It may not sound like the most straightforward avenue into cybersecurity, but Abraxas’ chief scientist and cyber expert Lance Cottrell began his career as an astronomer. Pursuing graduate studies in astrophysics in San Diego in the early 1990s, Cottrell had direct access to the Internet, the web, and high-speed backbones at a time when no one outside the scientific community did. This kind of exposure provided him with an awareness of the security issues and concerns surrounding the use of the Internet, and of the amount of information that was visible to anyone running services on it. While working on his Ph.D., Cottrell became involved in building cryptography, security, and privacy tools for the open source community. In 1995, he realized his work was taking off as thousands of users were using the tools he had built. Choosing between his passions, he put his research on hold and started a company — Anonymizer, Inc. Initially focused on the consumer space and building privacy tools for individuals, the company realized over the years there was a lot of need coming out of the commercial and government sectors. Subsequently, Anonymizer refocused its business around providing enterprise-class, high-end capabilities. About two years ago, the company was acquired by Abraxas Corporation, who chose to keep Cottrell on in the role of chief scientist “as most of the things we build are my brainchild,” Cottrell said.
TheNewNewInternet: What are some of the challenges you have met in your current role?
Lance Cottrell: We have always provided tools that are sort of outside of the mainstream. I have never been involved in providing the typical set of security solutions, like firewalls, anti-virus systems, or just another VPN. We like to be focused in areas that are solving really hard problems that other people aren’t looking at. So, a lot of the issues surround educating and making people aware. In many cases, especially a few years back, there was no widespread awareness that the kind of issues that we solve even existed. So, we spent a lot of time just trying to make people aware of the risks that they were taking online. People were going out on the Internet all over the place with .gov on their address and exposing themselves to all types of risks and retaliations. It’s a very fast evolving environment, so trying to keep up with managing the kinds of Internet security that we focus on when everyone is putting stuff up on Facebook and other social networking sites was a big task. There are so many more ways in which information is put out there, and people are, more and more, freely providing it without thinking of the repercussions; it’s a much more complex environment to work in.
TNNI: Can you mention some other examples, other than social networking, where people are sharing information?
Cottrell: For example, location tracking is a big issue that we are chasing down right now where mobile devices, as well as many of the browsers on your computer will actually tell the websites where you are going, and where you are located within about 20 meters based solely on the network environment, particularly the Wi-Fi network you are in.
TNNI: How are you trying to solve this concern?
Cottrell: Maybe we should take a step back. Most of my career has been focused around ‘how do you operate anonymously or in alias or in a stealthy mode on the Internet?’ A lot of people think of the Internet as a fairly private thing because they are sitting at home in a secure environment where no one is watching them. Inversely, they feel when they are walking down the street, anyone can see them and they’re exposed. But it actually turns out that kind of the opposite is true. If you go into a store and have a face-to-face encounter, pay in cash, and walk out, fundamentally there is no record of this anywhere. It is very hard for that kind of data to get centralized, correlated and collected. Whereas, on the Internet, everything you do is tracked. Every web page you go to is logged, noted, archived, and database analyzed. How long you were there, what pages you looked at, what did you read, which links did you click, what did you order, have you been here before, how much did you pay for things, where do you live, what kind of computer you have—they are all being gathered all the time. The Internet is more inherently surveillance enabled for everyone, not just the government. Everyone who is running a service on the Internet can see all of this information about everyone who visits him or her. What we are trying to do with most of our activities is rebalance that. How do we make it so you can go out and use that public Internet and not be negatively affected? Because it is that kind of playing field now—the bad guys are using it, normal people are using it, businesses are using it. How can corporations, people, and government engage on the Internet without opening themselves up to this laundry list of vulnerabilities that go with being identified, tracked, monitored, and attacked based on who they are and what they are doing? Things like geographic location are a big problem.
