I was asked once by a journalist: can you come in and show us how ransomware works? We’d like you to come to the studio and show us how you run a ransomware campaign. I said OK, but I’m quite busy; can I send my 11-year-old daughter?

Raj Samani,

McAfee Chief Scientist

He thought I was being facetious, and I do tease people a lot, but I wasn’t being facetious – I was being truthful. My 11-year-old daughter can go on the dark web, and she can run a ransomware campaign. She can buy stolen medical records; stolen credit cards. She can have cocaine delivered to our house. She can even hire a hitman.

We talk about adversaries, and we worry about things like nation states, but honestly, 11-year-old children can go out and run a campaign that can disrupt you. She can launch a DDoS attack against your company for three dollars an hour.

Take the WannaCry incident: 8,000 operations were cancelled. 8,000 people weren’t given medical care because of a malicious piece of software that went out and caused disruption – and we knew how to fix that. It wasn’t new; we knew in March that this is how you could stop this particular vulnerability being exploited.

How do you combine your role as a scientist and industry specialist at the same time?

My job is to help define the technical strategy for McAfee, and that’s very important, but actually we have a role and responsibility in shaping our digital future. For example, there was an email that was opened and an entire country’s power was taken down. So as an industry and as a society, we as security practitioners have a key role in helping safeguard our future.

Whose job it is to protect national assets from hostile attacks, whether it is nation-states or hackers?

Quite frankly, if you want to live in a world in which your insulin pumps, your cardiac equipment, your cars are being held to ransom, then let’s just keep doing what we’re doing.

But if you want to properly protect assets, every single person has a role to play. Companies like McAfee of course have a key role to play: we provide the technologies that go into these solutions, but I think the employees have a responsibility to play. I think the companies themselves need to invest appropriately. Equally, government and regulators have a role to play, as does law enforcement.

Institutions like the IET also have a fundamental role: getting people to understand what the fundamental responsibilities of all of us are; giving people the right training; being open and collaborative; sharing best practice.

We need to stop looking at cybercrime as a separate area of crime. It is the evolution of traditional crime. If you look at what EC3, the European Cybercrime Centre have done, they’ve got established relationships with agencies all across the world. So it needs to be seen as a global issue.

It’s ridiculous that we live in a world in which we had the DDoS extortion attacks, and they went after Bank 1, Bank 2, Bank 3, Bank 4. Why didn’t Bank 1 contact Bank 4 to say that this is happening and please put these protective measures in place? Why do you have to find out later? So every single one of us has a role and responsibility to play.

Who needs to be pro-active – the industry or the regulators?

I think that the regulatory system definitely has a role to play. The market, as well, has a role to play – you read about Sonos for example, stealing your personal data and changing all of their terms of service.

Fundamentally, I think, it starts with us as an industry. I ask this question all the time whenever I speak to an audience, and I’ll say: 'When was the last time you spoke to your CEO?' Generally, there’s one hand that goes up. How many security practitioners do you know that are on the board? How many of them are CEOs, CIOs, CTOs now?

We as an industry have become practitioners that don’t go beyond our discipline. And yet finance and marketing and all these other disciplines are now making the decisions in all aspects of business. So I really want to get to the bottom of why we as an industry are still seen as an IT or technology function.

What more should we be doing to help drive the innovation; to help drive the types of appliances that are going to be keeping us alive, or keep the lights on, or keep the water clean?

Raj Samani will be giving the keynote address at the IET’s Cyber Security for Industrial Control Systems on 7-8 February 2018. Read the full interview at www.theiet.org/cyber-ics