The work of Dan Rosendof, Security Division Director at ICZ, is sometimes close to James Bond movies, thanks to hardware encryptors. Although he is an expert in protection of classified information, he can still tell us some interesting details about his work.
The ICZ Group has a wide range of activities – from healthcare IT solutions, secure video conferencing, and command and control systems for the armed and air forces. What is your portfolio when it comes to cybersecurity (from now on, CS)?
We are involved in CS at many levels, starting with the oldest one – network and infrastructure security and network traffic, where we deal with complete perimeter security. But at the same time, we deal with CS down to the operating system and custom application level. So we offer a truly comprehensive solution from endpoint stations through perimeter and server, network, privileged and ordinary account security. Not to forget cloud services, infrastructure monitoring, logging and log analysis. That’s kind of the bottom line, let’s say, and on top of that, we do secure systems design, which I think is really interesting. Often customers want us to secure an existing system, which tends to be more expensive and complex. The ideal situation for us is when they come in at the stage I want a system; I have these requirements for it, how do I build it to be secure? Most of the time, we don’t have that option, but for classified information, for example, that’s often the case.
Your services include, among others, certified information systems designed to process classified information; you hold an NSA certificate for Top Secret. What does all this entail for you – positives and negatives?
I’ll start with the negatives, namely the need for personnel clearances. Everyone in the SICZ subsidiary has some kind of security clearance, from Top Secret to Confidential. It means invasions of privacy and lots of hassle, making it difficult to find people. Not everyone is willing to do it, and most importantly, it takes time before the clearance is issued and one can start working. The other negative is the size of our country and therefore the limited market. While making foreign trade in classified information is quite a lot complicated from a bureaucratic point of view. From my point of view, the big positive is the legal definition of what such security should look like and the tremendous pressure to provide it. We have the Cybersecurity Law, which applies to everybody, but it is incomparable to the pressure that Law 412/2005 on the protection of classified information puts on us. People are taking it seriously because the maximum penalty for leaking classified information is, I think, five years; everybody will think twice. And the risk falls directly on the specific persons who leak such information. Whereas in the normal world, the risks are mainly to the organisation, which is not taken as seriously. This allows us to build systems that are really high quality, secure, and the number of security compromises is significantly lower. In the normal world, functionality and revenue come first; here, it’s real security. After all, someone’s life may depend on it. Another positive is the stability of the market, although it is mostly government, where it is again more complicated in some ways.
You also offer hardware encryptors that you develop yourself. What do you see as the advantages of such a solution?
Hardware is becoming more and more of a security threat. Today, every network card has a bunch of accelerators; it’s another computer in the computer that you often don’t know what it’s actually doing. The mainstream market products are made in Asia, where the firmware is uploaded, there is no certification, and there are minimal or no warranties. Since we have the product in our hands from the very beginning, from the hardware through all the firmware and software, we know what we put in, and we have control over it all. As the security risks get worse, people are becoming more aware. Even commercial companies would like to have assurances that if they are developing something, that information is not leaking to competitors, and they are slowly starting to have requirements previously only standard in the classified world. At the same time, the national pride that we have something of our own, with our own algorithms, is working.
How difficult is it to develop them?
Development is expensive and complex, and many companies don’t do it. You need a large number of very specialised experts, hardware experts, non-standard software experts who can develop at the firmware level, that is, for hardware, for operating system kernels. In addition to security, functionality is also important. Because even in a classified world, if you design something completely safe but unusable, users will find some workarounds despite the risk. They’re willing to endure more, but there’s a breaking point where they’d rather throw the laptop out the window and work on paper.
What timeframe are we talking about in the case of cryptographic development?
It takes about 2-3 years from PCB to a usable product. The next stage is the certification for classified information, and that can take another year. It’s challenging, but you’re basically making stuff for James Bond. Maybe it’s not as pretty, and it doesn’t explode, although we’ve done some tests to see if we can make a card that physically or chemically burns up. But the people who are trying to protect us internationally are then de facto entrusting their lives to it.
And in terms of manufacturing, is it done here or is it done in Asia?
What is possible is produced here. We buy some chips from abroad, from Europe or North America. Some passive elements, capacitors, etc., it’s different there; you can’t get everything locally. For example, one of our projects could no longer be fitted with chips in the Czech Republic. And even in the factory in Germany, which was probably the only one we could get in Europe, they only managed to do it for the third time. It’s quite frightening how much of a problem it is to produce this in Europe when the phone you have in your pocket is two to three orders of magnitude smaller and more complex. Given the geopolitical situation today, this could hurt us a lot. With the impact of the pandemic, I hope that countries will realise that it is good to be able to produce something themselves.
Since your foundation, you have been heavily involved in building and managing network infrastructure. Today, transmission infrastructure outages can result in significant business losses. What are the most common causes of outages, and how do you prevent them?
Natural disasters aside, the most common causes are hardware and software failures, administrator errors and security incidents. The risk can never be reduced to zero, but we try to mitigate it for our customers through monitoring, pre-deployment software testing and upgrades, central management of network segments, etc. When it comes to targeted attacks, here you need to be ready to react as quickly as possible and engage all options from the most basic ones like next-generation firewalls, sandboxes, antiviruses, EDR to SOC, SIEM… And we must not forget to educate the users, who are still the weakest link in the system. Still, one of the most common vectors is email; when a message arrives saying that we should have invoiced someone for something, there is a threat of a fine, and the stressed-out invoice clerk immediately downloads all the attachments, and the trouble is born. You need to have a robust system so that one mistake by the invoice clerk doesn’t mean that half your infrastructure goes away, and keep educating. And like I said, build systems from the ground up with an emphasis on security.
Do you work with universities? Do you offer any internships or junior programmes for young people interested in cybersecurity?
We are working with the University of South Bohemia, where there is a CS programme, and we are preparing internships for them right now. In addition, we read lectures at the Faculty of mathematics and physics, at the Faculty of information technology, and I hope there will be more in the future. At the same time, we support various educational activities for young people, including the Cyber Contest and ECSC. As for the specific internships we offer, we are continuously trying to develop them to make it interesting for young people and at the same time to make it more transparent what exactly they can learn with us.
Thank you for the interview