By Claudia Zuidema
Two months ago a Mr. Mao Zhang sent me an email. “This is your bad luck. I hacked your password ***** and I know all your secrets.” If I didn’t transfer 3000 bitcoins to Mr. Zhang within a week, he threatened to send all kinds of files and photos to my business relations.
When Jaya Baloo, KPN’s Chief Information Security Officer (CISO), states that cybersecurity is a daily issue, she’s right. I met with KPN’s leading lady of cybersecurity at the Security Operations Center (SOC) in Hilversum while she was in the middle of a Red Team meeting.
My first question is a little corny: you are a well-known CISO, listed among the World’s Top 100 Chief Information Security Officers. What’s your biggest professional challenge?
‘KPN is a very large company and that means that there are many challenges. We have to be up to date and up to speed continuously. We also must ensure that the company and my own teams understand what we are doing and why. Keep everybody informed. Some priorities and incidents come directly from the outside without sufficient awareness of the associated risks involved. Doing things differently in the company is really a big challenge. We have to prioritize all the time. Adapt and keep our focus. Learn. Everything is changing so fast. That is not always easy. You can easily drift apart and lose your focus as a company or a team.’
Is that what you call “riding the cybersecurity rollercoaster”?
‘I have said that CISOs must get off that rollercoaster. We should not go from incident to incident. That is quite difficult. So what happens, if I can describe it briefly, there is an incident and you get a budget to solve it. Then you go up as CISO with the rollercoaster, in respect, prestige, in people, in money. At a certain moment that stops. The company loses interest in the incident, there are other things to do, people think, damn all those complicated security people who always say ‘no’ to all those cool innovations. What do you mean security? Is the business not much more important? As soon as you are seen as a complicated security department, you will slowly go down again with the rollercoaster. You are waiting for the next hack. Then you can go up again. In my view, that is not what you should do as a CISO.
The truth is, you must keep your focus all the time on the right priorities and keep your eye on what is really important. Determine together what that is and then act on that. Don’t ride the rollercoaster. And that’s bloody difficult. I can tell you.’
One of your goals is security awareness. How did you get that message in everyone’s DNA?
‘Well I don’t think it’s in everybody’s DNA yet, but we are getting there. We have a great strategy and policy team, who are working very hard in keeping everybody focused and sharp on security. We do some phishing actions ourselves, but nowadays people also come to us with questions if they don’t trust an email or something.
So not everybody is yet infected with the security virus and has their CISO’s logo tattooed on their skin, but we are getting there.’
I’ve read that you are evaluating your security policy all the time?
‘It’s more evolving than evaluating. We evolve the policy on a regular basis and adapt the policy. That means change. We are not a static security system. Most policy frameworks are static and not able to evolve with the ever-changing threats. In my view, you have to be able to evolve all the time and fast.
We meet once a year from the strategy and policy team for a major adjustment. When we meet, it is not only the security department but also with stakeholders such as legal and privacy along with the businesses. In this way, we know what is important. From a security view it is very clear why we want the business to apply certain measures and how this should be done. So a big adjustment is made once a year and then there are three small reviews during the year. We now have a very flexible architecture and a flexible policy so we can cope with all kinds of new attacks that we encounter.’
You are very open about your cybersecurity policy.
‘Yes, we have put that completely open source on the internet. (There is KPN’s free app KPN CISO, which everyone can download for free.)’
How’s that in other industries?
‘Clearly, some sectors are more closed about it. Keep it a secret? Why? The question is what is a policy for? It is not just to convince your own business, but it’s mainly for the parties you work with. So, if it’s already there to be shared with those third parties, why not just be open about it?’
With the coming of the Internet of Things (IoT) and smart devices, you have said that cybersecurity risks become much bigger. How do you see that developing in the coming years?
‘What I am most concerned about is that we are dealing with people who buy all kinds of inexpensive devices. They look on beslist.nl or whatever and then they just buy a webcam or smartwatch from some Chinese marketplace. That device can be connected with so many things and you do not know what kind of dangers that entails. There is no testing framework. There is no certification framework. This is what the EU’s cybersecurity organization wants: a certification track for all IoT devices, otherwise the product cannot be sold in Europe. I wonder whether this is beneficial for consumers and will not only result in profit for the companies that have to provide those certifications. Our challenge is to identify the IoT devices on the network and to protect users as much as possible.’
I have a question from a societal perspective. Where do you think society is going in the next 3 to 5 years in terms of data, cybersecurity and privacy? What is the next development?
‘Well something that we are all already working on, but between now and 2024 a new standard comes out, we hope, for cryptography and how we will encrypt information.’
You mean the development of Quantum Computing?
‘Exactly. KPN will continue to further investigate and develop the possibilities of quantum computing-resistant encryption in the coming years. My biggest concern is that we are not fast enough to keep up with developments in Quantum Computing. That we lag behind in implementing security measures in the hardware and software landscape that we have throughout the world.’
And why is that?
‘Because hardware and software vendors are not so fast anyway and because there is no actual incentive for them. We do not have enough time to test all that new cryptography and encryption in the field, and, also, even if you have a great standard, implementation from a standard can deviate depending on who has implemented it.
So, I only foresee pain, trouble and misery and that is why KPN has already started to test certain encryption possibilities on products. And we are working hard on bringing these possibilities to a higher level of maturity.’
And do you do that alone or with cooperation partners?
