Bloomberg TV Appearance: Large Hack Targets Federal Workers. What’s Next?

Triumfant CEO John Prisco was a featured guest on the Bloomberg television program “Bloomberg Markets” on June 12 to discuss the recent OPM hack. More federal personnel records have been hacked than previously reported, and U.S. officials are weighing responses ranging from launching new counterintelligence initiatives to destroying the data in the intruders’ servers, according to people briefed on the investigation.

Host:   Mr. Prisco, why did this happen?

Prisco: Unfortunately, it’s just so darn easy to breach computer systems, whether they’re federal government systems or large enterprises like Sony.  And 90% of the battle is just having good cyber-hygiene.  And by that I mean making sure you do the little things, like patching your systems well.  So many companies, so many agencies have old computers that have come out of support that they’re just not patching them, and it makes it very easy for adversaries.  It’s not like you have to have the A team from China or Russia to do this.  It’s pretty easy.

Host:  Sir, U.S. cyber policy.  Is it sophisticated enough?  Are we behind the curve?

Prisco: I think we’re behind the curve, and it’s primarily because our processes take too long.  When you go through a procurement, it’s going to take 18 months.  There’s going to be a pilot project that will take another year, and by the time it’s implemented, you’re talking about three, three and a half years.  And in cyber terms, that’s a lifetime, so products and systems are being deployed that are obsolete as soon as they are deployed.

Host: Mr. Prisco, am I wrong, or does it seem as if we are always two or three steps behind people who would do us harm in this phase?

Prisco: You’re not wrong.  We are behind, and we’re not playing on a level field.  It’s much harder to play defense.  The adversaries are playing offense and they only have to complete one forward pass and they score.  So we have to defend against everything.  Unfortunately, we haven’t evolved quickly enough, and we’re using twentieth century technology to fight twenty-first century adversaries.

Host: Sir, when you say that I’m shocked, and I’m sure our audience is too, that also begs the question why?  We are in the twenty-first century, and it seems that some of our adversaries in this space, they have better technology than we do.

Prisco:  Well, look at the big companies that are in this space.  They’ve been living off of anti-virus software that we’re all familiar with.  But those products don’t work anymore, because they’re all based on having some form of prior knowledge, what we call signatures.  The bad guys are too smart.  They just say well, I know that this signature exists in this product, so I’m going to write something special just to breach this one individual company or agency.  And in fact, 70 to 90% of all attacks are specifically engineered to go after a company or an agency.

Host: Sir, is it then just a question of cost?  What are the economics of beefing up our cyber security defenses?

Prisco: Well I think it’s interesting that budgets are getting cut left and right in the federal government, for cyber security.  And we keep talking about how important this is.  But from where I sit, it’s really not important enough.  Large corporations aren’t doing enough, the government’s not doing enough.  And it’s going to take some major event like knocking the power grid off in the northeast during winter to get people to really pay attention to this.  And that’s a shame.  Every week there’s a breach.  We could have our own show about the breach of the week here.

Host: Is this close to happening?  Is this something that keeps you awake at night?  The power grid going off, or maybe a nuclear power plant being knocked offline and compromised?

Prisco:  It is worrisome.  Because I believe that all of these systems are still quite vulnerable.  And unless we start using some of the newer technology that’s based on really understanding the DNA or the atomic structure of a computer and looking at anomalous behavior, we’re going to keep failing once we use the prior knowledge techniques of the twentieth century.

Host:  Mr. Prisco, right now the debate seems to be whether cyber security, whether the rules should be voluntary or whether the rules should be mandated by the federal government in terms of or under the auspices of national security.  Where do you fall in this debate?

Prisco:  I don’t think regulation is going to help.  Because if the federal government was going to do something positive about this, they’d do it for themselves.  Now you have over four million federal workers — family of mine, friends of mine, colleagues of mine — that are going to get an 18-month life lock kind of identity prevention policy.  We’re just telling our adversaries, “Be patient.  Wait 19 months.  And then you can steal our personal information.”

Host:  Sir, in about 30 seconds, what’s the answer then?

Prisco:  The answer is deploying the best technology.  Too often, people are worried about getting fired for buying innovative products.  You know the old saying, “Nobody ever got fired for buying IBM.”  Well there are millions and millions of dollars being spent on marketing products that just don’t work.  So we need to show some nerve and buy the type of products that start-up companies in this country are very good at producing.

Host:  Is that nerve going to have to come from the private sector do you think?

Prisco:  I think it is, and as long as people keep deploying old computers that aren’t being patched, you’re going to see a breach every week.