Editor’s note: Robert R. Ackerman, Jr. is the founder and managing director of Allegis Capital, focusing his investments on the cybersecurity market.
President Obama has tried for three years to persuade Congress to pass a cybersecurity bill. The president went so far as to highlight his cybersecurity proposals to a prime-time audience during his recent State of the Union address. And in the wake of the massive Sony hack, the political climate may finally have shifted in his favor.
Indeed, the Sony breach was one of the worst in corporate history. It torpedoed a Hollywood blockbuster and nearly brought down a major studio. But, more important, it represented a significant escalation of cyber warfare and demonstrated the quickly accelerating skills of hackers everywhere.
In the past, a typical cyber breach, like those at Target and Home Depot, resulted in the theft and sale of credit card numbers. Yes, that’s a huge problem. But no dark secrets were revealed and no personally incriminating information was splashed across the Internet.
The Sony debacle took hacking to a new level because it exposed the company’s entire communications network. Everything was compromised, including voicemails, emails and text messages. Like the email that called Angelina Jolie a “minimally talented spoiled brat.” Or the one that revealed the passwords to the banking and shopping accounts of Sony Entertainment CEO Michael Lynton.
All told, more than 230GB of data was leaked by the attackers, according to CSO magazine. Based on that estimate, the bad guys likely made off with more than a terabyte of data. But it’s not only the amount of data stolen that matters, it’s the data’s value and the harm caused by its exposure.
Whether the Sony breach was the result of the North Koreans, criminal/hacktivist elements, rogue insiders or some combination of all three, it is impossible to fully secure existing IT infrastructure. And you can’t spend enough to totally eliminate the threat.
The real takeaway is that communication as we know it is simply not safe anymore.
Privacy and security are illusions, especially now that corporate data exists everywhere and goes everywhere. It lives in the cloud, it travels with us on our smartphone and tablet, it’s shared on countless social media sites.
Worse, a great deal of the data that people and companies deal with daily — sensitive and otherwise — is transmitted over unencrypted channels, much of it “in the open” over wireless networks where the data is easily available to bad actors looking to intercept it.
It’s for this reason that mobile communications must be secured at all costs. If they’re not, there will be many more hacks like the Sony breach — and the Target breach and the Gmail breach and the Home Depot breach — in the months ahead.
We can’t stop them overnight. There are simply too many miscreants littering cyberspace and too many gaps in the typical information-security infrastructure. But we can make a good start.
Toward that end, the Electronic Frontier Foundation (EFF) recently created its Secure Messaging Scorecard, which examines dozens of messaging technologies and rates each of them on a range of security best practices. The campaign focused on communication technologies — including chat, text messaging, email, and video calling — because these are the tools everyday users need to communicate with friends, family and colleagues.
The eye-opening study revealed that many “secure messaging” products weren’t actually secure, with popular applications like Facebook Chat, Skype, Snapchat and WhatsApp scoring very low. In the face of widespread Internet and mobile surveillance, that’s yet another reason why we need a new generation of technology innovators that can build privacy platforms to ensure that confidential information remains confidential and is only accessible by intended recipients.
Indeed, there was one new company in the EFF study, Silent Circle, that earned perfect marks on EFF’s secure messaging scorecard. I’m not an investor in Silent Circle, but the company has raised $30 million to date from other prominent investors.
Founded by two of the world’s most respected cryptographers, Phil Zimmermann and Jon Callas, Silent Circle provides a software platform for ensuring private communications remain private. Zimmermann is the creator of Pretty Good Privacy (PGP), the legendary email encryption software that he published for free on the internet. And Callas created Apple’s Whole Disk Encryption and worked closely with Zimmermann on the development of ZRTP, the influential cryptographic key-agreement protocol.
What’s so intriguing about a company like Silent Circle is that it is building a complete ecosystem around privacy, control and security for mobile communications. Silent Circle’s Blackphone features fully encrypted voice, text and video calls, and a virtual private network that anonymizes web surfing, all built on a custom version of Android. At present more than 30 of the Fortune Global 50 companies are using Blackphones to help secure their communications and further mobile productivity.
In the wake of the Sony attack, 11 major movies in production are also using Blackphones to keep sensitive details under wraps and protect the privacy of actors who are working on the films.
But even with its reputation at the forefront of privacy, an obscure vulnerability in Silent Circle (since fixed) was reported earlier this week, demonstrating that privacy and security require constant vigilance to stay on top. Peer-review, open-source testing is an essential component of these efforts.
Another interesting company, in which I am not an investor, is called Confide. It enables users to send email messages that automatically self-destruct as soon as recipients read them or reply to them. Confide also encrypts messages without storing them on its own servers, so once they’re gone, they’re gone forever. In hindsight, that’s a technology Sony surely wishes it had deployed.
Secure mobile communication doesn’t have to break the bank. In fact, investing a ton of money in security hardware and software will never guarantee a secure infrastructure. When it comes to security, it’s a matter of quality, not quantity.
Sure, many security hardware and software vendors will see increased sales in 2015 as the size and scope of cyber breaches continue to grow. But many of those purchases will be reactionary, without enough thought given to how the enterprise can be best secured. As a result, at least some of the purchases will ultimately go to waste or end up as shelfware.
Experts estimate Sony spends about $20 million a year on security, which equals around half the $42 million production budget for The Interview. I’m guessing Sony—and a lot of other companies—will be spending more on network protection in future. And, if they’re smart, they’ll be devoting a good portion of it to mobile security.