Photo by Chris TaggartTen years ago, Fordham and the FBI committed to bringing together the world’s best and brightest experts on law enforcement and computer science.
Every 18 months, the International Conference on Cyber Security, or ICCS as it’s known, has convened leaders from academia, the private sector, and government to the University’s Lincoln Center campus. Past conferences have featured the heads of the CIA and the NSA, and this year’s gathering, which took place from July 22 to 25, concluded with remarks by FBI Director Christopher Wray.
Anthony Ferrante, FCRH ‘01, GSAS ‘04, a former FBI agent who was director of cyber incident response for the National Security Council from 2015 to 2017 and is currently global head of cybersecurity and senior managing director at FTI Consulting, participated in this year’s panel “The Tipping Point: Cyber Risks to Election Systems.” Fordham News caught up with him during a break in the action.
Full transcription below:
Anthony Ferrante It’s happening. It’s happening today. The question is, is at what point do we all sit up and take notice and take steps to really get in front of these threats and to make it a top priority?
Patrick Verel: Ten years ago Fordham and the FBI committed to bringing together the world’s best and brightest experts on law enforcement and computer science. Every 18 months, the International Conference on Cyber Security, or ICCS as it’s known, has convened leaders from academia, the private sector, and government to the University’s Lincoln Center Campus. Past conferences have featured the heads of the CIA and the NSA, and this year’s gathering, which took place from July 22nd to July 25th, concluded with remarks by FBI Director Christopher Wray.
Anthony Ferrante, a former FBI agent who was director of Cyber Incident Response for the National Security Council from 2015 to 2017 and currently global head of cybersecurity and senior managing director at FTI Consulting, participated in this year’s panel, The Tipping Point: Cyber Risks to Election Systems. Fordham News caught up with him during a break in the action.
Let’s talk about 2008. How and why did Fordham, which is your alma mater and the FBI, which you joined in 2005, team up to tackle cybersecurity?
AF: So the FBI and Fordham roots grow much deeper than cybersecurity. Believe it or not, when I was in the FBI in the New York field office in 2005 through 2013, there was always a consistent large, large consistent group of Fordham alumni in the field office. And when I say a large group, I would say anywhere from 50 to 100 Fordham alumni working in the New York field office, which is a large amount of alumni for a single field office. Myself, being a former alumni, studying computer science, always maintained excellent relationships with the faculty in the computer science department, and then of course in the university’s administration.
It was late 2007 when myself and a good friend Clavius Distinguished Professor of Computer Science, Frank Hsu—we’d regularly met for dinner right around that period of time, and we talked about the global implications of secure cyber networks, and how it’s more than just the responsibility of governments or private industry or academia. It’s actually in order to be successful in this space, we need a partnership between the three.
PV: I’m intrigued by this notion of bringing together the three different entities, that it’s not just about law enforcement. It’s not just about education. It’s not just about the private sector. It’s about all three working together. Is there something you can point to say like, this is, especially when you were with the FBI, that you could say having worked with somebody from an educational institution or a private sector at the time that you got out of the conference, like a contact that you made that you wouldn’t have made if the conference never had happened?
AF: Oh, absolutely. I mean, I could talk for hours about various cases, FBI cases that were enhanced just because of this event where representatives from Eurasia would come to this event and meet with their counterparts in Europe or the United States and they would break off and have meetings in private rooms where they would broker advancements in various investigations that they were working on. And it’s actually stories like that, that make me most proud of this event.
PV: You came here to talk about cyber risks in the election systems, which are obviously going to be on people’s minds next November. What’s your current take on the state of affairs now?
AF: I think it is definitely something significant that the entire country should set up and take notice. This is something we’re staring at as we enter into the election cycle, and risks to the electoral infrastructure should not be ignored. Not only should states and government officials be aware of the risks that they’re facing, but they should be equipped to handle those risks because in the world we live in today, there’s no way to avoid it. We have to confront it head on or suffer the repercussions.
PV: Scale of 1 to 10, 1 we’re completely unprepared, or 10 things are great, we’re doing in good shape. Where would you put us right now?
AF: I would say anywhere from four to six. I think that there are a lot of really important skilled people focused on the issue, but I also think there’s a lot of talk and not a lot of action, and I do think that the government today is spending a lot of time and making a lot of investments to prepare the states to confront this threat head on. But I also always think there’s room for improvement.
PV: It’s kind of crazy, right? I mean you’re talking about a system that relies upon 50 different states, all managing their own elections.
AF: Fifty different states and numerous different counties. I remember when I was at the White House actually doing preparedness and response in preparation for the 2016 presidential election, we learned some states actually conducted their voting hundreds of different ways throughout the state. So there was no single cookie-cutter solution for that single state, nevermind, as you just said, 49 other states. So it is a very complex issue, but the complexities of the issue actually give the United States a little bit of security just knowing that it is such diverse and distributed system, that there is no single point of failure per se, but there are many different little points of failure that the country needs to be aware of.
PV: If you learn to hack one system, you’re not going to be able to hack them all basically.
AF: It’s not going to be that easy. Right? And when I was working for the Obama Administration, we went to great lengths to study this and to look into this. And to hack an electoral system and actually manipulate votes without it being noticed is extremely hard, if not impossible. That is just one example of some of the built-in redundancies and securities of the system. However, like I said, there were just so many different systems and different ways to do, different ways for Americans to cast their vote that there are vulnerabilities throughout.
PV: Now for as long as I’ve been covering ICCS for Fordham, the Internet of things has been an area of concern with all sorts of devices being sold to the public that can easily be hacked. Have you seen any improvement in this area?
