06 January 2020

INTERVIEW with Ramsés Gallego, cyber-security expert: No security program on the planet will work without these three pillars: technology, process and your people | VIDEO

Andreea Soare

Asked in an interview for the Defence and Security Monitor and MEDIAFAX what Romania should do to become cyber-resilient, Ramsés Gallego said that no security program will work without three pillars: technology, processes and people.

Ramsés Gallego, Cybersecurity Strategist, vice-president of the Quantum World Association and Ambassador for the ISACA Barcelona Chapter, talked, in an interview for the Defence and Security Monitor and MEDIAFAX, about 5G technology, EU member states’ cyber-vulnerabilities and the elements Romania needs to become cyber-resilient.

Reporter: Mr. Gallego, good morning! First of all, welcome and thank you for accepting the interview. It is both a pleasure and an honor to have you here. We will be talking today about security, cyber-security, the cyber-space, vulnerabilities, threats and risks. I would like to start by asking you what the main cyber security threats for the EU member states are.

Ramsés Gallego: It is an honor to be here and to discuss and articulate messages of value on cyber security, cyber assurance, governance etc. I think that the biggest threat, Andreea, is not understanding what’s at stake. The biggest threat, they say, there is nothing worse than the false sense of security, thinking that everything is ok, everything will be right. So, the biggest threat, apart from the typical threats on, you know, cyber-jacking, crypto-jacking, business email compromise, we analysts, strategists, vendors, we give a name basically to every attack. But, as a whole, as a country, as a region of the planet, we need to understand what’s at stake. And we are talking about people here. This is not a technology thing, this is about people, citizens, it’s about critical data, about protecting the “soul of a nation”, if I may call it like that. So, the biggest threat, apart from the technological aspects like clouds, mobility and the Internet of Things. This is an era, Andreea, where everything is progressively connected. We call it the Internet of Things or the Internet of Everything. It is important to understand, again as a country, as a region, as a community, that the threat is that there may be a nation interested in our data. But there also may be a company interested in our data. So, it is sort of a mess. We are in a cyber-war sort of thing. The biggest threat is thinking that nothing will happen, who is interested in me, especially Romania, you guys are situated, geographically, in a very special place. So, someone may be interested in attacking you to attack other people. To use your infrastructure, and I am talking about public companies and private companies. To use you as a bridge to attack others. Actually the name of that is False Flag Attack: attack someone to attack another one. So, the biggest threat, going back to your question, that I appreciate and, again, it is truly an honor to be here, is thinking that nothing will happen.
Every attack, Andreea, is at three clicks of distance. You can be attacked or hacked from another part of the world. And actually, the one thing that I always say on stage and in sessions or interviews like this one is: how do you prosecute that? From a legal perspective? How do you challenge and go after a threat that is on the other side of the world? In which court of law do you go, if you can demonstrate that first, because in the physical space, if I steal your purse or your bag that’s pretty obvious, because that’s a physical asset and the asset is no longer with you, I’ll have it. But, in the digital space, I can steal your databases, your intellectual property, your nuclear codes and you will have them, but I will have them too. The biggest threat, going back to our summarized sort of answer, is thinking that everything will be ok, and in this world not everything will be ok. Someone is interested in you as a country, you as a region, you as an entity, you as a bridge to attack others.

Reporter: So, we should always be prepared?

Ramsés Gallego: Absolutely! Preparedness and readiness are a must. I am here invited, and again I truly appreciate the invitation, by the CERT in Romania; tomorrow I will be delivering not just one, but two sessions on the NIS Directive, which is actually three or four years old, so it has been here, but it talks about cooperation, it talks about how we, “the good guys”, are getting together against the “bad guys”, because the “bad guys” are together and they are sharing information. That’s a must, Andreea: preparation, cooperation, awareness. We need to let them know that we know, we customers, public and private companies. We need to let them know that we care.

Reporter: Therefore, is it necessary to come up with a common approach for the EU member states or the EU-NATO member states?

