Former New York City Mayor Rudy Giuliani testifies on Capitol Hill in Washington, D.C., July 10, 2013. (Photo: Jacquelyn Martin/AP/File)
Former New York City Mayor Rudy Giuliani brought a marker to a cybersecurity conference Tuesday. The occasional advisor to President Trump had a few things to say to attendees of the V4 Cybersecurity Conference, and he needed a visual aid to get those points across.
Giuliani was a late addition to the agenda of this half-day gathering put on by the Visegrád Group, which represents the shared interests of the Czech Republic, Hungary, Poland, and Slovakia. He did not get into the same level of technical detail as other V4 speakers, but his half-hour talk did yield some insights into his cybersecurity priorities and those of the president who passed on appointing him as Secretary of State.
We didn’t see this coming
Giuliani, now chair of the cybersecurity, privacy and crisis-management practice at Greenberg Traurig, LLP, led off his talk at the Washington offices of Google (GOOG) with a cybersecurity confession most of us could make: “We spent too little time talking about it in the past.”
He cited CompStat, the crime-tracking system the New York Police Department launched in 1995 to map offenses precinct by precinct.
“It wasn’t until 1997 or 1998 that I thought about defending it,” Giuliani said. But the city’s effort to prevent “Y2K” calamities caused by code assuming all years start with “19” led to a new awareness of its computing weaknesses.
“I found out how undefended we were,” he said. “My wonderful CompStat program, which I’m in love with, any criminal could have hacked in.”
But just as companies and governments have begun taking cybersecurity seriously, attackers have been working harder to thwart their efforts. Giuliani cited today’s epidemic of ransomware attacks, in which malware encrypts data and demands the victim pay a ransom in Bitcoin to regain access to it, as “maybe the most dangerous of all.”
He noted that many hospitals have been hit with ransomware and defended their practice of keeping “quite quiet” about it. Security experts do not agree, saying that silence about an attack only leaves other potential victims unaware of weaknesses they should fix.
The five kinds of security companies you need
That’s when Giuliani turned to the board he’d brought to the stage, and things became complicated.
First he sketched out a pyramid, representing the hierarchy of a company or government office from C-suite executives down. Then he drew a circle around that, saying this organization “needs a company that surrounds it” to defend its computers.
That company can’t just maintain a firewall but needs to study attack techniques and attackers. “You do profiling, based on who’s coming after you,” Giuliani said.
Giuliani sketched out what he believes a company needs to stay safe from cyberattacks.
This organization will next need a second security firm to monitor activity from the inside. “The company on the inside has to be able to be sure that they’re not missing something.”
That, however, isn’t enough either. “I believe you need a third company, which is an attack and penetration company. They are attacking you all the time, as if they are the offensive guys.”
Security pros would generally agree with that — hacking-resistant organizations stay that way by having “red teams” try to defeat their own defenses.
We weren’t done yet, though. Giuliani said this organization will also need “an investigatory company” that can trace an attack back to its authors, whether they’re in China or, as Trump once famously said, somebody’s basement.
This fourth security firm should also monitor what experts call the “dark Web” — the vast expanse of servers unreachable through normal web browsers and apps, though Giuliani kept calling it “the black Web.”
Giuliani finally endorsed putting a fifth company to work defending individual employees with sensitive data. He cited his own circumstances, saying “you don’t have to hack me.” Instead, hacking his assistants would yield the former mayor’s passwords, contacts and schedule.
This cybersecurity-coaching part of the talk included a useful caveat: “In each one of these areas there are completely phony companies who don’t know what they’re doing.” This is true.
It is not so apparent whether this full-employment policy for cybersecurity types will make an organization more secure or result in a lot of managerial overhead. Giuliani himself noted that many companies get by with just the first three companies on his list.
What Trump thinks
Giuliani, however, noted that he doesn’t keep his meetings with President Trump on any list. He didn’t get into much other detail about his own security practices, either. For people who have struggled to get a sense of Trump’s tech-policy goals, the most useful parts of Giuliani’s talk were his characterizations of the president’s cybersecurity priorities.
The former mayor said Trump has a holistic view of security, in that a vulnerable private sector will wind up infecting the government and vice versa: “You have to solve this problem for the whole country.”
But while there’s “no Republican or Democratic solution to this,” Trump does expect that the best answers won’t come from the public sector. “He has a prejudice that this is going to be better solved in the private sector than the government.”
Email Rob at firstname.lastname@example.org; follow him on Twitter at @robpegoraro.