With cybersecurity, the rules of engagement that modern nations had locked into from 1993 to 2014 do not exist anymore. Russia has deviated from it. North Korea, Iran and other nations, as well. All of them are testing the waters: “How far is too far? How far can we go?” According to Kevin Mandia, CEO, FireEye, “The challenge is, there have been no risks or repercussions yet. So, every nation is developing a modern offensive capability, and there are no accepted rules of engagement. There is no one nation, five nations, or collection of 20 nations that are holding all nations accountable to abide by any rules of engagement. We need to have some kind of barrier put up, and I’m convinced we will sort it out.”
As we enter a new year, what is top of mind for you?
I can’t help but feel that it’s a time of uncertainty, but it’s also a time of opportunity. There are many challenges being hurled at cybersecurity practitioners. We have nations that aren’t really stable in the rules of engagement. That’s a big theme. We at FireEye have a skewed vantage – to some extent – since people don’t really hire us to respond to breaches when they’re five minutes behind the breach. The majority of breaches we respond to are state-sponsored or state-condoned.
So, we see it firsthand – the rules of engagement that modern nations had locked into from 1993 to 2014 do not exist anymore. Russia has deviated from it. North Korea, Iran and other nations, as well. You can see them testing the waters: “How far is too far? How far can we go?” The challenge is, there have been no risks or repercussions yet. So, every nation is developing a modern offensive capability, and there are no accepted rules of engagement. There is no one nation, five nations, or collection of 20 nations that are holding all nations accountable to abide by any rules of engagement. We need to have some kind of barrier put up, and I’m convinced we will sort it out.
You said there is a bunch of challenges being hurled at cybersecurity practitioners – what else?
Another thing we have to do is change the game on identity. The idea that you can get someone’s date of birth, and their Social Security number or state ID number, and steal their identity and do fraudulent tax refunds, or try to get a loan or credit card – that has to change. Now, you’re seeing a lot of modern nations and sovereign nations start doing digital identification. This has to happen. Otherwise, every five months, we’re going to have a huge breach, and all we are going to do is go to the victim companies – companies that are doing the best they can do to protect themselves, companies that employ 10,000 people that depend on that job – and we’re going to crucify them. And that’s all that will happen time and time again, so we have to figure out a better way to do identity.
Also, we’re going to have to deal with international privacy issues. You look at this world of people who have essentially been prisoners of geography for 10,000 years, and suddenly we’re all connected globally. We’re international. Companies can connect to each other and work globally more than ever before based on the advances in communications we have made. As a result, we’re going to have to fix some privacy issues that stem from there.
Speaking of international challenges, what nation-state activity do you expect in 2018?
We talk about Russia, we talk about China, we talk about North Korea – for me, I’ve got my eyes on Iran. In 2017, Iran really started acting at scale, and I think to myself, “Just how big is that scale?” We don’t know if we are seeing five percent of Iran’s activities, or 90 percent – although I’m guessing it’s closer to five percent – but they’re operating at a scale where, for the first time in my career, I’m not convinced we’re responding more to Russia or China. It feels to me that the majority of the actors we’re responding to right now are hosted in Iran, and they are state-sponsored. Recently we did a report on APT33, a threat group out of Iran. They’re primarily targeting the Kingdom of Saudi Arabia, the United States, and Israel. Those nations tend to pop up on Iran’s radar when it comes to targeting. It’s game on for them.
Shifting gears a little bit, what are your thoughts on cloud security as more folks shift to cloud-based platforms?
We need better cloud visibility. It’s as simple as that. I’ve been waiting for the day – and it’s been a long time coming – where the intrusions we respond to have cloud components. Those days are now here. I read our forensics reports. I know that a lot of people are depending on the cloud, and we need visibility. Many of these cloud providers are providing it, but we don’t always have security operations that can take advantage of that visibility and see what’s happening.
Right now, some of the smartest hackers are trying to access accounts by simply taking a publicly accessible email address and trying different passwords a few times a day – and they’ll keep doing it until they get in. You have to be ready for even the most seemingly simple threats, and you have to detect them, because I don’t believe we’re going to be able to do security risk transfer to have the cloud providers detect it. It’s a tough thing to do. They can’t tell you how your users normally use their email. They just try to make it available to your users. So, we’re going to have a lot of interesting challenges and complexities there.
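The low-and-slow guessing described in that answer is detectable from the tenant's own sign-in log, which is the "visibility" the answer says the cloud provider exposes but many security operations teams never consume. The following is an added example, not part of the interview and not FireEye's or any provider's tooling. It assumes a hypothetical CSV sign-in export (timestamp, result, user, source IP) and uses constructed log lines with documentation-range addresses. It flags two patterns: an account that keeps failing from an unfamiliar source a few times a day across several days (too slow to trip a lockout counter), and a single source that fails against many different accounts (the same guessing spread across the user base). The "familiar source" baseline is built from the user's own successful sign-ins, which is exactly the per-tenant context the provider lacks.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (hypothetical format: timestamp,result,user,source_ip).
# Not real telemetry; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-01-02T08:01:10Z,FAIL,alice@example.com,203.0.113.7
2018-01-02T19:40:03Z,FAIL,alice@example.com,203.0.113.7
2018-01-03T07:55:41Z,FAIL,alice@example.com,203.0.113.7
2018-01-03T21:12:09Z,FAIL,alice@example.com,203.0.113.7
2018-01-04T09:30:00Z,SUCCESS,alice@example.com,192.0.2.10
2018-01-04T18:02:27Z,FAIL,alice@example.com,203.0.113.7
2018-01-05T06:48:55Z,FAIL,alice@example.com,203.0.113.7
2018-01-05T22:15:31Z,FAIL,alice@example.com,203.0.113.7
2018-01-03T10:00:01Z,FAIL,bob@example.com,192.0.2.10
2018-01-03T10:00:05Z,FAIL,bob@example.com,192.0.2.10
2018-01-03T10:00:09Z,SUCCESS,bob@example.com,192.0.2.10
2018-01-06T03:00:00Z,FAIL,carol@example.com,198.51.100.9
2018-01-06T03:00:02Z,FAIL,dave@example.com,198.51.100.9
2018-01-06T03:00:04Z,FAIL,erin@example.com,198.51.100.9
2018-01-06T03:00:06Z,FAIL,frank@example.com,198.51.100.9
2018-01-06T03:00:08Z,FAIL,grace@example.com,198.51.100.9
"""


def parse_auth_log(text):
    """Parse the hypothetical CSV export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split(",")
        events.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result,
            "user": user,
            "src": src,
        })
    return events


def find_low_and_slow(events, min_days=3, max_per_day=5):
    """Flag accounts whose failed sign-ins recur on several distinct days while
    never exceeding max_per_day on any one day, i.e. a rate chosen to stay under
    a lockout threshold. Also report failure sources the user has never
    successfully signed in from (the tenant-side 'normal use' baseline)."""
    failures_by_day = defaultdict(lambda: defaultdict(int))  # user -> day -> count
    fail_sources = defaultdict(set)    # user -> source IPs seen on failures
    known_sources = defaultdict(set)   # user -> source IPs seen on successes
    for e in events:
        if e["result"] == "SUCCESS":
            known_sources[e["user"]].add(e["src"])
        else:
            failures_by_day[e["user"]][e["when"].date()] += 1
            fail_sources[e["user"]].add(e["src"])
    flagged = {}
    for user, per_day in failures_by_day.items():
        if len(per_day) >= min_days and max(per_day.values()) <= max_per_day:
            flagged[user] = {
                "days": len(per_day),
                "failures": sum(per_day.values()),
                "sources": sorted(fail_sources[user]),
                "unfamiliar_sources": sorted(fail_sources[user] - known_sources[user]),
            }
    return flagged


def find_sprayed_sources(events, min_accounts=5):
    """Flag a source IP that fails against at least min_accounts distinct
    accounts: per account it looks like one harmless typo, per source it is a
    sweep across the user base."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] != "SUCCESS":
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for user, info in find_low_and_slow(evts).items():
        print(f"low-and-slow guessing against {user}: {info}")
    for src, users in find_sprayed_sources(evts).items():
        print(f"source {src} tried {len(users)} accounts: {users}")
```

The thresholds are deliberately conservative placeholders; in a real tenant they are tuned against the provider's lockout policy so that anything a guessing source could sustain without triggering lockout still lands inside the detection window. Bob's burst of two failures followed by a success on the same day is not flagged by either rule, which is the intended behaviour for a user mistyping a password.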
Is there something that organisations should be doing in 2018 that they may not be thinking about right now?
One thing we’re going to have to start doing is protecting our own employees. I’ve dealt with this issue personally at FireEye, and we’re currently working with companies to figure this out. Many companies are thinking about how their employees are on their own when they go home. These staffers are at home and they’re using various personal email and social media accounts as part of their daily lives.
The question then becomes: If someone can hack your employees’ private accounts, can they hack your enterprise? Or can they at least make it so there is a perception that they hacked your enterprise? There are hackers out there who will hack an employee at a company, and they will post any document they can get, and they will say they hacked the company even if they haven’t. It’s a reputational thing – while it’s hard to gauge the public response to these types of incidents, right now many companies are being deemed irresponsible or negligent or compromised when they are none of those things.