Trump picked Giuliani for his cybersecurity expertise — but many industry members haven't heard of his work

Few in cybersecurity know much about former New York City mayor or his consulting company

Caption: Little is known about the cybersecurity work of a consulting company run by former New York City mayor Rudy Giuliani, centre, though a partnership with BlackBerry — whose CEO John Chen is pictured here — was announced earlier this month. (The Associated Press)

U.S. president-elect Donald Trump announced Thursday that former New York City mayor Rudy Giuliani would lend his expertise to the government on issues related to cybersecurity.
But many in the cybersecurity industry aren't familiar with Giuliani's work in that area, or his company, Giuliani Partners — leading some to conclude he may not have the expertise the Trump team believes he does.
Giuliani has run a consulting business since 2003, claims to offer cybersecurity services to its clients and is chairman of global law firm Greenberg Traurig's cybersecurity practice.
"I have been working in cybersecurity for 17 years and been all over the world. I have yet to encounter anyone who has had any interaction with Giuliani Partners," said John Bambenek, who manages threat intelligence systems at Fidelis Security and teaches cybersecurity at the University of Illinois.
"I don't know him or the firm," echoed Boris Segalis, a New York City-based lawyer who co-chairs the Data Protection, Privacy & Cybersecurity practice of law firm Norton Rose Fulbright. "They are certainly not huge in this space."
If you've ever worked with Rudy Giuliani on cybersecurity issues, or have any information on Giuliani Partners and its clients, you can contact CBC securely and anonymously using SecureDrop. You can also email matthew.braga@cbc.ca directly (PGP key here).
In an interview with MarketWatch a year ago, Giuliani said he entered the cybersecurity business after reading a 2003 FBI report that forecast a rise in cybercrime and national security risks.
By 2005, Giuliani said the company had begun offering penetration testing to clients, evaluating their security with attempts at breaking into their networks from the outside, and as recently as this month claimed "deep experience" in cybersecurity.
Otherwise, little else is known about the services the company offers and the clients it serves.

'I've never heard of it'

Cybersecurity companies often demonstrate their expertise by publishing research and reports on new and emerging threats, appearing at conferences, providing expert commentary to media, and participating in legal and policy discussions on security matters.
But for 13 years, Giuliani Partners and its subsidiary, Giuliani Security and Safety, have remained all but silent on cybersecurity — to the extent that many in the industry were unaware of the firm's existence.
"I don't know anything [about] his company or what they do," said HD Moore, a computer security researcher who created a widely used piece of software called Metasploit.
"I've never heard of it," said Mikko Hypponen, another computer security expert who is the chief research officer of Finnish cybersecurity firm F-Secure.
"I had no idea that it existed until you just said, but my bet is that it's probably congruent to the DNC or the Hillary campaign's defensive capability," said Dan Tentler, founder of the computer security company Phobos Group.
Indeed, security researchers spent much of Thursday on Twitter posting information about the security vulnerabilities they had found on the Giuliani Security and Safety website — ironic, some said, for a person who had just been chosen for his purported expertise on cybersecurity issues.

Not a technical play

Marcus Carey, the founder of cybersecurity company vThreat, and a former researcher at Rapid7 and U.S. navy cryptologist, believes "the company clearly isn't a 'technical' cybersecurity play."
Rather, Carey thinks that "Giuliani's business is focused on corporate governance, compliance, and legal issues related to companies being breached."
Reporting by Motherboard's Jason Koebler and Lorenzo Franceschi-Bicchierai supports this view. An anonymous cybersecurity executive, who claimed to have experience with Giuliani Security and Safety, told Motherboard, "If you hired them on a cyber engagement, they are going to tell you what your legal obligations are and how to manage the legal risk related to cyber."
The company also announced earlier this month that it is teaming up with BlackBerry "to assess infrastructures, identify potential cybersecurity vulnerabilities, address gaps and secure endpoints," further suggesting that it may not have those skills in-house.
BlackBerry's chief security officer, David Kleidermacher, declined to comment, referring CBC News to Giuliani Partners' media contact, who has yet to respond to a request for an interview.
"We have seen a lot of politicians and military leaders use their personal brand to launch cybersecurity firms, especially based off 9/11," said Carey.
"I think that people are conflating homeland security with cybersecurity. Just because you have made a reputation in the government related to homeland security doesn't mean that transfers to the cyber realm."