Sunday, February 21, 2016

José de la Peña: "Attack prevention does not justify over-monitoring people"

José de la Peña Muñoz. Director of SIC magazine.

José de la Peña says he doesn't want to look like the "cybersecurity" curmudgeon (the quotation marks are his). The truth is that, more than an old man, he always looks like a gentleman, and a gentleman very well connected with the highest levels of Spanish cybersecurity. A master of people skills and discretion at 56, Pepe knows a lot. Really, a lot.

Father of two children, a fan of physics and science fiction and a passionate guitarist, Pepe de la Peña is a pure journalist forged at the Universidad Complutense of Madrid.
He has run SIC magazine since 1992, when it was created under the name "Seguridad Informática", and he is a national reference in the sector. Every important company in the sector receives the magazine by subscription. For 26 years he has co-organized the Secumática congress, which is associated with SIC and is, together with the magazine, a reference point for companies, universities and administrations in this kingdom of security and computing privacy, where Pepe acts as the perfect chamberlain.

- How did a journalist learn about cybersecurity in 1992?

-I had to analyze, in an almost self-taught way, the underlying principles of ICT, their practical realization in the beginnings of the industry that produced them, and the application made of them by the "user" organizations. There are no barriers for the curiosity of a journalist who wants to learn and who, also, always wanted -and wants- to listen to the experts on this topic, whether wearing ties or woolen caps, being corporate managers or freelancers, engineers or lawyers, auditors or researchers, teachers or students, private or public…

These were mainframe times, the times of the first client-server battles, the early use of Internet servers and the start of the fall of "the computing power" in companies. Projects stopped at the traditional, provisional contingency plan, with primitive antivirus, UPSs, external storage and the theft of listings. There wasn't a sectoral awareness of cybersecurity and we had to create it.

A few years later we could clearly see the future lines, dominated by network relations, globalization, the use of flexible ICT not designed to produce with reasonable security controls, the need to protect people's privacy... and I already knew something about the matter. Although you never stop learning.

-What do you think about hackers?

-Without the hackers' communication activity we can't understand ICT security. As in every heterogeneous movement with an ideological base, there are people of the hard line, of the soft line and of the middle line in between. We'll see how they change their motivations as a function of the digital transformation, of the social profitability of their actions and of legal changes.

Some of them have exclusive knowledge of technical vulnerabilities, they master lateral knowledge, know how to find human behaviour patterns in an intuitive way and can act with great agility. These profiles are in great demand today by consulting companies, by states and by organized crime.

The most relevant danger of hackerism is its institutionalization. Different movements, like pop and rock in the 20th century, for example, have already been through this.

- A frequent topic in forums is the future regulation of private security and the creation of a hacker license without which nobody could operate. What is your opinion?

-The Private Security law provides for a regulatory development of so-called cybersecurity, which it qualifies as an activity compatible with Private Security, without being part of it.

The specialists who can operate in the Private Security sector officially acquire their knowledge in courses approved by the Interior Ministry. The knowledge given in these courses on the security risks of information managed in technological systems is poor. It's useless.

In our sector, although there are brilliant self-made experts, the majority are university graduates with experience in ICT security, which is a discipline not mastered by all generalist ICT professionals.

Cybersecurity activities will be regulated in the future. But if Spain keeps following the pattern of the current Private Security regulation, we'll be left out of this world.

-In the United States, encryption and Wassenaar, or the conversion of some security programs into weapons whose export is regulated, are common issues.

-I'm afraid you can't put metal bars on the digital world. The control authorities and the mechanisms used are sick with obsolescence.

The organizations and countries that are better prepared to bring advanced technologies into play and protect them will always have the advantage on any front. But the lifetime of these technologies is increasingly shorter.

On the other hand, the availability of products on the Internet is really complete, and their updating capability is so quick, that I think regulated exports only help to make innovative people leave their limiting countries for others where the functionalities of their creations won't be illegal regardless of their purposes.

- In a world where the programs are weapons and there is an unstoppable black market, where the main buyers are the governments... Are you afraid?

-There is information about my personal life that I try to keep private and as little digitized as possible. But if someone wants to hurt me, he can do it.

-Seriously: are you afraid of being spied on?

-I'm already spied on, or I am probably being spied on. What I'm afraid of is that on some occasion my life could be of interest to the people who spy on me or can spy on me.

- I read the other day that someone said, more or less: we idolize Snowden but we share our privacy on Facebook. Isn't it enough to make us pull our hair out?

-The behaviour of the anchorite is weird. The human being wants to communicate, share, discuss, disagree... The people who use this information to cause damage should receive, as a social answer, not only indifference, but rejection. And if they use it in a sibylline way to place products, the answer should be a gigantic fall in their sales.

To make this happen a new privacy should rule, one which does not belong to my generation but to the generation of the digital natives, younger people who are not influenced by the volume of messages and know how to detect the intention to manipulate in these media. And they exist. I see it in my sons.

-Some people say that AIs will dominate the world and we'll be little more than the people of The Matrix. Do you share this apocalyptic vision?

-No, I prefer the Star Trek utopia, in which all the energies of the human species are focused on discovering new worlds and new civilizations, collaborating with Data, an entity created in human-shaped hardware with an algorithm which learns and which, it is suspected, could be self-conscious.

For the moment, the digital transformation is so primitive that massive fraud is still growing and some public services are still running on pedals. Also, some day the Sun will get angry and will fry our satellites.

That's why it's better to keep studying the multiplication table by cramming.

-If you were an advisor to the Spanish government on cybersecurity, which three things would you never recommend doing?

-I would flee from councils and committees and would appoint a State secretary who had a plan, a budget and command over all the government initiatives on the matter, including those under legal secrecy; I would create mechanisms to really implement the regulation on the ENS, in parallel with producing a real digital modernization of the Public Administrations (central, autonomous and local); and I would put into practice a policy of positive discrimination to boost Spanish industry without violating the laws of the market.

And I stop here because you only asked me three.

-The cybersecurity business is growing really fast, but I see the best hackers in the country working abroad or for other countries' companies.

-The shadow of the sector's multinationals is long, and those who hire their services are the biggest multinationals, not the SMEs. However, there are a lot of Spanish hackers working in ICT security departments of Spanish origin.

It is also true that Spanish hackers -many consultants have been hackers and still consider themselves hackers- are excellent, and it doesn't surprise me that companies try to hire their services.

Those who have developed their own technological tools and wanted to work in Spain have left the country, because nobody trusted them. And also the industrial policy that we practice encourages our freelancers to go to the other side of the Atlantic in search of investment funds that buy their ideas, and these funds will take the profits of the effort and money invested in Spain. Live to see.

-Do you like the word "cybersecurity"? 

- It's short and sounds good enough to serve the purpose of selling the matter to politicians, chairmen of boards of directors and the general media (with a few exceptions).

I wouldn't be surprised if, in the digital ecstasy we're living in, some daring person wanting to elevate the matter writes a text to elevate, for example, computing cybersecurity. It would be as fun as reading something about legal law or footballing football.

- Can we finish with a quote?

- The need to prevent attacks shouldn't be used as a justification for monitoring people indiscriminately.

Text: Mercè Molist
