McAfee exec on Mandiant, cyberspies and costs
The Internet security firm McAfee takes a traditional view on the question of whether private companies should name names when it comes to responsibility for cyber attacks and espionage. Its answer is no. McAfee describes incidents in dry, geographic terms, without reference to governments. It is a quaint approach compared to that of Mandiant, the U.S. cyber forensics company that earlier this year accused a Chinese “cyber espionage unit” of stealing American intellectual property and blamed China for hacking the New York Times. In an interview with Deep Dive, McAfee’s Tom Gann explains his company’s approach to attribution; its support for a public-private partnership with the U.S. government; and its decision to underwrite a cybercrime and espionage cost study by the Center for Strategic and International Studies (CSIS), a Washington, D.C., think tank.
On the Mandiant Report >>
“When we start thinking about reports of that kind, we really think that those sorts of estimates are best done by governments. To do that kind of work really requires tactical intelligence and also requires human intelligence on the ground, and governments are better suited than companies to drive that kind of research.”
Saying no to attribution >>
“We’re just not in the business of doing country attribution. We’re really in the business of doing technical analysis of attacks and explaining how they occurred and how they can be defended. That’s really our sweet spot. As an organization we felt more comfortable staying in the area of our genuine expertise as compared to trying to pretend we’ve got governmental resources, which we don’t.”
Working with NIST >>
“We signed an MOU with the cybersecurity NIST lab to share our technology, to continue a dialogue with NIST on how the (cybersecurity) framework can be robustly built out. To the degree to which it stays a true public-private partnership, we’re very excited.”
Obama’s cybersecurity executive order >>
“So much of the action is really about implementing the executive order in a way that works for the government, works for the industry.”
Limited legislation >>
“…we’re the most interested in the areas of legislative activity where there’s broad bipartisan agreement, such as FISMA (Federal Information Security Management Act) reform, such as enhanced R&D for cybersecurity, and then over time getting to resolution on information sharing where there’s broad agreement.”
Let the facts lead the way >>
“We underwrote the (CSIS cybercrime, espionage cost) study and partnered with a highly credible think tank that was asked to let the facts go where they go.”
How cybercrime steals jobs >>
“If you look at the companies that lose intellectual property, lose sales, that’s an example… If a company gets hit with significant financial losses and gets shut down, or doesn’t have the funds to expand in a new market, that can produce job loss.”
Measuring the “true” costs >>
“When you add the word true, you’re trying to say, ‘Hey we’ve got some smart economists who tried to apply good methodology here, and not do something that was just kind of a rush job.’”
Other studies inflate damage estimates >>
“Typically in these studies what you do is take a sample of, say, a hundred companies and you extrapolate those losses…. That model of a survey doesn’t do a good job being dynamic. So, one company’s cybersecurity losses and intellectual property may then become the benefit of a competitor of that company domestically, who may get more market share…. When you do these valuations and use a very simplistic model you get kind of screwy numbers.”