, and sort of valid, uh, infrastructure for everyone who’s going to be, uh, utilizing it. Uh, so the need to enhance our infrastructure, it really is one of looking at security, um, to facilitate—never to impede but to facilitate our ability to do our day-to-day lives. But to do it from the perspective and the optics of how can we be as secure as we can be. Uh, there’s no hundred percent security in anything but we can do a much better job and we are continuing to do a better job in providing that enhancement to be as secure as we can.
HEFFNER: Will, President Obama gave an interview to Re/code Magazine’s Kara Swisher. She asked him about encryption. What’s wrong with what Google and Apple are doing? And she points out that of course as President on the Presidential Blackberry, he has encryption and probably multiple layers of it. You were saying to me off-camera if encryption is not embedded into our email or into the major uses of the internet, then we may never have it as a general public.
PELGRIN: Well, I think that, you know, when we look at the types of, uh, enhancements that we can make to our security, we wanna make sure that from a user perspective, that security is baked in at the application level and is not something that’s added on or something that I really need to think about. So, whether or not it’s encryption, whether it’s two-factor authentication, whether it’s all those different areas, where as a consumer, as a user, I want to, uh, improve my, my security. Make it easy for me to do so. Don’t make it hard for me to do so. So…
HEFFNER: Is a two-layered, um, authentication process as secure as encryption?
PELGRIN: It, it’s—when you look at two-factor, uh, authentication, it’s something you know and something you have. So it’s a level of, uh, authentication so that if you are going to open up and, and send an email and, if you needed two-factor in order to be able to do that, uh, we would know reasonably well that it was Alexander that was doing it. Uh, encryption is, the data itself is not decipherable, whether it transfers from one place to another place or at rest, depending on the nature of that encryption.
HEFFNER: In, in essence, you’re saying that you could combine a two-step process with encryption for the bodies of messages and that would be the most fool-proof that one could get.
PELGRIN: Well I was going to say, fool-proof is not the word that we like to use because it really isn’t, there isn’t a silver bullet out there. However, um, yes there’s two processes. One would be two-factor authentication and the other would be, uh, encryption where appropriate.
HEFFNER: You think about what happened with Sony and WikiLeaks and the whole series of episodes in which classified or privileged information was leaked. You, you have to believe that a two-step process had not been adopted, uh, or at least the layers that would require, for example, the CEO of, uh, Sony for example, to have a code, a unique code on her Blackberry, um, that updates every five seconds, in addition to the passwords. Would that have, uh, prevented the North Korean or Asian attacks on, on, on Sony for example? Are you dubious that, uh, in, in actuality, these high level ambassadors or executives are not using the technology that’s already available?
PELGRIN: Well, you know, without even talking about the, the Sony issue, let’s just talk just generally across the board. We are doing, um, our behaviors in, in 2015 are very similar behaviors that we, we’ve done since people started using, uh, the internet. Um, we know right now that there are five things that you can do that would improve your cyber security tremendously, that would address the significant attack vectors that are currently out there, that there’s estimates between 80, 85 percent of those of the known ones that we have. And we’re not using those behaviors. We’re not implementing those behaviors in a way that brings us to at least that level and then let’s focus all the resources on the remaining portion that’s really complex and really difficult to do. So when you look at, uh, those five areas, it’s, it’s really what is your environment, so counting basically. Uh, because I don’t know how you can protect what you don’t know you have.
