Cisco CSO John Stewart on Fending Off Cyber Attacks

Cisco Systems, like nearly every large company, must continually fend off cyber attacks. Cisco Chief Security Officer John N. Stewart recently spoke to me about threats such as the computer worm Stuxnet and what it’s like to protect a corporate network from incessant attacks.

Rachael King: What makes Stuxnet different from other worms and is it potentially more dangerous?

John Stewart: What makes it different is how much news coverage it’s getting. This is the first one, though, that is part of the discussion about whether or not it is actually targeting the way a system is supposed to work rather than trying to exploit a problem that’s already in it. Secondarily, there’s the fear-factor, over who designed it, how it was designed, and its ultimate origin and purpose. This one can disrupt an operation and, in some cases, very critical operations.

RK: This worm was specifically designed to attack so-called SCADA systems, so what does that mean?

JS: SCADA systems were designed many years before the traditional Internet. The purpose of SCADA systems is that they’re small, micro-controlling systems that affect anything from water control valves to oil and gas industry pipelines to street lights or stop lights. There are portions of SCADA systems in almost every critical infrastructure, definitely including the power grid as well. The idea that it can affect critical systems in countries’ infrastructures is one of the fears.

RK: One of the issues in the spread of Stuxnet was employees picking up USB drives and using them when they were just lying around. Do you have policies at Cisco to try and prevent that?

JS: We don’t. Partly the reason we don’t is because people are people. Let’s take the example you just described with USB devices. You’ve got a USB picture-storage device, you’ve got a USB thumb drive, you’ve got a USB keyboard, you’ve got a USB-based iPod, all of which are storage devices of some material type. And you’ve got content that could be stored on them, including the fact that Stuxnet could be sitting on top of it. I would rather design with the idea that the format and delivery under which it would come is not one that I would take down to a hardware device level and instead design an environment that detects if something goes wrong [during data] transfer.

RK: You’ve compared defending Cisco’s corporate network to defending a home’s front door against all kinds of projectiles. Can you describe that?

JS: All kinds of attacks come at you and you don’t necessarily know one from the next. The first could be a simple, silly virus that I would liken to someone egging your house and the next one could be something like Stuxnet and you don’t know who wrote it but it seems sophisticated and it feels like either a very surgical attack from a sniper or a very large artillery shell.

Either way, because there is so much activity on the Internet of this type what you’ve got to do is go repair the front door and fix and clean your windows and harden up and then you’d start all over again tomorrow because the attacks are going to keep on coming.

This is where I think the industry as a whole is getting a little bit weary of this consistent ability for attacks to be launched without the downsides high enough to prevent it. Corporations and governments and law enforcement communities both locally and internationally are working together more diligently in a much more aggressive path because this is just not acceptable.

RK: From Cisco’s perspective, you’re sitting there and you’re defending your home but you don’t have the ability to fight back on your own?

JS: I don’t know that I necessarily want to go to the idea that I would fight back. But we’re getting to the norms and behaviors discussion, which is, what is acceptable behavior on the Internet? I think as a society we’re beginning to discover that things like stealing from my house from a foreign country is probably not acceptable when it comes to a normative behavior. You can defend or you could eliminate the threat and I think both are a relevant strategy. The eliminate part is all around law enforcement and government and the defend side is our obligation.

RK: I think many people may not be aware of the volume and extent that attacks happen, not only on Cisco but on every other company, every day of the week. Can you give me an idea of what we’re talking about?

JS: The categorizations of the attacks are the hardest part; is it egging or is it an artillery shell? It’s safe to say 24 hours a day, 7 days a week, 365 days a year, attacks are happening against companies and in many cases attacks are happening against people who are connected to the Internet.

RK: What’s your advice for companies using cloud computing?

JS: Make sure you’re talking to your cloud-services providers about how they protect your data. Don’t just trust anybody. There’s beginning to be an awareness that says when I buy a cloud-storage service using my credit card, that doesn’t necessarily mean I should be storing corporate information that’s very sensitive in that provider. Start creating normative ways, which say these are the cloud services providers that we, at a company level, should use. Then involve end users in the decisions because they’ve probably got some pretty good ideas.

And last but not least, you have to think through where your data is stored. When talking to your cloud-service providers, literally ask them where they’re going to put your data. The number one way most companies and most people protect themselves is the law — it’s not a technology conversation, it’s a legal one.

Read more at BusinessWeek Tech Beat Blog