Hi Marcus, welcome to Qatar. It's a pleasure to have you with us today. As a well-renowned expert on security system designs, what do you think is the future of security?

I think it's going to be pretty much the same as the past has been. We don't seem to really know how to make software that's reliable enough and we don't seem to do a good job of designing our software well enough. And I don't see any trends that indicate that we're going to get better at that. So I think we're just going to have more of the same. Systems will continue to be bad, systems will continue to be broken into. A tremendous amount of time and energy will be wasted, but that's the alternative.

So I know you sort of identified all the challenges already, but how do you think we can tackle these challenges? Is there a way out?

The costs of doing everything right are probably unbearably high. So I think what we have to do is we're going to wind up evolving systems that are very complex in some areas and very simple in others. And I think what's going to happen is that that's going to be an evolutionary process. So you'll have security for handheld devices may become a problem and that will trigger responses and I don't even know what the problem might be and I don't even know what the response might be, but it will have to be because either people will stop using them or an effective response will be developed. So imagine that online banking, attacks against online banking just begin to cost the banks too much and they begin to cost people too much. Well, then either people will stop using online banking or the banks will come up with a way that you can do it that reduces the risk and then they'll push people into a new approach. I do think though that it's very sad that we spend a lot of money on technology and we spend it badly. We buy things and we build things that we know we're going to have to throw away and build again and again and again.
And I think security as an aspect of reliability is something that really should be taken into account a little bit more than it is.

Okay, since you're here in Qatar, can I sort of ask you what are your thoughts about the state of security in Qatar?

Okay, well there's actually some useful things I can say about that. You have some important advantages. You don't have a hugely entrenched infrastructure the size of the United States, for example. So you have the advantage that you may be able to reassess certain things and you may be able to make better decisions in some cases by looking at the places that maybe have done things better or done things sooner and maybe not worked as well. So for example, I see all of these new buildings that are being constructed. I'm willing to guess that all of those have got fiber pulled through them already. They've got cable runs that are designed to make it easier to do data network upgrades and stuff like that. Whereas a country that's full of buildings that are 200 years old, you can't do that. And that's a very significant, a very significant thing. Also, you have a government structure where you have some ministries that it sounds like have some say in how things are done. So you have the possibility that you can develop relevant standards. So the communications agency may be able to say, no, such and such is a bad idea or this is good or this is bad. So there's a good side that goes with government regulation where it can sometimes be much more efficient than a free market because sometimes the free market will favor doing things quick and dirty because that's more profitable. So I think Qatar has a very good opportunity because you have a new infrastructure and you're not afraid to invest. And as long as you keep your eye on building systems that are reliable and future safe, that's really the main thing.
As long as you think about your systems in terms of making them as reliable as possible, security is a subset of reliability and manageability. And so as long as you're focused on reliability and manageability, you're in pretty good shape.

You're definitely aware of the challenges that Stuxnet posed to the Middle East. I know Qatar was not as affected as some of the other countries, but in your view, did we handle it well and what could we have done better if we have something like that?

That's a really complex question. The simple, stupid answer would be, of course you could do better. You could have not gotten it at all. But is that even really a meaningful answer because you have these existing systems and I'm certain that whoever it was who sold and installed the SCADA systems didn't say, you know, we want to install these and they suck and they're easy for somebody to put a back door in. And they're easy to suborn and take over and make unreliable. So the problem that happens with all of these systems is that you wind up getting a very complex interaction between this stuff that you have no control over and then you have to try to make good decisions with this limited amount of information about something that you have basically no control over. Once it's already been fielded, I don't know when your SCADA systems were fielded, but I'm guessing that most of them are 10 years old or 5 or 10 years old. So the only way that we can meaningfully say that you can do better is to go back in time and not make a mistake 5 years ago. Well, that's not an option. So I think that the fact that you've got an emergency response capability and that you've got, obviously you've got support from the government, you've got support from industry, those are the ingredients that you need in order to be successful. So that's all good.

Okay, as a man behind the concept of firewall, I'd like to ask you as a government agency, how can ICT Qatar sort of warn and promote the use of firewall to all of our consumers in Qatar?

You mean to home user consumers?

Industry, home, you know. Well, maybe we can talk about industry as such.

