Interview
CETIN a.s. (from now on referred to as CETIN) operates and owns the largest telecommunications network in the Czech Republic, to which 99.6% of the population has access. Cyber security is not the only area here that cannot do without Pavel Rivola, who serves as Chief Security Officer.
Could you describe what you are responsible for at CETIN?
Our Security department sets the overall security policy, develops it and monitors compliance with it. We are in charge of information and cybersecurity, including the protection of classified information. At the same time, we are responsible for protecting people and property, including our data centres. We communicate with, for example, the National Cyber and Information Security Agency (NÚKIB), the National Security Authority (NSA), the Ministry of Industry and Trade of the Czech Republic, the Army of the Czech Republic, specialized departments of the Police of the Czech Republic and other essential state entities. And we have also implemented several corporate measures related to the Covid-19 pandemic since March 2020.
It is probably not popular among colleagues from other departments that you often give them more work. On the other hand, isn’t it sometimes a thankless position, being the Director of Security?
Unfortunately, Security always makes life difficult for my colleagues. For example, they have to log in more often with a strong password and enter a code outside the CETIN building – just like in a bank. In addition, they have to comply with all sorts of security rules that sometimes hold them back in their work. But there is a reason and a purpose for everything. We simply keep people and technology safe, even at the cost of setting up an extra duty. So, yes, it’s kind of a thankless job sometimes. But when there’s a flop, everyone’s glad they have functional security.
What do you enjoy most about your job?
That it’s a vast and exciting field. Cybersecurity encompasses cyber, physical, information security, and maybe foreign security geopolitics as it relates to our international society. For example, US foreign policy and sanctions against China affect the supply of chips that are needed for technology in the telecommunications sector. This, in turn, may jeopardize the supply of some of the necessary technologies and consequently threaten the smooth operation of telecom operators. And since I’ve long been interested in foreign policy, this part of our work – looking at the context – is something I particularly enjoy. But most of all, I appreciate the opportunity to work with real specialists at CETIN who have incredibly deep knowledge in their respective fields, whether they are from security, the Network, IT or other areas. It makes working on projects rewarding.
Security at CETIN is quite unique in that it combines IT Security and Network Security, with Network being the majority. What do you most often encounter when working together to implement security measures in such an environment?
The need for constant and mutual communication between the Network community, the IT community and the Security community. I use the word community deliberately because even within a company, there are communities that differ in mentality and how they deal with things. This is natural because everyone looks at various solutions and architecture of new projects from the perspective of their community (i.e. processes, managed technologies, knowledge and experience). That’s why I say that communication is essential because it avoids many misunderstandings and always helps find a suitable solution in continuing on joint projects.
You advocate not only a defensive but also an offensive approach to cybersecurity. How do you implement it, or how can one better imagine such approaches?
First of all, before we start talking about the different approaches, we need to understand what the term cybersecurity includes in its content. I sometimes come across a misunderstanding of this concept in practice. Some believe that cybersecurity is only about IT or Network Security. However, cybersecurity, and not only for us at CETIN, is also physical security, more precisely total security, which includes people, technology and processes.
And within this global concept, we have people at CETIN who have roles that fall under the BLUE team, which records, analyses and resolves various security events, and the RED team, which in turn simulates various attacks, whether through ethical hacking, vulnerability scanning, penetration testing, social engineering or physically overcoming obstacles to prevent uncontrolled physical access to our key technologies. The goal is always clear for Security: to find weaknesses in our critical information infrastructure systems and processes before outside hackers do and to keep the operators of those systems on constant alert. The BLUE team’s area falls under the aforementioned defensive security, and the RED team’s area falls under offensive security.
In general, however, the development of the offensive approach is underestimated, and there is a focus on the defensive approach only. At the same time, people from each area have a different mentality, and it does not harm a member of the blue team to occasionally have a short practice with people from the red team and vice versa. It will broaden one’s peripheral vision considerably. Personally, I am offensively oriented because all my experiences have shaped me that way. That’s why I sometimes walk around data centres, looking for where I would attack if I were an offensive player. Which way would I go in, where would I connect, and then through that lens, I look to see if there’s any security, camera, IT blocking, or a network tool that would allow me to control that movement. I apply the same perspective in IT Security or Network Security.
Suppose we want to maintain and develop the right security in our companies. In that case, we need to support both approaches because that’s the only way we can move forward, and that’s the only way we can have a comprehensive view of the state of security in our company and not blindly go around in circles. Metaphorically, this could be compared to a racing rowing boat with two oars – a blue oar and a red oar. If we want to go forward and don’t want to run in circles, we have to row with both oars.
