Eric Cole: A Good Cyber Offence Is Not The Best Cyber Defence

Earlier today, American cyber security expert Dr Eric Cole was inducted into the Hall of Fame at InfoSec, Europe’s largest event for information security professionals.

Every year InfoSec honours notable security experts for their contributions to the industry, and Cole joins the list of such luminaries as Bruce Schneier, Phil Zimmerman, Eugene Kaspersky and Graham Cluley.

When he is not writing books, inventing new software features or securing Industrial Control Systems, Cole works as the chief scientist at Secure Anchor Consulting and fellow at the SANS Institute, where he is responsible for the Cyber Defence curriculum.

TechWeekEurope had a chance to quiz Cole about his first steps in cyber security, the importance of InfoSec and one of the biggest threats facing the world today: cyber weapons. He says the security industry is too focused on breaking into systems, and not enough on protecting them – something he’s trying to fix, one lecture at a time.

Fame

For a man who doesn’t look a day over 30, Cole has had quite a fruitful career: he worked for CIA for seven years, did a brief stint as the chief scientist at Lockheed Martin, founded several companies and served as the CTO at McAfee before it was sold to Intel –which means he was taking orders from our favourite eccentric, John McAfee.

So how did it all begin? “I was always interested in architecture and how things were created,” explains Cole. “Back in the 80s, when I was about 16, one of the friends of the family said ‘everything is going to be controlled by computers, why don’t you major in computer science, and then you could get into any other field.’”

But young Eric found computer science classes boring, and asked for an internship to see if he would like the practical work. Fortunately, the intern office set him up with a job in the cyber security department of the US government, and his first assignment was to try and break Windows NT, then develop a fix. “From then on, I was hooked. I love creativity; I love finding and solving problems. After 23 years in the field, I’ve never looked back.”

Cole told us he is humbled by the recognition of his achievements, because he never saw himself a leading authority on security. “When I first got the announcement that I’m being inducted into the Hall of Fame, my initial thought was there must be some mistake, they must have the wrong Eric Cole,” he jokes. “The other folks in the Hall of Fame are the people I look up to, the real visionaries.”

Cole says his true passion is cyber defence – something that’s currently under-represented in the security industry: “Don’t get me wrong, pen-testing is fun and forensics is fun, but to me it ultimately comes down to how you make the adversary cause as little damage as possible.” He teaches this philosophy at the SANS Institute, a professional education establishment in the US that he has been involved with for the past 15 years.

Cyber warfare

Cole admits that his work makes him worried about the future, and he is especially concerned with the evolution of malware into cyber weapons.

“If you look at the next 5-10 years, cyber warfare is what concerns me the most, and the reason is this: in traditional warfare, we regulate certain weapons of mass destruction. For example, there are some countries that are not allowed to have nuclear weapons, and there are organisations like the UN that manage these weapons to minimise the impact they might have.

“The problem is, none of those regulations, none of those groups exist for the cyber security industry. So these countries can go and create nuclear cyber weapons that can be just as devastating. It’s easy and simple for them to develop, but it’s very hard to control.”

For example, Cole says it is completely feasible to write a piece of code that could disable air traffic control over a large city, or take down the power grid, or infiltrate the systems of a water treatment facility to contaminate the drinking water.

“I would argue that the damage and loss of life that would cause would be as devastating as any weapon of mass destruction, but it’s simpler to build, and they [adversaries] can do it virtually undetected.

“If one rogue state wanted to start launching these types of weapons – most countries do not have proper boundaries or ways to stop these attacks.” In an attempt to remedy the situation, Cole has created a SANS course in Industrial Control Systems that focuses on the ways to protect critical infrastructure.

“There are a lot of courses out there on control systems and infrastructure, but what they all have in common is they are offense-based. They are teaching you how to break in, how to find exposures and vulnerabilities.

“That’s cool, that’s exciting and that will sell, but it’s not really helping people. Organisations do not need to train their staff in how to break in, they need to teach more of their staff how to secure and lock down the environment. So in our course, we focus on defensive posture, on how to protect your systems to prevent those attacks from occurring.”

“Penetration testing is good when you have fixed everything, you believe you are secure, and you’re not sure what you’re missing,” concludes Cole. “But you have organisations that know they have all these problems and they are hiring people for pen-test – that’s a waste of money!”

How well do you know network security? Try our quiz and find out!