SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

Interview: Casey Fleming, Chairman & CEO of BLACKOPS Partners

Thanks, everyone, for joining us on the Security Influencers Channel. We're hosting a series of brief and highly informative interviews with influential security leaders and in 2015, we're talking about the implications of rapid software development and continuous security. Today, I'm pleased to have with us, Casey Fleming. Casey is the Chairman and CEO of BLACKOPS Partners. Prior to BLACKOPS, Casey was the CEO of Strategic Security Partners. He was a Senior VP and General Manager of Good Technology and he previously held executive positions with Deloitte Consulting and IBM Global Services.

In this interview, we discuss why this past year is being referred to as the year of the breach. We saw Target CEO and CIO let go after the breach and there are number of other high profile breaches that raised the public consciousness. Casey shares his thoughts on how the Board and senior executives need to change their view of information security. We also discuss why many businesses almost prefer not to make the security updates even when they know they've been compromised. 

The following is a brief excerpt of our interview:

Jeff Williams: So tell me, what's the biggest takeaway you have about today's information security situation?

Casey Fleming: Well, I think we're all realizing that the year 2014 was the year of the massive cyber breach or massive information security breach. The biggest take there - I'm gonna give you three takeaways - not just one. Number one is U.S. companies are in a full-blown economic war.

Jeff: You think it's fair to call it a war?

Casey: Well, the reason I say that is because we lose about one-third of our GDP every year to stolen innovation and stolen trade secrets, so that's why I say it's an economic war. It's supported by lots of documentation out there. One that I'd recommend everybody look at is the 2011 National Counterintelligence Executive Report. Take a look at that and it will bring you up to speed. That will be some light reading for everybody.

Hackers have better tools than you...

The second thing is insider threat. The entire industry is around cyber, cyber, cyber to the huge exclusion of the actual human side of the cyber threat. The insider threat eclipses the cyber piece of it. I'd like to open up everybody's mind to the insider piece of it. Over 95% of all cyber breaches are facilitated by some type of human intervention whether it's an insider spy or insider carelessness or something or other.

The number three biggest takeaway I'll give you is what most companies do today is a defensive type of perimeter strategy. The way that we have to fix that and we have to have people look at it is from an offensive or data-centric and intelligence-based strategy. Those are the three takeaways I'll give you when you only asked for one.

Jeff: Let me dig into this a little bit. So on the first thing, you said a third of GDP. So that's what? Roughly $5 trillion?

Casey: Absolutely. 2014 GDP was $16.7 trillion. When you look at we're losing about $500 billion a year in just the raw innovation, the raw research and development, trade secrets and so on. But when you multiply that by the 10 years, that that's supposed to generate the company or generate the revenue, profit and jobs for a company, that's how you get to $5 trillion a year, because you're removing not just the raw innovation from the economy, you're removing the 10 years worth of value that was supposed to generate. So that's how you arrive at $5 trillion.

Jeff: Sure. So if some foreign country steals some of our intellectual property from Boeing or Sony or someone and then they release it in their country, then the U.S. loses all the future revenue from that innovation.

Casey: Absolutely. In most cases, nation states develop that back in their own country takes about a year and a half since all the innovation is done and research and development is done, and then they release it back into the United States usually at 45 cents to 50 cents on the dollar because they don't have any innovation cost. So it's your worst nightmare. You've got your worst competitor using your innovation.

Jeff: What kind of innovations are we talking about here? Is it fighter jets? Is it software? Is it drug formulas? Where are we talking about?

Casey: It's absolutely everything. When you look at $500 billion a year, it's every industry, every technology. It's everything you mentioned and more. It's all of it. It's cancer drugs. It's fighters. It's printers. It's computers. It's engineering designs. It's anything that generates value or a competitive advantage for a company.

Jeff: You're saying this must be in almost every company. To get to a five trillion number, you've got to hit a huge number of companies.

Casey: That is absolutely the truth.

Jeff: So you're saying that the huge percentage of U.S. companies are already penetrated and their IP is already being stolen and exported to foreign countries.

Casey: That's exactly what I'm saying.

Jeff: Yeah. Sobering, very sobering.

Casey: By the way, most cyber breaches, the cyber attackers have been in your network or in your company as an insider spy for an average of about three years. That's documented in a number of reports.

Jeff: Let's go to that second point, the insider threat point, because there's a lot of contention about whether these threats are actually done by insiders or not. You're saying they are. So you're saying there's foreign national threat agents infiltrating American companies and they're responsible for 95% of these thefts.

Casey: Of the cyber breaches, over 95% are facilitated by some type of human intervention, whether it's an insider spy that could be a foreign national, but it could be a guy like you or I. I was born in the United States but I was on date- For example, hypothetically, I was on a dating site and I had a foreign national end up being my girlfriend, and now she's gonna inform my wife or my company so that I have to keep continuing to supply information. That's called a honey pot.

Every time you go to Wi-Fi, be careful. Any time you go to your local coffee house, you go to your local restaurant, trust me, it's across the street from your design group, your engineering group, and so on and so forth. There are spies that are in that Wi-Fi that are getting your VPN passwords and so on. When I'm telling you that we're in a full-blown economic war, please understand. We've got evidence, chapter and verse from our own intelligence as well as our own companies that we consult to and so on.

When I'm saying there's an economic war and we're losing $5 trillion a year, it's a full-blown economic war. In that report I mentioned earlier, the National Counterintelligence Executive, they speak to China that has a program called Project 863. It's been in existence since 1986 to basically put themselves on par or on equal footing with the West by stealing trade secrets and innovation.

To hear the rest of my interview with Casey, click here. 

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.

SUBSCRIBE TO THE BLOG

Learn how to unify security strategy across & development operations. See how to set up a CAS program with only eight activities!

Download the Handbook