Greg Garcia, former Cyber Security and Identity Management Partnership Executive at Bank of America and our nation’s first Assistant Secretary for Cyber Security at the U.S. Department of Homeland Security (DHS), sat down with WashingtonExec for a candid interview about mobile security. We asked Garcia to discuss the evolution of cyber security threats, how the mobile frontier is impacting cyber warfare, as well as what work still needs to be done in the government contracting community to limit cyber breaches.
WashingtonExec: Please tell us a little about your background and what you are doing now.
Greg Garcia: I recently left Bank of America as their Partnership Executive for Cyber Security and Identity Management responsible for cultivating the Bank’s external partnerships in the financial sector, technology sector and the government to collectively improve our cyber security posture. Before that I was the nation’s first Assistant Secretary for Cyber Security and Communications at the Department of Homeland Security from 2006 to 2008. I am now in independent consulting for various activities around cyber security. From here on I’m just looking for interesting new opportunities in the start-up world around cyber security.
WashingtonExec: What do you think of the government’s implementation of BYOD (Bring Your Own Device)?
Greg Garcia: BYOD is the wave of the future, particularly as the younger generation workforce comes into the mainstream government workforce and private sector. Our personal devices are increasingly becoming our business devices and business devices becoming personal devices – the lines are blurring. It will continue to be an efficient way of doing business. It will be a cost-effective way of doing business that many companies and enterprises and government agencies will be spending less on devices because those devices will be owned by their employees. The tough nut to crack is how we balance convenience and security.
WashingtonExec: Where do you see the role of mobility in the history of technological innovation?
Greg Garcia: Many of us in this business have come to the conclusion that we missed the bus when it came to security in our computing infrastructure, in our Internet infrastructure. We ought not be making the same mistake for mobile infrastructure. We are in the early stages of the mobile phone being now our computing platform. The software and application developers really need to ensure that the linkages between the carrier infrastructure are secure and that we don’t introduce more vulnerabilities. We have to some extent evolve from the world wild web mode of thinking that everybody is an island unto themselves and rather we need to get as organized as the cyber adversaries are out there.
WashingtonExec: How do you think the cyber threat has changed in the last three or four years? How has it evolved?
Greg Garcia: The cyber threat evolves with technology. Particularly in mobile devices we don’t have a way of evaluating what we are getting when we download that app. In the computer desktop world we possibly have a better view of how the threats are evolving but in a mobile world the number of applications is much more ubiquitous and it’s just going to be harder to monitor that as cyber criminals find more and more innovative ways to exploit personal IDs, user names and passwords. It’s definitely evolving and it isn’t going to go away so if someone says ‘when are you going to solve cyber security’ I’ll ask them ‘when are you going to stop crime’.
WashingtonExec: How has the profile of a cyber criminal changed over the last decade?
Greg Garcia: There are different motivations. We are moving beyond the teenager in his bedroom hacking away. Cyber crime has become big business. There are nation state motivations where it is the online equivalent of spying, cyber espionage using sophisticated techniques to tap into government networks or large multinational company networks to steal secrets, intellectual property, plans, negotiating strategies, etc. Then there are the less prominent but increasingly worrisome groups that may use cyber means to effect physical consequences. The use of cyber exploitation to create physical damage then that will be the next frontier of cyber war. Then you have the hacktivist whether it is Anonymous or WikiLeaks who are using cyber means to expose wrongdoing or personal characteristics of public figures or to embarrass government or that sort of thing.
WashingtonExec: I also asked this question to Teri Takai, CIO of the Department of Defense: What keeps you up at night?
Greg Garcia: What keeps me up at night is that there are cyber attack techniques that can create physical damage. In 2007 when I was with the Department of Homeland a video was leaked to CNN that showed a test of a cyber attack on an electric generator on the power grid. The generator was not ON the power grid, it was segregated but our team was able to change the instructions on the control system that regulated electricity flow through the generator and regulated the rotation of the generator. What it ended up doing by changing that setting – we created the equivalent of driving down the highway at 80 mph with a manual transmission and throwing it into reverse. We destroyed a generator. It went up in smoke. This was a test to prove that it could be done and that infrastructure owners and operators that are managing critical functions like electricity generation, water purification, chemical manufacturing, transportation services. Then you would have threats to public safety and homeland security. That’s what keeps me up at night – where that may evolve to be the new warfare of the 21st century.
WashingtonExec: What is something you think the government contracting community has not fully grasped about cybersecurity?
Greg Garcia: If you are a large company you realize that a large cyber attack will have effects with shareholders who because of the damage that you have suffered, the reputational damage, and your share price might go down. Your Chief Investment Officer, investor relations person is going to be concerned. The brand reputation goes down so the Chief Marketing Officer is now going to be concerned. The costs either from lawsuits will bring in the legal department, the general counsel and the Chief Financial Officer. Suddenly you have the entire Executive Team having to deal with this crisis when previously they just thought this was for the IT guy to handle. If every large enterprise takes it to a personal level per executive, everyone is going to be involved one way or another. It’s in their interest and the interest of the company and the interest of the government to provide the resources necessary to shore up the security of their infrastructure.
WashingtonExec: You don’t think all companies have done that yet?
Greg Garcia: No, absolutely not. I would say that the broad awareness of the problem is improving but I don’t think we are anywhere near where we need to be. Many companies consider it the cost of doing business, ‘we might get hacked and we’ll pay the cost but the cost of mitigation perhaps is less than the cost of installing new security systems so we will take that risk’. What they are failing to understand is that we are all interconnected. If one company goes down it could have rippling effects across the ecosystem.
WashingtonExec: What is something that most people might not know about you?
Greg Garcia: I have been in three plays in community theatre. I play classical guitar. I bicycle race. I have a black belt in tae kwon do and I am a golfer.
WashingtonExec: Do you have a favorite application or a favorite device?
Greg Garcia: My favorite application – I would say I am pretty enamored of my Windows phone, speaking of mobility. I would say that is one of my favorite devices.