'Internet-obsessed kids can be co-opted to check hackers'

With hackers prowling the internet in various guises as criminals, hacktivists and state-sponsored rogue attackers, it is time for the world to invest more on creating cybersecurity experts, says Richard Marshall, director of global cybersecurity management, Department of Homeland Security of the US government. He spoke to Deccan Herald’s L Subramani on the sidelines of Securitybyte security conference in Bangalore recently. Excerpts:

You have been a vocal advocate of investment in the R&D for cybersecurity. How do you think that will work?

We’re not talking about the Indian problem or the American problem. As we are connected to the central nervous system called the internet, the problems remain global. So far, our response to cyberattacks has been reactionary. We let the adversary pull us before we push.

Hackers constantly think on how to get into the system. Much of the software used in the US has been developed out of here (India) and without security, we would find malware (virus) being injected into them. Internet is also largely without borders and so, it would be easier for criminals to pick on the weakness and attack sitting in a corner of the world where they are unencumbered by laws and justice. So if we were to win this game, it is important for us to take control of the operational environment. This doesn’t mean we must simply stay ahead, but to rest back the whole control and let them react. This is possible if only we have more focus and investment in researching on cybersecurity.

In the US at least, investment on cybersecurity has been less. We have (university) scholarship for those playing certain sports. The sportsperson remains productive for just six or seven years getting into the pro circuit. Investments in science and engineering on the contrary, would keep professionals active for 20 or 30 years, which is what we need if we were to have control on cyber environment.

The talk of cybersecurity in India emanate more from the business side, prompting most of us to think that such talks are motivated by business gains...

This is not unique to India. It is not right for me to comment on what India should do to solve this problem, but it can learn from what other countries are doing. Awareness on a wider level has been an issue, which, I guess, can be tackled if the government takes it up directly.

In the US, for instance, we have launched what is called ‘Cybersecurity Awareness Challenge’, which has generated tremendous awareness among common people. As users of technology, their participation in cybersecurity is more important. We have a problem not just at work place, but from school down to each household. Young children are early adaptors of technology; their parents are not good at understanding the threats either. So a mass awareness campaign should help.

How real is cybercrime in the US?

Oh it is very real. One of the major problems for people in our country is stolen security numbers. The money is very helpful to them when they grow up. However, those who have their numbers stolen realise after growing up that the money has gone and they are left with massive debts instead. Illegal aliens set up false identities, which is a huge national economic problem. If this continues, people would lose faith in economic system.

You talk about talent building. Is there a demand?

Indeed. One of the most ironical pieces of statistics in the US is that when the country’s unemployment rate is 9.6 per cent, there is almost zero per cent unemployment in cybersecurity. We need people; more people with better expertise if we want to tackle this problem effectively.

What other things we should try in order to save the world from disastrous cyberattacks of the future?

I am in favour of learning from each other’s experience. Conferences and other informal forums are probably the best means of exchanging ideas at a people-to-people level. It can’t get any better than a bunch of people who have solutions for different pieces of the problem discussing them sitting across the table.

While we may still produce academic experts, favoured by most security agencies and commercial security solution vendors, there must be an inclusion of the ‘under the basement’ kids, who are 24/7 on the internet and are constantly thinking out of the box.

They are artists and are probably the best counterweights for hackers who, like these kids, have a feel for what they do and are artists in their own rights. Cybersecurity is not a political issue; it is a technology issue and probably needs unconventional approaches.