The former CTO of America's Central Intelligence Agency, Bob Flores, has said the gravest cyber security threat facing the world is the lack of protection for critical infrastructure and the internet of things – and that it's worth challenging narratives about attacks from nation states that get repeated without criticism.

Bob Flores spent 31 years at the CIA in various roles – holding positions in the Directorate of Intelligence, Directorate of Support, and the National Clandestine Service. He held the CTO role for three years then left to become CEO at consultancy Applicology Incorporated, before founding Cognitio.

Aerial view of the Central Intelligence Agency headquarters, Langley, Virginia. Image credit: Carol M. Highsmith
Aerial view of the Central Intelligence Agency headquarters, Langley, Virginia. Image credit: Carol M. Highsmith

Critical infrastructure

"I worry a lot about critical infrastructure," said Flores, speaking with Techworld at a cybersecurity event in London.

"We haven't seen a lot happen there – because where's the money in it? But could we get to the point where somebody might go after a power grid somewhere, and say: I'll turn the power grid back on for a billion dollars? I'm not sure such a thing would be realistic today but it might be in the future."

He described Cognitio as a "small organisation with its roots in US government" which advises businesses on how to market into the federal government, plus conducting cyber risk assessment and "subject matter expert" work within government.

According to Flores, the rush towards connectivity we are seeing with the internet of things has parallels with the early days of the internet itself.

The Internet of Things

"I worry a lot about the internet of things," Flores said. "This is the same problem all over again. It began back in the late 60s when the internet was first being promulgated, that it was all about connectivity and not about security. That's the same thing we're seeing with the internet of things."

"Even the companies that are saying ‘my device is secure' – so I have a device that's secure, and you have a device that's secure, but now they want to talk to each other. Who's securing that conversation? The answer is nobody, today."

"I do worry about that. It's going to be a very interconnected world, and all these devices are going to blur."

"The worst possible scenario is critical infrastructure – if you look at the industrial world, Europe, the US, and so on, what really matters to the people? And can I attack what really matters to them? Whether that's the water system, the power grid, the supply chain around groceries, any of those things – if I can hold those things hostage is there a chance for me to make money out of that."


Flores went on to say that as far as state actors are concerned, these kinds of attacks are extremely rare – and that it's "always reasonable to cast doubt on assertions".

"Assertions are one thing, and proof is something else entirely," Flores said. "Just as it's very easy to exploit things that are out there today, it's also very easy to spoof. It's very easy for me to launch an attack that makes it look like I'm from North Korea."

"And so you can look at a bunch of things and say, well, the preponderance of evidence says ‘this is coming from North Korea' – OK, but that's not proof. Whether it's North Korea or the Russian Business Network or China or whoever, it doesn't really matter."

"You have to say: OK, well let's say it was North Korea – what was the point? Are they trying to say look what we're capable of? That's a real scenario... but does that mean they would ever do it again? I think we have seen from the Sony attack, that some of the information that got breached in the attack has shown up in the wild, in a price per credential kind of way, so somebody is making money off of that."

"You have to follow the money, and figure out who is making that money."