Diana Kelley leads IBM in the Fight Against the Dark Web

Diana Kelley breezes into the room, petite and affable.  Yet the fight that she engages in is no dainty matter.  Consider the daunting statistics.  Findings from IBM X-Force study show that nearly 20 million financial records were breached in 2015.  The impact of these data breaches in finance is significant, costing financial institutions an average of USD215 per stolen record.  In August 2015, personal data stolen from the adultery website, Ashley Madison, has been posted on the Dark Web, exposing names and personal details of most of its 37 million members.  Ethical considerations aside, the 10 gigabytes of compressed data dumped onto the dark web is a colossal data breach.  Just before Christmas 2015, the BBC was knocked offline by a 602Gbps attack.  The dark web has created USD445 billion in illegal profits gained over the last year.

Diana Kelley

The sophistication of cyber attacks has escalated and 80-percent of these advanced attacks now come from collaborators on the dark web, nefarious “gangs” if you must call them, as opposed to rouge individual attackers.  As they have gotten more organised, so must the force that unites to counteract their rise.

Enter Kelley.  Kelley is the Executive Security Advisor of IBM Security in the IBM Group.  IBM Security took root a little over three years ago.  In cognisance of the rising threat, in 2012, IBM Group has set up IBM Security System division and IBM Security Services division when Kelley was recruited into the IBM-fold.  Under her guidance, the divisions were merged in 2015.  Today, there are 7500 employees in IBM Security internationally.

It is a sizeable pool of resources, data, knowledge base and skill-sets.  Kelley is perfectly placed to lead this group and provide guidance to CISOs (Chief Information Security Officers) and security professionals worldwide with 25 years of cybersecurity experience under her belt.  Prior to joining IBM, she founded her own consulting firm, SecurityCurve, in 2003 to provide risk-focused advisory services to enterprises and deliver strategic knowledge to security software vendors.  In the 1990s, she served as a Manager creating secure architectural solutions, in KPMG’s Financial Services Consulting practice.

Lady at the top

It may seem incongruous that a lady is at the forefront of this field of work.  Yet how Kelley started on this career path was no accident.  It stemmed from her keen interest in programmes and digital devices.  Her father, a research professor, brought a programmable calculator home when she was just nine.  She tinkered with it and become hooked, instead of her brother.  Never did her parents once colour her views by pointing out the “unusual” gender leaning of her interest.  After her education, her continued interest saw her start work in the information technology industry.  One of her first jobs was as a network administrator.  When the server under her care got hacked into, she knew it was imperative to look at not just network security but also applications security.

With each career progression, she took on jobs with increasing cybersecurity responsibilities.  In many meetings, she may be one among ten male colleagues in this industry, but she never felt that her voice carried less weight.

Kelley has her work cut out for her.  It is a mean task as attacks are happening at every level.  Financial institutions have rolled out the EMV (which are chip-enabled cards, i.e. Europay, MasterCard and Visa cards) and PIN (personal identification number) technology and from 1 October 2015, liability will shift to U.S vendors to adopt the EMV chip and PIN payment compatible terminals.

However, despite the liability shift deadline, most small vendors and retailers have not invested in chip and PIN enabled equipment.  In Malaysia, PIN usage will be mandatory for all POS (point-of-sale) transactions effective 1 January 2017.  The extent and boom in connectivity of everyday items, including household white goods and wearable technology in today’s “Internet of Things” environment will further add complexities and challenges in cybersecurity.  Even a car connected to the internet, has been hacked already!  As a result, Fiat Chrysler had to recall 1.4 million vehicles to patch the breach.

Kelley opines that data breaches in the healthcare sector will largely continue to be a target due to the high value of medical records that can be commanded on the black market.  For example, personal details like your blood type, your medical history, your allergies, your surgeries, your mother’s maiden name, your date of birth, among others.  Politicians, military personnel, foreign operatives, celebrities and their families are particular magnets for such breaches.  In the U.S, a Mivast malware from the Black Vine group was discovered in February 2015 where a record-breaking 80 million healthcare records were breached!

In her visit to the Southeast Asia region, she notes that while Malaysia’s network security has matured, our application security still falls short.  There are insufficient skill-sets at this level and she hopes to raise awareness for organisations to also invest in protecting their applications.  Both layers must be given rapt attention.  Imagine the “network layer” being a fence to guard your compound but the “application layer”, a door to guard entry into your home.  Women can be a huge resource to tap into to meet this skill-set gap.

The MOE (Ministry of Education) has signed up with University Kebangsaan Malaysia in 2014 to train students in the field of cybersecurity.  Kelley herself has met ten women CEOs in Malaysia to raise awareness and communicate the impact of data breaches and the need to train employees regularly to address these palpable risks.  Employees can inadvertently be the source of data breaches but more sinisterly, employees can sometimes be the insider in intentional breaches.  Systems must therefore, be designed to be able to trail and monitor.

Creating awareness

In the region, IBM is collaborating with and mentoring 300 higher education institutions and universities to encourage students in the study of cybersecurity.  The job opportunities are surprisingly vast: researchers of the dark web, analysts of  malware systems, consultants and implementers of securities systems, writers to raise awareness, developers of cybersecurity software, even hackers or penetration testers to see if specific cybersecurity stands up to mark.

In short, IBM is on a mission to build up a force of “good guys” to fight the “bad guys”.  IBM is ready to share its resources with other organisations to build a community that is aware and ready to face this fight together.  IBM has a security intelligence blog and a shared platform which alerts people on the latest cybersecurity issues and educates people on how to handle malware and ransom-ware issues.  This community can access database from the last 20 years up to current real time threats to observe the trends of attacks over the years.  This acts as fuel for the community to share and leverage information.  Simply put, designing and re-designing a secure architecture that is strong and resilient against the ever-evolving deep dark web requires community collaboration to stay ahead.