Geopolitical Instability Is CISOs' Latest ChallengeKPN Telecom's Jaya Baloo on Technology, Politics and Software Vendor Bans
The latest challenge to face chief information security officers: Keeping their organizations secure while at the same time navigating geopolitical instability.
Take the recent push by the U.S. and some European countries - including the Netherlands and U.K. - to ensure that no Russian-built software gets used in government networks or for critical infrastructure (see EU Claims Kaspersky Lab Software 'Confirmed as Malicious').
For the private organizations that run the majority of such infrastructure, the accompanying lack of detail isn't ideal, says Jaya Baloo, CISO of KPN Telecom, a Dutch landline and mobile telecommunications company.
"We don't have any smoking guns; there are no real facts," about the ban on Kaspersky Lab wares, she says.
Missing: 'Information Sharing'
Ideally, Baloo says, the discussion wouldn't start and end with a blanket edict to avoid a vendor's wares, especially from EU member states that are believed to have hacked other EU member states. For example, the U.K.'s GCHQ has been tied to hacks of both Belgian telecommunications provider Belgacom and the European Parliament (see GCHQ Seeks 'Responsible' Hackers).
"If there are allegations, fine. But come with the data to actually allow us to make an informed, second opinion about what's actually going on," she says. "Also come with an alternative, because that hasn't been presented either: It's not 'don't use this, use this'; it's just 'don't use this.'"
Supply Chain Management
Indeed, Baloo notes that from a purely technological perspective, such bans may not make sense.
"For every single vendor, not just Kaspersky, unrelated to which country they originate from, we absolutely do a full-blown pen test before we apply it in our network, and with every major release we vet and verify, we also do supplier assurance and supply chain management, so we're doing all of these efforts to verify source code, do pen tests, never to take anything as face value," she says.
In addition, the risk posed by Russian-built endpoint security software - such software hooks directly into the kernel - also apply to endpoint security software built by vendors in other countries (see Anti-Virus Conspiracy Theories Cut Both Ways).
"There hasn't been a lot of account taken of the actual technical setup, the architecture of how you can use an anti-virus product," she says. "You could theoretically use a detection of an AV vendor without having to send information back to them, whether or not you detected something that they may have observed, and there's ways to configure your setup, that you can verify that in practice."
"What I feel is, we can figure this out technically," she says. "But it's not a technical issue, it's a political issue."
In a video interview at the 2018 Infosecurity Europe conference in London, at which Baloo delivered a keynote speech, she discusses:
- Information security best practices for using any software or hardware in any enterprise;
- Supply chain assurance and management;
- Dealing with complexity and unpredictability in the political landscape.
Baloo the CISO of KPN Telecom in the Netherlands. She has more than 18 years of information security experience, and has worked for such global telecommunications companies as Verizon and France Telecom. She is a frequent speaker at security conferences on subjects around lawful interception, mass surveillance and cryptography.