Cyber expert Marcus Sachs, director of SANS Internet Storm Center and executive director of government affairs for national security policy at Verizon, had a few minutes to discuss with The New New Internet the future of cyber security. Sachs emphasizes the difference between what should be done and what will be done in terms of cyber security. Sachs recognizes that there are other, more pressing issues on the Obama Administration policy agenda than cyber security and appreciates the Obama Administration’s collaboration with the private sector in forming the 60-Day Review. Sachs also supports the Obama Administration’s openness to a variety of perspectives and opinions, including the appointment of his friend Jeff Moss to the DHS Advisory Committee.
The New New Internet: What is the current role of Internet Storm Center and what do you hope it will play with the new Obama cyber security emphasis in the new Administration?
Marcus: We are a volunteer-driven international watchdog organization with incident handlers around the world. That gives us the ability to have somebody awake twenty-four hours a day. We know that cyber space is a global phenomenon, it touches every country, every society, all religions and ethnic backgrounds and we try to work in the original spirit of the Internet; a world of cooperative behavior, of working together collaboratively to solve problems. In terms of President Obama’s agenda on cyber security, I think that we exemplify what he wants citizens to do – to give back to society some of our personal skills for the betterment of everybody.
The New New Internet: Do you support Melissa Hathaway’s cyber attack response plan and what did you think of her initial guideline?
Marcus: The sixty-day policy review is a remarkable document and it was written largely in cooperation with private sector organizations. I was fortunate to participate in its development and we all really applaud what the White House did in terms of incorporating views and opinions of the private sector. But it is embarrassing that we don’t already have a national response plan. The sooner one can come out even in draft form the better so that there can be more collaborative work responding in cyber space as a public/private partnership. It cannot be just the federal government responding; there is a high dependence and very clear role for the private sector in responding to any threats in cyber space.
The New New Internet: How should the private sector prepare for the new Administration’s emphasis on cyber security?
Marcus: There is certainly a lot more Administration interest in the economy, healthcare, immigration, wars overseas, and the environment than there is in securing cyberspace. But for many of us in the private/public cyberspace sector, security is what we think about day after day. We continue to work with the federal government in sharing what we know, partnering as best we can, and pushing cyber security as something that is important – but also recognizing that it will not be a top priority item. We hope that cyber security can be integrated into many other aspects of the President’s agenda. In the end security is like a good haircut, you don’t know it’s there, don’t even see that it’s happened, it’s just somewhat invisible. That is the best way to approach cyber security, not make a big deal about it but just make it happen.
The New New Internet: We recently interviewed Professor Marjorie Blumenthal and she said that the key to solving cyber security is more research funding, do you agree?
Marcus: Funding research is absolutely essential. The private sector will certainly fund its own research, but on a very small scale. As we enter the twenty-first century the essence of our country – what is going to make us competitive, and whether or not we win – is how well we understand, manage, and operate cyber space. This is like the steam of the industrial age; cyberspace is the fuel that is going to power us for centuries so we have to understand it, we have to study it and learn how it works and then bring the fruits of that research back into the private sector so that we can build the tools and the networks and the products going forward to keep America in the leadership role that we have historically enjoyed.
The New New Internet: What do you think of the UK hiring former cyber hackers for the new cyber security division and President Obama choosing Jeff Moss to be on the Homeland Security Advisory Committee?
Marcus: Jeff Moss is a good friend of mine and he’s got a wealth of experience in working with people and cybersecurity; bringing Jeff in was a really good idea. I think that he will offer a perspective that others cannot, a view “from the trenches” that is frequently missed by more senior advisors. In terms of hiring former hackers, there is a difference between lawful hacking and unlawful hacking. Lawful hackers are exactly who you want on your teams; somebody who has the good strong skills but also has strong ethics. Oftentimes we get wrapped into just the technologies and feel that better, faster patching or more resilient firewalls are important when in fact it really is finding people who understand the threats from both sides that matters most. These individuals can help leaders understand what the threats and the vulnerabilities are and how to work together to mitigate them. In any country it is always a dilemma about whether to hire a hacker. The FBI hired a convicted felon many years ago because they felt that he alone knew how to make check fraud work even though his ethics were questionable. But with proper supervision you can tap those individuals’ brains while making sure that their ethics don’t get them into trouble again.
The New New Internet: Where do you see cyber security in five years?
Marcus: In five years I’m afraid it is probably going to be worse than it is today. Cybersecurity is a completely different animal than what we thought it would be. It is going to take a generation before we really come to grips with how we must fundamentally change cyber space; how we as humans deal with it in order to engineer out many of the problems that we are having now. But we have to be fair to ourselves; it took many generations of accidents with steam, steel, electricity, cars and airplanes before large industrial systems became safe. I don’t think we should expect cyber space to become secure overnight. Back to Marjorie Blumenthal’s comment about investing, we need to ramp up our investments in our research so that we better understand what cyber space is and how to manage it and control it and shape it so that it can become more secure. Five years from now we will have incremental solutions but we will not have solved the fundamental problems. It may take a generation.