Interview with Colonel John Doody

Telephone interview held on 9th September 2017 – as follows between Alan Radley (questioner) and Colonel John Doody (relator):

Alan: What are your thoughts on the current state of cybersecurity, both for organisations and for consumers?

Nationally cybersecurity is a grave challenge. The success and failure of Cybersecurity is based upon people – people with the right skills, and people with the right technology implementation skills – and people are the weakest point, they are the point of all failure. And if you look at any data breach or system security failure, it's always related to people not doing things properly.

Overall, in every case there are two primary reasons behind every security failure, the first (as stated) being People (and their behaviour), and the second relates to taking Ownership of properly audited assets. And in the public/private sector – ownership at board level is the key issue. However, boards are often paying lip-service to cybersecurity; they don't understand the value of their assets in terms of Cyber; and until Cybersecurity becomes an auditable facet of the company's annual report, they will continue to pay lip-service and will be subject to continual attack. So that's the top level view.

Alan: So is there a way in which you can see the ownership of Cybersecurity issues happening?

Well, it's very difficult, because government doesn't like to mandate. Because if a company goes down the pan because they have adopted a mandated product, then they could possibly be held to account (but they won't accept the liability – and it would be unfair competition to recommend a product). Governments are reluctant to mandate anything; and so they can make recommendations but that is all. So it is a real grey area – the issue of who takes ownership of cybersecurity on a national basis. So it is incumbent on organisations like the IOD, Companies House and Chartered Institutes to make people more aware of their responsibilities in this respect.

Would you leave your house unlocked if you went away? That's the analogy of not taking responsibility for your own security. But people don't look at it like that – they think 'Oh, it's electronic – it's OK' – 'we are not going to get attacked' – and – 'if we do get attacked we won't say anything, we will keep it quiet and absorb the loss'. But in years to come they won't be able to do that – because the losses will be so great that companies won't be able to just write it off. But then it comes to the attention of shareholders – and something will have to be done when that happens.

Alan: What do you think of schemes like Cyber-essentials?

I was part of the industry group that worked on Cyber-essentials – that's good practice, it's methodical, for adopting efficient and effective security protective measures and working procedures etc. – at least for SMEs – and it is good that it is a contracted point of delivery. However, we still have a long way to go. But big companies use ISO/IEC 27001.

These Cybersecurity factors are not new issues – and these are fundamental points that I have been making since 1993. Fundamentally in security, nothing has really changed. In 1993 a Review of Security laid down 5 principles: Authentication, non-repudiation (accountability), confidentiality, availability, and integrity (reliability). Those haven't changed; they are behind everything we do in Cybersecurity. And yet people have a hang-up on the new buzzword of cybersecurity – whereas you have to ask yourself – what is the true terminology of Cybersecurity? What is it in actual fact (the subject matter itself)? Is it the same as InfoSecurity? Or is it the same as Information Assurance?

But I go back 60 years in this business; and in the old days we had the term ComSec; then we went to the term CompuSec in the 1990s, then Information Security, with the 5 pillars: 1) protection – what are we protecting; 2) detection – recognise vulnerabilities; 3) reaction – actions put in place to correct for a breach; 4) documentation – reduces risk in the other pillars by boosting understanding; and finally 5) prevention – protective mechanisms and procedures, both human and automated.

Then later we went to the term Information Assurance – related to the NSA triangle of confidentiality, integrity and availability – which speaks about assurance levels and network capability. And then finally we have the term Cyber – and I defy anybody to clearly define what Cybersecurity actually is! And maybe that's something you should try and investigate for your book and website.

Alan: Yes – we don't see any attempts to adequately define the Cybersecurity field – anywhere – and that is all we have been trying to do with the ScienceOfCybersecurity book and site. Which is startling (the fact that nobody has created a standard Lexicon of terms that define just what Cybersecurity means at a most fundamental level).

Alan: What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?

The big issue is money – firstly from the criminal aspect. The second aspect is the inadequacy of computer software – because software programs like Windows (containing, we are told, some 50 million lines of code) have become so big that it is very hard to compile them securely (that is, analyse these massive programs into clearly understandable units of logic, action and possible causes and effects).

And so number one, it (the nominal system) has to be secure by design, and not secure by add-on. Secondly, security is not a thing that you can just forget; you have to nurture it and nurse it, and you have to keep on top of it. You have to implement patches as soon as they come out. If you take the National Health Service issue (ransomware virus problem – the so-called Wannabe virus program) – that was because managers were diverting resources away from spending money on security systems and on to upgrading from Windows XP to Windows 7, 8, 9 or 10. Windows XP was not supported; and there were holes in it. And that's the same right across the board – in many organisations today.

Alan: It does seem that what you are saying is that large software providers like Microsoft are not taking responsibility in any way? We are not really able to make them take responsibility for flawed products.

