Improving Cybersecurity in Asia
How Microsoft is Helping to Implement Policies
Microsoft's Pierre Noel focuses on helping Asian nations build their cybersecurity infrastructures and policy frameworks - often from the ground up.
The easy part of Noel's job is that he has a standard process by which he approaches client nations to enlist support, assess risks, set up cybersecurity governance and begin the fundamental process of data classification.
The tough part of the job is that no two countries are exactly alike in their cybersecurity needs or capabilities.
"We have to recognize there is no 'one Asia' - Asia is made up of very different types of countries, some of which are extremely sophisticated when it comes to understanding cybersecurity," says Noel, chief security officer and adviser for Microsoft in Asia. "And then you've got emerging countries. ..."
In an interview with Information Security Media Group (transcript below) about Microsoft's efforts to help Asian nations improve cybersecurity policies and protections, Noel discusses:
- The state of cybersecurity among mature and emerging Asian nations;
- Key challenges to protecting critical infrastructure;
- Strategies for developing a new skilled cyber workforce.
Noel is the chief security officer and adviser for Microsoft in Asia. A Belgian citizen living in Asia for the past 22 years, he has more than 27 years of international experience in information security and enterprise risk management. He has designed and built complete security and enterprise risk management environments for governments, finance, transport and large conglomerate industries worldwide.
TOM FIELD: Would you tell us a little bit about yourself and your current role with Microsoft?
PIERRE NOEL: I have been with Microsoft for a little over two years. Basically I'm a French-speaking Belgian guy; I have about 27 years of experience in information security, and I moved to Asia about 22 years ago. I had different roles within different organizations in Asia over the last 20 years.
FIELD: How do you approach helping nations in Asia to build their cybersecurity infrastructure?
NOEL: Approaching this mission of helping nations to build the cybersecurity framework is a major one. First, it requires having some form of commitment at the highest level of the government, so that people do realize there is indeed a need to build a cybersecurity framework. They have to recognize that there is a risk, that there are threats. We see that in many countries. Many countries in Asia are what we would call emerging countries. ... They certainly have very bright people, [but] also very much need external people with other types of expertise to come in and assist them.
So first and foremost, once we have the go-ahead from the senior people of the government, like [a] prime minister or president, the first thing to do is analyze what kind of involvement they have in place. And when I say involvement, I don't necessarily mean technology, because very often when I ask people what kind of involvement [they] have, they tend to answer with technologies. Whereby, what I'm looking at initially is much more framework, governance, policies, people in charge, and very often this is what is missing. Very often they have some technologies here and there, the typical firewall intrusion detection, some form of security operation center, but very seldom [do] these nations, that are trying to build a cybersecurity framework, have proper governance in place.
So I usually start there, working with them, with the culture of the government, looking at what needs to be done for the regulators that are part of the government. I also look at what needs to be done for critical infrastructure organization. We initially start by setting up a governance framework to decide who's going to be in charge, who's going to handle what aspect, and how we're going to escalate whenever some incident occurs or some action needs to be taken. This is usually my first step.
The second step is to come to an agreement on basic data classification. I very fundamentally believe that unless we have proper data classification in place, and [that it's] truly used by all the people who are pushing some sensitive information or whatnot, there won't be any security whatsoever.
State of Cybersecurity
FIELD: What would you say generally is the state of cybersecurity within these nations now?
NOEL: We have to recognize that there is no one Asia. Asia is made of very different types of countries, some of them extremely sophisticated when it comes to understanding cybersecurity. I can easily name places like New Zealand, Australia, Singapore; these people really know what they are doing. And you've got emerging countries, and for these emerging countries it's somewhat different. Some very much believe that they have everything under control, and again and again, almost on a yearly basis on the anniversary date, they get significantly hacked. Some understand that they have issues, but they don't know where to start, they don't know what to do. Some are working closely with us, and these ones are evolving. But it's a long process; we cannot expect everything to be put in place, especially when we are talking at the level of a nation. We cannot expect everything to be put in place within one, two or even three years. It's a staged process that has to take some pace and have renewed commitment if we want to see it succeeding.
FIELD: What do you find to be the biggest challenges in improving cybersecurity?
NOEL: It's a combination, but the emphasis is much more on the people and process. Like I said, very often when I talk about security, people tend to answer "technology," and this is usually the thought, the process and people, that is glaringly missing. People have not been trained ... on security, on the reality of cybersecurity. They have misconceptions and processes are just not there. So they are working on an ad hoc basis. The two simple questions I would ask to people, to government, to ministries, is, "If you detect malware on your computer, who do you call? Do you know who to call?" And if the answer is no, that's already an interesting indication. And the second one is, "Please give me the name of the person who's going to be fired if there is a significant incident in this ministry or in this agency." And if the answer is, "I don't know" or "this is a group of people, it's not like one person," then you have an indication that you have a process issue.
FIELD: How do you find that you're able to help nations overcome these challenges?
NOEL: You have to set up some clear key performance indicators. It's a staged process, like I said. We have to agree first on setting up a team of people who will be in charge for the nation, for everything related to cybersecurity. Sometimes it can be associated with CERT, a central emergency response team in that nation, or sometimes it has to be disassociated from a CERT. That's a first achievement. Once we have a team of people who are responsible at the nation level to handle the cybersecurity aspects, this is already a major achievement.
The second achievement is probably to be able to deploy some baseline policies and make sure that gradually [they] would be, number one, accepted and, number two, put into use across the different departments. Progressively, [they can be] pushed on the critical infrastructure organization and provided to all the organizations, all the businesses in the nation. This to me is the second biggest performance indicator, if you will. Then after that we can go into the more technically complicated one: setting up the security operation center, having a functioning central emergency response team, these kind of things.
