Bruno, you're CISO of the Republic and Canton of Jura in Switzerland. Could you tell us a bit about your job and what a typical day involves?
Sure. As Chief Security Officer for cybersecurity I’m involved in ensuring security of the state. That means we have mostly 100 locations and 400 applications, for example schools, healthcare industry, roads, taxes, police and so on. So the perimeter I have to secure is quite broad. The problem we have is that I have to check all the risks involving this perimeter and also understand the needs of the business, because every business has different needs. So we have to match guidelines also from the Swiss Confederation, and ISO 27001 standards, to define policies and roles. So that’s my main job and that takes a lot of time because we have to be compliant.
You also work with the Swiss National Security Network. What does that involve?
The Swiss National Security Network is aiming for coordination between Swiss cantons and the federal services, in case of attacks for example. It’s not related to the war state, it’s just during peace time, but we’re trying to coordinate all the cyberattacks and cyberdefence, to understand how to better improve our responsiveness for that.
How do you find the coordination aspect? Is it very challenging?
It’s very challenging because we have a mixed environment involving private companies, like for example energy providers, and also public companies, transportation and so on. And the coordination has to be made for global response, so that’s interesting.
For my part, my challenge is to try to learn German! Because all the talks are in German.
Last point as well: we have yearly exercises, and simulations of attacks, and so on. So that’s important. Last autumn we had some exercises with simulation of cyberattacks on the power plants, linked to a big flu epidemic, so that was very complex. It also involved hospitals and… well, everybody. It was complex.
There's been a lot of discussion at DFRWS about law enforcement working together with academics and corporate to combat cybercrime. Do you think this is important, and if so, how do you think we can encourage it?
Yes it’s very important to have academic research in this area, because cybercriminals are always improving their methods, and most governments don’t have time to investigate new ways of fighting cybercrime and conducting investigations. We also have new technologies coming, like smart TVs and everything, that improves month after month. The issue we have is starting to be able to understand those new technologies. So definitely, if research is going further, that’s important for us.
As well as all of your other jobs, you lecture in IT security. What are some of the most common misconceptions you see from new students?
Most of the time IT security is not very well-known, because they mostly just focus on the high-level parts, and you have to think about global issues. For example most people I teach are developers, so they don’t think about all the political issues that we have when we do our policies. And that’s important, we have to take that into account. Security must be safe, must be good, strong, but we cannot prevent a user from working. So we have to make some decisions like that, and that’s the most important misconception about this.
The second one is to be able to understand all the implications in terms of low-level. For example when you think about e-voting, that’s a concept, a mathematical concept, you can just decline that using software, but you have to think about using all the low-level implications, that you could fake the hardware, for example. And most students also don’t know this, because they were not taught about that.
Do you think that teaching of IT in schools is in need of improvement?
The problem is that there are two levels; you have to teach IT for everybody, every citizen, but that’s not very simple. And then when you focus on IT students, I guess there’s a lack of teaching in some specific fields, like understanding exactly how a computer is working, for example. That’s important in terms of digital forensics. Because forensics is low-level most of the time. So if you don’t understand how the system is working – the inner workings – that’s bad, because you can just miss understanding how the problem is set up.
In your opinion, what is the “next big thing” in digital forensics?
I guess it will be big data. I don’t like the term, I hate the term in fact. It’s all marketing, you know. But big data for me is important, because now we are able to use statistics and predictive analyses, which is very useful also in terms of forensics. For example, now if we want to have a case and to seize hard drives, the problem is that it could be virtual systems using maybe tens of thousands of hard drives, so it’s just impossible to copy them. The only way to check that is using big data and statistical methods. So yes, that’s the next step, I guess. But personally, I don’t like that.
Finally, you're part of the Club des Vigilants. Could you tell us a bit about this?
Sure. That’s not IT-related, that’s a French think tank. We are discussing global things about how to enhance society for the benefit of everybody.
Bruno Kerouanton is CISO of the Republic and Canton of Jura in Switzerland, directing the IT security strategy and operations for the region. He is also an Honorary Consul of France, a teacher of IT security and a volunteer fireman. Bruno is also part of the Club des Vigilants, a French think tank about global security.
Forensic Focus interviewed Bruno at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016.