Corporate cybersecurity breaches of international businesses are the most pressing matter in cybersecurity currently, says Lance James, an information security specialist, adding that corporate cybersecurity is an increasingly crucial subject, bringing cryptography and information technology (IT) security to the fore.
In an increasingly networked world, the security and integrity of government and corporate networks must be supported by a fundamentally secure cyberspace architecture, says James, who has more than 15 years of experience in programming, network security, digital forensics, malware research, cryptography design, cryptanalysis, counterintelligence, and protocol exploitation.
He is the founder of one of the first cyber-threat intelligence firms, Secure Science Corporation. Credited with the identification of the Zeus trojan horse and other malware, James is an active contributor to the evolution of security practices and counterintelligence tactics and strategies. James is the founding force behind the CryptoLocker working group, where he and his team of researchers were acknowledged for their critical role in disrupting CryptoLocker as part of an FBI-led takedown operation.
Most recently he has worked for Deloitte & Touche in New York, as Head of Cyber Intelligence. In this role, he led the development of cyber-threat intelligence capabilities within the firm. James spoke to DEALSTREETASIA at the World Capital Markets Symposium 2015 to discuss cybersecurity issues and the threats facing corporate and government cyberspace assets.
What is the most pressing matter of cybersecurity right now?
Corporation cybersecurity is the most pressing matter according to the world. It is the breaches of businesses like Sony and Ashley Madison which bring up the private blackmail issue and how corporations respond to it. There’s this gap that has changed the game, and these breaches are getting more poignant psychologically and socially.
The CEO of Ashley Madison stepped down, which is a massive kinetic effect and compromises its existence as a corporation. While I’m not in agreement with illegal activity, these breaches did uncover something important. This is in terms of the dichotomy between ideologies that have an agenda, which can open our eyes and cause us discomfort. The solution to a hidden agenda is transparency. More precisely, accountability and transparency.
We need to be ok with the hard questions that emerge and confront us. With reference to cybersecurity ethics, I’m more worried about how people don’t understand the impact of each and every breach and tend to tolerate it until it reaches a limit. We need to build an understanding of threats and priorities, in terms of knowing what the chances are and what adversary we are dealing with.
In order to fix these problems, we need to go back to the 1990s and think lean, in terms of going back and securing our systems and infrastructure. One major security feature that is underused or unused is that lack of compartmentalisation of information.
There are compartmentalised areas in US federal buildings, in terms of the physical segmentation. By applying the principle of compartmentalisation, we can already lower the attack surface by blocking, attacking, deceiving and trapping adversaries and intruders. With corporate cyberspace, it’s about building the security, isolating the exploits and sharing the information with LEOs (law enforcement officers).
How does your musical background link to your cybersecurity prowess?
Music and mathematics expand lateral and logical thinking. Mathematics has a lot to do with music, which is a programme to tell what you’re typing based on your key notes. Music is a discipline and I’ve practiced it daily. Because I know what it is like to practice a discipline, it crosses over to what I deal with in cybersecurity. Music and creativity are inter-related and with all the stress of the industry, music is a great outlet for calming down.
Many hackers and programmers often talk about how what people are doing is dumb in terms of their frame of reference. I like to ask: “How do we solve a problem?” in the real world. Very few people focus on cybersecurity as a crucial subject. With music, it expands creativity and helps in terms of developing insights into patterns (e.g. melodies). I apply that musical creativity into how I perceive things.
For instance, an insider threat isn’t as complicated as people make it out to be. It’s not if the right operational security procedures and technologies are in place. Using digital signatures and cryptography, combined with maintaining accountability for different people, based on their level of access, would work very well. Maintaining dual modes for phones would also be useful.
Mobile working: ‘Bring your own devices’ (BYOD) or separate work phone?
While separate devices are the most secure approach, I think we need an abstraction layer to keep devices separate. For instance, the iPad has sandboxing on each application. Sometimes there’s a vulnerability but it’s patched very fast. Overall, the majority of information is on the cloud network nowadays. For instance, with Fitbit, I’d rather go back into the cloud and get the data.
When it comes to exploits for iPhone and mobile devices, governments just love to access that sort of information. But it’s not the mobile devices, so much as the cloud, that will be targeted for breaching more often than not.
Musicians have a knack for pattern recognition. What I mean is that people tend to choose passwords for their mobile devices due to using their thumbs and fingers. Cracking these mobile security measures can be done using frequency analysis and data analytics.
What is the role of blockchain-based technologies in corporate cybersecurity?
A blockchain is, in essence, a historical record of transactions. The blockchain is a big file of bitcoin’s distributed data system. And in some kind of Reddit-style platform, it would grant regulators a lot of power. It’s a very powerful and mathematically proven method. Naturally, it’s mathematically secure.
It’s a really cool concept and it is solving a lot of problems. The public ledger allows regulators to validate transactions and deters misbehaviour. The cool thing about bitcoin is that it is autonomous. I think it’s great for analysis and archiving records and keeping a history of transactions in an authenticated way.
It’s the serial number on the money you see, and you can look at volume, volatility and volumetrics and understand the dynamics of the entire system. Personally, I’d rather see people make use of it or start adapting a “zero cash” approach to their transactions.
Bitcoin should be approached by people in a manner where they should step back and see how it’s going. Barclays Bank is the first British bank to support Bitcoin via Coindesk, by aiding charities to process and accept Bitcoin donations.
It’s opening up the doors and seeing how it can understand Bitcoin. It’s already autonomous and will help discourage illegal activities. Overall, blockchains are good for business.
What should government agencies be doing in response to the emerging threats that they face?
Data protection at rest (i.e. encryption) is critical for governments. Encryption is their friend. If they don’t want people to know about something, they should lock it down and make sure it is unavailable on the Internet. If anything, any material that is confidential or is sensitive in any manner, it should be encrypted and locked down. This considerably reduces its vulnerability and aids in minimising the possibility of a cyberspace attack.