AF: No, absolutely not. Unfortunately, people ask me all the time, what is the greatest risk that you see or the biggest threat that you see, and you, some people will be, well some people say, “Oh goodness, the greatest risk I see is an attack on the electrical grid.” Don’t get me wrong, an attack in the electrical grid will have serious consequences, but that’s not the greatest risk.
PV: It’s Alexa, isn’t it? Alexa is going to take us all down, right?
AF: No. Alexa is a great tool, but it is an Internet of things tool. I will say my fear, the greatest risk when people ask me that question is I say is the Internet of things. You’re talking about 5.5 million devices coming online per day. I think the latest number I read was by 2025 there will be 50 billion devices, Internet of things devices online, on the public internet. Those can all be taken over and turned into armies of robots to conduct different adversarial activities.
I don’t even know where you’d begin regulating space like that, just given the fact that these technologies are designed and developed all over the globe, and sometimes it just comes that consumers look and they want to buy the cheapest device they can buy. And when you do that and you take that device home and you plug that into the global internet, you actually put a small computer online. And that small computer can be compromised and then turned into a robot that can be used to conduct any number of activities from conducting a denial-of-service against a major financial institution to exploiting a major vulnerability in a small tech company.
Don’t get me wrong, Internet of things devices are extremely convenient. They add certain comforts to one’s life. But what I always tell people, cybersecurity is risk management. You can’t properly manage risk if you don’t know the risk. So what I do is I get out and I speak to people about what the risks are. Once you know the risk, then it’s up to individuals to make the decision on their own. And believe it or not, when it comes to Internet of things devices, Americans today probably use two to three Internet of things devices and they don’t even know it. It’s-
PV: Give me an example. What would be something that people might be using and not even realize that is connected to the internet?
AF: If they subscribe to a major cable company and have cable at home and have a digital video recorder, a DVR.
PV: That would be me.
AF: That is an Internet of things device. A mobile phone is an Internet of things device, a smart watch, a Nest thermostat, an IP camera.
PV: The thing that seems the most frustrating is that the onus is on consumers to sort of be on top of the game when it comes to the security of these things. But most of us don’t have that kind of background, nor do we have the time to kind of look into these things. What are we supposed to do? Or how do you know exactly whether these things are secure?
AF: Yeah, I mean that’s a really fair question and it’s a question I’m asked all the time. For an average consumer, there is no one-stop shopping to know. Purchasing a certain device comes with these risks versus another one. It all depends on how the manufacturer markets their device and how easy they make it. And candidly, most consumers don’t care right now. I think that is the bigger question, is why don’t they care?
I’ve worked cybersecurity and cyber crime going on 20 years now and I’ve met with some of the biggest organizations on the planet to talk to them about significant cyber incidents that they were facing at that given moment. And they would work with me to help mitigate that risk and overcome it. But they really didn’t sit up and take notice until they realized that it was personally affecting them. It could be their personal machine or their personal safety or their bank accounts, their personal financial situation. And that’s something that I think, I think a lot of people, including our government is still grappling with today.
I can’t tell you how many times I heard in Washington that we just have not yet had a cyber 9/11 which is appalling for me to hear for two reasons. One is because I lived and worked in New York City on 9/11, and to even use that in a political statement of why we should not invest or take cybersecurity seriously is just appalling to me. But in another sense, I would say that we had a foreign entity partake in a massive campaign to affect the way the American people thought about certain issues in an attempt to influence their vote on Election Day, to literally undermine one of our bedrock principles, which is the right to conduct free and open elections, that so many of our forefathers and ancestors died for that right.
PV: If that’s not your 9/11 of cyber, what is exactly? I guess you have to shut down somebody’s electrical grid to get their attention.
AF: And that’s happened twice. It happened in Ukraine.
PV: That’s right overseas, yeah.
AF: Two days before Christmas, twice, two years in a row. So it’s happening. It’s happening today. The question is at what point do we all sit up and take notice and take steps to really get in front of these threats and to make it a top priority?
PV: What’s the greatest cybersecurity threat that Americans face that they’re not aware of, but they should be?
AF: The first two we’ve already heard about that. The third one I want to dig into a little bit. The first one is the Internet of things. They’re just coming online at exorbitant speeds. The second one we’ve also touched upon, which is the weaponizing of information. I think our adversaries have seen how this can have such a large scale effect on the way, the American way of life. The third and equally significant risk that people should be aware of is data.
Data is much more than just an asset. It can also be a huge liability. And data is being generated every single second. So much data is being generated by our smart devices, by our usage of a computer, by our searches on a computer, by our interactions with various Internet of things devices. And as we interact with these platforms, data is being generated. Whether it’s data on us, our habits, our family.
I’m not talking just data of documents and words in documents. I’m talking about the tone of our voice, the health of our voice, the different questions that we may be searching for on our devices or asking our smart devices for responses. All that is data that is being collected and harvested somewhere. And I think it’s important for people to understand the risks associated with that data.
I would say a fourth threat that definitely has me concerned is the threat of the insider. What is the insider threat? For different organizations it means different things. But the reality is, is the insider threat is someone living and working within your organization every single day, somebody who has an access ID, somebody who has a login to your network infrastructure, and someone who in theory has access to your data and in some cases your most sensitive data.
The insider threat has always been a threat, but now that I am in private practice, I am seeing more and more cases of insider threats crossing my desk, where organizations need help identifying rogue employees that are stealing information and potentially selling it to competitors, selling it to nation states, or conducting activities on their network to sabotage infrastructure.
PV: You know, what’s really funny? I think about data. This is weirdly enough, this is a question I thought of just this morning as kind of a joke, but I think it actually ties into what you were just saying.
PV: Should I be using FaceApp?
AF: No comment.