Chris Kubecka is the CEO and Founder of HypaSec NL, InfoGath UK, and Distinguished Senior Nonresident Fellow for the Middle East Institute. She advises the United Nations, multiple governments, and militaries, and serves as a television and documentary technical advisor and subject matter expert on cyber warfare and national defense.
Author of “Hack The World With OSINT”. USAF military combat veteran, former military aircrew, and USAF Command. She defends critical infrastructure and handles country-level cyber incidents, cyberwarfare, and cyber espionage.
Prior to HypaSec, she reconnected Saudi Aramco’s international business operations and established digital security after the world’s most devastating cyberwarfare attack. During her time at Unisys, she assisted in preventing the July 2009 second-wave cyberwarfare attacks against South Korea.
She lives and breathes IT/IoT/ICS SCADA control systems security, using her unique technical skills, honed since she started programming at age six and was busted hacking into the DOJ at age 10.
Chris was recently named “Most Influential Woman in Cyberwarfare Security” at the 2020 Influential Businesswoman Awards, for which many congratulations to her from everyone at PureVPN.
Let’s start the interview.
Question 1: How did you get involved in the Saudi Aramco hack?
Chris: They contacted me unsolicited and asked if I would be willing to work for them to implement digital security after they suffered the Shamoon 2012 attack. I told them I was starting a new job, and they said “Don’t say no, just say maybe.” They made me an offer I couldn’t refuse and I was keen on helping to keep the world’s oil markets stable.
I had observed in parts of the world when oil prices drastically increase, it is the poorest who suffer. There was a case in East Africa which always affected me; prices were high, an oil truck broke down at an intersection, people stabbed the truck to steal precious oil and a fire started, they tried to save themselves by jumping into a dangerous canal, and more than 20 people burned to their deaths.
Question 2: Did the incident have an impact on your professional career?
Chris: Yes, a big impact for good and bad. It allowed me to establish digital security from zero to reconnecting international business operations for the (then) world’s most valuable company which provides about 25% of the world’s energy supply.
I was enabled with a great deal of trust to implement digital security, governance, to work with legal to start the UK/EU GDPR program ahead of time, and lead great teams. Feet to fire role done well due to amazing teams and trust I never experienced with any western employer to date.
On the downside, some in the tech community were hypocritical and vocal because I worked for a Saudi company. Hypocritical because oil makes plastic, parts of the computer systems that employ them; as well as, the only experience they had with Saudi was western media, not realizing there are more women than men in Saudi in the technology fields of cyber and programming and ⅓ of tech startups in the Middle East are female startups.
This far surpasses the West. I have been going to Saudi for almost 25 years, the view of most who have never been there is highly negatively biased. This bias is something I wish to change using my new role as Distinguished Senior Nonresident Scholar in the Cyber Program for the Middle East Institute.
Question 3: Hacking incidents may be costly for the victims but they are relatively cheap for hire. What are your thoughts on hacking for hire?
Chris: As a person the Iranian government tried to recruit for such tasks at a 100K Euro a month rate, there are legitimate cases but many illegitimate cases, and security professionals need to be wary.
Question 4: Are you of the opinion that countries themselves are a threat to their national security?
Chris: Some countries can be, due to a lack of skilled talent available. There is a great brain drain from Eastern, Central Europe, Africa, and parts of Asia to the west which has a negative impact on the country’s national and cybersecurity. How can Nigeria keep qualified people when the rate of pay is so much higher in Europe? They have the same problem with medical personnel.
Question 5: Is having a strong password good enough to make your online accounts secure?
Chris: Yes and no. Strong passwords can be recycled and leaked from breaches. Hashes can be used in pass-the-hash attacks. I prefer strong two-factor authentication.
Question 6: What are the dangers of working from home during this pandemic with people connecting to vulnerable networks?
Chris: #BYOD Bring Your Own House means the traditional perimeter is now as strong as your front door lock. Home networks are shared, unsegmented, and rarely do non-European employers provide equipment from proper desks and chairs to network segmentation and firewall equipment.
Question 7: What’s your take on the state of cybersecurity? Is the world headed in the right direction?
Chris: Slowly. I recommended to the UN in a presentation for the United Nations Institute For Disarmament Research that countries retain the CERT function but begin establishing what I call CEPTs, Computer Emergency Prevention Teams. There should be more focus on prevention before a major incident occurs.
Question 8: What are some of the products/services people can use to stay safe from online threats? Do you think a VPN can keep you protected from online attacks?
Chris: Encryption, layered cybersecurity, unique passwords, two-factor authentication. VPNs can help but if the VPN gateways haven’t been patched or properly configured they become useless and give a false sense of cybersecurity.
Question 9: A number of people are still unaware of the threats and limitations of online privacy policies. Keeping this in mind, what message would you like to convey to the online community?
Chris: From research with the Global Cyber Alliance on a project I am working with them on: People understand there are threats, but security is too hard, or they figure they’ve already been hacked or their details are out in the open, which is what I call cybersecurity disenfranchisement.
Security is also expensive, showing true gaps between those who have the knowledge and can afford it vs. those who can’t. How does a family struggling during massive unemployment afford the newest, updateable Android, anti-virus, VPN, etc, much less pay for internet access?
Imagine the conversation between parents who might be out of work: “We have to buy a laptop for our kids for school, plus internet, security services, and new Android phones that are more secure, so no food this month or electricity.” Too many security professionals take their high salaries for granted and don’t realize what it’s like to struggle financially to secure regular people.
Thank you so much for the interview Chris, it was great to have you on our blog and get your views. As for our readers, you can follow Chris on her Twitter: @SecEvangelism where she shares her views about daily life things and the cybersphere.
Our next cybersecurity interview installment will be featuring the Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society. Keep following our blog for all the latest updates related to cybersecurity. Stay safe and take care, everyone!