Robert Bigman, former Chief Information Security Officer (CISO), Central Intelligence Agency (CIA). Photo courtesy of Robert Bigman.

Dubai

Anything that tries to protect software with software is not very good, and people need to understand that the problem is with their computers, a former chief information security officer at the Central Intelligence Agency (CIA) told Gulf News in an exclusive interview.

“There haven’t been major improvements in the software. The hackers have revealed that there are still some basic holes in the operating systems that we use, be it Microsoft or open sources like Unix and Linux. Truly, they have never been patched,” said Robert Bigman.

Bigman retired two years ago from the CIA after serving for 30 years and founded the 2BSecure company. He contributed to almost every Intelligence Community and US Government information security policy and frequently briefed congressional committees and presidential commissions.

The best example is Java, he said. The reason is that Oracle keeps replacing it with newer versions and adding functionality or capability, and every time they do that there are still holes left.

“The numbers aren’t going down. Now we have smartphone operating systems also. There are more codes out there to exploit and that is what we are seeing,” Bigman said.

“I tell my customers not to buy the very next product. I tell my customers to fix the problems themselves. Basically, what people need to do is to re-engineer their networks by isolating yourself from the internet,” he said.

With the recent news of the Heartbleed bug affecting the security of millions of websites, malware is on the minds of tech consumers more than ever.

Steal information

The bug, which would allow hackers to steal information, was disclosed by OpenSSL on April 7. Users cannot have “easy access to the internet and security” at the same time; that is impossible. “The cyber security industry has convinced people that they can have both and a lot of people have bought that idea. It is not true,” Bigman said.

He said there are methods such as hypervisor-based computing, which basically works like a cloud; that helps somewhat and makes it harder for hackers. The other is micro virtualisation, which uses hardware to protect the software, but it is not 100 per cent safe. It is much better than “software protecting software.”

Encryption does well but no one does it right, he said. Encryption makes it difficult for hackers to steal data. If people and companies do all these things, there is a pretty “good chance of protecting yourself” but you cannot do all these things and hope for the best.

When asked about cyber espionage, he said it is a known fact and many governments worldwide are monitoring the information on the internet.

From an intelligence perspective, he said it is very efficient and not hard. You don’t have to pay anyone, you don’t have to travel to do it, and it can be done from your desktop. That is why everyone does it.

Buying information

He denied that the CIA uses hackers to steal information for them. However, he said that the CIA uses contractors like everyone else to provide information and they buy useful information they want. It is a business, but the approach is different and the target role is different.

“People need to understand that the problem is with their computers. The products we buy from the cyber security companies do not solve the main issue. They can solve problems like encryption, white listing and cyber intelligence. The main problem is that the operating systems on the computer are not secure,” he said.

Bigman said the basic equation is that if you don’t have control of your IT assets, you are going to lose no matter what you buy.

As the Internet of Things gains traction globally, it is going to make “life easier” for hackers. The vulnerable operating systems are going to be placed in cars, pacemakers and wearable devices. This is what the “hackers are asking for and that is what they need,” he said.

“We fall in love with the capabilities but we don’t think of the consequences,” he added.