Ramsés Gallego: Absolutely! To have a simplified and unified framework. I am a proponent and I am travelling, literally, all over the world, I go to 25 different countries every year. I have been to this beautiful country before. But I come from Bogota, Medellin, Kuala Lumpur, Manila, so I am literally traveling the world telling governments: you need a unified and simplified framework. You need that PPP, Public and Private Partnership. You public companies need to engage with private companies. By the way, in Romania there are massive, fantastic companies that have amazing technology; use them, because the bad guys are going to use other technologies to attack you. So, going back to your question, it is a must to have a unified and simplified framework. We can use COBIT 5 as a framework, we could use the NIS Directive, we should use the NIS Directive, we could use ITIL or the ISO27000, but use something. What will not work, and it comes from my experience, I am a world observer, if I may call myself like that, but what will not work is to work in silence, alone. That will not work. Romania has to be “inspired”, we as a country, as a community, as a region of the world. That’s a must, otherwise it will not work.

Reporter: As we are surrounded by threats and risks, do you think that there is a risk for a shutdown of critical infrastructure in crisis situations?

Ramsés Gallego: I am sorry to say a big YES. Not only yes because it could happen, but yes because it has already happened. It has already happened. When you connect an energy supply, let’s say, not a nuclear power plant, which is probably the typical example, but an energy supply, a windmill farm that produces energy, water supply, transportation, those are critical infrastructure that actually sits on regular technology. I mean, at the end of the day, there is a computer managing water distribution for Bucharest. At the end of the day there is one computer or some computers deciding which sort of energy goes where. So, going back to my first answer, if I am a nation or if I am an attacker and I want to create disruption and harm, I will certainly try to challenge your airports, I will certainly try to challenge your energy supply. But again, your question was very pointed: can it happen? Yes, but it has already happened, that’s what I am saying. And tomorrow, with the NIS Directive, it talks about critical infrastructures, it talks about the critical companies, the critical sectors, and that includes banking, that includes transportation, that includes energy supply, water supply. For good or bad, all those infrastructures run on technologies, windowses, linuxes, mainframes and cloud aspects, which is very important, as we are moving to clouds very heavily. So, it could happen, it has already happened, but let me tell your readers and our viewers something very clearly: it will happen again. Long story short, Andreea: a city like Baltimore, the whole city of Baltimore in the US, has been “kidnapped”. Not just one company, not just one hospital, not just one school, but the whole city has been kidnapped by a ransomware attack, and the whole digital process of the city, like paying the taxes or all of the things, all of the procedures and the digital aspects of Baltimore city, was closed for six months.
They needed to go back to pen and paper because someone decided to create some disruption. But while we were surprised by what happened, it happened to Atlanta, in the US, in August 2016. So, my answer to your question is: Yes, it can happen, it has already happened and it will happen again.

Reporter: There have been talks lately about 5G technology, its disadvantages and its advantages. So, what will be the greatest threats for Romania after the large-scale implementation of 5G technology?

Ramsés Gallego: Ok, let me say 5G is fantastic. The promises of 5G are amazing. It promises a maximum peak of 10GB/sec, that’s ten times what we have today with 4G. So, it’s massive. Ten times the speed, ten times the bandwidth, maximum speed. So, no doubt that the technology is amazing. The question was, what about the threats, and that sort of question I am being asked all around the world, again and again. You need to trust your vendor, not just with 5G, actually this is a sentence that serves any other element but especially 5G, because we are talking about government-owned data centers, servers and infrastructures, that is about people connecting to critical infrastructure. So, we need to trust the vendor, and I especially like, Andreea, the word “trust”, because trust is earned. I mean, you are not trustable because you say so, you are trustable because others say that you are trustable. You earn the trust of your customers or, in this case, of the citizens. So in the case of 5G, again, fantastic technology, my answer would be: you need to trust your vendor, trust but verify. President Ronald Reagan used to say: “Trust, but verify”. This is very applicable with 5G now. Trust your vendor, whether it is the Asian vendor or the German vendor, the two big suppliers of 5G. Trust, but verify, because in my country, Spain, they are deploying 5G now, and I have been a proponent and I have been involved in this. Ok, but the question is: do you run your own destiny, in the routers, switching or the infrastructure they are proposing? If the answer is “no”, you are doing something wrong. If the answer is “yes”, then I need to celebrate that, to applaud that, because you trust, but then you verify. You run your own destiny. Is there any back door in the infrastructure? You need to check if someone is using that very critical infrastructure to spy. So, 5G again, I celebrate it, I have been involved in 5G projects, but I always say: Chapter one: Trust, but verify.
Otherwise, threats are massive, because 10GB/s is a unique opportunity to spy, to get information, critical information from critical infrastructure, energy supply. And we cannot afford that, not just Romania, but the whole world, we the “good guys”. Trust, but verify. That’s my answer.

