Former New York City Mayor Rudy Giuliani brought a marker to a cybersecurity conference Tuesday. The occasional advisor to President Trump had a few things to say to attendees of the V4 Cybersecurity Conference, and he needed a visual aid to get those points across.
Giuliani was a late addition to the agenda of this half-day gathering put on by the Visegrád Group, which represents the shared interests of the Czech Republic, Hungary, Poland, and Slovakia. He did not get into the same level of technical detail as other V4 speakers, but his half-hour talk did yield some insights into his cybersecurity priorities and those of the president who passed on appointing him as Secretary of State.
We didn’t see this coming
Giuliani, now chair of the cybersecurity, privacy and crisis-management practice at Greenberg Traurig, LLP, led off his talk at the Washington offices of Google (GOOG) with a cybersecurity confession most of us could make: “We spent too little time talking about it in the past.”
He cited CompStat, the crime-tracking system the New York Police Department launched in 1995 to map offenses precinct by precinct.
“It wasn’t until 1997 or 1998 that I thought about defending it,” Giuliani said. But the city’s effort to prevent “Y2K” calamities caused by code assuming all years start with “19” led to a new awareness of its computing weaknesses.
“I found out how undefended we were,” he said. “My wonderful CompStat program, which I’m in love with, any criminal could have hacked in.”
But just as companies and governments have begun taking cybersecurity seriously, attackers have been working harder to thwart their efforts. Giuliani cited today’s epidemic of ransomware attacks, in which malware encrypts data and demands the victim pay a ransom in Bitcoin to regain access to it, as “maybe the most dangerous of all.”
He noted that many hospitals have been hit with ransomware and defended their practice of keeping “quite quiet” about it. Security experts do not agree, saying that silence about an attack only leaves other potential victims unaware of weaknesses they should fix.
The five kinds of security companies you need
That’s when Giuliani turned to the board he’d brought to the stage, and things became complicated.
First he sketched out a pyramid, representing the hierarchy of a company or government office from C-suite executives down. Then he drew a circle around that, saying this organization “needs a company that surrounds it” to defend its computers.
That company can’t just maintain a firewall but needs to study attack techniques and attackers. “You do profiling, based on who’s coming after you,” Giuliani said.
This organization will next need a second security firm to monitor activity from the inside. “The company on the inside has to be able to be sure that they’re not missing something.”
That, however, isn’t enough either. “I believe you need a third company, which is an attack and penetration company. They are attacking you all the time, as if they are the bad guys.”
Security pros would generally agree with that — hacking-resistant organizations stay that way by having “red teams” try to defeat their own defenses.
We weren’t done yet, though. Giuliani said this organization will also need “an investigatory company” that can trace an attack back to its authors, whether they’re in China or, as Trump once famously said, somebody’s basement.
This fourth security firm should also monitor what experts call the “dark Web” — the vast expanse of servers unreachable through normal web browsers and apps, though Giuliani kept calling it “the black Web.”
Giuliani finally endorsed putting a fifth company to work defending individual employees with sensitive data. He cited his own circumstances, saying “you don’t have to hack me.” Instead, hacking his assistants would yield the former mayor’s passwords, contacts and schedule.
This cybersecurity-coaching part of the talk included a useful caveat: “In each one of these areas there are completely phony companies who don’t know what they’re doing.” This is true.
It is not so apparent whether this full-employment policy for cybersecurity types will make an organization more secure or result in a lot of managerial overhead. Giuliani himself noted that many companies get by with just the first three companies on his list.
What Trump thinks
Giuliani, however, noted that he doesn’t keep his meetings with President Trump on any list. He didn’t get into much other detail about his own security practices, either. For people who have struggled to get a sense of Trump’s tech-policy goals, the most useful parts of Giuliani’s talk were his characterizations of the president’s cybersecurity priorities.
The former mayor said Trump has a holistic view of security, in that a vulnerable private sector will wind up infecting the government and vice versa: “You have to solve this problem for the whole country.”
But while there’s “no Republican or Democratic solution to this,” Trump does expect that the best answers won’t come from the public sector. “He has a prejudice that this is going to be better solved in the private sector than the government.”
More from Rob:
- What you should and shouldn’t worry about in Android security
- 3 ‘unlocked’ phones that might make your carrier unhappy
- The FCC just gave you a reason to hold off on buying a 4K TV
- Broadband companies can’t build out networks, and it’s hurting consumers
- Wireless carriers are fighting for your cash, and that’s good news
- How Verizon’s new ‘unlimited’ plan compares to the competition
- Study finds most people are scarred of being hacked, but don’t do much about it