As 2014 came to a close, we got a front row seat to the horror show that was the Sony hack.As if we needed a case study to show us, we saw, with vivid clarity, what can happen when hackers run amok inside servers and start sharing confidential business content with the world — and we learned it gets ugly in a hurry.
We’re less than a week into the new year and already we’ve seen a major Bitcoin attack. You know that it’s only a matter of time before we hear about the next catastrophic system assault. It’s a bit like cybersecurity roulette. We keep spinning the wheel to find out who the next victim is.
The question is, why are we still so vulnerable, and why is the industry not banding together to solve this once and for all? Security matters to everyone from governments to finance to private sector companies of all sorts. Nobody wants to be the next JP Morgan, Home Depot or Sony. Yet everybody seems equally vulnerable. That’s why we must work together and put the best minds to bear on the problem to figure this out. The trouble is these are dreadfully difficult problems or we would have solved them by now.
If Security Were Easy, We Wouldn’t Be Having This Discussion
David Cowan, a partner with the venture capital firm Bessemer Ventures has been working with security companies since the 1990s and says the problem for most organizations is that they’re just not in the security business. “Sony has a technology business, but they are not Google or Amazon. They make movies and they hire people who are great at making movies. That’s what they think about. They don’t think about data, trust and security,” Cowan told me.
Andre Durand, CEO at Ping Identity says another aspect of the problem is that the security industry as a whole tends to be reactive, rather than proactive.
“An attack happens, and they plug it. They don’t invest proactively to stop a class of threats in a fundamental manner. It’s not like they don’t try to aggregate threats and think ahead, they do, but by and large, they respond like an immune system. Nothing happens until a virus comes in and they address it,” he explained.
Sony has a technology business, but they are not Google or Amazon. They make movies and they hire people who are great at making movies. That’s what they think about. They don’t think about data, trust and security David Cowan
Cowan points out that there is a basic security disconnect in most enterprises, and given the number of highly publicized incidents, he says, we might finally be reaching the point where organizations have to take this more seriously.
“Up until this year, most businesses and people had the attitude that cyber-crime and warfare were things that happened to other people. Everyone had the idea, ‘I’m not that interesting. Nobody wants to read my email.'” Cowan says people realize now that just about anyone can be interesting, and if a nation-state or organized hacking collective is hell bent on getting into your servers, there’s not a lot you can do about it.
“I can assure you if Russia or China, or the US or Israel, or North Korea or Iran — if one of those players wants information, [they] will get it,” Cowan told me.
Sharing Is Caring
Against that cheery backdrop, governments, companies and individuals alike must face the grim reality they are always vulnerable and there is always some element of risk, unless they plan on shutting down the internet. And even if they did, let’s not forget that Edward Snowden didn’t perform some elaborate hack. He simply walked out the building with some incriminating files on a thumb drive.
That’s why this isn’t FUD as some might suggest, it’s just the stark reality of computing in the modern age. Cowan says that’s why after each breach, we desperately look for a simple answer so we can feel better about our own situation, but he says there just aren’t any easy answers.
“If it’s because so and so didn’t patch their system, now we know how they got in. Now we aren’t vulnerable. People are desperate to feel in control,” he explained. But he says, security is a complex set of problems and there is no one answer to solve it.
He likens it to a border fence, that’s just riddled with holes. “Some criminal gets in, and we found the hole and we closed it, and we have cameras and armed guards pointed at it. Now we feel safe,” he said.
Unfortunately, when we pull back, we see it’s a much bigger predicament than it would first appear. “The trouble is the fence is thousands of miles long, and focusing on one hole is missing the point. Whatever vulnerability we found is just one of many.” And the same goes for our systems.
One way to begin to gain control is working together, to see security as a collective problem and not an individual one, while putting the power of modern technology to work on it.
Steve Herrod, who is managing director at General Catalyst Partners and the former CTO and SVP of R&D at VMware, wrote a post on TechCrunch this past weekend in which he suggested that sharing security data both internally and externally could be the key to gaining some semblance of control over the problem. Companies have been reluctant to share data to this point because they see their security information as proprietary, but as Herrod pointed out, this is a wrong-headed view.
“By sharing data and applying the latest in big data analysis — which has a very real application in the security industry — companies are realizing the power in numbers. Holding off organized crime and malicious nation-states is a daunting task for any individual company, but the odds look much better as like-minded companies band together for their collective defense,” Herrod wrote.
Hugh Njemanze, CEO at ThreatStream, a cybersecurity company (which gets funding from General Catalyst) agrees, saying there is safety in the herd. “When the first organization gets attacked, the rest can be informed and defend themselves,” he explained.
Another approach, one that Google and other companies have taken, is to offer rewards for people who find vulnerabilities in their products. Once they know the hole is there, they can take steps to close the holes before a hacker can exploit them. HD Moore, chief security officer at Rapid7, a security vendor, says this could be a good investment for these companies.
A couple of startups have launched in recent years to help companies create their own bug bounty programs including HackerOne and Synack. These platforms use reward systems to encourage users to find bugs in their programs, putting this type of system within reach of every company, not just the big ones like Google, Yahoo! and Facebook.
“Service providers like Yahoo, Google and Dropbox are offering bounties for vulnerabilities because it’s a better deal for them. Paying a thousand dollars to find [an exploit] is money well spent,” Moore explained. As he says, it won’t draw security professionals for that kind of cash, but it will get people involved from economic areas where folks have these skills and the money means more to them.
Making Security Part Of The Plumbing
Helping one another find security vulnerabilities and sharing information is all well and good, but the best approach might be to make our devices and software more secure from the git-go. Cowan says we need to think about this at the programming level, but in most cases, programmers aren’t security experts.
“One of the important changes is to build security into application development itself. Programmers don’t understand encrypted files, access rights or multi-factor identification. Most people don’t know how to do these things,” he told me.
“We’ve been riding the tech wave and it’s time we paid for a life vest… We have to increase budgets in our business for security and have people who think about it so that trust is part of what we do for employees, customers and investors.” David Cowan
He added, “Fortunately there is a new class of security company focusing on app developers providing APIs to embed these kinds of [functionalities] into applications.” He offers Stripe as an example, which gives developers access to an API that allows them to add a security layer for credit card payments without a lot of heavy lifting.
Despite the doom and gloom, not everyone is so pessimistic about security. ThreatStream’s Njemanze says it’s an ongoing battle, and in spite of the high profile hacks, he says we are doing better than you think.
“It’s all about whether you look at the glass as half full or half empty. It’s an arms race between us and the bad guys. If it weren’t for [security tools like ours], the Internet would have ceased to function long ago. It looks like we are not winning and yet we still exist,” he says.
That’s true, but the situation remains tenuous for many companies. As Cowan says, if someone is determined to get at your data, chances are they’ll find a way to do it. That means we have to be all the more vigilant as an industry and find ways to defend ourselves because the technology and the security are not necessarily in sync.
“We’ve been riding the tech wave and it’s time we paid for a life vest,” Cowan said. “We have to increase budgets in our business for security and have people who think about it so that trust is part of what we do for employees, customers and investors.” Hard to argue with that.