Reporter: Now, focusing on Romania, what should Romania do to become cyber-resilient?

Ramsés Gallego: Well, thank you for the question, because I especially like the word. “Resiliency”, if I recall correctly, the dictionary says, is the capacity to endure. It is not just business continuity or disaster recovery. Resiliency is the capacity to survive, to endure whatever happens. Then, your question was “cyber-resilient”, so, you not only need to be resilient on the physical aspects of the ongoing aspects of any country or company, public or private, but you need to be cyber-resilient, understanding the clouds, the different business applications, mobility. All of those things require control and visibility. So, going back to your question, what does Romania have to do to become cyber-resilient, it is understanding. Ask the right questions, to the right people, at the right time. Use the right technology. Understand what’s at stake, understand all of the vectors, all of the angles, all of the dimensions in a very cyber époque that is all about those dimensions. So Romania has to first use a framework, whatever you want to use, or a combination of frameworks: COBIT 5, ITIL, ISO38500, ISO27000. Use the right frameworks and best practices out there. Because the book has been written, Andreea, you do not have to invent anything, you have to use what’s already out there. So first, from a procedural point of view, you have to use the best practices and frameworks; from a technological point of view, you need to use the right technology. I mean Romania has fantastic technology, or international technology. And then on the people aspect, which is very important, so you need to use processes, technology and people. You do things with people, train your people. What I am going to do tomorrow, and also in this interview, is going to be sort of a training pill for whoever is listening. Look at the people’s life and say: we need to protect and defend. This is a must. Going back to the origins.
Romania has a unique opportunity, I mean you guys have good talent, I have been in universities in this beautiful country and I said “wow, these guys rock!”. Young people, in their 20s, fantastic developers, good hackers. And because you are geographically positioned in a very special place and you have support from very important countries, you have the unique opportunity to do the right things rightly. Doing not just the right things, but rightly. Awareness training, education, that’s a must. No security program on the planet will work without these three pillars: technology, process and your people. Your young people in the universities, because I have travelled the world and I have seen very few countries with the talent that I have seen in your universities.

Reporter: You said education and that’s very interesting, so we also have to train citizens to protect themselves?

Ramsés Gallego: Yes. I am suggesting, as I did in Spain, that the government have sort of a program, let the people know, let fathers like me and families know what is at stake. Train the people on using the mobile. The mobile is a platform in itself. I have a daughter, 17 years old, she does not live at home, she lives on the phone. So, we need to let them know what is at stake: private information, and I am not talking about pictures on Facebook, Twitter, Instagram, but the thing as a whole. I have my credit card information on my mobile and actually I have my health, I am a runner, I train, so I have my health information on my mobile. Suddenly, I have my everything on my mobile. So, you need to train citizens, somehow, make a program, an awareness training, some educational pills, interviews like this one. But, do something as a country, for your country, with your country, through your country. I may be very romantic when I say this but, again, I am an absolute believer in that. Behave with your country, through your country, for your country. Let them know. Let millions of Romanians know what’s at stake here, because we are talking about protecting and defending citizens, people, governments, private companies, critical infrastructure. That’s a must, otherwise, it will not work.

Reporter: Mr. Gallego, thank you so much. It was a pleasure and an honor!

Ramsés Gallego: The pleasure was all mine. Thank you for having me!