Configure that environment so now I know what my environment looks like, I know what devices I have as a user. I know what devices I have as a company. I know what my system architecture looks like. I know what my network looks like. You map that sufficiently and then you configure it to the best ability that you can. Meaning the best standards out there, whether Federal standards, whether Center for Internet Security standards. You, you raise that to that level of configuration, uh, then you control it. And you control it by who gets access to that. That’s a sort of, who has privileges to get access. Now as CEO of my old company, because of my title, they wanted to give me access to everything. Well, I had a right to get access to everything. My mandate was to have me be the least privileged person in the organization. And the reason is, I could get it when I needed it. But didn’t need it as of right because if I got compromised, then my company got compromised. So it was really important to have that conversation as to who needs what and when you get that access and how you get that access. Um, then patch. We need to patch better. We need to patch frequently and we need to make sure because when I started in this business, a… zero day exploit, which means that an exploit’s out there, uh, actually taking advantage of a vulnerability before you really know it’s there. Uh, that was theory back when I started and now they’re just coming out, uh, with zero day exploits, um, at, at a rate that’s just startling.
HEFFNER: I have to say, Will, every—not to interrupt.
PELGRIN: That’s all right.
HEFFNER: Every time there is a mere second delay on Google or in Gmail, I get exceedingly worried that this whole system’s about to collapse. Because of the work that you do and Richard Clarke and other cyber-security analysts, is that a possibility? One day we could wake up and Google would be hijacked by some either foreign terrorist element or, uh, mischief that’s happening internally.
PELGRIN: I wish there was a, uh, an intentional pause on, on a lot of things.
HEFFNER: A lot of people have said that.
PELGRIN: Because how many times have you written that email and accidentally CC’d the wrong people? How many times did you—in just your frustration put something that you rather not –and that goes lightning speed so actually I’m, I’m an advocate for pausing, you know, a 5 minute pause would be great for me. Um, again there’s no 100 percent, uh, security. You know, there’s that whole spectrum of, of actors out there. You know, like, actors from the script kiddies who are the, the what, I term the, the teenagers who are playing around and looking into it. It’s the Matthew Broderick… the WarGames, uh, getting into something that they didn’t realize they were getting into. Yet they can do damage. I mean, when you think about, there was a, a young teenager in Poland, uh, that like…trains but… but played with them in, on the real world… and derailed a number of them. And people got hurt in that incident a number of years ago– to the activists who are looking to, to right social wrong from their optics and from what they wanna do to the, the hackers out there. And that incorporates a really big group of actors from anything from, you know, financial crime to, to, to, to reputational damage to, you know, sad that we don’t see anymore—I say sad, there’s the common defacements that are just graffiti type defacements. There’s a lot more, uh, payload that goes along with those lately, um, all the way up to, uh, nation states and then, you know, the last of cyber-terrorism so you see that, that spectrum. From an end user, if we’re looking at us, uh, from that and the concern whether or not, uh, Google or Safari or whatever, you know, Mac is, is the target, or could be a target. Um, regardless of who’s doing it, what the intent is the impact and the consequence is the same to, to us. 
So I think we need to, and I think companies like Google and others are, are constantly trying to, to make sure their systems are as secure as they can be and they’re, they’re moving forward in those arenas, because their livelihood is dependent on that to be as secure as they can be. Um, but again, the hackers, uh, when you have a criminal population that can, um, from any place in the world, in the privacy of your home or wherever, play around with it, it’s so different than the, you know, the days of the Wild, Wild West where somebody who was gonna rob a bank had to get off their horse and come into the bank and actually do so.
HEFFNER: Right. And let’s not underestimate the, the massive, I’m sure mammoth servers and layers of protection that companies that we might say are too big in the tech universe to bust, uh, to break down, whether it’s, uh, the kiddies that you mention or a more sophisticated attack. Uh, but what have you found in your discovery of these threats to be the motivation, uh, principally political actors or no?