Well, for industry, the obvious thing is that there's going to be some sort of standards. And so you must have a notion of critical infrastructure. And the obvious place to start is to come up with some rough guidelines for organizations that are defined as critical infrastructure and say, you know, if you're dealing with nuclear materials, then you have to meet these standards at a minimum. And that's the way to always increase the safety of any system is you identify what are the minimum reasonable standards and you expect everybody to adhere to them. And then once you've got everybody in line with that, then you can tighten the standards up and adjust them as you need to. Now, for home users, it's more difficult, but you have the same basic approaches. That's really all you can do. For home users, government is left in the position of either mandating things or basically begging. You have to say, no, please, please do this. Neither of those is a particularly great option. And ultimately, the only thing that really seems to work is to construct an appeal to people's self-interest. And that's not so bad. So what you could do is you could say, you know, are you tired of reinstalling Windows every year? And if you're tired of that, maybe you should consider buying a Mac. No, you can't do that. But well, actually, that's not a good example because they have problems, too. So you could say, are you tired of occasionally losing your data, having your credit card stolen? Are you tired of having to reinstall your operating system? Are you tired of your bandwidth getting eaten up by people who are doing file sharing using your computer?
If these things annoy you, instead of spending hours doing cleanup, you could spend minutes doing an install and configuration of a firewall. Do that right. And then you're not going to have to worry about all this stuff. And I think in terms of appealing to people's desire not to have their time wasted, that usually works fairly well. You know, I've done that in a couple of corporate contexts where you basically say, look, you can spend five minutes now or five hours later. That's a pretty good breakup. I've usually found that this isn't based on any real science. But I like to say it's about 10 to 1. The cost of cleaning something up is about 10 times more expensive than just not having the problem in the first place.

You mentioned Windows Firewall. I just wanted to ask you, is it powerful enough to protect any new attacks on your computer?

If you configure it correctly, yeah. I mean, the main thing you're trying to do is just keep systems that you don't know or that you're not doing business with from coming in. But most of the security problems that we're up against now are not at the firewall level. And the reason for that is because a lot of people have them. Your home internet may have come with a cable modem that has a firewall built into it and your home access point. So you may have multiple levels of firewalls that you don't even see. And it may not be that they're very good, but the fact that they're there means that the attackers now are going to go after you at a browser level or something like that.

So are you saying that it is safe to disable your Windows Firewall if you have a stronger and more updated anti-virus system?

I would say yes, if you're reasonably comfortable with your other system. For example, my home internet gateway, I've got a fairly nice commercial firewall on it. And I'm pretty sure it's better than what comes with Windows. So I just turn the Windows one off just because that way it's not going to annoy me.
But that's because I've got something else that I trust more.

So, you know, in the recent sort of Intel acquisition of McAfee, is anti-virus as software really dead and future will be hardware enabled by anti-virus?

I don't know if the future will be hardware enabled anti-virus. The whole anti-virus topic is one that really perplexes me a great deal. The idea of anti-virus has obviously been stupid for a long time. It's a bad idea. It's always been a bad idea. I've always been a proponent of using application whitelisting. And now some of the anti-virus guys are acting like they invented application whitelisting. When in fact it's the exact opposite of what they've been selling for a very long time. I don't understand why people don't just run application whitelisting on everything. But people seem to think that it's difficult, which, you know, again, it makes no sense to me at all. With the whitelisting approach, when you first try to run an application, it says, you know, hey, you're trying to run Adobe Photoshop. Do you want to run this? Yes? Yes? No? Always yes, always no. How hard is that, right? It takes you five minutes to set it up and then once you're done, you're done. You never mess with it. You don't have to worry about downloading or you don't have to reboot with a new virus engine. It's very simple. And I don't understand why people feel that that's more difficult than the alternative, which is obviously much more difficult and doesn't work very well. I don't understand it. I don't think that the hardware anti-virus isn't going to be the answer. It's interesting to me. I can't wait to see what Intel does. The obvious play would be to use the trusted processor module in the Intel processors to put some of that in the hardware. But if that's what they want to do, why did they buy McAfee? Because if you're actually doing signing and if they were checking it, then they should be doing that as part of a collaboration with Microsoft or something like that.
So I have no idea why Intel did what they did.

What is trying to move towards open source? Do you think this kind of trend of running a business from product originally developed on an open source will continue? And if yes, are there any limitations?

I think it's going to continue because the open source model is kind of nice. And I'm torn because sometimes something that's free can be the enemy of something that's good. Ever since Linux came along, now you've seen the operating system landscape has kind of collapsed into all these different flavors of free operating systems. But there's really not any market niche left for somebody to produce a commercial operating system that somebody might buy and pay good money for. Windows has already set a low price point. So anybody who is going to sell a new operating system will pitch themselves between free and what Microsoft charges. And so the market has kind of gotten crushed from the top and crushed from the bottom. So I think the open source stuff is good because in a way it helps keep the vendors honest. But in a way it's also bad because it sucks the oxygen out of the market and makes it a little bit difficult for somebody who wants to innovate with a commercial product to actually produce something that would be new and good. I mean, I'm not happy personally about the way that the free versions of open source operating systems have really killed operating system research. There's no point in doing it now.

What's your take on cloud computing security? That is the short question. Is it really like possible to secure the cloud?

It is certainly possible to secure the cloud. The thing is you have to know what you're trying to do. And when I'm talking to executives who are looking at the cloud what I tell them is treat it as an opportunity to reinvent your ID processes completely because that's what you're going to have to do anyway.
If your idea is that you're going to move to the cloud and save a lot of money, the only way that you're going to save a lot of money is if you change how you're doing your computing. You're not going to be able to do things exactly the same way. So reassess everything, put everything on the table, and maybe you'll save that money and maybe you won't. The thing is if somebody says how much money you're going to save, why do you believe them? That's what always surprises me. I've talked to a lot of executives and they say, oh, we're going to go to the cloud. We're going to save all this money. Who told you you're going to save a lot of money? What makes you think you're actually going to save a lot of money?

