Tag: security

  • Lessons from the CIA investment fund

    Lessons from the CIA investment fund

    One of the little discussed reasons for the US tech industry’s success is the role of military and intelligence spending by the government. Not only do various agencies fund research and enthusiastically buy technology, they are also strategic investors in many companies.

    In Sydney last week Dawn Meyerriecks, the CIA’s Deputy Director for Science and Technology, gave an interesting insight into the agency’s investment philosophies at the SINET61 conference.

    The conference was aimed at drumming up interest in the technology security industry along with showcasing the connections between Australia’s Data61 venture and the US based Security Innovation Network (SINET).

    SINET itself is closely linked to the United States’ security agencies, with chairman and founder Robert Rodriguez having been a US Secret Service agent before his move into security consulting, venture capital and network-building.

    Compounding the organisation’s spook credentials are its support from the US Department of Homeland Security along with the UK’s Government Communications Headquarters (GCHQ), so it was barely surprising the Australian conference was able to attract a senior Central Intelligence Agency officer.

    Investing in flat times

    “Flat is the new up,” says Meyerriecks in describing the current investment climate of thin returns. In that environment, fund managers are looking for good investments, and the imprimatur of the CIA’s investment arm, In-Q-Tel, is proving to be a good indicator that a business is likely to realise good returns.

    “If you can predict a market – and we are good predictors of markets – then the return on investment is huge,” she says.

    “In-Q-Tel really leverages capital funding for good ideas. We get a twelve for one return, for every dollar we put in it’s matched by twelve dollars in venture capital in emerging technologies.”

    Attracting investors

    The CIA encourages both the companies In-Q-Tel invests in and those that supply technology to the agency to seek private sector investors.

    “What we’re telling our supply chains is you go ahead and tap into the capital markets,” Meyerriecks says. “If you can turn that into a commercially viable product then we will ride the wave with the rest of the industry because it’s good for us, it’s good for the country and it’s good for the planet.”

    Adding to the CIA’s attractions as a startup investor are the opportunities for lucrative acquisition exits for the founders, she believes. “Not only are we using that venture capital approach for emerging technologies but our big suppliers are sitting on a ton of cash.”

    Diversity as an asset

    Another lesson that Meyerriecks believes will help the planet, and the tech industry, is diversity. “Globalisation has shown isolationism doesn’t work,” she says.

    “Back in the day when I was a young engineer the best way to make sure your system was resilient was to harden its perimeters.”

    “The best way to be cyber-resilient in the old days was to draw big boundaries around yourself to keep the bad guys out. The latest studies look at other things because you want to be resilient, you want high availability.”

    Now, system diversity is seen as an asset. “Biologically the three factors that contribute to resilience are the ability to adapt, the ability to recover and diversity,” Meyerriecks says. “We look to deliver high availability among components that may not themselves have high reliability.”

    The future of investment

    “I think we’ll see commercialisation still driving investment for applied R&D in particular,” Meyerriecks said in a later panel on where the agency is looking at putting its money.

    “The big game changers will be around the edge, taking SDN (Software Defined Networking) to its logical extreme giving everyone their own personal networks, not just in data centres but at the edge of the network.”

    “I think there’s lots of things that the commercial industrialisation of the technology and physical system are going to force us to grapple with on many levels.”

    Risks in managing identity

    An interesting aspect of Meyerriecks’ talks at SINET61 was her take on some of the technology issues facing consumers and citizens, particularly the idea of individuals having their own personalised networks.

    “This opens up a whole range of things,” she suggests. “Do I eventually not just be an IMSI or IMEI (the mobile telephone identifiers) but do I become an advertising node, does that become my unique ID? Do I become a gaming avatar?”

    “Then we get into the whole Big Data area. Computational anonymity is a phrase we use. At some point people start saying ‘this is crossing the line’ – it crosses the ‘ooooh’ factor.”

    Changing Cybersecurity

    “I think the definition of cybersecurity will be expanded to much more beyond what we’ve classically thought about in the past.”

    Meyerriecks’ presentation and later panel appearance were a fascinating glimpse into the commercial imperatives of the United States’ intelligence community, along with flagging some of the areas which concern its members as citizens and technology users.

    The US security community’s role in the development of the nation’s tech sector shouldn’t be underestimated, and Meyerriecks’ observation that private sector investors tend to follow the CIA’s investment path underscores their continued critical role.

  • Protecting yourself online

    Protecting yourself online

    What can consumers do to protect themselves online? Nuix’s Chief Information Security Officer, Chris Pogue, believes it’s all about sticking to the basics.

    “It’s honestly easier than you think. It’s basic IT hygiene. Just the basics – bad passwords, reutilisation of passwords. There are password managers available for ten dollars a year. Don’t reuse passwords.

    “Close your wi-fi, don’t broadcast your Wi-Fi SSID. Make your PSK password longer than normal. Just make sure that you’re being smart and you’re exercising due diligence and you can stop a lot of attacks.”

    Pogue also points out no computer, or device, is unhackable. The point with security is to make your devices less attractive to opportunistic cybercrooks.

    “If you make it a little bit harder, the attackers have an ROI for their time. It’s a business, a multi-billion dollar business. They’re not going to mess around with you if you’re messing up their gross margin. Just make it not cost effective.”

    “Nothing is unhackable but you just make it so it takes too much time,” he says.
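    As an added illustration (not from the original post, and not Nuix’s or Pogue’s code), the script below shows what “make it take too much time” means for the one piece of advice above with a concrete cost model: a WPA2-Personal pre-shared key. WPA2 derives the Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID and run for 4096 rounds, so an attacker who has captured a handshake pays that cost for every offline guess. The guess rate and the example SSIDs are constructed assumptions for the sake of the comparison, not measurements.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal (IEEE 802.11i) derives the 256-bit Pairwise Master Key as
    # PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations). Each offline guess
    # against a captured four-way handshake costs the attacker this much work.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def expected_crack_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    # Expected time to find a uniformly random passphrase of this shape:
    # on average the attacker walks half the keyspace before hitting it.
    keyspace = charset_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1e6) -> dict:
    # guesses_per_second is an assumed figure for one cracking rig, chosen for
    # illustration; the point is how the cost scales with length and alphabet.
    return {
        "8 lowercase letters": expected_crack_years(26, 8, guesses_per_second),
        "12 mixed-case letters and digits": expected_crack_years(62, 12, guesses_per_second),
        "20 mixed-case letters and digits": expected_crack_years(62, 20, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed example networks. The SSID is the salt, so the same passphrase on
    # two SSIDs gives two different PMKs and defeats a single shared rainbow table,
    # but the SSID is not a secret: it is visible in association and probe frames
    # even when the access point does not broadcast it.
    for ssid in ("HomeNet", "HomeNet-Guest"):
        print(ssid, wpa2_pmk("correct horse battery staple", ssid).hex())
    for policy, years in compare_policies().items():
        print(f"{policy}: ~{years:,.2g} years")
```

    The PBKDF2 parameters are the reason length matters more than a hidden network name: the salt only stops precomputation across networks, while every extra character multiplies the attacker’s work, which is exactly the “not cost effective” outcome Pogue describes.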

    One useful resource for home users is the Australian Signals Directorate’s Top Security Tips for the Home User. While basic, that advice is well worthwhile for those looking at protecting their systems.

    Paul travelled to Las Vegas for the Black Hat conference as a guest of Nuix

  • Forget eliminating risk

    Forget eliminating risk

    “How are you going to manage, not stop, risk?” asked John Suffolk, the Global Cyber Security & Privacy Officer of Huawei Technologies, at the company’s ICT roadshow in Sydney today.

    Suffolk’s message is one that should be heeded by all business owners, managers and executives in areas more than just IT security.

    One of the conceits of late twentieth-century management philosophy was that risk could be managed out of business, partly through technology but mainly through legalisms that attempted to push liabilities onto suppliers, contractors, resellers and customers.

    That philosophy still holds true in many organisations today, particularly government agencies, and it costs them dearly.

    In truth, business is risky and trying to eliminate risk is a fool’s errand. How it’s managed is the real test for leaders.

  • Trust, security and the internet of things

    Trust, security and the internet of things

    I’ve spent the last week in Las Vegas attending the Black Hat and DefCon security conferences. Among much of the discussion about protecting oneself against the misuse of technology, one thing that stood out was the focus on the Internet of Things.

    Listening to some of the discussions and speaking to various people, it’s increasingly clear the consensus is that the IoT is effectively unsecurable: the range of devices connected to the internet is just too great to be protected.

    Compounding the problem is the plethora of poorly designed devices where security is, at best, a vague afterthought, along with an older generation of equipment that was never intended to be connected to the public-facing internet.

    Given many of these devices are going to be critical to businesses and individual lifestyles, their reliability and the quality of the data they gather are increasingly going to come into question, and the systems that rely upon them will need ways to validate the information they receive.

    Perhaps this is where machine learning and artificial intelligence are going to be valuable in watching for anomalies in the information and flagging where problems are happening within networks.

    As those networks become more essential to society, we’re going to have to build more redundancy and robustness into our systems; the key component, though, may be trust.

  • Enemies of the state

    Enemies of the state

    One of the sad truths of today’s online world is that dissidents, lawyers and journalists are ripe targets for governments that want to suppress who they perceive to be their enemies.

    At the Black Hat security conference in Las Vegas today, the Electronic Frontier Foundation’s Eva Galperin and Cooper Quintin gave a demonstration of just what lengths governments will go in hacking their opponents.

    In When Governments Attack, Galperin and Quintin illustrated how Syria, Ethiopia and Vietnam are all countries whose hacking campaigns they’ve encountered, but the particular focus was on Operation Manul, which revolved around the Kazakhstan regime’s attacks on its opponents.

    The government of Nursultan Nazarbayev is well known for its corruption, intolerance and global harassment of its opponents as Quintin and Galperin showed. What’s of particular interest to them is the use of off the shelf malware tools.

    Using cheap commodity tools has the advantage of not leaving distinctive patterns that may give investigators hints as to who developed the malware. The downside, of course, is that most antivirus products can detect these tools.

    For the regimes this is not such a problem, as most of the activists, lawyers and journalists targeted by government agencies or their contractors do not have high-level tech skills or use advanced security tools.

    Another concern is how private contractors are employed by these governments. An interesting tactic used by the EFF is to commence legal proceedings against US based corporations for operations they’ve conducted against dissidents visiting or living in the United States.

    Galperin and Quintin have three conclusions from examining these attacks.

    • Attacks don’t need to be sophisticated to work
    • None of this research is sexy
    • The tools and actors are not sophisticated

    While the tools and actors in these sad tales are not sophisticated, the costs to the targets are usually high as they and their families can be subject to terrible consequences.

    As we increasingly see both simple and sophisticated software tools available to be used against citizens we can expect to see more abuses by governments around the world. The job of organisations like the EFF is not going to get easier any time soon.

    We citizens though need to do what we can to demand safeguards and legal protections from our governments. Those of us in democracies should be making that clear at the ballot box.