Well, Microsoft is a business, and they are out to make money – so return on investment is the number one priority. But if you ask a customer of Windows, how much of the capability in that software do you use? I would suggest that 70 percent of Windows is not used by most people. So why are we creating these megaliths for everyday use when in fact nobody is using most of the functionality? Why can't we have a cut-down version for most people – one that would be far simpler and easier to protect – and with more easily understandable vulnerabilities/security bugs and related security protective measures. We need one version of Windows for business and one version for individuals, for example, and not just named versions of the same software, but actually completely different operating systems.

Alan: I have always said networked computers are beyond any single human’s understanding (or even a group of humans) – we have hundreds of millions of lines of code, running dozens of programs –  potentially connected to hundreds of millions of networked computers!

No, they don't! And there is a side issue there in relation to connectivity.

But overall, an important issue is standardisation and accreditation of networks and related topics – to allow safe connection of computers to the open network. But people still do stupid things, opening up email attachments from people they don't know, connecting to WiFi networks that do not have adequate virus and malware protection (e.g. in coffee shops or at work on WiFi dongles etc.) – and these sorts of networks are open and they can get your details – the hackers can.

An example of foolish behaviour is when I used to go and do penetration testing on some major organisations – and within the first half an hour we had many passwords and login IDs because they were on post-it notes near people's desks (for example). Also the system admins had failed to delete dormant accounts for people who had left the employer a long time previously – leaving an open door for hackers (a front door).

And there's the actual patching – many of the networks were not patched properly and were out of date – the administrator had not done his job.

Alan: Where do you go to find your “science” of cybersecurity?

Well, I do a lot of research online; I have attended many, many conferences; I chair a lot of conferences; and there I pick up policy, processes, procedures etc. But at the end of the day, most of it is common sense. There is nothing magic about it – the most common vulnerabilities are similar to not locking your front door when you leave your house etc.

But we must all recognise that information and data have a value – and accordingly, CISOs and CTOs should make great efforts to value and provide the appropriate protection for their assets – at all levels – and in all situational circumstances.

Another issue is that we are faced with ever-increasing costs in order to protect data; yet the hacker has no costs – they are minimal. And the utopian aim should be to redress that balance and reverse this dynamic – making costs exponentially high for hackers and very low for the defenders! The question is how!

Alan: Do you recommend a particular cybersecurity blog that our readers could follow?

That’s difficult. I am still connected to certain parties who I cannot divulge. I would suggest that people go to the National Cybersecurity Centre for advice and help – which is the main authority in the UK (formerly CESG).

Alan: What keeps you up at night in the context of the cyber environment that the world finds itself in?

Well, sometimes I get up in the night to answer nature's call – and I walk past my router – and I see lots of green flashing lights on it to indicate network traffic. I wonder what on earth is going on – and who/what is connected to my computer and what is happening on my computer – which I always leave switched on. Is it a hacker or a legitimate connection – I don't think anyone knows. The other thing that keeps me awake is those people who don't worry – who don't care about the valuable assets that they are responsible for.

Thank you kindly Colonel John Doody for taking the time out of what must be a busy schedule to answer our questions in such an educative and interesting way.

Interviewee: Colonel (Retd) John Doody,

FBCS FCMI CITP IISP MIOD,

Director, Interlocutor Services Limited, UK.

BIOGRAPHY – COLONEL (Retd) JOHN DOODY

FBCS FCMI CITP IISP MIOD

John Doody is Director of Interlocutor Services Limited, a company established in 2003 to promote Information Assurance and Cyber Security issues both nationally and internationally. The company offers a range of services including Marketing, Communications, Public Speaking, Strategy Reviews, Information Assurance and Information Technology; these services are geared to the strategic level within government and industry. Prior to this John served at CESG/GCHQ for 10 years in the appointment of Head of Information Assurance Customer Services. He has a wealth of knowledge across the whole spectrum of Information Assurance and Cyber Security. In this latter appointment he was a major contributor to CESG's move to a commercial business footing. He also has a major role as a Non-Executive Director of a security company as well as providing Strategic Advice to a number of major UK and US IT Security companies. John is a retired officer of the UK Royal Corps of Signals, a Corps in which he served for 33 years to the rank of Colonel. He is a qualified engineer and has held a number of strategic engineering appointments in the UK Ministry of Defence, including system support to PTARMIGAN and WAVELL, the army's tactical communication and CIS systems, and Director in the Procurement Executive as Project Manager for Army Electronic Warfare, Battlefield Target Engagement System (BATES), Air Defence CIS system (ADCIS) and WAVELL. John has worked in the R&D environment on Electronic Warfare Simulation. John has chaired many international committees dealing with Information Assurance, communications and interoperability. John is well known on the national and international Information Assurance and Cyber Conference circuit, where he has chaired many events and has given many talks on Cyber Information Assurance. He has delivered over 100 papers on Security.
He is a past President and Vice-President of the AFCEA UK WEST Chapter and served as a Member at Large for AFCEA London in the early 90s. He is also a member of the BCS Community of Security Expertise.

John is well known in the Cyber and Information Assurance domain, having had 59 years' experience in defence, government and industry, and brings a wealth of knowledge to the Cyber and Information Assurance debate.

He is a committed Cyber Security Evangelist.

He was recently elevated to the Infosecurity Europe Hall of Fame.