As you may remember, we recently found out there's a new Sheriff in Hacker Town, and it's the former Mayor of New York City. But before Rudy Giuliani was named Donald Trump's official presidential cybersecurity adviser in January, he made a number of things crystal clear about his intentions toward the cybersecurity industry, if not necessarily his qualifications. He was pretty up front about the fact that he got into cybersec dealmaking for the money. Still, Giuliani was emphatic over many years and at every opportunity that he was going to be the guy to "solve cybersecurity."
Well, today at Google's HQ in Washington, Big Rudy gave us a taste -- in a keynote to the V4 Cybersecurity Conference. As one of the conference's lauded "brilliant minds in policy and cyber security," he had some things to say in his half-hour talk. He started by talking about CompStat, the crime-tracking system the New York Police Department launched in 1995 to map offenses precinct by precinct.
Giuliani said he didn't think about the system's security until 1998 (slightly diverging from the usual story he tells press, which is that he had his "come to Jesus" moment with the cybers in 2003 when he realized how profitable it was).
“I found out how undefended we were,” he said. “My wonderful CompStat program, which I’m in love with, any criminal could have hacked in.”
Yes, his wonderful CompStat program. Which was actually developed and implemented by NYPD police commissioner Bill Bratton and officer Jack Maple. The program that Giuliani takes credit for to this day, apparently. When a flattering New Yorker profile came out about Bratton and the CompStat program in its first year, Giuliani abruptly ordered the dismantling of Bratton's public-information office -- and thirty-five staffers under him were transferred.
Bratton hung on, and when the numbers came out showing CompStat to be successful, it won him the cover of TIME Magazine. Giuliani responded by forcing Bratton out, and police department detectives were made to work overtime to track down every instance of Bratton's name on NYPD's website and essentially erase him.
But Rudy didn't mention any of that -- he probably didn't have time! Next, he told the conference attendees about this big threat they may have heard of, "maybe the most dangerous of all," he said. Ransomware. Even hospitals were falling victim to it, he cautioned, no doubt having just learned of the Hollywood Presbyterian incident that happened a year ago.
This wasn't the big lesson he was at Google to teach, though. Giuliani figured something out that no one else has, and he was ready to drop the big knowledge bomb on the lucky, yet likely trapped and confused audience.
You see, Crazy Rudy has figured out how to cyber-protect a company.
He got out a pen and started to draw.
First he drew a pyramid. With lines to mark levels, a lot like the Food Pyramid, but totally not the Food Pyramid. Then he drew a big, lopsided circle around it. Like the Illuminati, but not really like the Illuminati. More like the shape you see on American money. But I digress.
He said the pyramid was a company or government organization, with all the important people at the top and the slobs you steal ideas from at the bottom (he didn't actually say that last part out loud). The circle, he actually said, was the cybersecurity company surrounding the pyramid to protect it.
But that's not all. The pyramid needs another company inside it to protect it too, not at all like a cyber parasite. "The company on the inside has to be able to be sure that they’re not missing something." Indeed. Missing something would be bad.
This still isn't enough. "I believe you need a third company, which is an attack and penetration company. They are attacking you all the time, as if they are the bad guys." Yes, get the bad guys, Rudy! Let it be known that Giuliani has discovered the concept of pentesting in 2017, but still can't quite decide what it's called.
I'll let Rob Pegorano take the next section, because he managed to describe it with a straight face:
We weren’t done yet, though. Giuliani said this organization will also need “an investigatory company” that can trace an attack back to its authors, whether they’re in China or, as Trump once famously said, somebody’s basement.
This fourth security firm should also monitor what experts call the “dark Web” — the vast expanse of servers unreachable through normal web browsers and apps, though Giuliani kept calling it “the black Web.”
I'm not even going to touch the "black Web" issue. I am walking far, far away from it.
So: Looks like we have forensics, attribution, and threat intel all in the fourth company, which Giuliani drew as a little "4" floating in a circle below the pyramid's big circle. Perhaps this was a deeper reference, indicating the journey of Dante through the concentric circles of suffering in Hell, as guided by the ancient Roman poet Virgil. The thinking man's cybersecutity metaphor. A parable for the audience's experience at that very moment. But, probably not.
The president's cybersecurity coach was almost done providing his valuable services to what was now undoubtedly a room full of corpses. Four companies still wouldn't be enough, he told the long-suffering conference attendees. A fifth company will still be needed. Fifth. Five companies total. A-one-two-three-four-FIF company.
This fifth (5th) company would be to defend individual employees who handle sensitive data. Like the people who work for me, he actually told the audience.
Two levels of Giuliani's pyramid were left blank.
No one will ever know if this was intentional.