FIELD: How about the training component?
NOEL: This is one of the major elements in building a successful cybersecurity framework. We've got to build a pyramid of training. We have to identify that some people will have to have major responsibility in the handling of the cybersecurity for the nation, and these people need to have the top cyber training. ... In many of these emerging countries, people have way more smart phones than they have computers. We have to train them. We have to organize cybersecurity links so that gradually they understand the risks and learn the basic behavior. So like I said, we have a pyramid of education that needs to be put in place in order to address all of the different layers of responsibilities across the nation.
FIELD: How do you measure your success in this job?
NOEL: Measuring my success in this job is difficult. You cannot really say, "OK, once I have achieved that, this is success." It varies on a country-by-country basis. My major accomplishment so far is one country in Southeast Asia that is a very big country, I won't be able to give the name, and their perception toward what Microsoft could do to a system was not that positive initially. They thought that Microsoft only wanted to sell [them] more software. So it took us some time, not only from my side, but also people living in that country working for Microsoft set up relationships and gradually explain, "We are here to help you to get better." This [evolved] into a signing of several memorandums of understanding with the different ministries and the CERT, and now we are very actively working with this country. Like I said, [they] initially did not necessarily have a strong perception that a software house could help them with deploying cybersecurity.
The second one is an emerging country, where the prime minister realized that, indeed, there was no cybersecurity. I was very fortunate to meet up with the ministers at the right moment just when some attacks took place in other countries, and they realized the need to build something. So I [was] given carte blanche, if you will, and now we are building their facility from scratch. This is an empty table; there is nothing, absolutely nothing, and we are building everything, which is a fantastic opportunity for that country because they don't have history. ... We start from scratch, and are giving the opportunity for that nation to really leapfrog and put in place a cybersecurity framework that would not look at the old stuff, but would really be focused into the reality of cybersecurity nowadays. ...
Global Security Threats
FIELD: What are the global security threats that cause you the greatest amount of concern?
NOEL: We have two types of threats, and I'm certainly not teaching you anything new here. You've got the basic malware, and this is fascinating to see, especially in Asia; the level of infiltration of malware in certain countries is staggeringly high. Some countries have got nearly 50 percent of all the computers infected with malware. If you look at this malware, these are old. These are not zero day type of attacks; this is stuff that has been around for four, five, six years, for which we older people have produced patches. That makes me realize that there is a lot of education that needs to be done, and we need to address this very basic stuff first. It always makes me smile when I have people talking to me about zero day attacks for certain countries, and I look at them and say, "Yes, OK, zero day exists, but from a percentage point of view, that's zero to 5 percent of the attacks. Let's try to fix this 99.5 percent first." That's one element, and we can fix that by way of proper education. It's not rocket science, but it has to be done in a consistent way.
The second aspect is the APTs, the advanced persistent threats. Some of the countries in my region are very much subject to APT type of attacks, and I don't need to name them; you probably know which ones they are. This is a very different type of situation, because when you have in front of you a very determined adversary who really wants to penetrate your environment, you have to have a different stance. You have to look at it from a different angle. You have to think in terms of building a resilient infrastructure, much more than just building a secure infrastructure. This is a real challenge, but only for some countries. I would not say that at this stage of development of all the countries in Asia, that this is something we encounter everywhere; but this is a very clear and present danger as well.
FIELD: What do you see as being the key strategies and solutions that are going to help nations to mitigate these threats?
NOEL: Number one, government; we have to put ourselves in the shoes of government leaders. They have to handle a flurry of different problems. They have to handle poverty, education, and they've got to associate priority to all of these. So I realize that sometimes when they look at cybersecurity they think, "Should I really spend any time when I've got people dying because of malaria?" So we have to realize the reality of this. But the first thing is for government to understand that cybersecurity has a very real impact on the development of the country, especially when we are talking about emerging countries. We have to realize that if we do not address that, it will be a major issue for the development of the country, and of the people in that country. So making them realize the reality of cybersecurity and the need to allocate proper priority and budget to the cybersecurity activities is one major challenge.
The second one is to follow up, because to some extent, it's easy for some government people to say, "Yes, this is a high priority, I sign, and then I move on and I do something else." Well, we've got to do the follow-up, the legwork, and make sure that things get implemented. When we are talking at the nation level, like a country ... that is so large that it takes a few hours to fly from one place to another, it's not an easy task. It has to be done in a consistent way by convincing people everywhere at every level of the organization, every level of the government, the local government, the city government. ...
FIELD: Where do you tend to find your champions who can help you within a nation and within an organization to be successful?
NOEL: My champions are the influencers to whom we can explain the reality of cybersecurity in layman's or business terms. I mean we have plenty of potential influencers - that's usually not the problem. The problem, to me, especially in cybersecurity, is the ability for the cybersecurity people to elevate the message, to represent the reality of cybersecurity in a language that would be understood by non-security people. When I talk to a prime minister, he does not understand cybersecurity, or he heard a little bit about it, but he's got no clue what it means in terms of impact to the nation, to his people. So we've got to look at the message and make it relevant to him. It's not a matter of finding the right decision-maker; it's much more a matter of presenting the message in a way that resonates with them.
FIELD: How are these nations challenged by traditional communications infrastructure and cybersecurity?
NOEL: It's not entirely new, but very often it's considered as a pesky little thing. It's only when they have a significant attack or when we present the statistics in front of them and they realize that they have missed great business or nation opportunities, because all their systems are infected, people cannot deploy on the Internet the way they want, and these kinds of things - only at that moment that they realize cybersecurity has an impact.