You do mention about cyber war and cyber terrorism and you have a different take on that from what is commonly perceived and how media portrays this. Would you like to share that with us?

I think the issue is that we keep trying to treat cyber whatever as if it's something new and different just because it's being done on a computer. Cyber music isn't any different from plain old music that's made by banging instruments together. Cyber warfare isn't the rules of logistics and the notion of having a strategy versus tactics is the same whether you're talking about military operations in cyberspace or whether you're talking about military operations in the physical world. That's one of my issues with the people who talk about cyber warfare like it's somehow easy. They tend to ignore logistics. They tend to ignore the fact that you've got intelligence problems in cyberspace as well. And I'm just pretty disappointed with how people approach cyber warfare because I just think that what they're talking about is very naive. It's extremely optimistic. They watch Live Free or Die Hard and they thought it was a documentary instead of just entertainment. And really if you were trying to be mature and ask what would it take to fight a cyber war?
What would it take to knock a government down to the point where it was incapable of operating? You need a lot more logistics than I think many people realize. You need a lot more intelligence about how the networks were laid out. This is not something you could just do instantly and turn on the dime. And so I'm afraid that it's being oversold by a tremendous amount.

In your presentation you mentioned WikiLeaks as a first instance of cyber terrorism. If we talk about, if I ask you, what would be the next cyber war? I mean what could it be possibly?

Well, I would say that the real issue is cyber insurgency if you want to cyberize things. I mean the thing that we do see is that individuals who want to take on the government actually can do that with some degree of success. That's why I think that what WikiLeaks is doing is so interesting. You've basically got a small number of individuals who have demonstrated that they are more powerful than the government in ways that matter very much to them, to us and to the government. That's one of the reasons I think it's so delightful to watch because what they've done is they've demonstrated in a lot of ways that there's tremendous incompetence and unawareness of how to deal with modern media at all levels of the government, places which should be much more technology savvy than they are. So I like seeing this kind of stuff and I do think that that's going to blaze a trail in the future. I'm a little bit unhappy with the responses that I'm seeing where you'll see civil unrest being coordinated through Facebook and Twitter and then the government's response is to try to figure out how to shut down or to control Facebook and Twitter. That also seems to me, again, to be naive. The real question is if you have a problem with civil unrest, how do you engage with the people who are doing the civil unrest and defuse their problem or address it rather than just try to figure out how to shut them up?

When you were talking about how to combat cyber war or cyber terrorism and cyber espionage, you mentioned something about counterintelligence. How does that work? Could you explain it a little bit?

The problem is that the tools that are available for us to fight cyber criminals or whatever are commercial internet security tools, firewalls, antivirus, intrusion detection, malware detection, and log analysis. All of the tools that we've had for a very long time, there is no magic super secret something else that anybody has got that somebody is going to be able to suddenly pull out of their back pocket and start to use to fight against state-sponsored computer intrusions. So what's left? Well, what's left is to actually work from inside counterintelligence, which is how states would do it because they're well enough funded and they can get the people and also they can write the laws in their favor. So if I were concerned about a rival government that was trying to penetrate my systems, I would be trying to penetrate the organization of theirs that's trying to penetrate my systems. And this is exactly what we saw during the Cold War, where you had the CIA and the KGB, and we see now as the history of the Cold War has become a little bit more clear that the Soviets did a tremendous job of penetrating our intelligence apparatus, essentially making huge amounts of things that we tried to do and turned them into a complete joke. And so I think that would be the way to deal with the whole cyber warfare, cyber espionage problem, to treat it as just another intelligence counterintelligence problem and then you've got all the tricks available to you that you would have in counterintelligence operations and give somebody huge amounts of information that is very difficult to distinguish from correct information and that may in fact be correct information. Just give them a lot of stuff and let them sort through it.
I mean, one of the fascinating things you could imagine would be, imagine if WikiLeaks had said, well, we have 100 gigabytes of State Department documents that we're going to publish. If the State Department's response had been, would you like another terabyte of, would you like 10 terabytes of State Department documents to publish too? You're welcome to have them. Now the question is, do you know if they're any good or not? How do you know the other ones are any good or not? And who's going to look through 10 terabytes of stuff and figure out what's accurate and what's not accurate? And so actually just by virtue of the way that the government responded to WikiLeaks, they really made themselves obviously weak and vulnerable. And I think it's sad when I see that kind of thing happening. I'm torn because part of me is really happy because I really like, I'm not entirely anti-government, but I don't think that governments are always the best way we should spend our time. And it's my observation that it's governments that cause wars, not people. Intelligent people don't just go, you know, I'm going to go travel across the planet and go kill somebody. This is not an intelligent and rational activity. It takes a government to come up with a stupid idea like that. So I like the idea of exposing this kind of thing. I like the idea of amateur counterintelligence applied against governments because I think that one of the things that we've seen is that when governments are able to act in secret, they do really dumb things.

Thank you, Marcus.