If you are working at a company and the website you are going to can locate you into your corporate headquarters, well, then the game is kind of up. They know who you are and they know where you are coming from. It can be difficult to do competitive research or things like that. In fact, a lot of companies will intentionally feed misinformation to their competitors. If you are coming from a competitor, you don’t even see the same information that some random home user would see when you are using the website. All of the usual security concerns that you have out there kind of apply to the solutions and scenarios that we have, but they all get subdued under the main focus of what we are trying to provide, which is how do we enable people to operate on the Internet securely. I think philosophically what we have seen is the U.S. government fundamentally invented the Internet. Over time, the Internet has evolved and expanded, but as it has become more publicly available, with more and more people using it, the bad guys showed up on the scene. As this has happened, in large part, the reaction of institutions (the U.S. government, large corporations) was to start retreating. So they built firewalls and intrusion detection, intrusion prevention, file-scanning systems and layers and layers of walls and fortifications around their network. And this is fine if you are only talking to each other, but an awful lot of what they need to be doing, or should be doing, is out there on the public Internet, outside of corporate walls, so the question then becomes how do you effectively engage in the public arena? So, the goal is to create a system whereby you can freely and effectively use the Internet without repercussions.
TNNI: How do you think the Cyber Command will affect the government-contracting field?
Cottrell: It is going to be really interesting to see. I still think we are in the early days. It is really hard to know. The idea is that this is going to try and concentrate and centralize things, but our experience is that an awful lot of groups have such specialized requirements that they end up being unable to use the big broad solutions that these centralized organizations tend to deploy. We think, in a lot of cases, they may deploy some large baseline capabilities, but a lot of the specialized security requirements are still going to end up getting directly contracted by individual operating units because there is no way to tie them under some big type of umbrella.
TNNI: What do you think about the confirmation of Gen. Keith Alexander?
Cottrell: I don’t have a strong position on this. We are probably in an unusual situation. I think most companies that are dealing with the government in the cyber environment are doing large RFP contracting type scenarios. Interestingly, we almost always are working in a specialized sole source kind of environment. My guess is that we will have very little contact with him. I am very pleased to hear that they’ve got someone in charge, so that they can start rolling because it has been something that they have talked about. I think a lot of important projects have been hanging fire while everyone is waiting to see what happens there and what shakes out.
TNNI: What are some of the most recent cyber projects that you have been working on?
Cottrell: I think a real focus for us has been how do you work an alias on the Internet? It is equivalent to working undercover in the real world, but in those scenarios, most of your identity-based stuff can be taken care of with identity papers. You get yourself a Social Security number, you get a credit card, you get a driver’s license, and the government has ways of obtaining these things for cover organizations. You become fairly established, where someone can go and look. But online, you leave a huge trail. Everything you have ever put on a website is retrievable, there are archives of almost the entire Internet on a regular basis. Google keeps every search that has ever been run on their search engine since their company was founded. So creating believable personas with the Internet on short notice that don’t look like someone who was just created last week is a really interesting problem and something that we have been focusing on a lot lately.
TNNI: What other major threats have you seen lately?
Cottrell: Malware is really becoming one of the biggest issues. Especially what I describe as spear phishing type malware attacks where this is not some virus or Trojan that is sort of generally running around on the Internet, but zero-day threats that have been typically built and then targeted at a very select, small audience. The security systems we have in place now are almost all signature based; a really novel, new attack vector, or a new piece of software isn’t going to show up, and if it is only ever delivered to a small handful of people, it won’t get picked up by any of the conventional mechanisms that are used to discover these kinds of things. We are seeing a lot of issues with highly targeted, highly crafted phishing attacks. If you know you are only going after one person, you can do enough research to almost guarantee that they will open your attachment even if they are a smart, careful, paranoid person. It’s ‘Dear bank member, you need to update your password at such and such website,’ or ‘Hey Fred, I saw you at this conference last week. You asked about our new product literature when you came by our booth – here it is.’ And if he actually was at that place, it is the kind of thing he would be looking at and it’s appropriate to him. You can get extremely high likelihoods of people actually making use of this.
TNNI: To protect people from falling prey to this kind of attack, what should they do? Is education the solution?