PELGRIN: And, and just to go to the, the size. I think we, and, and the vigilance cause I think that’s something that, that’s really important. I don’t think we can ever say we’re too big or we’re too small, uh, to—we’re too big and therefore we’re not gonna get an attack because we got this infrastructure in place. Or we’re too small and we shouldn’t have to worry about it. I’ve seen attacks on very small, uh, systems and companies, uh, that you wouldn’t think that they would be, uh, targeted. And, the same with very large companies as well. When you see, um, reports of all different size companies and, and security companies as well have been attacked and some of them, uh, successful. So I—one it’s about vigilance, one is about rapid detection and response and one thing we have to get away from, we gotta get away from the blame game. We can’t, I mean, if somebody did something criminal, let’s go after them and let’s bring them to justice. But, what we don’t want is to build an environment that people are scared to say that something went on and something went wrong because they were either gonna lose their job or they fear some type of, different type of negative appraisal against them. And the reason for that is that I can guarantee it, there are two types of people out there. Those that know they’ve had a security breach and those that have but just don’t know it yet. So, I don’t think anybody else, unless you’re not connected at all, hasn’t experienced a cyber-security event in some way shape or form. So when you take that and you say we’re not going to, to, uh, encourage people to report it in, you put us all at risk because then it’s gonna go on to the next one. So have an environment that allows people to come forward and really report that something’s going on cause it is right now as important, that rapid detection and then response, as it is about just the prevention of it.
HEFFNER: Another story that was drawn to my attention recently in Re/code, um, was on this, this most recent case of the Federal government being under attack and the social security numbers of Federal workers, um, being divulged. And in this article in Re/code there is a… “Why the Federal Government Sucks at Cyber-security”… Does, does it suck at cyber-security?
PELGRIN: No. I think that there, there are a lot of great people that are working very hard at the Federal level. Think about the massive level of what we’re, we’re talking about as well. Can we do a better job collectively? Yes. Can I do a better job? Yeah, we can all do a better job. But, um, I think that the, just the, that’s too, too general of a term to be able to apply. Again, it goes to that sort of negative context of that. Um, but that the, the OPM or the Office of Personnel Management breach that you’re referring to, uh, I may even have been included in that. So it’s, you know, I’m still waiting to get my letter saying you’re one of the 21.5 million people that may have been, uh… breached…
HEFFNER: And that’s a problem too that if your data has been breached, you don’t necessarily know about it until X months later.
PELGRIN: State by state has their own right now, it’s not a national.
HEFFNER:… It’s not a Federal.
PELGRIN: There’s a state by state law relative to it. And right now, there’s about 800 million, uh, record breaches that have occurred, that have been reported since those laws came into effect back in 2005. Just think about it, it’s almost three times the population of the United States. I say that that’s, it’s rampant, that we have to do something, uh, about that, um, relative to it—But one more point about the OPM breach because this is the first time that I know of that what we had is data—when you have your data stolen, like mine has been stolen in the past, I found out when I went to file my taxes, somebody already filed ’em. And when I went and reported it to the people I needed to report it to, my first question was, If they paid my taxes, I’m okay. I don’t need to go any further. But if they didn’t then I wanna be able to clean this up. Course, they didn’t pay my taxes, they actually got a refund and, and dealt with my identity and how I had to, to bring that back to full circle. The OPM breach included, in the 21.5 million data, uh, one point one million, uh, fingerprint records. So now you not only have data that, that’s been compromised but, but now your essential, you know, what I call your DNA, uh, that’s, you can’t get another fingerprint. You, you know, so that’s, that’s a real concern as well as how then do we take action to then – sort of—I know what I did to, to sort of buffer myself knowing that my data had been compromised. It’s very difficult when your, your DNA gets compromised as well.
HEFFNER: I can imagine. And in this instance, the standards that were created by the Open Web Application Security Project, um, found that in non-security, uh, computer portals, 76 percent of the time, web applications in use by Federal agencies failed to comply with security standards. Is that because of the patch issue that you described? It’s, it’s so hard to, to keep pace?
