
Former hacker warns: Tech alone won’t keep us safe

Photo: Marta Jackiewicz, Defence24.pl

„Many hackers, including nation states, will just sit and wait for a vulnerability to appear (…) to compromise a system. If the processes are good so that systems are built well and issues are resolved in hours or days (rather than weeks, months, even years as we often see today) then systems have far fewer avenues of compromise, and exploiting them becomes more difficult, more time consuming, if even possible. Well-designed systems, even if compromised, tend to allow for less damage too” - Greg Van Der Gaast, Managing Director of Sequoia Consulting, former hacker and global cybersecurity adviser, told Defence24.com

Dr Aleksander Olech, Defence24.com: You were once among the world’s most infamous hackers and now advise governments and major corporations. What personal experience most shaped your view on how national cybersecurity should truly be organised?

Greg Van Der Gaast: Perhaps the most foundational element of my hacking days was not the hacking but defending my own computer system from other hackers. This was before many of today’s cybersecurity technologies for fending off threats and attacks existed, and it involved simply building and configuring things properly.

Today I’ve taken this concept further and come to the realisation that to achieve the outcome of security, the focus should not be on risk, but rather on quality in what we build, so as not to have the risks that need mitigating in the first place.

It should be pointed out that every other mature industry focuses on reducing defects, not mitigating the risks they cause, and is seeing significant reductions in incidents (shipping disasters, plane crashes, etc.).


Having penetrated highly secure systems in the past, how do you assess the current state of cyber defence in critical sectors such as energy, defence and public administration? Are we genuinely safer today?

I would argue that complexity is increasing, which is a hurdle both for security practitioners and attackers. That said, the industry approach is focused more on ramping up mitigation than on improving quality of systems and applications so that they don’t have defects in the first place (vulnerabilities are fundamentally quality defects in code, configuration, build, process, access, etc.).

It is an arms race we cannot win, and we see breaches getting more frequent and bigger, at a time where we are increasingly dependent on technology.

The line between state-sponsored cyberattacks and criminal activity is increasingly blurred. How should democratic nations respond when the origin of a major cyber incident remains uncertain?

I would argue it’s somewhat irrelevant. We should instead look inward. When a ship sinks, the accident report doesn’t list the water as the culprit, but rather the failures that let it in. It’s here we should be concentrating rather than worrying where things will come from.

Considering virtually all cyber-attacks involve known vulnerabilities with available fixes, often available for a long time, there is much room for improvement here.

As a former hacker turned security leader, do you believe traditional „compliance-driven” cybersecurity models are outdated? What must change for organisations to become genuinely resilient rather than merely compliant?

The question here is interpretation. Compliance to what? Compliance to a third-party standard is unlikely to get organisations truly secure. It’s important to realise that security isn’t functional or linear, in the same way that a one metre-wide fishtank won’t hold 99% of its water if the bottom pane is 99cm long. A holistic approach is needed or there will always be a way around. And I don’t mean just security solutions, but rather all parts of business and IT process.

We recommend systematically going through these to define how to best do them with the lowest risk possible and being aware of any residual risk. Those definitions should be your personalised compliance gold standard.

Resilience is another term I don’t really like. It has come to mean ability to recover, to get back up. I much prefer real resilience; whereby systems don’t present issues that can knock them down in the first place. I don’t know of a breach, for the past decade or more, that couldn’t have been prevented by a process change.

With AI and automation reshaping offensive and defensive capabilities, what emerging technologies will most transform the nature of cyber warfare in the next decade?

I think this focus is typical of the industry, and wrong. We need to stop looking at security as a technology issue. HR uses technology, Finance uses technology, Marketing uses technology… are they technology disciplines? Security is no different.

Technology is a tool, but fundamentally we need to choose the tools that allow us to best identify and improve quality issues. Far more security assurance is obtained from developing very mature IT capabilities than from plugging in „cyber” tools, and yet security budgets (and teams) focus almost exclusively on the latter.

Europe and NATO face constant hybrid pressure from Russia, China and other actors. From a strategic perspective, what should be the top priorities for building credible cyber deterrence on the Alliance’s eastern flank?

Part of the problem with the previous question is that attribution is hard, and responses can cause escalations, and none of it is very helpful on top of getting breached.

The reality is that a system that registers no issues will get targeted less than one with many issues and controls trying to mitigate those issues.

Many hackers, including nation states, will just sit and wait for a vulnerability to appear (a symptom of an underlying quality defect like poor engineering, maintenance, etc) to compromise a system. If the processes are good so that systems are built well and issues are resolved in hours or days (rather than weeks, months, even years as we often see today) then systems have far fewer avenues of compromise, and exploiting them becomes more difficult, more time consuming, if even possible. Well-designed systems, even if compromised, tend to allow for less damage too.

All this adds up to either not appearing at all on the radar of would-be attackers (you will never be a target of opportunity if you have no visible vulnerabilities, for example), or being so time, effort and cost intensive, to inflict a reduced level of damage, that it’s no longer economically viable for an attacker to do so.

I saw the following statistics a couple of years ago: 99% of breaches involve a known vulnerability with an available fix as part of the attack chain. In over 60% of them the fix had been available for a year and a half.

It’s our own vulnerabilities that fuel this threat ecosystem, and the best solution is to starve it. There is still much low-hanging fruit if we focus on what matters.


Based on your experience at CDW and in advising CISOs worldwide, how can the private sector and government build trust-based cooperation that goes beyond procurement — towards a true partnership for security and innovation?

One of my main observations at CDW was how many customer organisations asked us to supply them with what they needed for their security strategies.

But I would not consider these strategies at all. They were often shopping lists of cybersecurity technologies, often for no clear reason other than trends and hype cycles. Or to tick compliance tick-boxes - done in a way that would not yield actual assurance.

They didn’t reflect on what underlying problems these organisations had that were causing their security issues, ask themselves how they came to have those problems, how they could move away from them, and what a strategy to do so would look like.

To illustrate this, a hotel full of rat traps may have a rat problem, but it’s never going away until you address the hygiene problem that caused it, and if the only focus is on rat traps you will never get out of it.

It’s solving that problem that will allow for a lasting improvement and reduction in issues.

In terms of collaboration, whether it be with government or any other group of organisations, the biggest barrier I see is that all such efforts that I’ve seen have been focused on security technologies, and threats, rather than how to build more fundamentally secure organisations, what that looks like, how to achieve the needed structure and authority to reshape IT and business process to introduce less risk in the first place, and so on.

These activities tend to be highly bespoke, but success stories and methodologies should be shared. Sometimes something as simple as understanding what a strategy should look like, how to speak in business terms, and how to offer your CEO a cup of coffee to get on their radar can drive better security improvements than millions spent on „cyber” technology.


Greg Van Der Gaast is now working as a renowned cyber security speaker for the Cyber Security Speakers Agency.
