Four Questions For: Ben Rothke

What do you consider to be the biggest challenges facing cybersecurity today?

Some of the challenges are: not enough information security staff.  This is compounded in part by firms being unwilling to pay information security professionals market rates.

Solutions are being rolled out before adequate security review.  Think IoT.

Complexity of systems combined with interconnectivity of many systems leads to myriad avenues for attack. Remember, an attacked only has to find one opening. The owner of the system has to protect every opening.

Will hackers eventually shut down hospitals, break into our medical devices and inflict physical harm on people?

 Eventually? Actually, this is old news. In the last few months Hollywood, CA Presbyterian Medical Center paid $17,000 in bitcoin to ransomware hackers, MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore, and Methodist Hospital and Prime Healthcare both had phishing-based ransomware attacks. There are many reasons why hospitals are the perfect targets for ransomware and other types of attacks. Hospitals have long build applications with an emphasis on speed an available, as opposed to security. That makes sense, as an emergency room physician shouldn’t have to search for their SecurID token to use the defibrillator.  The downside to that is the easy access approach to defibrillators often translates into easy access to master patient databases.  For a large medical center, that means that millions of records are at risk due to lax information security controls.

Balancing ease of use and strong security controls is a challenge, but acutely so in the medical field.

As to medical devices, some of the manufacturers thought their information security people were as smart as their pharmaceutical engineers. The reality was at times not like that and medical devices were produced without effective security controls.

The following horror story is not atypical: when I was at British Telecom Professional Services, we had proposed a large project to assist a cardiac device manufacturer with their product. Bruce Schneier was with BT at the time and was in a speaking tour of Europe. We arranged that Bruce would stop there and give them an hour-long briefing on the importance of medical device security. They completely misunderstood his message and thought they could do it on their own.

Considering all of the hacks into our governments’ and political organizations’ servers, how likely is it that we will see our voting systems successfully hacked?

I wrote a piece in 2001 titled: Don’t Stop The Handcount; A Few Problems With Internet Voting.

The same problems that existed then, exists now. Considering we can’t keep guns and drugs out of maximum security prisons, it’s ridiculous to think the US Government could deploy a voting system that isn’t highly vulnerable to attack.

It is actually a difficult task, to create a voting system to support hundreds of millions of users, in tens of thousands of physical locations, managed by people who often have little to no technical background. It’s not that a tamper resistant voting system can’t be developed. It’s just that we won’t see it for at least a decade

What is there to be positive about (in regards to cybersecurity) in the face of security threats, cyber warfare and government hacks?

In the past, security was all about fear, uncertainty and doubt.  Now, hardly a day goes by without a story in the Wall Street Journal or Financial Times about information security. That makes the job of selling security much easier.

Many more universities are offer computer security training for computer science graduates, so the book of that with computer security training is much greater.

Security awareness is also required for standards and requirements like ISO/IEC 27001 and PCI DSS, so the trickledown effect means that the information security awareness level is going up for the rank and file employees.



Ben Rothke, CISSP, PCI QSA is a Principal Security Consultant with Nettitude, Ltd.  He has over 15 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design & implementation of systems security, encryption, cryptography and security policy development, with a specialization in the financial services and aviation sectors.

Ben is the author of Computer Security – 20 Things Every Employee Should Know (McGraw-Hill), and is also a frequent speaker at industry conferences, such as RSA and MISTI.