PELGRIN: No I, you know, whether it’s the Federal government, any company X,Y,Z, any uh, homeowner or user on it, um, we have to do a better job on both developing application software that has security built in it—making sure our app developers have training in not just code development and functionality but also on the cyber-security side of the house and how do we do that to make sure it’s as secure as possible. It can’t be layered in after the fact and that’s what, a lot of the times, is what’s happening. Applications get out. You know, the paradigm used to be something like time to market, functionality, and if security was in that paradigm at all, it was down at the bottom. It really needs to be flipped. And I, I don’t believe security wins in every case. But I think that, that, that judgement as to what the balance and the risk is relative to the functionality needs to be had. And all too often that’s not occurring at the level it should be. So application development needs to, to really take the fore and we should encourage and incentivize individuals to, you know, build code as secure as you can. But when you’re talking about millions and millions and millions of lines of code, how many times did you, when you type in your password, did you miss it, you screwed up at least once or twice, right? And then you’re getting nervous because if you do it too many times, it’s gonna wipe out your system. Just think about that, but on, on a factor that’s a, you know, millions of times and you’re building code. Uh, things are gonna happen. So we need, uh, a way to, to minimize that and to be more vigilant on that code before it hits the marketplace. Uh, we wouldn’t tolerate it if your brakes only worked 50 percent of the time in your car, just wouldn’t do it. But we consider it almost a rite of passage or, you know, that we have to be resolved that we’re gonna do that in, in software and we shouldn’t have that.
HEFFNER: And your mission as the CEO and now in your practice is to engage in a, a cyber-hygiene regimen. Uh, what does that look like?
PELGRIN: Uh, and thank you, cause I think it’s really important to talk about cyber-hygiene. Um, and, and in that way you have to talk about a campaign. You know, we, it, we have campaigns against most major challenges out there. We have a campaign to, uh, cure cancer. We have a campaign to, to end world hunger. We have these campaigns you know, on these big, huge social issues that we really wanna address. Um, have you heard about one for, for cyber-security in a way that really resonates? And, and so the concept was, how do we start developing this campaign, that equates to there are things that are within our control. And there are things outside of our control. Let’s just deal with the things that we can control and make it better. Because we’ll improve our cyber-security by 80, 85 percent immediately by doing that. It’s like, you know, right now everybody brushes their teeth.
HEFFNER: We would improve it 80 to 85 percent by adopting, when you think of cyber-hygiene…
PELGRIN: Right, five, five things. Count, configure, control, patch, and then repeat. Institutionalize that.
HEFFNER: A lot of those are individual choices, is what you’re saying, as opposed to reflected in the code and whether it’s screwy.
PELGRIN: Exactly. Exactly. And, and but so you can do certain things though and again, you can’t be at, you know what I’m saying, next to the app developer and even if you could, you wouldn’t know what they were doing as to whether or not the code is, is good. But there are things you can do on your side of the ledger that, that do improve that. So let’s do a campaign, let’s get it out there, let’s all sort of start moving, let’s start tracking it. Let’s have metrics on it. Because I think we can start to show that we’re showing an improvement in this. And then, let’s rally around it just like we did with both seatbelts and brushing your teeth. You, you know, we have fewer cavities now because we brush our teeth. You know, there are fewer deaths and fatalities because of, of wearing seatbelts.
HEFFNER: And also there are fewer pop-up ads and we basically worked around the model where the internet, talk about hygiene, it, it was a place where not only were there illegal file transfers occurring very readily, it, it was not a particularly hygienic climate dating back to ’03, ’02. If you’re using, if you’re employing the right tools and browser now, you can avoid that. So, when you talk about metrics associated with improved cleanliness if you will, what metrics are you talking about?
PELGRIN: That—just what you, just what you said. I think those metrics on that — what happened with, with the browsers and doing far better job in trying to, to carve out and filter out all of the things that are, are really malicious right from the get-go that we know about and that you never even see. Cause the noise out there, I call it the din, is so loud, uh, based upon what’s going on—if that all just came in, you’d be overwhelmed. It’s just, just way too—you could go and turn on your firewall and just say, I wanna see everything, and it would be frightening to see what, what’s being bounced back automatically. So I think that’s really important to start showing—‘cause I think we’re, we all like sort of that, that thermometer and fundraiser that, that you don’t have to bring us to a better state. And we do that. We do it, need to do it incrementally. Because, if you think about cyber-security and what needs to get done, it’s daunting. It’s almost overwhelming that you won’t do anything and it’s the start that stops most of us. But if we start chunking it up and start doing these baby steps forward, we can raise that bar incrementally and, and be in a much better place than, uh, we are today.
