
Dig deep and look sideways


Network Security, August 2005, p. 12

INTERVIEW

Bob Ayers collects antiques. Early English drinking silver and German World War II militaria are his two main areas of expertise, but his eye was recently caught by a small blue ceramic elephant in a charity shop window. He bought it for four pounds, but it is worth about £150. “I knew the elephant had been made by the Van Briggle pottery factory in Colorado Springs. Collecting antiques is a variant on intelligence. When you go to an auction if you know more about what's being sold you will be successful”.

Ayers moved into the commercial sector after 30 years' service in the US military and civil service as an intelligence and counter-intelligence specialist. He learned most, he says, as the director, Defensive Information Warfare Program and Department of Defense Information Systems Security Improvement Program. There, he established the first DoD Computer Emergency Response Team (CERT), the first DoD Vulnerabilities Analysis Assessment Programme, and the first twenty-four by seven security operations centre to monitor DoD systems.

Countering organized adversaries

The concept of information warfare has a central part in his philosophy of security. “If you think of IT security as having the objective of keeping a teenager from breaking into your computer systems - which is, essentially, what it is - then defensive information warfare is a programme designed to keep an organized, systematic adversary from breaking into your machines. As a problem, it is an order of magnitude more difficult”.

Ayers is now bringing some of his military intelligence experience and terminology to bear on security problems in the corporate sphere. “People in the private sector are not as concerned as they should be about adversaries getting at their information. They know what information is important to them, true, but they tend not to have in place mechanisms to ensure that their information is not leaking out electronically, and casually, by way of emails to friends, and so on”.

He tells a story of a European banking client who had procured his consultancy's services to do an email survey. The good news, for the managing director of the bank, was that there was no leakage of information to the outside. The bad news? That the MD's second in command was conspiring to have him removed in a boardroom coup. The would-be conspirator was fired on the spot.

Background checks

A standard practice in military counter-intelligence is the pursuit of the 'developed character reference' as opposed to the character references that people themselves provide. “There is a very risky absence in the UK of personnel security”, says Ayers. “You have to dig into the information that people supply when making applications. You need to speak to the references they list on their CVs. You ask the listed character references for the names of others who may know the applicant. Developed character references are where the really good information comes from”.

He bewails the lack of online information in the UK as opposed to the US. “There is a lot more information available online in the States than there is here - for example, property records, voting records, driving licence information, and criminal records. So you can do a fairly good check not possible in the UK.

“It just makes no sense to spend millions of pounds on IT security if you have a crook as your system administrator!”

Ayers gives a couple of examples from his time in the military of when the 'developed character reference' came into its own.

He recalls that, when he was the head of security, and the clearance authority in a nuclear capable unit, he got a slim dossier on an army officer with thirty years' service. “He was a great soldier, but the odd thing was that there was no verifiable record of his life prior to his eighteenth birthday, when he had signed up”.

His fingerprints were checked with the FBI, and it turned out he was a deserter. He had signed up, illegally, as a 15-year-old, angry that his brother had been killed in Korea. He then got scared when about to be shipped overseas.

“After years of living with the shame of being a deserter, he re-enlisted under an assumed name to make amends for what he perceived to be his earlier cowardice.

“He started crying when I confronted him with this information”, says Ayers. The upshot was that the soldier was given a non-judicial commanding officer punishment of two weeks confined to barracks - which was suspended. And so, his record was cleaned up.

A less happy incident involved a US captain whose German wife turned out to be a spy. “Her mother's birthplace was in the DDR, and she'd made over 40 trips to East Berlin in a short space of time.

Dig deep and look sideways

Brian McKenna

Robert Lee Ayers was the director of the US's information warfare programme, and holds security clearance in the UK, where he now lives. He spoke to Brian McKenna about the need for IT security specialists in the commercial world to dig a bit more, and think more laterally.

Bob Ayers


Now, you don't go to East Berlin for the shopping. It would be like going to the tip. Anyway, it turned out that her relatives in the DDR were being threatened by the Stasi, and she was, indeed, a spy. The husband knew nothing of her trips to East Berlin”.

Incidental patterns

The most enjoyable interlude in Ayers' career also demonstrates a preference for the lateral.

From 1979-1983 he served as staff officer at the US DoD Indications and Warning System Secretariat. There he conceived, developed and implemented the DoD Worldwide Indicator Monitoring System, which was an automated programme to detect and predict attacks on US military forces. He developed detailed scenarios used for Soviet/Warsaw Pact attack on NATO forces, North Korean attack on South Korea and Sino-Vietnamese conflict.

“Essentially, I was interested in seeing how automation could be brought to bear on to solve indication and warning problems. I got sent out to Stanford to work with mathematicians there, and became the subject matter expert on the North Korean warning problem. So we would lay out the problem, the likely sequence of events, the Stanford people would convert that into computer programmes. We automated a problem that no one had previously thought was automatable”.

Cyber-terrorism

Ayers is impatient with the view that cyber-terrorism is over-hyped. “No, the threat is very real. The technology coming out of Afghanistan and Iraq indicates that people you might see as technically illiterate terrorists waving AK-47s in the air are, in fact, technologically sophisticated. And the more effective physical counter-terrorist programmes become the more likely it is that these people will turn to logical weapons”.

The irony of information warfare, he says, is that “the more technologically advanced you are, the greater is the harm that you can have happen to you. The less technologically sophisticated you are, the more immune to significant damage you are. It's an asymmetric relationship.

“We've been very fortunate not to have had a real systematic attack. Think about the damage done by the malicious code programmes released over the last few years, and imagine what would happen if you had 50 people working on a multitude of attacks. It would be catastrophic”.

Curriculum Vitae

Career

2003 - 2004 Director, Critical National Infrastructure Defence, Northrop Grumman Information Technology

2002 - 2003 Director, Business Risk Services, @stake, United Kingdom

2000 - 2002 Managing Director, Para-Protect Europe, United Kingdom

1998 - 2000 Principal Security Consultant, Admiral plc, United

1997 - 1998 Senior US Representative, Polish NATO C2 Interoperability, US

1992 - 1997 Director, Defensive Information Warfare Program and DoD Information Systems Security Improvement Program, Defense Information Systems Agency (DISA)

1979 - 1992 Defense Intelligence Agency (DIA)

Director, DoD Intelligence Information Systems (DoDIIS) Computer Security Program (1990 - 1992)

Deputy, Information Systems Operation and DoDIIS Architecture and Engineering Directorate (198 -1990)

Program Manager, Consolidated CIA and DIA Support to Analysts File Environment (SAFE) Program (1983 - 1988)

Staff Officer, DoD Indications and Warning System Secretariat (1979 - 1983)

1969 - 1979 US Army Intelligence Officer, Worldwide Service

Education

1965-69 Lynchburg College, Lynchburg, VA

1976 State University of New York, Buffalo, NY, Bachelor of Science, Psychology

“The irony of information warfare is that the more technologically advanced you are, the greater is the danger to you”