Admiral Mike Rogers discusses the current state of cybersecurity and how we can better secure our enterprises from malicious attackers.
David Spark: Mike, you were just on stage. You just opened the Key Conference or KeyConf here in New York City. Just give us a very quick 30, 60 second summary of what your talk was about.
Admiral Mike Rogers: So, I was trying to set the stage for what is happening with respect to cybersecurity. What the implications are for identity and what is it then that given that cyber security implications given where we are with the importance of identity. What does that mean for companies? That was really my focus, those three things.
DS: What I found so interesting about what you were saying on stage was Covid has actually just accelerated or exploded what was already in the pipeline in terms of cybercrime. Isolate down like maybe two or three examples of what you’re talking about.
MR: So first of all, I thought it was an, I hear a lot of people talk about well COVID is a disruptor and I thought, no, it’s much more of an accelerant than it is a disruptor. Many of the basic things that we are seeing unfold. Now we’re already underway, but this has just added more fuel. We were going to do Cloud before COVID came along. But as we went to this physically dispersed workforce.
DS: Well, it just put a timeline on something which was now.
MR: Cloud became even more relevant.
DS: People who are talking about digital transformation were like, I think we’re doing it now.
MR: Exactly. So, ask me again. I apologize.
DS: Well, so give me the examples of what were the criminal proceedings that were happening or the cybercrime that was happening that you felt that COVID like alright we’re doubling. We’re tripling down on this and it’s accelerating what was already going on.
MR: So, criminal activity and ransomware already existed.
MR: But two years ago, you did not see ransomware almost as a service. I mean, literally, you had actors who had some level of knowledge and capability. Now, you have an entire industry built around the idea. You may not have the capability yourself but if you’re interested in getting in a ransomware, you can buy the malware from us. We’ll help you negotiate.
DS: The thing about ransomware that just blows my mind and I’m talking to police officers about this as well. What other crime, you tell me if you can think of it. Unbelievably low risk doesn’t take much skill, little to none because there’s ransomware as a service and pale be huge. Like is there another crime that hits all three of those?
MR: I don’t think so. I was just reading something that said in 2021 global ransom payments were in the neighborhood of almost a trillion dollars like $945 billion dollars and I’m thinking that kind of money and we’re surprised that so many actors out there want to get into ransomware?
DS: And there’s probably lots more that are literally like, “Oh, how do I get in there?”
MR: Yeah, that’s right I want some of this.
DS: Well, all it takes for ransomware is extremely low morals and that’s about it. I think that’s the one criteria.
MR: Yeah, exactly.
DS: Alright, so let’s get into the identity issue right now because could literally if we can somehow manage identity to the level that we ideally would want it through passwords which we do not get just from passwords alone. How many of our problems can literally drop off if we truly had 100% knowledge of identity when a user was essentially accessing data?
MR: The way I phrase it is, without identity, without accuracy of identity, and without confidence and identity, I guarantee you every security strategy is invalidated. With confidence in identity with a measure of control of identity. It doesn’t guarantee you that no one will ever enter your system but it does ensure that you will have a much higher probability of successfully being able to respond and precluding them from getting in in the first place.
DS: Well, the Verizon data breach investigation report, it’s in, I can’t remember what the latest one but I know the last few have been in the 60 percentiles. That all data breaches have been through legitimate credentials. So, you’re looking at, if you can deal with the identity issue, you’re dealing with 60% of the problem.
MR: Have a significant advantage compared to where you are now.
DS: So, where are…
MR: We are at point, it is important to remind people, but it’s not 100%.
DS: No, nothing’s 100%. We know that. There’s nothing 100% in our lives at all. But where are sort of the key drop off points in identity?
MR: Well, right now I think you start from a fundamental challenge that Most organizations that I deal with don’t have an accurate sense day to day of just how many entities. I use the phrase entity. Because remember identity is not just people. It’s machines. It’s endpoint. It’s hardware. It’s software. We just can’t think of identity as well.
DS: Identity is your machine. Oh, and API security is all about another ball game. So, I guess opening up your mind to the definition of identity and understanding, and I’m discussing this with the Chase Cunningham later is that, trust is not me trusting you the individual. It’s trusting the data access, which is a whole different thing. It’s not you’re losing trust in people, but trying to manage the trust of the data access.
MR: But I mean the reality is we have evolved into a Zero Trust architecture and strategy in part because we said to ourselves, you know we can’t assume identity the way we used to.
DS: And the federal government in this latest request is specifically asking companies to start building a Zero Trust architecture. It’s no longer a cool hip industry thing to do. The government which is truly usually late to the game, they’re even saying – get on it guys.
MR: What don’t you understand? No, you’re right. I mean the reality is we live in a world where we can no longer assume that once we verify identity. That’s it. We don’t need to do it again. Clearly Zero Trust is built around the fundamental idea. We cannot assume that. Therefore, we must continually reassess, reevaluate.
DS: So, let’s close on this. If could get along just one message to the community that is desperately trying to deal with their own security issues. And they not only hear this message, they adhere to it and they move towards managing it. What is the one message that they’re not getting now you want them to hear.
MR: First of all, there’s no one thing that’s going to solve their problem.
DS: No, one thing but you think would have the most significant impact.
MR: Dave, I’ll do two things.
DS: Alright, I’ll give you two.
MR: Thank you. First, resilience, resilience, resilience. Most organizations seem to spend their time on cyber defense. I’m going to make the walls of the castle high, sick. I’m going to build a big boat.
DS: Well, the classic line is you build a 10-foot wall. The market for 11-foot ladders goes out.
MR: Right. And so, my view is look, you got to focus more and more on resilience. How am I going to execute? How am I going to continue my business activity in the face of a successful penetration? That would be one and secondly, Zero Trust I think is a really foundational methodology for the future. This is not just a one off. Oh, don’t worry about it. I truly think this is foundational to the future.
DS: And as we’ve always heard, like security in general, Zero Trust is a journey.
DS: It is not something. Oh, boom, we got it ourselves here.
MR: You’re right about that. Well, thanks Dave.
DS: Mike, thank you so much for joining us. I was speaking with MR Rogers who is the former Chief of Command..?
MR: Well, former commander of Cyber Command and director of the National Security Agency.
DS: Thank you so much for joining us.
MR: Thank you.