Dig deep and look sideways

Infosecurity Today, July/August 2005 (interview)

Brian McKenna

Robert Lee Ayers was the director of the US's information warfare programme, and holds security clearance in the UK, where he now lives. He spoke to Brian McKenna about the need for IT security specialists in the commercial world to dig a bit more, and think more laterally.

Bob Ayers: business counter-intelligence goes beyond IT security

Bob Ayers collects antiques. Early English drinking silver and German World War II militaria are his two main areas of expertise, but his eye was recently caught by a small blue ceramic elephant in a charity shop window. He bought it for four pounds, but it is worth about £150. “I knew the elephant had been made by the Van Briggle pottery factory in Colorado Springs. Collecting antiques is a variant on intelligence. When you go to an auction, if you know more about what's being sold you will be successful”.

Ayers moved into the commercial sector after thirty years' service in the US military and civil service as an intelligence and counter-intelligence specialist. He learned most, he says, as the director, Defensive Information Warfare Program and Department of Defense Information Systems Security Improvement Program. There, he established the first DoD Computer Emergency Response Team (CERT), the first DoD Vulnerabilities Analysis Assessment Programme, and the first twenty-four by seven security operations centre to monitor DoD systems.

Countering organized adversaries

The concept of information warfare has a central part in his philosophy of security. “If you think of IT security as having the objective of keeping a teenager from breaking into your computer systems - which is, essentially, what it is - then defensive information warfare is a programme designed to keep an organized, systematic adversary from breaking into your machines. As a problem, it is an order of magnitude more difficult”.

Ayers is now bringing some of his military intelligence experience and terminology to bear on security problems in the corporate sphere. “People in the private sector are not as concerned as they should be about adversaries getting at their information. They know what information is important to them, true, but they tend not to have in place mechanisms to ensure that their information is not leaking out electronically, and casually, by way of emails to friends, and so on”.

He tells a story of a European banking client who had procured his consultancy's services to do an email survey. The good news, for the managing director of the bank, was that there was no leakage of information to the outside. The bad news? That the MD's second in command was conspiring to have him removed in a boardroom coup. The would-be conspirator was fired on the spot.

Background checks

A standard practice in military counter-intelligence is the pursuit of the 'developed character reference' as opposed to the character references that people themselves provide. “There is a very risky absence in the UK of personnel security”, says Ayers. “You have to dig into the information that people supply when making applications. You need to speak to the references they list on their CVs. You ask the listed character references for the names of others who may know the applicant. Developed character references are where the really good information comes from”.

He bewails the lack of online information in the UK as opposed to the US. “There is a lot more information available online in the States than there is here - for example, property records, voting records, driving licence information, and criminal records. So you can do a fairly good check not possible in the UK.

“It just makes no sense to spend millions of pounds on IT security if you have a crook as your system administrator!”

Ayers gives a couple of examples from his time in the military of when the 'developed character reference' came into its own.

He recalls that, when he was the head of security, and the clearance authority in a nuclear-capable unit, he got a slim dossier on an army officer with thirty years' service. “He was a great soldier, but the odd thing was that there was no verifiable record of his life prior to his eighteenth birthday, when he had signed up”.

His fingerprints were checked with the FBI, and it turned out he was a deserter. He had signed up, illegally, as a fifteen-year-old, angry that his brother had been killed in Korea. He then got scared when about to be shipped overseas.

“After years of living with the shame of being a deserter, he re-enlisted under an assumed name to make amends for what he perceived to be his earlier cowardice.

“He started crying when I confronted him with this information”, says Ayers. The upshot was that the soldier was given a non-judicial commanding officer punishment of two weeks confined to barracks - which was suspended. And so, his record was cleaned up.

A less happy incident involved a US captain whose German wife turned out to be a spy. “Her mother's birthplace was in the DDR, and she'd made over 40 trips to East Berlin in a short space of time. Now, you don't go to East Berlin for the shopping. It would be like going to the tip. Anyway, it turned out that her relatives in the DDR were being threatened by the Stasi, and she was, indeed, a spy. The husband knew nothing of her trips to East Berlin”.

Incidental patterns

The most enjoyable interlude in Ayers' career also demonstrates a preference for the lateral.

From 1979-1983 he served as staff officer at the US DoD Indications and Warning System Secretariat. There he conceived, developed and implemented the DoD Worldwide Indicator Monitoring System, which was an automated programme to detect and predict attacks on US military forces. He developed detailed scenarios used for Soviet/Warsaw Pact attack on NATO forces, North Korean attack on South Korea and Sino-Vietnamese conflict.

“Essentially, I was interested in seeing how automation could be brought to bear to solve indication and warning problems. I got sent out to Stanford to work with mathematicians there, and became the subject matter expert on the North Korean warning problem. So we would lay out the problem, the likely sequence of events, the Stanford people would convert that into computer programmes. We automated a problem that no one had previously thought was automatable”.

Cyber-terrorism

Ayers is impatient with the view that cyber-terrorism is over-hyped. “No, the threat is very real. The technology coming out of Afghanistan and Iraq indicates that people you might see as technically illiterate terrorists waving AK-47s in the air are, in fact, technologically sophisticated. And the more effective physical counter-terrorist programmes become the more likely it is that these people will turn to logical weapons”.

The irony of information warfare, he says, is that “the more technologically advanced you are, the greater is the harm that you can have happen to you. The less technologically sophisticated you are, the more immune to significant damage you are. It's an asymmetric relationship.

“We've been very fortunate not to have had a real systematic attack. Think about the damage done by the malicious code programmes released over the last few years, and imagine what would happen if you had 50 people working on a multitude of attacks. It would be catastrophic”.

Curriculum Vitae

Career

2003 - 2004 Director, Critical National Infrastructure Defence, Northrop Grumman Information Technology

2002 - 2003 Director, Business Risk Services, @stake, United Kingdom

2000 - 2002 Managing Director, Para-Protect Europe, United Kingdom

1998 - 2000 Principal Security Consultant, Admiral plc, United

1997 - 1998 Senior US Representative, Polish NATO C2 Interoperability, US

1992 - 1997 Director, Defensive Information Warfare Program and DoD Information Systems Security Improvement Program, Defense Information Systems Agency (DISA)

1979 - 1992 Defense Intelligence Agency (DIA)

Director, DoD Intelligence Information Systems (DoDIIS) Computer Security Program (1990-1992)

Deputy, Information Systems Operation and DoDIIS Architecture and Engineering Directorate (198 -1990)

Program Manager, Consolidated CIA and DIA Support to Analysts File Environment (SAFE) Program (1983 - 1988)

Staff Officer, DoD Indications and Warning System Secretariat (1979 - 1983)

1969 - 1979 US Army Intelligence Officer, Worldwide Service

Education

1965-69 Lynchburg College, Lynchburg, VA

1976 State University of New York, Buffalo, NY, Bachelor of Science, Psychology

In antiques as in security: knowledge is power