Cottrell: Education helps. We are moving toward the idea that you effectively need to have a separate and isolated operating environment for everything that touches the public Internet. So, you kind of need to be working in a couple of worlds and not trusting those systems that are public facing. When you are going to click on an email or open the attachment or visit that website, we think that you almost need to treat those activities as compromised, and build systems that enable you to do the operations that you need even though you know that malware will be taking over these machines. That could be through virtualization, it could be through reimaging systems; there are a lot of different kinds of technologies that will apply to that. I saw a statistic that somewhere between 30 and 60 percent of all Windows machines on the Internet are part of a botnet, and have been compromised by hackers. So, the entire security model changes in that world where you can no longer assume that the device that you are talking to in the end is secure against outside intruders or middlemen. You almost have to start assuming, ‘Oh, it is compromised, now what do we do about that and how do we operate and how do we try to manage our environment given that these Internet-connected devices are going to be lost.’
TNNI: So cyber crime doesn’t have any borders. What measures should be implemented to work toward more international collaboration to fight it?
Cottrell: It’s a really hard problem. Certainly, there are many governments that don’t seem to be very interested in fighting this, and have, for the most part, become havens for the bad guys. Until we get this ‘secure compromised desktop machines’ problem solved, people are going to look like they are coming from anywhere. I could be sitting in Indonesia, but route my traffic through the home computer of some grandmother in Peoria and everything is going to come from there. I see a lot of proposals around trying to create Internet driver’s licenses or some commonality around data retention or large-scale Internet surveillance. My take on this is that I expect it to have substantial civil-liberty impacts while having almost no benefit from the security side because the actual dangerous people, the real hackers who are doing damage, can trivially bypass all of this. The arms race is very much in their favor if we approach this from that direction. So clearly, getting laws on the books, and making sure that all countries have anti-hacking statutes that make it possible to have international cooperation when going after offenders, is going to be critical. But I really think it is going to come down to old-fashioned policing. The way you are going to shut down this international crime is getting inside these organizations, doing undercover work, penetrating their networks. It is going to look a lot like the old-fashioned way of going after what’s fundamentally a new version of organized crime. Internet hacking and Internet crime are no longer the teenage kid at home breaking into a couple of systems. It’s now big money with organized crime behind it, and that’s the way we need to treat it when we are going after it.
TNNI: What is one thing most people would be surprised to hear about you?
Cottrell: Given the amount of time I have spent with computers, the sophistication of the technologies we use to build, and the amount of software that I have personally written, the fact that I haven’t actually taken a class in computer science or programming of software since I was in high school would be surprising. I had to write software in high school, in college, in grad school, and in business, and I’ve worked with smart people and been self-taught.
TNNI: Is astrophysics something you would want to return to, or are you happier in the cybersecurity field?
Cottrell: I love what I am doing. Astronomy and astrophysics are fascinating topics, and I still pursue them and read about them from an amateur perspective. But it is one of those things that requires a huge amount of effort to stay in and stay current. It would probably take me most of the decade to be able to get back to the level that I was at with all of the new technologies, new telescopes, all of the new discoveries, and literature. I have really found that my passion is more toward security, because it has real-world impact. When I do something in astronomy, there are a handful of other astronomers that are interested. On the privacy side, I effectively created the entire idea of commercial-privacy solutions. I started the first company in the world to ever sell privacy tools and that’s an impact that I would never have on the other side.
TNNI: What makes a good cybersecurity professional?
Cottrell: When I think about the people that I have known, the ones who have been really effective cybersecurity guys, the first characteristic is they tend to have a devious mind. They are able to put themselves in the shoes of the attacker and look at the network as the enemy would look at the network and then think about how to protect it. But they also have a realistic view of things. I think it is very easy to get caught up in movie or TV plot kinds of scenarios of super hackers doing all kinds of crazy stuff. There’s a lot of effort and resources in the really exotic threats. Make sure you stop the 90 percent before you worry about the 10 percent. Finally, it is about finding a holistic view of security. I’ve seen a lot of people who have a huge amount of training in very tight areas, and even if you are specialized, it’s important that you have an awareness of a broad area; you want to be thinking about human factors, physical security and infrastructure security.