“Any Fortune 500 company that has a CIO, ought to have a CSO”, so said the former president of Lockheed Martin and General Motors International Operations, Lou Hughes, in a recent Fox News interview. Hughes’ words should not be taken lightly. Unlike other corporate leaders who routinely pay lip service to cyber security, Hughes has put his money where his mouth is. He is currently CEO of the security firm InZero Systems, an emerging firm whose hardware-separated security solutions have been receiving increasing attention among major corporations and government institutions.
Hughes and other executives interviewed by Fox agreed that Obama’s announcement that he would take action against those who engineer cyber attacks against the US is a good first step, but they added, unsurprisingly, that much more needs to be done. As if to underline this need, shortly after Obama made the announcement, the White House admitted that a Russian cyber attack had penetrated its defenses. In a masterstroke of understatement, John Kerry noted that what was needed was “the necessary re-architecting of the classified and unclassified networks”. As it stands, the White House and, no doubt, other government networks remain relatively easy targets. Jennifer Emick, a former member of the hacktivist group Anonymous, remarked, “I wouldn’t think it would be easy” (to crack a secretary of state’s ‘state.gov’ account) “but a suitably determined intruder isn’t going to find the task insurmountable.”
The current breach apparently used spear phishing to compromise the White House network. This technique simply uses social engineering to make an email or message look like it is coming from a legitimate person with a legitimate need. If the attacker gets the victim to open a malware-laden attachment or visit a compromised website, the door to the attack is opened. The malware then notifies the remote attacker that it was successful, and the rest of the malware package is subsequently loaded onto the network without anyone noticing that anything is wrong. The reason this particular attack resurfaced more than 6 months after it was thought to have been removed was that newer malware knows how to hide.
Spear phishing has been identified as the leading threat to companies and institutions. Hughes points out that his company has solved this problem with an architecture that separates one device, such as a smartphone, into two devices at the hardware level, virtually putting two operating systems on one device. The company refers to this as ‘WorkPlay Technology’. Had the system been in place on White House devices, users could have been infected through spear phishing on their personal (play) side of the device, but this would not enable the attacker to cross the barrier and access any sensitive government data on the other (work) side of the device. In the same manner, Hillary Clinton wouldn’t have had to worry about carrying two devices, one for her personal email and one for her official email. She could have used any email service she wanted for her personal emails without compromising government security. All the turmoil over her email choices would have been a non-issue.
One of InZero’s advisory board members, retired Rear Admiral Jay Cohen, formerly the undersecretary of the Department of Homeland Security, pointed out that “we are extremely vulnerable. This InZero system is years ahead of anything the government or private sector currently possesses to protect our computer networks from cyber attacks. It is particularly important in the area of homeland security.” Hughes added, “this is essentially what Congress and the Administration have been calling for. It is not only vital for our national security, but is a very important development for the American economy and our major corporations, especially defense contractors.”
If you think such advanced technology would be prohibitively expensive, think again. First of all, the technology itself is inexpensive. Secondly, each person connected to a network would virtually have two devices. With each device split into two separate operating systems, there would be no need for companies to consider buying devices for employees to use solely on their networks. In addition, as Hughes points out, “your IT administrator no longer has to worry about what you do personally. Hence, half of the problem is solved.” In other words, your IT department could concentrate on more important matters. This being the case, perhaps we could amend Hughes’ initial statement on the need for companies to have a CSO. Perhaps it should read, “any Fortune 500 company that has a CIO, ought to have either a CSO or InZero’s WorkPlay Technology.” Let’s see if the government will finally take Hughes’ advice.