Mark Testoni, CEO of SAP National Security, which develops software solutions for military and business applications, talks to Harry Lye about the national and cyber security threats facing countries and companies today.

// Image: Mark Testoni, CEO of SAP National Security

// Harry Lye:
Could you tell me a little bit about how you got into the national security business?

// Mark Testoni:

I've been in this business, starting as an enlisted man in the United States Air Force, since 1977. I have spent the last 22 years after I retired from the military in the private sector, both at work at SAP and before I took this position back in 2011. I've seen everything from the Vietnam War onwards in my life. I wasn't around for Korea, but close. I've seen a lot of things happen over the years.

What do you see as the biggest national security concerns that countries and companies are facing in 2019?

If you and I were talking about 20 to 25 years ago, we wouldn't be as concerned with companies in the national security arena; there was always a certain number of them supporting the aerospace and defence contractors. But really, when you look at national security right now, we view it as a much broader place because of the emergence of the internet and cyber threat.

I think the beauty of the internet and the cyber world is really the third Industrial Revolution. Now we're bridging on the fourth there has been unprecedented bringing of wealth to the world. You see this in countries like China and other places. It is fascinating.

On the other hand, it has also become the biggest threat because we are basically all connected now. And it's very difficult not to be connected. So that, I think, is probably the biggest opportunity to disrupt.

Touching on the cyber aspect of national security, where are the biggest cyber security threats originating from?

I think the biggest challenge that we look at in the Western world is the nation state stealing things like intellectual property; it's very obvious and very well publicised. The allegations that have been made, there's been some pretty interesting books written on the subject of Chinese interest in the intellectual property of companies around the world.

You also have other actors, maybe that aren't as quite as powerful, but they know they can, they are in this game too. Actors like North Korea that are not only trying to create menace, but looking for hard currency. There’s been a lot of celebrated cases publicised related to Bitcoin and other cyber currencies. Iran's been another pretty significant actor in this space.

And then of course, we’ve had an awful lot of discussion in this country and abroad about what Russia was up to. And that shouldn’t really be surprising, because the Russians have done a pretty good job of trying to influence elections since 1917, they just have a new platform to do it with in more recent times.

What do you see as being more dangerous: a state or a non-state actor?

When you talk about states, you're talking about resourcing, and often the policy associated with it. They can bring much more, potentially, to bear.

If you look at the cost, and I would have to go back and look, we're losing something like [just in the US] $250 to $300bn a year in intellectual properties, FC, you think about that. To me, state actors are always going to be something important.

And of course, there's a lot of non-state actors who can act like states too. We’ve seen it from a standpoint of use of the internet when you look at the ISIS and other organisations like that. And even what we saw recently [in the US], potential terrorist activities using the internet to exploit and rally people.

So there's an awful lot of different uses but ultimately state actors [are more dangerous], typically because of financing.

Gray visited the Defence College of Technical Training in RAF Cosford for International Women’s Day and met with some of the 45 female apprentices currently studying STEM trades at the college. Image: Crown Copyright / MOD

Do you think more can be done by Western countries to protect their institutions, militaries and companies from cyber threats?

When you look at what happens in those cases, we've done a pretty good job on the technical end, it's just a cat and mouse game that goes back to the caveman. The first caveman decided to protect his cave by rolling a big rock in front of it right, well, then bigger caveman came by and unrolled the rocking and stole stuff. This is always a cat mouse game. But I think we've created a good technical infrastructure on the perimeter.

Spearfishing is still, I think, the number one access point into companies and government agencies. I think we need to do a better job of educating the public of its responsibilities, both as individuals and as employees and companies.

I've always viewed this in the US as something that I don't think we've taken on quite seriously enough yet, I see a little bit more about when I travel to Europe. We really need to drive at education. Not that that's the [only] answer.

I think it's really three things. It is keeping our infrastructures as up to date as possible, starting to leverage and using the tools that allow us to look inside [networks] and look for anomalous behaviour, and then the cultural education of the workforce.

A highly visible cyber security trend has been the ransomware attacks on cities in the US. Do these types of attacks threaten military institutions as well?

A lot of these cities, some states and localities maybe don't have the resources that the federal government has, or big companies have. And they are natural targets. So the cyber criminals, they're looking to see feast, they view this as a place where they can work.

It’s obviously always a threat to the military, but this is where we see the military and the government infrastructures have gotten better. And, some of the large companies have gotten better, it's a little bit harder, but we're all potentially vulnerable to that.

I think that [ransomware attacks] are a feeding ground for the cybercriminal world. I'm not sure that it is an easy problem to solve because there's just so many infrastructures out there.

Air Marshal Gray. Image: Crown Copyright / MOD

As countries and militaries are pushing for more digitalisation of services, is this opening the door to more threats?

I think as we move into what some people call the fourth generation of the Industrial Revolution, the next generation of the internet and 5G, I think security is evolving, it's just reality that it is becoming more important.

I think digitisation is ultimately on balance. It's 98%. Good, but we've got to protect the 2% threat. And that's part of what we got to do. I love these people talking about ‘let's go back to paper and pencils’. We forget all the problems with that.

What’s your outlook on cybersecurity in the near future?

Cyber, no matter whether you're the military, or a commercial entity, or whoever you are, the cyber threat and the cyber opportunity should be at the top of your chain of activities.

I think in security we are seeing cultural change in this area, both from a privacy perspective and from an awareness perspective, which we need to continue that in the West. We need to not only buttress that culture, but we need to know, incentivise and start thinking about security upfront as we roll out the next thing.