‘No, we have a lot of cooperation partners. We do a lot ourselves, but there are several things in this field. For instance, the post-quantum cryptography that we do is with the University of Eindhoven, but we also have someone who obtained their PhD there developing special tooling that we use. We also have someone with a PhD from Delft in quantum information systems, and there we are looking to see if we can build a whole new form of internet, the quantum-safe internet.’
That is really a whole new development. How do you see that internationally? Are there developments already under way?
‘Certainly. The whole world is working on this. But you know what the funny thing is? Quantum is one thing, but it is certainly not the only thing. What I also see is that we are working more and more together when it comes to sharing information about threats. In the past, we already had some ad hoc cooperation, things we did together. We have a Computer Emergency Response Team within KPN and they share information with other CERTs. But this cooperation is very often informal and human-based. There is no automated sharing process and what I expect in the future is that we will be much more automated and faster to share information to recognize the real big threats faster and stop them. The spreading goes so fast and sometimes from such unexpected angles that we simply must act together to be effective.’
‘But just for the record, the bad guys have known all this for a long time; they already work very well together. Only the good guys don’t get it and are not up to the speed that the bad guys work. So I think it’s just a simple game of time and speed.’
Are we talking about the real cybercriminals?
‘Yes, the cybercriminals. What we see, for example, is that they learn faster from each other. The tools that cyber criminals use adapt more quickly than the possibilities we have for the defense systems.’
What should the government do?
‘The government should start with organizing itself, then we would be much wiser in the Netherlands. In the Netherlands, cybersecurity really needs more collaboration. It is too fragmented.’
‘Look at the example of England. In England, they have put all cybersecurity units together in a way that they are much more connected and in cooperation. In the Netherlands, we have a national cybersecurity center for the government and vital companies. But you also have the Digital Trust Centre for small and medium enterprises, which causes a split in expertise and know-how that does not seem necessary.’
Talking about safety: when you receive requests from the police or investigative services, are you obliged to answer?
‘We have certain obligations, of course, and all of these are mandated by law. For example, wire-tapping, which is mandatory for us to do when we are provided with proper documentation from the police. Telecom law states what we have to do. So if we get a notice and takedown order, we have to act on that within a certain time.’
Does that happen often? A notice and takedown order?
‘That depends. It can arise because it is a real criminal thing, but it can also arise because there is abuse from a particular site, or that someone is really spamming, or doing other horrible things that they are not allowed to do. But I think you have to be careful as a citizen or as a company when you are asking for things to be done that are not clearly described by law. We have a very decent government in the Netherlands and a very decent police force, they do not act very quickly and they just obey the law and we do too. So no, we do nothing more than what has already been explicitly mandated. What we try to do is to report abuse proactively to the authorities.’
What about threat intelligence?
‘You mean actual information about threats? You see, we have different types of threats. You have to imagine that most of the threats we get are threats to the masses. I do not think that is so important. I think that threat intelligence is only important when it’s actually about devices or software or protocols that we use within KPN. You have to look first if that threat intelligence is related to my company or whether it concerns companies like us. For example, the things that happen to Telefonica or German Telekom, we look at very explicitly, because these companies have a similar threat model to ours. So those threats that are a threat to them today would be a threat to us tomorrow. We also try to learn from that. How should we do things differently? And then, the third thing is we look at everybody else. But very often now in threat intelligence land they start with everybody else. We do not.
The AIVD does not do so much directly with us for threat intelligence. But we work closely with other operators in the Netherlands, for example, to share threat intelligence with Vodafone, Ziggo, Tele2 and also the National Cyber Security Centre.’
About the privacy and security combination. You have your own Privacy Officer?
‘Yes and she’s great. Rachel Marbus is the former NS Privacy Officer, a diehard specialist and it’s great working together.’
Because I wondered, has that cooperation increased since the GDPR came into force?
‘GDPR is actually a giant compliance exercise. What we mainly see is that it entails a lot of administrative work and I think that once we have worked out all the teething problems and first pain points of the GDPR, that the framework will lead to real improvements for the future.’
And where do security and privacy touch each other the most?
‘Everything and in every way! We always say: “you can have security without privacy, but you cannot have privacy without security.” So if you want to give or guarantee privacy, you have to take security measures. Because in security, we have a number of objectives that we always pursue in parallel: confidentiality, integrity, and availability. Availability may be a lesser concern regarding privacy, but the confidentiality and the integrity of data, that must be 100 percent realized if you want privacy.’
I have one final question: what is your biggest concern for the future? In your TED talk you say: ‘cybersecurity is something for everybody, every day.’
‘Now you have to know we are a group that keeps the rest of KPN sharp when it comes to cybersecurity awareness. But you need the rest of KPN to actually implement it to make it safer. And cybersecurity risks are present every day in the Netherlands, Europe, and the world, but they are not visible or do not happen in a central location. So my biggest concern is that you do not have enough people and critical mass to actually reach the scale you need to really improve and stay secure.’
‘Actually, listen, have you also heard of the Greek myth of Kassandra? That is still a bigger problem for a CISO. Kassandra was that Greek goddess who knew what would happen in the future, but no one believed her. So you may know it all, but nobody believes you. And I think that is the fate of most security people, that you know what’s going to happen, but nobody is listening….’
About the author
Claudia Zuidema is editor in chief of DCSP and managing director of deLex Media. She has over 25 years of experience in the publishing industry.