The interview took place before the PRISM-program was revealed.
This article is published in I/O Magazine, June 2013
What are the most important challenges for the US when it comes to cyber security?
‘On the top of our list is the area of education. We need a new generation of cyber-security defenders. In the US, fewer and fewer students are going into science and technology, yet the job market in cyber security continues to expand. In order to get kids interested in the field, we have organised a national cyber-defence competition at the collegiate level. In total, 1500 kids took part in a competition in which they had to defend a computer network. In the last few days we have been talking about this with our Dutch partners to see whether we can help them in setting up something like this in the Netherlands. Companies can help to fund such a competition, and they can find their next generation of employees among the kids that take part.’
In terms of challenges, I guess I was thinking more about cyber crime and cyber warfare...
‘Sure, cyber crime is a big concern. Criminals tend to have the latest technologies and law enforcement often lags a bit behind, so of course we are fighting to catch up.
Another big challenge is how to share information between the public and private sectors. In the US, the private sector owns 85 to 90% of the critical infrastructure such as power grids, water supplies and telecommunication. We at the government often have information about cyber threats that we need to share with the private sector in order to defend those critical infrastructures. The threats we are facing are basically the same threats that the Netherlands is facing, so there you can already see the importance of working together.’
I was surprised to learn that a country as huge as the US would want to collaborate with a country as small as the Netherlands in the field of cyber security.
‘I wouldn’t put it like that. In the world of cyberspace you can’t solve problems alone. We try to work with anybody who has good ideas. We also have partnerships with countries like the UK, France and Sweden. I have been in the cyber-security research community for 25 years now, and I think the Dutch academic community in this field is extremely strong. The Dutch have a very strong background in computer systems. And in cyber forensics the Dutch are ahead of most others – if not all others – in the world. We view the US-Dutch collaboration as extremely important, and I believe we are going to have a fruitful partnership.’
What do you expect of the partnership?
‘Our goal at the DHS is to get cyber-security technologies researched, developed and commercialised, so we are more focused on applied than on basic research. We fund projects that have a possibility of being commercialised. We know that we will fund some research at the Dutch Forensics Institute (NFI). Furthermore, we have talked in the last two days with the Dutch National Cyber Security Centre as well as NWO about some other concrete projects, but we haven’t finalised those talks yet. We are also discussing the possibility of calls for collaborative research: respondents would have to show a research proposal with both a US and a Dutch component.’
Can you tell a bit more about some of the research areas that will be involved in the partnership?
‘One common theme for both the US and the Netherlands is setting up Incident Response Teams. How do you put together a team that has to act in case of some cyber emergency? What are the types of skills that members of such a team would need? This is not a technical problem, but rather a social-science problem. Cyber security is not only a technical field. Sometimes it’s more about humans than people realise. Furthermore, there is an economics question: what causes companies to invest or not to invest in new cyber-security technology? And what are the incentives for criminals? From the side of law enforcement, there is the key question of how to extract information for legal prosecution from the data owned by cyber criminals. These are the themes that we have agreed on so far. We are still discussing collaboration in the field of control systems for vital infrastructures and in the field of electronic identity. Which technologies can we develop to make digital identities more secure?’
Will the research done within the partnership be open or classified?
‘It will be open, like almost all of the DHS research programmes. Only some of the research that the DHS does with the law-enforcement community is classified.’
Apart from technical issues, isn’t raising public awareness another important aspect of cyber security? Many ordinary computer and Internet users have no idea about their vulnerabilities.
‘Sure. That’s the reason that the US has started the national campaign “Stop. Think. Connect.” This campaign is aimed at increasing the public’s understanding on issues like identity theft, fraud and phishing, cyber bullying and cyber predators: people who search online for other people in order to use, control or harm them in some way.’
What can realistically be achieved in cyber security in the near future?
‘First of all, we can make improvements in the security of the Internet infrastructure. Domain Name System security is one such improvement. It means that when you visit a website, you can be sure that it is really the website you intended to visit and not a fake website that looks similar. The same goes for data integrity. If you go to google.com and you get data, it should be automatically guaranteed that the data have not been changed underway. Second, since so much of Internet use takes place nowadays via mobile devices, we have to stay ahead in the mobile world, which is a very different one from the traditional desktop world. Third, the next generation of hardware and software systems needs to have built-in security. Internet users should not have to worry about security. The Internet should be like water or air.’
I am sure that you know the TV-series ‘Person of Interest’. How realistic is it according to you?
‘Hollywood is always interesting when it’s doing cyber security. Some of such series have been predictive. However, I think that ‘Person of Interest’ causes more anxiety than that it raises awareness. Hollywood is Hollywood. Sometimes they are ahead of the game, and sometimes they are not.’
---------------------------------------------------------------------------------
NWO research projects on cyber security
In April 2013, nine Dutch cyber-security research projects received a total of EUR 3.2 million in funding from the Netherlands Organisation for Scientific Research (NWO) in connection with the first call for proposals in the long-term Cyber Security research programme. The nine projects will investigate a wide variety of cyber-security challenges. For example: Can ‘backdoors’ in embedded devices (allowing cyber criminals to control them remotely) be automatically detected? What can we learn about the personality traits, the motivations and the networks of cyber criminals? How can we strengthen the weakest link in cyber security: consumers without any expertise? How can we find a balance between securing personal data and keeping information systems user-friendly? How can security analysts best detect malware? A second call for research proposals is expected this summer. The proposed research all fits in with the Dutch National Cyber Security Strategy (NCSS). As part of the strategy, in January 2012 the Cyber Security Centre has been founded, that collaborates with NWO.
Internet
Cyber-security treaty signed between the US and the Netherlands:
www.nwo.nl/actueel/nieuws/2012/nwo-en-ncsc-geven-invulling-aan-nederlands-amerikaanse-samenwerking-in-cyber-security-onderzoek.html
Nine NWO projects on cyber security:
www.nwo.nl/actueel/nieuws/2013/ew/negen-projecten-in-cyber-security-onderzoek-van-start.html
Nationaal Cyber Security Centrum:
https://www.ncsc.nl
Department of Homeland Security on cyber security:
www.dhs.gov/topic/cybersecurity
Cyber-security awareness campaign ‘Stop, think, connect’:
www.dhs.gov/stopthinkconnect
DHS Science & Technology Directorate, Cyber Security Division:
www.dhs.gov/st-csd