Information security practitioners can follow many different paths throughout their careers. After all, every vertical and every type of organization should aspire to good security as a fundamental discipline, whether public sector, private, charity, governmental, or law enforcement.
It is the latter where Neil Campbell, currently group general manager for security at Dimension Data, cut his teeth, joining the Australian Federal Police aged 19.
I met up with Campbell in London to find out more about his life investigating cybercrime and assisting organizations in safeguarding against attacks.
“I worked in the fraud and general crime squad of the Australian Federal Police for a number of years,” he explains. “In 1992 a position came up in the computer crime team, where I then spent six years. I saw it as an apprenticeship in computer security and computer crime.”
Computer crime was a new concept back then, Campbell recalls. Australia had only created legislation to criminalize hacking at the tail-end of the 1980s – and as a consequence, policing this emerging type of criminality was something of an unknown quantity as a career path.
“My colleagues at the time told me I was going to ruin my career,” he laughs. “It was not considered to be ‘real crime’ in those days.”
Time has given Campbell the last laugh, though. Joining the cybercrime unit, as he did, in the early 90s, has given him a unique insight into the evolution of digital felony from its origins to its current status as one of the most significant threats facing organizations and governments.
“Back then,” he recalls, “[cybercrime] wasn’t financially motivated. You did it because you had an interest and you wanted people to see how good you were.”
Throughout the mid-1990s, though, the increasing commercialization of the internet, including the rise of e-commerce, created an escalation in crime. “Website security was, back then, quite woeful. A few enterprising individuals of loose morals decided that this was an opportunity to make some money.”
In contrast to the current black market for financial details, at that time, the theft of credit card details was typically for personal use, he says. “But then we saw the introduction of internet banking, which brought about the rise of phishing. That is really when organized crime got its fingers into the internet.”
Law-Enforcement Headache
The rest, as they say, is history – history that is still being written today, with organized crime groups using the internet in increasingly ingenious ways. These groups pose one of the biggest headaches for law enforcement officials around the world, Campbell reports.
“Organized crime is determined, entrepreneurial and adaptable – there are no business rules, there’s no governance to stop innovation, and there are no morals. As fast as [policing] systems change to try to thwart organized crime groups, they adapt to change their methods.”
Another law enforcement problem that has been made particularly acute by the rise of internet-enabled crime, Campbell explains, is to do with location.
“[Cyber-criminals] are remote from the crime, in a different jurisdiction, which makes it tough for law enforcement. In order to execute a search warrant on infrastructure in another country you have to get the other jurisdiction to issue the search warrant.”
That is easier said than done, with international relations posing a complex backdrop for co-operation between law enforcement agencies.
The Encryption Debate
A frequent strand in the ongoing debate about law enforcement’s efforts on cybercrime is collaboration with private industry. What does Campbell make, for instance, of anti-encryption comments made by several senior officials in governments and law enforcement bodies of late?
“We’ve seen smartphone manufacturers introduce encryption by default at device level and that has created some frustration from government. In my day, law enforcement faced encryption. My view was that there are other ways to deal with it. That might be discussing the issue with the suspect and pointing out to them that holding back on passwords is a very unproductive thing to do.”
Regarding the issue of government’s ability to intercept online communications, Campbell is strictly pragmatic: “The GSM mobile phone standard got such approval and global uptake for that very reason – it was crackable by government. A mobile phone is a pretty clear extension of something we’re already aware of. Encrypted internet communications are also a relatively clear extension.”
But surely it is a step too far for David Cameron to suggest that backdoors should be mandatory in all encrypted communication channels? “Personally I’m okay with it provided everyone knows. As an individual you should have all the information you need to make the decision you want to make. At least if you know there’s a backdoor, that they can decrypt it at will, you can make your own decision.”
It is only when interception is carried out en masse that Campbell begins to take issue. “I like to think my privacy is only breached when there is a provable suspicion and that it’s targeted, it’s limited, and that there’s oversight. I think what the Snowden revelations showed us was that none of those things was in place.”
Risk and Reward
Campbell’s background in computer crime set him up well for a career in the information security industry. His current role at Dimension Data – a company he describes as a “full-life-cycle security systems integrator/service provider” – gives him a broad overview of security solutions and operations across multiple industries.
“The business world,” he comments, “is all about risk vs reward. We should be aiming for the right amount of security for a company or government based on their appetite for risk and their willingness to invest in security – typically that means financial expenditure and often an interruption to workflow.”
Campbell comments that, as an industry, security is “finally starting to accept that you will not stop every attack and you have to have a very clear plan as to what you will do when, not if, you have a security compromise.”
But despite this, he says, incident response is still lagging behind as one of the key disciplines that organizations need to implement – and there are some key questions that companies must start asking themselves.
“Have they written policies and procedures? Do they know what their definition of an IT security incident is versus what an operational IT incident is? Do they know who is authorized within their organization to make the decision about switching networks off? Do they know what their plan is to deal with the media as the incident plays out?”
Awareness and Response
But while preparedness for attacks is lagging behind in some organizations, apathy or underestimation of cybersecurity matters is largely becoming a thing of the past, says Campbell. Organizations, particularly across the financial services industry, are fully awake to the threat of cybersecurity incidents. This message has been conveyed effectively through the misfortune of other victim companies.
“Executive teams have, in the past, underestimated the potential fallout of a security incident. Security is often seen as a cost – not an enabling thing. We often see a kind of grudge budget given to security, and security not being built into all processes.”
But failing to give adequate resources to security, Campbell says, represents a deliberate decision to take on more risk, and “executives should be prepared to live with the consequences, which these days tend to be loss at a senior level.”
The way to ensure greater attention from executives is to emphasize IT security’s position in the context of business objectives, Campbell argues. Security teams clearly have a major role to play in this.
“It’s incumbent upon the security team to provide the visibility of the threat landscape to the senior executives, and there are a lot of tools that you can use to do that. Ultimately, at a board level, you should be running something as simple as a dashboard.”
Staying on top of this means that it is also important for security functions to have a firm grasp of what is going on within their own networks – not always the easiest of tasks when faced with the widely-publicized personnel shortages facing the industry.
The difficulty with finding security staff, Campbell suggests, is down to the depth of experience required: “To be a good security professional the breadth of knowledge is significant. You need to understand networking concepts, data center concepts, application development concepts, operating systems front to back, content management systems, web traffic...”
He suggests that outsourcing is one of the ways companies can alleviate this problem. “It makes absolute sense, because it’s hard to maintain the skills in house 24/7. You can also hold them to a service level agreement and there is a clear separation of duties. You don’t have to worry about who’s watching the watchers.”