17 Jan Admiral Rogers: Make It Harder For Cybercriminals
How small businesses can defend themselves
Melbourne, Australia – Aug. 12, 2022
Businesses and government bodies may have improved the way they collaborate to respond to cybersecurity incidents — but as cybercriminals continue to run rings around “ineffective” governments, a retired Navy admiral and former NSA head has warned that actually preventing breaches before the fact will require a different approach.
“There are multiple actors that need to be involved” in stemming the rushing tide of cybercrime, former Navy Admiral Michael Rogers told Cybercrime Magazine, noting that businesses can only expect so much success from government diplomatic pressure.
Noting the concentration of cybercriminals in Russia and Eastern European countries where “ineffective” governments “give them some measure of sanctuary,” Rogers explained, “it’s not by chance that you find threat actors in these places.”
“They go where they think they’re the safest and have the highest probability of not being apprehended,” he continued, noting that the threat to individual businesses had been compounded by the combination of rapid scale, growing nation-state groups, and criminal actors who are “incentivized to use cyber capabilities illegally… they are able to place [targets] at risk, and people are then willing to pay to remove that risk.”
Defending against this upswell of cybercrime is critical for companies to ensure their long-term survival — yet despite surges in spending that will push overall cybersecurity investments to $1.75 trillion by 2025, Rogers said, much of this is concentrated at the top end of town.
Smaller companies struggle to spend anywhere near as much as their larger peers, Rogers said, noting that the problem is compounded by the overall lack of cybersecurity specialists and the limited defenses that most companies are able to afford.
These market dynamics are forcing companies to get more creative in the way they defend themselves.
“The most important thing that we can do as individual companies, or in our own lives,” he said, “is to make the job harder for these criminals. Because as long as there is money to be made, I don’t think cybercriminals are going to go away.”
Making cybercriminals’ jobs harder
With a decades-long military career that included roles as a naval officer, signals-intelligence specialist and cybersecurity specialist, Rogers — whose resumé also includes roles as director of the National Security Agency (NSA), commander of US Cyber Command and chief of the Central Security Service — has experienced the front-line threat first-hand.
His pointed understanding of the threat posed by hostile cybercriminals has given him both perspective on that threat and, now retired, a desire to support private-sector causes that may help companies counter it.
That mission led him to a recent appointment as chairman of the board of advisors of cybersecurity firm Conceal, whose identity-obfuscation technology protects end users from malicious threats by running cloud and desktop applications in cloud-hosted virtual machines — and disguising their locations and identities with patent-pending technology that prevents cybercriminals from using them to trace a path back to the company.
While Fortune 500 companies may be comfortable making massive cybersecurity investments, Conceal’s scalable, cloud-based browser isolation technology offers new options for what Conceal CEO Gordon Lawson calls the “Unfortunate 50,000.”
“Companies have to have business continuity,” he said, “and the big threat with ransomware is that it is affecting that continuity — fundamentally transforming and affecting the way of life of our citizens. Implementing good, cost-effective controls can really help us to defend against this evolving wave [of cybercrime] that we’re seeing.”
“I like the idea of net obfuscation as part of a defense and security strategy,” he explained, “because if I can shield my identity and location, it makes life harder for threat actors.”
“At the NSA we spent a lot of time figuring out how we could shield identity because we knew we were a target,” he continued.
“We knew hackers all over the world, and nation-states, wanted to go after our data — and obfuscation was an important set of capabilities. It won’t solve world hunger, but it can really make a difference in cybersecurity.”
Only part of a broader defense
Tools may improve companies’ ability to protect themselves, but investing in technology alone isn’t enough to substantially change the game.
Skilled staff remain a fundamental part of the cybersecurity defense no matter how many tools are in place, and Rogers believes strongly that companies must continue to develop the pipeline of skilled staff even if they come from unconventional backgrounds.
“Cybersecurity is not a cookie-cutter field and not everybody has to have an undergraduate degree in computer science,” he said, noting his own education in business and political science.
“When I was trying to recruit people within the Navy to go into the cybersecurity arena, I told them that I didn’t need everybody to be a cybersecurity engineer – but I do need people who are comfortable with applying technology against technically focused problem sets, who can work together as a team, and who want to make a difference.”
Finding, hiring and training such staff — many veterans leave the Armed Forces with a great combination of such skills, Lawson noted — would equip companies with the intellectual capabilities to support their fight against cybercriminals.
Yet while broader acknowledgement of the immediacy of cybersecurity threats meant that companies and governments “are moving in the right direction,” Rogers said, “we’ve got to acknowledge the scale and that not one single entity alone can fix this.”
“We’re still not where we need to be in terms of the government and private sector working together in an integrated way 24/7,” he continued. “Although cooperation is great after the event, that always puts you behind the power curve — and it’s a resource-intensive way to do business.”
In the long term, he said, improving the collective cybersecurity posture would demand incentivizing government and businesses to partner more effectively — addressing issues such as liability concerns, incentives to work together, and an openness where cybersecurity attacks are no longer hidden from view or discussion.
“When I was in government, I used to argue that we want the pain of one to lead to the benefit of many,” Rogers explained, noting that this was hard when many companies still refuse to acknowledge when they have been compromised.
“When the one in pain refuses to acknowledge that something has happened, doesn’t share the nature of the attack or of the activities,” he said, “we just learn the same lessons over and over again.”
“There’s a reason why cybercriminals are able to exploit the same vulnerabilities over and over again — and that’s not good for us.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Go here to read all of David’s Cybercrime Magazine articles.
Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.
With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.
Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.