Seán McGurk is Director of the National Cyber Security and Communications Integration Center with the US Department of Homeland Security (NCCIC)
Deutsche Welle: In relation to transatlantic cyber security, I´ve read that you said that Stuxnet was a game changer. Can you explain why?
Seàn McGurk: The reason I use that terminology because what we´ve seen demonstrated with stuxnet was capabilities that were up to their point had only been loosely applied into enterprise or information networks. We´ve not seen a piece of malicious code that was packaged in such a way with multiple capabilities that was specifically targeting an industrial control process. So from that standpoint to see network penetration, network migration, obfuscation techniques, incryption techniques and data extraction techniques all packaged in a piece of malicious code and than using that to specifically target an industrial controled network was something up to this point none of our partners or ourselves had actually indentified such a capability.
And the specific target was obviously the Iranian nuclear facilities?
No, actually that´s not obvious. Because the manufacturer of those types of equipment, the hardware and software are actually used in many industries throughout the world, including the United States -Siemens-products are used in the United States. So, for someone to say with assurance, that it targeted a particular facility, is very difficult and I think, there is a lot of speculation as far as the intended target is concerned.
But nevertheless it was a wake up-call to the international community.
Oh, absolutely. Because - as your readers know - there are no such things as boundaries in cyber space. There are no international borders and there is no oceans to cross. Cyber space is limitless when it comes to its reach. And fortunately - or unfortunately, depending on how you look at it - many of the critical processes that we operate in our day-to-day-lives are now computer-based. So, from power-generation to water-purification to financial services - much of that occurs over the internet and over publicly available networks. So the risks are now there in the physical world.
Talking about transatlantic cooperation with regard to cyber security - was it also a wake up-call for the European Union and the United States to cooperate closer, to step up their cooperation?
Actually we´ve got a very close-working relationship with the EU as well as many partner nations in an information sharing and exchange process - that we have established even prior to Stuxnet. We also have a coordination group which is referred to as the international watch and warning network, which is made up of 15 partner nations. Several European nations are involved - Germany, France, Spain, the UK, just to name a few.
We´ve been doing joint exercises, such as cyberstorm for the past couple of years with these organizations, as well as sharing information products and actually developing joint products for cyber security and risk mitigation.
What you´re describing now seems as if the transatlantic community is very well-prepared against cyber attacks. Experts on the other hand are more pessimistic or skeptical about that.
I think because they focus on cyber attacks. That assumes there is a passive approach and we´re not doing anything until the attack actually occurs. So, really what we are looking to do is to prevent and then predict and prepare for those types of events. We´re actually aggressively conducting risk mitigation and risk evaluation by doing vulnerability analysis at our laboratories. So that when we´re testing products and looking at equipment to see if there is vulnerability associated with them. The minute we have that data we share that with the international community, so we can mitigate the risk. If the point or the perspective is, you know: how prepared are we against the attacks, than we are relying on the ingenuity of the attacker and not actually focusing on defense and depth approach which is what we prefer to take.
How much of a difficulty is it that the European Union consists of so many nations, so many different laws. Are you actually on a sort of a dual track with the European Commission and single nation states?
Absolutely, actually in early January the secretary of homeland security met with the European Commission´s Vice-President and the digital agenda commissioner, Neelie Kroes, to discuss ways in which the EU and the Department of Homeland Security can strengthen our information sharing and our partnership with the EU.
And we also have agreements with individual countries, so from larger government organizations to the private sector to our international partners - we have a variety of agreements where we can share information. With some countries we have agreements so we share classified information for instance. It varies, and what we´re trying to do is to make sure that we capture each of those partnerships in a way we can share the most relevant information across a large spectrum.
Now you said you´ve had joint exercises with European countries. What was the idea behind it?
Our last national cyber exercise which we refer to as "cyberstorm III" involved several of our international partners. It involved the international watch and warning network which are those 15 countries that I had mentioned earlier. And there were threads and vulnerabilities that were exploited and networks here in the United States simulated obviously, and also in Europe as well as in Asia, South-East-Asia. It´s a multi-dimensional exercise that involves the scope of cyber that really requires participation by our international partners, because again it´s not something the US can address alone.
Where does a major threat come from? Is it nation states, is it terrorists, is it hackers?
Focusing only on threats is only part of the challenge. In the department we take an all-hazard approach, we refer to our approaches as risked-based analysis. Because what we look at is threats, vulnerabilities and consequences. And the reason you can´t divorce threats from vulnerabilities and consequences is you could have a highly-motivated threat actor, but if there are no vulnerabilities to exploit or limited consequences, than really you don´t have to dedicate a lot of resources.
Conversely, if you have the vulnerability, which is easily exploited, by even the most common hacker, and it has significant consequences, than we need to focus our resources there. I would offer that focusing only on threats and where the threats come from is important but it´s not the sum total of what we need to be looking at in cyber security. We really need to be looking at the total risk profile, from our standpoint.
Interview: Christina Bergmann, DW Washington
Editor: Rob Mudge