Interview With The New New Internet: Cyber Expert Does Not Believe In ‘Urban Myths’
Senior Fellow at the military think-tank Global Securities.org and an expert in malicious software and computer virus’, George Smith recently interviewed with The New New Internet about the Obama Administration’s cyber security agenda. Smith was disapointed with the use of ‘scare tactics’ as an argument for change in cybersecurity and believes the 60-Day review contains the same content as previous administrations. Smith also does not support the UK’s hiring of ‘cyber soldiers’ because it is a waste of resources and will not resolve the issue.
The New New Internet: What is your background in Cyber Security?
George Smith: Back in 1994 I had a book published called the Virus Creation Labs; which was one of the first to describe the nature of the computer virus underground. It discussed who wrote the computer viruses, how and why they did it and there motivations. The speed of transfer for computer viruses has grown in magnitude since then. I have been writing regularly about computer security issues over the last 15 years for a variety of publications such as Security Focus and vmiz.com. I am currently Senior Fellow at Global Securities, a nonprofit organization that focuses on defense and intelligence news.
The New New Internet: What are your thoughts of the Obama Administration’s stance on cyber security?
George Smith: It fits into the continuum of plans on cybersecurity which have been issued before, its not particularly eye opening. Everyone wants better cyber security; the recommendations that have come out are similar to recommendations in the past.
The New New Internet: What did you think of the 60-day Cyberspace Review?
George Smith: One is always disappointed how little things change. I was disappointed to see the usual methodology of pointing to ‘scary things’ that are meant to inspire action. It was not a good idea to include an urban myth in the report and in the speech on cyber security. To insinuate that if something is not done about cyber security then bad outcomes such as the turning the electricity off in cities around the world is inevitable is unproductive. The report aligns exactly with what has happened in the last 15 years, its not really new. Its not exclusive property of any political party, we collect a bung of horrible and menacing sounding incidents and put them forward to say why things have to change immediately. Once sorted out and researched properly, one finds that most of these horrifying incidences are the equivalent of urban myths. So when you throw all that away you still have a good argument, you just don’t have to use that.
The New New Internet: As an expert in malicious software, should private companies be investing in offensive cyber capabilities or defense programs?
George Smith: Every company has to invest in a strong IT staff. They need to work there network instantiations so that disasters do not occur to them, small or large. Companies should have no interest in whether a staff member can conduct cyber warfare or any kind of events or operations in cyberspace, there is no productivity in that. One should be thinking about establishing security from a global perspective; that does not mean tearing down other people. We do not need to be adding to malicious software on the Internet, we already have quite enough.
To insinuate that if something is not done about cyber security then bad outcomes such as the turning the electricity off in cities around the world is inevitable is unproductive. The report aligns exactly with what has happened in the last 15 years, its not really new…Once sorted out and researched properly, one finds that most of these horrifying incidences are the equivalent of urban myths. So when you throw all that away you still have a good argument, you just don’t have to use that.
The New New Internet: The UK has hired former cyber hackers to work as offensive cyber soldiers, should America start a similar program?
George Smith: NO. It has always been a bad idea to encourage the idea that hacking is cool. When you give value and engage in malicious activity, you are spreading a bunch of different myths. The primary one being that it is a valuable activity, and every one who does it is automatically in the upper rings of savvy computer design or engineering. Instead you want to encourage the hiring of people who can think solidly on cyber security, not on the basis of what daily vulnerabilities have been found in software around the world. Don’t hire people who are just accumulators of details because those details become stale. Hot vulnerabilities are not hot a year from now. You should hire people who can think globally about establishing systems that are inherently secure rather than playing catch up all the time.
The New New Internet: Where do see cyber security headed in the next 2-3 years?
George Smith: We are stuck with a fundamentally insecure environment, and I’m sad to say its really too late to go back and change it now. There is no way to globally fix this so people are going to have to continue engaging and devoting in sincere efforts to improving cyber security on a day-to-day basis. There are no magical transformations or fixes down the road that will miraculously change the world to what we need.
Related posts:
