Ex-CIA security boss predicts coming crackdown on spyware

Black Hat It turns out that ex-CIA chief information security officers don’t spill secrets at bars in Vegas. Or via Zoom, while pretending to be at a Black Hat cocktail party.

Still, Rubrik’s new Chief Information Security Officer Michael Mestrovich, who was previously the CISO of the CIA, knows a thing or two about cyber spies and ransomware gangs, and in an interview with The Register, he weighed in on both hot topics.

Last month, during a House Intelligence Committee hearing, security researchers and internet rights groups called on Congress to sanction and step up enforcement against surveillanceware makers like NSO Group’s Pegasus spyware.

Protecting individuals’ privacy is something all of us — including elected officials — should be very concerned about, Mestrovich said.

“I would expect, going forward, there will be either executive orders or legislation passed to ensure that the civil liberties and the rights that we all expect to data privacy and privacy of our own activities are kept sacrosanct,” he added.

As a CISO himself, ransomware is top of mind. “Ransomware is a huge threat to just our economic viability,” Mestrovich told us, citing a Cybersecurity Ventures forecast that global cybercrime costs will grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025.

“Clearly, the cyber criminals have monetized the theft of data or depriving an organization use of its data,” Mestrovich said. “Until we can do something to prevent the economic gain that they have from the theft of data or the denial of an organization’s access to its data, this is only going to increase.”

What this means for defenders: organizations need to do a better job of protecting data and encrypting it in transit. This extends beyond a corporation’s own walls, he added, noting that security executives need to have these conversations with their partner and customer organizations, too.

“How are we ensuring that the second and third parties that we do business with are taking the same mechanisms to protect the data that we would take to protect the data as an organizational entity?” Mestrovich asked. “I don’t think I’ve seen those levels of conversations previously, but they’re much more in the forefront now.” ®