Last week, BBC.co.uk ran a great interview with Dimension Data General Manager of Security, Neil Campbell. Starting his career with the Australian federal police, Neil has certainly come a long way…
Interview by Leo Kelion, BBC Technology Reporter
Neil Campbell sounds tired. It could be jet lag from from working on three continents in the space of one week. More likely it is because it is the end of another diary-packed day with clients, business colleagues and others having all sought his expertise.
Hardly a day goes by without news of another cyber-attack, whether it is a credit card data breach, an assault by self-styled hacktivists or suspected industrial espionage – and the reports are just the tip of the iceberg.
Mr Campbell is Dimension Data’s General Manager, Security, Global. “It’s a mouthful,” he says.
The job puts him in charge of a team of around 600 staff and makes him responsible for more than 6,000 clients across 51 countries, including many of the world’s biggest companies.
Managed security services is a crowded market. The South African firm’s bigger rivals include IBM, Symantec, BT, Hewlett-Packard and Dell Secureworks. Further down the scale, players including Claranet and Integralis also compete for business.
So perhaps it is no surprise Mr Campbell is coy about discussing his customers, but he speaks with passion about his work and at times is surprisingly frank.
Mr Campbell started his career with the Australian federal police in 1989, working in the general crime division for a few years before the opportunity arose to specialise in cybercrime.
“What was interesting about that was that out of the whole southern region – about 400 people – I was the only person to volunteer for the computer crime team,” he says. “It was seen as a bad move by my peers. And I think they have been shown to be wrong.”
The experience proved instructive, offering a lesson that he says still holds true.
“In my time in law enforcement investigating computer crime you are kind of like a computer crime ambulance driver,” he says. “You turn up at the scene and that’s your job to determine what went wrong. Not necessarily to bring the patient back to life, but to determine what went wrong. And almost without exception what goes wrong is that somebody doesn’t do something that they should have, or somebody does something that they shouldn’t have.”
He says much of his work at the time was chasing hackers whose main aim was to gain notoriety, which made them easy to track.
“It made people very easy to catch because they would always leave a name,” he says. “All we had to do was match their pseudonym to their real name and we could find out who did it.”
After six years with the division he left in 1998 to join the accountants Arthur Andersen before they came unstuck over the Enron scandal. He found the transition to the private sector relatively easy to deal with.
“When you join an auditing firm you go and put a person in a room, you ask them a number of questions hoping that they will trip up and tell you something they didn’t want to tell you – and then they’re in trouble,” he says. “So it was a very smooth transition as my relationship with my client didn’t really change.”
In 2000 Mr Campbell joined a small security services company where one of his first jobs was to carry out a penetration test at an Australian bank.
“What we were testing was their new internet banking environment, which was due to go live in two weeks and this is something that is not uncommon,” he says. “We see security being considered at the last minute rather than being engineered into the project from day one.”
The tests revealed it was possible for hackers to manoeuvre themselves between a customer and the lender’s infrastructure without triggering certificate warnings or other alerts that the transactions were not secure.
Mr Campbell and his team flagged this up to the bank, advising it to delay the rollout. The lender’s decision to press ahead proved such matters are not black and white.
“They looked at the possibility of someone doing this versus the reality of the revenue, reputation and share price damage that would be caused by delaying the launch of the service. And that was a nice illustration that it’s about managing your risk,” he says. “It’s not my job to decide what the appropriate level of risk is for my client. It’s the client’s job, and… if they’re doing their job right they are making well informed decisions about risk and then they are living with the consequences good or bad. For me that was quite instructive.”
He says as far as he is aware the gamble paid off.
Since 2002 Mr Campbell has worked for Dimension Data, initially as a security consultant before working his way up the ranks. During that time he tracked the rise of organised crime.
Initially this involved groups working together to steal electronic funds. These would often be wired to Eastern Europe and converted into cash. But more recently things have taken a more sinister turn.
Mr Campbell suspects governments have sanctioned some of the recent hacking attacks.
“What we have seen – and this has been inevitable and inexorable – is a trend for governments [to be] heavily involved in espionage, as best as I can tell,” he says. “And certainly if it is not governments, it is large groups of very well organised people looking… to gain an advantage by stealing intellectual property and information relating to ongoing trade negotiations or contractual negotiations between companies.
“The two countries we see most of this activity from are China and Russia.”
These attacks are often highly targeted, using personal information about the victim or the company they work for. To make matters worse the groups often use “zero day attacks” – the term for exploits that have never been seen in the wild before.
Educating his customers about risk factors is part of the solution, but Mr Campbell admits this only goes so far.
“Ultimately we have to assume that people will fail because we can’t predict the behaviour of human beings, so you have to anticipate the worst,” he says. “And the worst is that they will fail in their role of protecting themselves, therefore we have to put other controls in place to make up for it.”
These controls can include firewalls to prevent certain types of data getting in and out, whitelists to restrict which applications are allowed to launch and software that detects external email pretending to come from inside the target’s network.
However, Mr Campbell is set against one practice used by some other firms – hiring ex-hackers to catch active ones.
“You are talking to an ex-policeman now,” he says. “Being a hacker is more of a life philosophy than anything else. So I would have trouble being convinced that they had changed completely. And I would be very uncomfortable putting that person in front of my clients and saying, ‘Please trust this person because they have changed’. I know there is an argument that these guys are fantastic and they know lots of stuff, but so do ethical people and I’d rather stick with them.”