NSS Labs CEO: U.S. has unilaterally disarmed in cyberspace

In a recent interview, NSS Labs CEO Vikram Phatak discussed a range of topics, including Apple vs. FBI and the lack of operational experience among U.S. government hackers.

NSS Labs' Vikram Phatak said the government's fundamental misunderstanding of cybersecurity hampers its ability to fight adversaries in cyberspace.

The United States is fighting adversaries in cyberspace with one hand tied behind its back, according to the CEO of NSS Labs, an IT security testing firm.

"Unilateral disarmament is a folly, and that's effectively what [the United States has] done," Vikram Phatak told FCW in a recent interview. "We've taken anybody who knows how to operate a [cyber weapon] and thrown them in jail."

The U.S. government is worse off for keeping hackers with operational knowledge at arm's length, he added.

By contrast, the Russian government has reportedly had close ties to organized cybercrime. Although U.S. military and intelligence agencies have talented personnel, Phatak said, they don't have "the kind of operational experience that the Russian mob has or the Chinese mob has."

National Security Agency Director Adm. Michael Rogers has said he wants to make it easier to recruit private-sector talent and rotate NSA personnel in and out of the private sector.

"I think, fundamentally, there's a misunderstanding of cyber in Washington," Phatak said. He later added that "either you're working for the government or you're a bad guy...and it's very much a law enforcement-centric view as opposed to a national security view."

Phatak was one of the thousands of IT security professionals who descended on San Francisco in early March for the RSA Conference. His Austin, Texas-based firm tests cybersecurity products across a range of categories, including endpoint security and protection against distributed denial-of-service attacks.

Phatak believes that NSS Labs' reputation as a testing firm positions him well to dispense impartial analysis to lawmakers. "When we go to the Hill, we don't go to sell anything," he said. "My customers are everyone from Disney to JPMorgan Chase, and if government policy goes sideways, then they're all affected."

Tribal vs. institutional knowledge

A federal court order to compel Apple to help the FBI unlock the iPhone of one of the San Bernardino, Calif., shooters cast a pall over the RSA Conference.

Phatak, a former CTO at cybersecurity firm Trustwave, called the FBI's pressure on Apple "ham-fisted" and expressed concern that mandating backdoors into U.S. products would undercut the country's economic interests.

Encryption is math, after all, and he asked what sense it made to stop people from doing math.

The RSA Conference offers IT industry gurus a chance to strut their stuff, but there might be an over-reliance on such gurus in the public and private sectors, according to Phatak. "You've got tribal knowledge or institutional knowledge, and right now you've got a lot of tribal knowledge when it comes to cybersecurity," he said.

One way to create a baseline understanding of government IT assets and their vulnerabilities is through the Continuous Diagnostics and Mitigation program run by the Department of Homeland Security and the General Services Administration.

Phatak praised CDM for its proactive approach to detecting vulnerabilities. The government's recognition of the need to continuously evaluate IT assets is a good thing, he said.