Monday, May 30, 2016

Alberto Hernández: "Our priority must be the protection of children"

Alberto Hernández Moreno. Director de Operaciones de INCIBE

When we asked this interview, we imagined the baggage of Alberto Hernández Moreno, 42, Operation Director of the Spanish Cyber Security National Institute  (INCIBE) was heavy. But, looking closer, it has exceeded all our expectations. Alberto lead all the operative activity of an organization with an annual budget of almost 21 million euros: "The CERTSI, the cyber security services for children, families, professionals, companies, etc., the technological development, the own company systems and all those initiatives we have to support the development of the national industry, the talent promotion and management, the support to national I+D+i and initiatives like CyberCamp".

From Madrid, although he seems from the south because for his wittiness, he live since two years ago in Leon, where he enjoys of the mountain hikes . He seems a quiet man, measure on his words as we'll see in the interview and passionate about his work, as the child you still can see in his eyes if you look the photos. Alberto studied Telecommunication Superior Engineer in the Madrid Technical University. Who could guess that, 24 years after, he would be participating as expert on missions of the American States Organization for cyber security matters, just to put an example.

- How did you get interest in cyber security?

-My first contact was when I finished the University and I started a grant on INDRA, in the 98. I Between the available jobs there were one with the name "cryptography and PKI". On those times it started the boom of "dot com" and many engineers who came out of the University w interested on work in the development of web portals and technologies associated to Internet. In my case, I was more interested on the topic we had barely studied in the engineering school and it was referred to logic security.

- And how did you learn security? 

-I was fortunate of work since the first time on logic security projects and learn of good professionals who were working some years in this field. I remember some projects of public key infrastructure display (PKI), electronic signature and display of security measures on Internet services.

- The most part of your professional life you have been on ISDEFE. 13 years! What they gave you there?

- I went to Isdefe because the company wanted to create a security group to support the Defense Ministry in the developing of their cyber security capabilities, or it would be better to say their INFOSEC (Information Security) capabilities, which is the name for cyber security in those times. The project was beautiful, being part of a team to help to promote the cyber security on Defense with the support of the company direction to propose, innovate, invest and, in the end, increase in capabilities.

- In 13 years you have specialized in some things.

- During the first years my work was associated to consultant on specific technical aspects. I remember prepare some hacking demonstrations with the objective of aware the makers and, specially, I remember one we made in an International conferences of terrorism, where we simulate an infrastructure of energy supply that, using different techniques (traffic analysis, man in the middle, vulnerability exploit, etc), we achieved modify the integrity of service and made a Denial of Service. To do it that, I remember I had to "characterize" myself as the classical hacker of those times to send the message better.

- Haha

- Oven the years the team and capabilities were grow up. We built initially a ethical hacking and classified system audit team and in the last years we designed, developed and initiated a cyber security training platform. In this platform we made during five years the called Army Cyber Defense Exercises, where it could participate simultaneously until forty security teams following attack and defense scenarios. In the first edition we had a platform composed by more than 400 virtual machines and scenarios completely different, something really advanced for these times, considering similar initiatives appeared later on Israel or Estonia.

Oven the years my role was changing, becoming in the last years in the Cyber defense Chief Area on the Isdefe and therefore changing to a manager profile.

- And, as culmination, you were on the team responsible of the creation of the Cyber Defense  Joint Command.

- I consider it the culmination to these thirteen years working from Isdefe for our Armed Forces. A years before the creation of the Joint Command we worked on the Defense Staff, in a constitution project called Computer Network Operation, and it consisted basically in giving to our Armed Forces the defense, exploitation and answer capabilities in the cyber space.

During the elaboration of the National Cyber Security Strategy, Defense analyzed which would be its role and how it would be organized. In this moment we rescued the CNO project and, after improve and evolve it, we designed what today is the Cyber Defense Joint Command. Being part of the team who work in its design and launching it's a proud for me and the best end for a cycle working for Defense.

- Reading the news, it seems now all the critical infrastructures are unsure and we're going to die poisoned by water pollution or something like that. Aren't we overreacting? 

- In this perception there is something very positive and it's the message is reaching to society and the citizen are increasingly educated and he see it's a real problem.

If we see the stats, the number of incidents managed by the Security and Industry CERT in 2015 has reached the number of 134, duplicating the number of 2014. But if we remember, nobody will have the sensation of something terrible has happened to our society or economy. The main conclusion is if we have proper cyber security levels in our operators they make, although it could be attacked, the impact would be minimal. However, we must keep working to keep and improve this level of security.

- The same for the other "trending topic" on cyber security: The Internet of Things. Is that a threat as threatening as it seems?

- It's a reality that we are going towards a fully interconnected world and one of the keys here is that everything we connect must have been designed from the start considering cyber security, something that is not always so. See the more positive side, this issue is already on the table and not only discussed in forums cyber security but is already incorporating the manufacturers, although we still have a lot ahead.

- Personally, I'm worried about to see how governments allocate many resources to cyber war and monitoring of the population, when this money should serve to educate in cyber security to this same unprotected population.

- A few days ago a colleague told me that throughout the history of mankind has always been bad people, able to get the worst of human beings people, and always will be. This makes to ensure our freedoms and therefore we can live in peace with our families and friends, develop as people, etc. we must invest in security.

But besides investing in security is very important to do well in awareness and education, it is an investment not only for the short term but for the future. Here everything is done always be little.

- If you could make a list of priorities for cyber security in Spain, without pressure, just from your cold technical mind... which would be this list?

-The first thing that comes to my mind is everything that has to do with the protection of our children, their awareness, detection of any action that may affect them using new technologies. While we are working intensively in this area we still have a way. After that, the protection that might significantly impact our society, our economy and human lives themselves, ultimately, the protection of our critical infrastructures.

- It seems the governments are lost when they create regulation for the cyber world. Do you think it's normal they want outlaw cryptography and declare 0day as war tool?

-Each country are following their own strategies and although in general we share internationally the same principles, the sociocultural aspects makes that initiatives which are accepted by its society, in other it looks otherwise. I remember a county we visited recently that deny a law project of  data data traffic ISP retention traffic on ISP, because the society see it as a possible intrusion in their privacy. In many occidental countries, as in Spain, we accept this data retention for a while because it give us a benefit when we investigate a cyber crime.

- In a few year we have pass to live in a world that it seems safe to another where banks are robbed with impunity, the people are defraud 10 times more than earlier, steal money to a company is so easy as send an email... It will be always like that?

- I think this always has happened, the only difference now it exist a new way to do it, the cyber space. What happened with cyber space? At the moment with a low invest you can produce great impacts, that is to say, it has an asymmetric character, the time isn't a relevant factor because the actions are immediate and it gives anonymity.

- Last question: the cyber security profession require constant study. How do you improve yourself?

- I'm glad you make this question. The truth is I read a lot, I participate in different forums and also I have a great team of professionals who teach me constantly. But the most important thing is my position of Operation Director and, in this case, what I have to be formed and capable is in lead. And here is where we find many times with big problems, because in my opinion it exists a false belief that dedicate to cyber security is to be a hacker and unfortunately it happen in many cases that professionals who have the responsibility of manage a team what they could do is compete with their technicians to test who knows more.

Whom must be experts, for example in reversing, are the people of my team who have this function. If I'd try to be it I would be completely mistaken. To achieve the projects move forward, me must be more effective and efficient and we must work on team and each one must assume and to be expert in their function. A manager or directive must be that and he must formed for that, no matter you like the technical topics, you must focus on your work.

Text: Mercè Molist


Post a Comment