April 26, 2023
SAN FRANCISCO, RSA CONFERENCE -- Greater awareness of sensitive data and a call for cultural change within organizations to better support cybersecurity teams were some of the recommendations Asaf Kochan, Sentra's co-founder and president, offered in a conversation with InformationWeek here during the RSA Conference, a cybersecurity industry event underway in San Francisco.
Kochan previously served as commander of Unit 8200, an intelligence corps that specializes in cybersecurity within the Israeli Defense Force. He took some time out from the conference to discuss government responses to data collection, control, and privacy from a cybersecurity perspective, and how national cybersecurity strategies are being developed. The threat landscape, which is being populated by state-backed, bad actors and generative AI tools, seems primed to become even harder to navigate.
Given your background, what areas should organizations take a longer look at in cybersecurity? Have the TikTok hearings brought anything to light about data security?
One simple kind of notion that I saw, again and again, is that bad actors are after sensitive data. It’s so simple, yet you see it again and again. Most organizations kind of try to protect everything. So, you have these particular data stores or places where you have your sensitive data. It might be customer data. It might be personal data. It might be financial data. It might be proprietary [intellectual property]. It might be source code.
At the end of the day, bad actors will get there, and they will chase your sensitive data. And most organizations -- basically their approach is not related to data. They will protect their perimeter; they will protect their network; they will protect their endpoint -- everything besides understanding where the sensitive data is. This is basically a thing I saw again, and again, and again.
This is kind of one fundamental notion. But in the global kind of context, the thing that you started with, is related to a major kind of clash, which is going on between the U.S. and China right now. This clash is about computational dominance, and this clash is from the very basic layer of manufacturing chips, which fuel the computer industry, design infrastructure, core networks, and cloud infrastructure up to the endpoints and to the devices.
Basically, whoever has access to the data can manipulate it, can use it, can bridge it. And the TikTok thing is about where the data sits. Who has access to the data?
Do you think organizations have been taking a real look at data security, bad actors, and new types of threats -- or is there a kind of belief that they have everything under control and don’t have to change? Are organizations trying to navigate this space without alerting others when they have issues because they don’t want the public to think maybe they are not on top of security?
On the one hand, it’s very clear to an organization when its continuity of operations is hit. It will suffer immensely, especially organizations that are based on the Internet. You take a company like Uber or Booking.com -- if a threat comes up, hits their continuity, and hits their revenue when it comes to data, it’s more complicated. The cultural part of it is that security teams are judged sometimes on basically having zero events, so they would be expected to not have any events.
In real life, you can’t live in such an environment. You’re always going to be breached; you’re always going to be hit by some kind of an actor. Statistically, if you’re defending a network, the defender has to succeed in 100 attempts, 100 times. The attacker has to succeed just once. So, statistics are on the side of the attacker.
Some organizations basically do not admit to and do not address data breaches the way they should be addressed; sometimes they will kind of hide it and sometimes they will minimize it.
The first change should be culture change. Understand that you shouldn’t be ashamed if you’re breached because it’s going to happen to everyone. Second would be to take your data hygiene seriously, and basically apply and enforce policies, retention policies, and policies which enable you to understand where your critical data is but also demonstrate it. You should have a monitoring system, which enables you to show auditors where your sensitive data is. I think data is still not in the right place it should be.
From about 2015, we started to see hackers encrypting data. Soon after we saw hackers encrypting and sucking out data and leaking data, they were asking for ransom. One of the next stages we’re going to see is that attackers will also hit data integrity. It’s also about the ability to maintain your data. You want it to be clean. You don’t want anyone messing with your numbers, with your proprietary IP. This kind of warfare is evolving.
Has the nature of the motivation for hackers evolved as well? I remember the early times when it was believed hackers were just anarchists trying to disrupt the establishment. Then they wanted money, and now we’re talking about potentially state-backed action.
The biggest operational cyber scene in the world is crime still, in terms of generating revenue. Very strong security controls are on the way, so it’s becoming more sophisticated. It’s growing the AI part, which is coming in.
The AI component, which enables impersonation to carry out machine-based, sophisticated kinds of attacks. You can do it much wider effectively.
We do see nation-state actions. You have to understand the doctrine behind very different nation-states. Some nation-states will act in order to achieve a political goal. Some will act in order to generate foreign currency. And some will act in order to get an IP advantage in order to promote R&D. They would like to develop something, and they will steal your IP in order to do it. We are seeing more and more interventions, which are in the areas of information and data.
We call it new media warfare and data warfare, whereby data is used in order to hit the trust between citizens and their state. Look at what happened in the 2016 election, and it happened since then again and again.
The trajectory is very clear, the world is becoming more dependent on computation. The sophistication of cybercrime is growing. AI is adding a very accessible component. I would personally advise the private sector to primarily focus on cybercrime, which is becoming more complicated.
What are your thoughts on the still-evolving national cybersecurity policy and approach in the U.S.? Other nations are a little bit more proactive on this, and some are playing catch up. Are states really trying to evolve as quickly as they can or is there some dragging of their feet on cybersecurity, knowing where data resides, and policies for what’s happening in this landscape?
It’s very clear that democracies and liberal democracies are much more vulnerable and are much more aware, generally speaking. The cyber game is not like tennis; it’s like kind of a basketball or a football match. It’s a team game.
You see frameworks of like-minded states, collaborating between them in order to mitigate threats. In most cases, the fundamental players have the same values, democracy. I think this specific administration in the U.S. is extremely aware of it and is very much proactive about promoting these international alliances. The current administration also has a very clear understanding of the nature of this threat. A few other countries in Europe, I would say the UK is part of this awareness; France and Germany are part of it.
What to Read Next:
About the Author(s)
You May Also Like