You mentioned working with classified information. What does that involve?
CETIN holds a business certificate for the “SECRET” classification level, which on the one hand means fulfilling and ensuring a number of obligations arising from the law, but on the other hand, it allows us to participate in public administration contracts. Several dozen employees currently have access to classified information in the company, and I am the responsible person. So I have to ensure that all the conditions laid down by law are met, including training for those few dozen ‘chosen ones’. For example, we also dealt with the creation of a classified information workplace, which the NSA approved for operation. Now we are preparing for recertification of the information system for processing classified documents for the Secret and Confidential levels. This is, therefore, a rather large, sensitive and professionally specific agenda.
Your job is to ensure maximum safety. So do you balance it with some adrenaline in your personal life, or do you instead relax?
I like to spend my free time with my family and friends – preferably actively, of course. It’s a classic: bike, ski, hiking and water – sea or river. I also like to travel around the world. I’ve visited many countries; I enjoy seeing how people live in other cultures, what food they eat, how they deal with daily worries; I’m also interested in local history and architecture. It always enriches me somehow, no matter if it’s Uzbekistan, China or the USA. I do a lot of reading as well. And when I’m at my worst, and I need to really and literally unload, I go to the gym or the ring with my friends.
Your interests also include cosmology, which deals with the origin and evolution of the universe. This year’s ECSC finals story has a cosmic theme. What would you personally recommend to future space travellers in terms of cybersecurity? Should they pack warm socks if someone remotely hacks their heater, or would they instead just fly offline in aeroplane mode?
Being offline all the time is neither optimal nor safe for a space station or shuttle because the crew might not learn about potential threats that have been detected by the control centre. Warm socks, which are pleasing in winter on planet Earth, would not help anyone much if there was a heating shutdown in space, where the temperature is roughly -270 °C. However, I’d still pack them for the trip, because as our grandmothers used to say, it’s good to keep your feet warm. However, with a bit of exaggeration, I would say that a little better than packing socks would be to bring a towel, as anyone who has studied The Hitchhiker’s Guide to the Galaxy will attest. However, I would certainly point out a very good piece of advice given in that book that participants should follow in a spaceflight – DON’T PANIC.
This advice is matched by the advice given by instructors to, for example, military fighter pilots, Special Forces members, or intelligence officers in the event of a panic condition that may threaten their mission, health, or life. That advice is: Don’t panic, keep a positive attitude and stay calm. Fear, panic, and despair over the unfathomable forces of fate may be stirred in some situations and other guesses of developments. It is not good to be too afraid. Fear stresses one out, binds one, leads to panic, and brings out the worst qualities in one that affect the most precious thing, our relationships with loved ones. What one needs is the courage to keep hope, be cautious, and take seriously one’s struggle with the situation one is experiencing. Interestingly, the call to “Fear not” is said to appear as many as 365 times in the Bible. That is, this exhortation applies to every new morning, all year long. Even if a person can do nothing, it is still up to him or her to decide how to approach the situation and react.
But the main thing is to maintain safety precautions from the beginning to the end of the flight. In all spaceflight, safety always comes first, literally. The main thing is that the safety of all persons is always assured and that the space station can safely continue on its standard flight path and perform its assigned tasks. That requires good overall cyber and physical security.
You’ve been a lecturer at Charles University for 15 years. Have you seen any change in students in that time, either in relation to digital technologies or in general?
Of course. Students are very good and almost natural with modern communication technologies. However, the main transformation is in the way they present themselves and their work. Today’s students are much more confident in communication, have more courage to present their ideas and are not afraid to enter more into discussions with the lecturer. When I first started lecturing, students were much more careful in their discussions and presentations and used paper more than modern telecommunication technology to take notes.
Why would you recommend working at CETIN to young people interested in the field of cybersecurity?
Personally, I would recommend CETIN to all young people interested in working in telecommunications with a focus on the Network and IT. As I already mentioned, young people will get very good experience here and, most importantly, the opportunity to work with real specialists who have incredibly deep knowledge in their fields, regardless of whether they are from security, Network, IT or other areas. It makes working on projects really rewarding. And no matter what area they work in, they will always be involved in security as well because quality and secure services are the foundation of every technology business and industry. Not just spaceflight.
Thank you for the interview.