Interview with Raj Samani, McAfee Chief Scientist and Europol Cybercrime Centre Special Advisor
We interviewed McAfee Chief Scientist Raj Samani on the future of cyber security. He talked about the future of cyber threats and what we can do to create a culture of cyber security in every aspect of our lives. He also shared advice on how to approach social media with kids and on how to demand better cyber security products. He talked about the pros and cons of living in a digital society and how cyber security is not an “IT issue” but an issue that touches every aspect of our everyday lives. Here you can read some of the answers he gave us.
Q-What would you say are the most persistent threats that private users, businesses and governments face?
A-I think the biggest or the most persistent issue that we see is the fact that it’s constantly changing, evolving and adapting. I’ll give you an example. One of the initiatives I co-founded was No More Ransom. And of course, we were talking about ransomware 5 years ago and today we are talking about ransomware like it’s the same thing but it’s not…
For me personally, the biggest challenge I face is my children. From a cyber security broad spectrum, I think the adversary’s innovation is the biggest challenge that we face. They are getting better, they are getting smarter, they are evolving all of the time and no longer is it just a lone individual, now we are talking about fully funded organized criminal gangs, we are talking about nation state hackers. That, I think, is the biggest challenge that we have, the adversary.
Q-You have previously said that manufacturers don’t care about security of information and how cybersecurity is usually underestimated.
So how can we, as consumers, do something to demand better products, cybersecurity wise?
A-I think we need to ask the question. When you go out and buy something, you ask what features it has or how much it costs, but at no point do we ever ask the question “Do you as a manufacturer have a vulnerability disclosure?” To me that’s important. I travelled the market for buying a new car and that’s actually a question I look at. I want to buy an electric car, a car that has autonomous driving capabilities built-in, so I want to know whether the manufacturer of the car does simple things like having a vulnerability disclosure or actively having a security research team. And you may say to me, that’s what you do because you work in cybersecurity, but if I start to ask these questions, other people, I hope, will ask these questions, and then maybe, cybersecurity can be seen as a differentiator, because if you are buying a car that literally drives itself, you want to know that they actively do research against vulnerabilities, it’s a matter of life and death. Those are the questions that we have got to start asking.
Q-You are the coauthor of “Applied Cyber Security and the Smart Grid”. Could you share more with us about your book?
A-Actually, I want to talk about my favorite chapter, which is the chapter on privacy. It is interesting, that we talk about smart grids and we think about critical infrastructures and we think about nation state attacks but for me what the smart grid represents is really a change that’s going on in our own home. There was a time when we had privacy in our homes but now we don’t. The smart grids, and smart meters themselves, are an interesting aspect to that. One of the things I talked a lot about is low intrusive activity, low monitoring, where literally electrical signals within the house are being captured by these little devices and of course from that we can determine when you have the jacuzzi on or when you have the TV on, and it’s an opportunity to determine what TV shows you are watching and for me this represents a change in the way that we live. We worry about all the information the social networks have about us, but in the future, the utility companies will know whether you are watching Game of Thrones before it comes out, they will also be able to notice if you are growing marihuana. What stuck with me during all the research was that there is a change in the way that we are going to live as a society, and if we don’t arm ourselves with information and we don’t articulate what the issues are and we don’t tell the business that we worked with, what is ok and what is not, every single thing that we do is going to be tracked, monitored and monetized for the benefit of other people. And I don’t think that’s acceptable.
Q-What would you say are the first steps in building a Culture of Cyber Security in every aspect of our lives?
A-You need to talk to people… I realized that in every single conversation that I have I need to talk to people about why this matters. Every once a month or once a quarter I go and speak to schools and explain why cyber security. And it’s not about “there are bad guys on the internet”, it is about getting people to understand that this is about every single aspect of our lives. It controls whether you get a mortgage, whether you get a job, it controls how you get to work and whether I have electricity in this house. Everything is underpinned by the three tenets of security, which are confidentiality, integrity and availability. And we, which maybe is our fault, have made people believe this is about malware, APT groups and technology, but in reality it’s not. The impact is bigger than that. I saw this with my own eyes after the WannaCry ransomware outbreak. When I was in the hospital, I actually saw them switch off the internet and all the impact that it had, and yet we still regard this as an IT issue. It impacts jobs, it impacts the reality of our lives, so without scaring people, without trying to mystify what we do, just talk to people. Explain to them what we do, say to them “hey you know what? maybe you don’t want to have your eleven-year-old on the social network, because actually you don’t know who she is going to be communicating with”. So just take some time out. Go to a school, talk to young kids. Maybe not start with malware but with cybersecurity and with trust in the digital systems we depend on. It’s about trust.
Q-What advice do you give your kids about how to use social media?
A-Honestly that’s the hardest job of my life. I started knocking every system down and not permitting them access, and I kind of still do that today with the young ones. They can’t download any new apps unless I approve them, so I get these requests and I have to review these apps and it’s hard. It takes a lot of time. With the older ones what I started to do is have that conversation with them regularly. We had a long debate about TikTok the other day. To be honest I didn’t even know what TikTok was, and I had to do my research and we had the discussion and I got to know more about it. Same with Snapchat. So it’s all about having that conversation and having that dialogue. Talk to them about what’s acceptable and what’s not acceptable, that’s the way forward.
I think that what scares me more about it is that, if you are a child today, 15 or 16 years old, and you are caught on video, saying something racist for example, saying something you regret, that stuff can follow you for the rest of your life. What really scares me is that children today, they have a remarkable opportunity, but it fundamentally comes back down to this underlying issue which is you are not allowed to make mistakes. And that’s the point of being a child. You make mistakes, you learn from your mistakes. That’s what scares me more about my children, that they are going to say or do something stupid, it’s going to be recorded, and it will be the death of their future careers.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.