Because then I could have pretended that the cybersecurity discussion was just a couple of excited pensioners at a neighboring table who had good intentions but not a lot of clue: “my son is good at the computers”; “it’s probably those dastardly Russians!”
It would have fit right into the atmosphere and been almost charming. It would not have been what it actually was: alarming.
The computer genius 10-year-old aside (is he available for an internship? we are hiring!), the reality of security that companies need to care about is neither basement-dwelling thrill hackers nor state actors. This is a false dichotomy that insults and misleads everyone in order to sell expensive security shovelware toolkits that address non-existent issues. Yes, I’m afraid that I have bad news: your Splunk instance is not really going to stop GCHQ.
The problem that enterprises face is not #anonymous nor nefarious state actors from former superpowers eager to steal consumer data, it’s people with a profit motive who are taking advantage of decades of bad and ineffective approaches to security driven by the CIO Career Plan: leverage risky moves that hypothetically cut costs and sound good on LinkedIn or at conferences for their next job before the inevitable results start appearing.
Look, it is fun to pretend that Russia or North Korea or the good old NSA is out to get you, but the reality is that if state actors are your problem, then you already know it, for real, because you meet with the FBI twice a year. And whether you do or not, if that is your adversary you are doomed. Their budget is bigger than your revenue. They have better people doing this full time for their entire careers. To quote James Mickens, they have helicopters and drones and might kidnap you. They intercept packages in transit and insert hardware subversion devices. It’s not worth talking about.
So let’s talk about something that does matter – your company. Defacement and thrill hacking have mostly died off at this point. Why?
Anyone who was even tangentially part of the community, on IRC or anywhere else, noticed an interesting trend among their friends in the mid 2000s, and it was this: the conversation started to change.
At first it was pretty innocuous: “LOL, I put naked guys on this bank website.”
Then: “I found some issues on this site, do you think they’d pay me to fix them?”
Then: “You remember those vulnerabilities I found … do you think anyone would pay me to know about them?”
People really don’t appreciate how dramatically this conversation changed or why. Ransomware did not come out of nowhere. It was created by you because, and not to put too fine a point on it, when companies were approached by these guys the typical reaction to “hey, you have this problem” was to threaten to sue. That set the stage.
Then something else that was interesting happened. What was once a carding subculture started to arrive at a generalized monetization of certain kinds of hacking: identity theft, credit cards, health records theft, etc. No state actor is stealing your credit card number and they don’t care about your diagnosis. At first this was shared files, but now bitcoin is there. You know what’s limiting bitcoin-based ransomware? It’s hard to buy and hard to take cash out. These are not intrinsic. Chinese and Russian hackers will solve this problem.
State actors and thrill hackers are the public face of the problem because security vendors and politicians love to talk about them. They are exciting! They are high-drama. They are the All Caps We Are All Going To Die Ebola Outbreak of the security press. But in reality, in terms of monetary damage, thrill hackers are minor and state agents only tangentially care. Just as you are more likely to die in a car accident today than you are to get some exotic new disease, the person most likely to bite you is a hacker or one of your own rogue employees who wants to make ends meet or buy a new iPhone 7.
You know what should keep you up at night? Not North Koreans turning your Amazon cluster into an evil bitcoin stealing botnet. The concern you should have is that these people figure out how to monetize what’s really valuable: your intellectual property, source code, signing keys, stock trading strategies, acquisition plans, phase III clinical results, investment portfolios, tax paperwork, lawsuit discovery content, etc. All of these are worth far, far more to you than some poor consumer’s social security number. Once they figure that out, and once they apply their cleverness to how to monetize it, you are done. There will be an onslaught of thefts, blackmail and ransomware that will make your head spin.
Which of those, if held hostage with cryptoware, sold to specific people instead of bulk buyers, released to the public, or quietly tampered with and then used, would not create huge problems for you?
Sorry, when you have to restate earnings, ask customers to disable devices you’ve sold them, have to recall a drug due to fudged trial data, find your next generation product being cranked out in knockoff factories, … there will be no more bulk-buying cheap credit reporting for the saps that got screwed by a lack of attention to security. Instead we are talking existential threat: the cyber-facilitated corporate death penalty.
There are only two things stopping this today: the people involved don’t know and they don’t have a path to monetization. They don’t know what companies actually value because they are mostly young, naive, foreign, and inexperienced. They’re doing the equivalent of a smash-and-grab: snatching the laptop on the table or the television instead of walking off with your brokerage account passwords – they don’t know how to value the rest, because they can’t sell it.
You know what the best firewall is today? “Every thief knows that you don’t steal what you can’t fence.”
There’s no fence right now for Pratt & Whitney’s new engine designs, no easy way to get paid to insert stealth, submarine malware into the next internal application rollout by abusing your incredibly vulnerable Jenkins install (No auth? wunderbar!), and no point in exploiting the tens of thousands of unprotected MongoDB instances that enterprises exploring the new NoSQL world have left open to the internet on EC2. Would you even notice if one of your servers started uploading your next generation product plans to Dropbox when your whole company is constantly using it?
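The open-MongoDB case above comes down to two lines of mongod.conf: which interfaces the server binds and whether authorization is switched on. The following audit script is an added example, not code from the original post; it uses a deliberately minimal parser for the two-level `section:` / `  key: value` layout of mongod.conf (not a full YAML parser) and runs it over two constructed config fragments, one exposed the way the post describes and one restricted to loopback plus an assumed app-subnet address (10.0.0.5, a placeholder).

```python
"""Flag the two mongod.conf settings that turn a database into an
internet-facing, unauthenticated one: net.bindIp / net.bindIpAll and
security.authorization. Added example; the parser is deliberately minimal."""
from typing import Dict, List

# Values of bindIp that mean "every interface on the host".
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_config(text: str) -> Dict[str, object]:
    """Parse the 'section:\\n  key: value' shape used by mongod.conf.
    Comments (#) and blank lines are ignored; only two levels are handled."""
    config: Dict[str, object] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first ':' only, so '::' survives
        value = value.strip()
        if indent == 0:
            if value:                               # top-level scalar, e.g. 'systemLog: ...'
                config[key] = value
                section = None
            else:
                section = key
                config.setdefault(section, {})
        elif section is not None and isinstance(config[section], dict):
            config[section][key] = value
    return config


def _section(cfg: Dict[str, object], name: str) -> Dict[str, str]:
    sec = cfg.get(name, {})
    return sec if isinstance(sec, dict) else {}


def audit_mongod(text: str) -> List[str]:
    """Return human-readable findings; an empty list means neither exposure was seen."""
    cfg = parse_config(text)
    findings: List[str] = []

    net = _section(cfg, "net")
    ips = {ip.strip() for ip in net.get("bindIp", "").split(",") if ip.strip()}
    if net.get("bindIpAll", "").lower() == "true" or ips & ALL_INTERFACES:
        findings.append("net.bindIp binds every interface: reachable from any network the host is on")
    elif not ips:
        # Older releases bound all interfaces by default; newer ones bind localhost.
        # Either way the exposure is implicit, so the setting should be explicit.
        findings.append("net.bindIp not set: exposure depends on the server's version default")

    auth = _section(cfg, "security").get("authorization", "disabled")  # mongod default
    if auth.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can connect has full access")
    return findings


# Constructed sample: the shape of the exposed deployments the post describes.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback plus one assumed app-subnet interface, auth on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # placeholder address for the app subnet
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod(conf) or ["no findings"])
```

The check is intentionally about configuration rather than reachability: a bind to all interfaces is only an exposure if a security group or firewall lets the port through, but a configuration audit catches the mistake before the instance is ever reachable, and it is the kind of "dotting i’s" work the post argues is the real job.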
It all comes back to: if you can’t sell it you don’t steal it. This can change in an instant.
State actors? You aren’t going to beat state actors, but it doesn’t matter. Thrill hackers? At this point they’re an almost-admirable check and balance on sloppiness (I ❤ them).
Both of them are a distraction that keeps you from the boring work of dotting i’s and crossing t’s. The boring but real issue today is people who want ROI on their effort to supplement their income. The not-at-all-boring but real issue tomorrow is that they’ll figure out what you actually care about and how to sell it. Their long term potential is much, much worse.
Founder, Chief Architect