HEFFNER: One of the things that we do lack is a kind of Wikipedia for, uh, or an encyclopedia, a digest of the particular sites who, who operationally are, um, either exploiting your data or protecting it. Now Firefox for example is one of the browsers that claims the mantle, um, as a non-profit, non-commercial enterprise of, uh, we’re not gonna get any, anything out of sharing your data with advertisers because that’s not how we function as a model.
PELGRIN: That’s a great question. And it’s almost like you want a cyber-index which is what I think we need to have… that sort of, uh, that Good Housekeeping seal of approval that we all, at least when I was growing up, you were looking for it before you bought that product. That type of thing would be, I think, helpful. It’s also, it becomes, you become a target then also because hackers like those types of, you know, put the stake in the ground, we’ll show you, we’ll go after you if you think you’re that secure. But as consumers, what’s difficult’s twofold. One, we’re not using our buying power sufficiently. Because, when asked about what you want when you’re buying software, security rarely, if ever, comes up. And if it did, it would start to be built in then at the beginning stages. If we were as consumers saying we cannot tolerate it any longer, we really need to have better products that come out from the get-go, understanding that at some point in time something’s gonna happen and, and that we’ll have to improve them going forward. Uh, so we’re not doing that in the way that, that, uh, allows us to, to leverage that, that buying power. Um, the, um, uh, security on the, uh, other side, the, the sort of the application side of the house. Um, and that cyber-index is, is difficult… so how many times, I’m a lawyer by education, how many times have you read a privacy statement on a website? How many times have you looked at that agreement before you hit “buy”—we’ve made it too complex to, to read all of that.
HEFFNER: It’s a lot different from anything that pre-dated it in, in the infrastructure set up to, um, regulate television, for example.
PELGRIN: Well we should have like a, a TripAdvisor for, uh, cyber-security so that people can rate, you know, come back and say, you know what, this was a good experience, this was, you know, a secure transaction. We had no problem. Or where there are problems that we can start sort of finding it. Because I think that also, uh, moves it. I think—but, you know, that, the assumption is that companies aren’t wanting to do that. I think if you’re a good company that there is part of that process of your, your even for-profit role is to make sure your customer base is secure in what they’re doing, that the transactions and, and the services that you’re gonna provide are actually what they’re gonna get and they’re gonna get it in a way that doesn’t harm them more. So hopefully that is at a core, just a fundamental basis.
HEFFNER: And as we’re concluding here, I just have to ask you, Will, long heralded as the most secure mobile platform, Blackberry, but it’s practically extinct. Has, has the iPhone become more secure?
PELGRIN: You know, I hesitate to, to, to answer because we can never be complacent on any device that we use. And I get asked all the time, Is Apple more secure than, than—it’s—the, the question becomes, there are attacks on, on all the infrastructure. There are attacks on all, uh, systems. Whether it’s, it’s a, a Mac or whether it’s a PC. Um, and just sitting back and saying one is better than the other means that you’re gonna be complacent and, and something’s gonna happen because you’re gonna be that one percent that, that may get it. As I said a little while ago, a hacker only has to be right once. Uh, you have to be right a hundred percent of the time. So…
HEFFNER: Will, thank you for being with us today.
PELGRIN: My pleasure.
HEFFNER: And thanks to you in the audience. I hope you join us again next time for a thoughtful excursion into the world of ideas. Until then, keep an open mind. Please visit The Open Mind website at Thirteen.org/openmind to view this program online or to access over 1,500 other Open Mind interviews. And do check us out on Twitter and Facebook @OpenMindTV for updates on future programming.