Ric Longenecker on Cyber Security in UN

LIFARS question-and-answer session with cyber security experts: where, who, when, how, why, what

Ric Longenecker is currently the Chief Information Security Officer at the United Nations Office at Geneva (UNOG), Switzerland. Prior, he worked in Information Security with the UN Secretariat in New York and travelled globally as a Nuclear Fuel Service and Reactor Technology project manager with Westinghouse Electric LLC based in the US and Sweden.

LIFARS: As the ISO at the United Nations in Geneva, what does your role entail, including some of your key responsibilities?

Ric: The UN Office at Geneva is a conferencing Duty Station.  UNOG is home to the UN Human Rights Council, the Economic Commission for Europe, and the Convention for Certain Conventional Weapons.  We also work with or hold conferences for trade, humanitarian assistance, environmental issues, and development.  The Office has been in the media for events like the recent negotiations on Syria which were mostly focused in Geneva.  We like to say we host over 10,000 meetings a year.

I worked for several years in New York under the CISO of the UN Secretariat before moving to Geneva last year, as the Organization established the first long-term dedicated Information Security post here in Europe.  The role entails many factors of information security, starting with development of strategy, communications and policy, infrastructure advisory and direct responsibility for investigations, monitoring, incident response, along with contact with host country authorities.

The job can be quite interesting, as we are exposed in so many different areas, and occasionally interface with some very interesting people.

LIFARS: Can you share some major challenges that you’re addressing in the public sector in cybersecurity today, and how you’re overcoming them?

Ric: A colleague of mine and I were just discussing the recent US House Oversight and Government Reform Committee report on the publicized compromise of the US Office of Personnel Management (OPM).  The report really highlights some of the key issues that may affect many Public Sector Organizations, including the level of focus and understanding of Information Security by Senior Leadership, the level of funding applied to Information Security initiatives, and the emphasis needed to ensure the application of security fundamentals through the Organization’s IT infrastructure.

The UN works at the behest of its 193 member states, and is directed by the Secretary General and the UN Department of Management.  We run a two-year budget cycle, and often find ourselves in competition with many different funds and programs.  As the argument often goes – perhaps a dollar to be spent on the Information Technology or Security budget would be better spent on humanitarian relief.  Global government austerity is also severely affecting the Organization.  In our case, we do our best to develop metrics, report thoroughly, and raise risks.

So let’s focus on the third challenge – that of the application of “Security Fundamentals”.  I think there are two attributes that make the UN unique: (1) the staff form a completely multi-national and multi-cultural environment, and (2) many view the UN as an organization for the world, and thus have varying views of the meaning of transparency.

Currently, I spend a lot of time focusing on user awareness.  We often find that many users do not know how to properly classify information, of course may have trouble identifying a phishing attack, and sometimes have misguided views of risk or behavior.  In Geneva, we started doing informal lunch seminars and launched our global Security Awareness program in French.  For a seminar, I bring an actual bugged device recovered in the past, or a wifi-pineapple and do a man-in-the-middle demo and run through a series of topics.  Staff tell me later it really leaves a lasting impression.

The OPM report mentions that application of two-factor authentication and other missing basic security controls could have prevented or significantly mitigated the incident.  In our case, we often spend significant time with various Operational groups and Departmental IT working in detail to ensure some level of control deployment.  This is of course a continual work in progress.

LIFARS: The UN is an international organization that is constantly in the public eye. How does this factor play into your information security strategy?

Ric: Several years ago I had the chance to co-write what we call a “GA Report”, or the public report that is presented to the General Assembly providing status and requesting a budget.  Some circumstances led me to sit next to the CIO at the budget committee defense.  The first thing you learn when you go there is that the UN is an internationally-agnostic organization.  We can talk about activity, but do not mention any particular member state.  At the time we had several honeypots set up, and I had prepared results on paper in front of me which we did not disclose.  It made the whole event quite interesting.

So, we are internationally agnostic, and as mentioned before, we have a “unique” environment.  We need to then focus our strategy on general improvement of our security posture that is agreeable to all Member States.  The image of the UN of course is of tremendous importance, but our primary purpose is to serve the needs of the Member States.  These needs are mainly business continuity, protection of data, supporting staff in the field, and supporting assurance into adherence of staff to UN Rules and Regulations.

LIFARS: What do you see coming down the pipe for new information security trends as we approach the new year?

Ric: It seems to me that the industry has been a bit cyclical.  Could be a wrong assumption, but it seems that things have slowed slightly this year and the amount of hard investment in Information Security undergoes a slight correction.  At the same time risk, general media coverage, and public misconception floating around has never been higher.

There seems to be continued growth in endpoint protection and mobile protection products, and it is encouraging to see guys like Tavis Ormandy pushing A/V vendors to tighten up their products.  There will be a continued growth in cloud and data encryption solutions, and an emphasis on Office 365 security, as it seems nobody has really come up with a great data protection solution for this yet.  Oh, and as far as global legislation on Cyber Weapons is concerned, don’t expect much movement.  Member States have yet to agree on a definition of what a cyber or “autonomous” weapon actually is – the first step towards any kind of agreement.

Connect with Ric on LinkedIn.