Former New York City Mayor Rudy Giuliani compares cybersecurity to cancer.
As a prostate cancer survivor, Giuliani says he doubts anyone will ever find a “perfect solution” to the disease, and that cybercrime presents a similar challenge. And for both maladies, detecting them early on can reduce the damage.
After completing his second term as New York’s mayor in 2001, he founded a security consulting company, Giuliani Partners, in 2002. In the years since, he paused business to run for president, and then returned to his company and also joined the law firm Bracewell, which then changed its name to Bracewell & Giuliani. Last week, Giuliani joined Greenberg Traurig to chair its cybersecurity and crisis management practice.
MarketWatch recently sat down with Giuliani to talk cybersecurity. This interview has been edited for length and clarity.
MarketWatch: When did you become interested in cybersecurity?
Giuliani: It goes back to about 2003. I read this report on cybersecurity and it said basically that the FBI was predicting [cybercrime] was going to be a massive crime wave unlike anything we’ve ever seen before. And that secondly — the one that really caught me because this was only two years after Sept. 11 — they said this was a major national security problem. From outside the country without even entering the U.S., sufficiently sophisticated characters could attack our utilities, attack our cities.
MW: I talked to New York City officials recently about cyber threats, and the city wrote guidelines last year as to how it would inform the public, restore systems and coordinate in the event of a cyberattack. Was cybersecurity ever a concern while you were mayor?
RG: It wasn’t as great of an issue then because we weren’t digitized. We got digitized for Y2K. We spent $300 million on Y2K. They told me computers were going to change when the millennium hit. Then we had all these people who said all sorts of crazy things — the subways would stop running, the jails would get emptied, the moon would fall. We basically had to back up all of our systems. Y2K comes, Y2K goes, no problem. For the next year, all I do is harangue them for costing me that $300 million. Then Sept. 11 happened. I said, we should have spent $500 million. We recreated our emergency management center in 2.5 hours after it was destroyed.
MW: Because you had all those back-ups?
RG: Because [the data] was all on computers. And that’s when I started to become technologically very interested, but I could also see how you have to protect it.
We have to treat this like we treat other forms of crime where we don’t have a perfect solution. We just have better solutions. We don’t have a perfect solution to cancer, but that doesn’t mean we don’t look for early detection of cancer.
MW: After digitizing for Y2K and having that realization, did you have any conversations about securing those systems?
RG: I must say, after Sept. 11, in the four months that I was in office, the issue was not cyber. There’s this natural instinct to protect against the last attack. We did a lot to protect against air attacks but they’re probably not going to do it that way next time.
The FBI, the police department and me, personally, believed the next area of attack was going to be anthrax, smallpox, sarin gas, maybe even dirty bombs with some nuclear material. We weren’t thinking in the fall of ‘01 too much about cyberattack. Maybe we should have, but we weren’t. But there was also the feeling back then that the Taliban just wasn’t sophisticated enough to offer that kind of challenge. It wasn’t until the mid-2000s era that we started to realize the grid is very vulnerable, utilities are very vulnerable, cities are very vulnerable.
MW: As a former mayor, are you concerned about the cybersecurity of U.S. cities?
RG: I’m concerned as a general matter that the U.S. is behind cyberthieves. American business is behind, and I think that American government is behind.
All you have to do is look at the hacking of the Office of Personnel Management. People’s background checks, that’s really sensitive information.
MW: You compared this to other forms of crime earlier.
RG: It reminds me of the organized crime networks that I went after in the ‘80s. They’re not organized like organized crime was, where they have a meeting every month, or they belong to the same organization. Let’s call it a loosely affiliated kind of mafia.
MW: Tell me more about how Giuliani Partners got into cybersecurity, after you read the FBI report predicting computer crime would grow.
RG: So I read that and had a long talk with Jim Turley, the chairman and chief executive officer for Ernst & Young. Jim said, “Damn it, we should start a business like that. We should figure out what’s the best way to protect these companies.” We came up with attack and penetration: here’s a company, attack ‘em from the outside.
When we went to talk to the CEOs that we knew, they all told us, “We have companies like that but they make us very nervous because they employ lots of ex-hackers.” Granted, most of them may be reformed. I am more than willing to believe in redemption. But I don’t believe in constructing a whole firm based on a bunch of guys who, I’ve got to be 100% right that they were once crooks and now they’re good guys. So Jim and I decided to do it differently. We had contacts in the military. A lot of our intelligence surveillance systems, they’re very well-protected. So we said, why don’t we hire ex-guys who do that? They’re always retiring after 20, 25 years. Why don’t we see if we can put together a cadre. Get them computer equipment, start it. So we did.
MW: So Giuliani Partners began penetration-testing companies — attacking from the outside to find vulnerabilities hackers may exploit — back in 2003?
RG: 2004, 2005 by the time we got started.
MW: How many clients did you have back then?
RG: Maybe 30.
MW: Did you find that anyone cared about cybersecurity back then?
RG: These were all friends of mine, friends of his. They’d give me a nice meeting and they’d look at me, and they’d look at the bill. And the bill was high, but it wasn’t high for them — $10 million, $20 million, something like that. It wasn’t like the kind of money they’re spending now. (laughs)
(Note: J.P. Morgan Chase had a $250 million cybersecurity budget when it was breached in 2014; CEO Jamie Dimon said after the breach that the bank would double cybersecurity spending.)
MW: What kinds of companies were these? Retail? Financial?
RG: The ones you would think would be the most sensitive. Pharmaceutical companies, at the time, were nervous about other pharmaceutical companies hacking them. They weren’t so nervous about China. You had energy companies, you had the utilities, you had newspapers. Some of the universities.
Problem No. 1 was getting past security [employees] who would say, “Don’t worry boss. We’ve got it covered.” Jim and I would circumvent that by going right to the CEO. Still, when we left the office, the security guys would come in and say, “These guys just want to make money.” We didn’t get some clients because they couldn’t see the problems. When it came down to the bottom line, we couldn’t say to them, “you spend $10 million on us and you’ll save $20 million” [by avoiding a breach].
MW: You didn’t have examples like Target and Sony back then.
RG: Right. It was a theoretical problem more than a real one, but it was going on. We came up with a sales pitch: Let us attack your company for a month. If we can’t get in, tell us to go away. I think we won 48 out of 50 of those. Only twice we couldn’t get in.
MW: When you talk to potential clients now, do you still run into some of the problems you faced in 2003? Do people still question whether it’s worth spending on cybersecurity?
RG: It’s beginning to change. There are very surprisingly large companies that take the Band-Aid approach. They have this false sense of security that they’re not going to be [hacked]. Maybe they don’t want to believe it.