Computing / Cybersecurity

The fundamentals behind hacking, with MITTR’s Martin Giles

What business leaders and consumers need to know about the latest trends in cyberattacks and how to handle that next inevitable data breach.

Apr 25, 2019

The rise in ransomware incidents; hacking attacks and data breaches have become a scary reality for organizations and individuals worldwide. Increasingly, the issue of cyber security and what organizations need to do to better protect their people and their systems now sit at the top of the priority list for business leaders.

In this episode, Martin Giles, the San Francisco Bureau Chief of MIT Technology Review, shares his view that the widespread dangers of a cyber attack have become a guarantee for organizations in all sectors and regions. Giles describes how cyber attackers are most likely to penetrate a company’s defenses, including through cloud storage, cloud services and even hardware. He discusses some of the most striking trends in cyber security strategies, including the “death of the perimeter” —how the type of robust firewalls and strong anti-virus programs that were keeping companies safe, no longer work. Giles shows how business leaders can focus on effective cyber hygiene and cyber health to help protect both organizations and society as a whole.

Business Lab is hosted by Elizabeth Bramson-Boudreau, the CEO and publisher of MIT Technology Review. The show is produced by Collective Next with editorial help from Emily Townsend and Mindy Blodgett. Music by Merlean, from Epidemic Sound.

SHOW NOTES AND LINKS

Five emerging threats to be worried about

FULL TRANSCRIPT

From MIT Technology Review, I’m Elizabeth Bramson-Boudreau.

And this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.

Cybersecurity, digital safety, data privacy, questions surrounding these issues are shaping the way we think about the future of work.

More and more, the way we answer these questions are having a direct impact on our daily lives.

With this episode, we are starting a series about cybersecurity. We’ll be diving into everything from the latest on hacking attacks, to what organizations can do to better protect their people and their data.

Today, we’re going to hear about the state of cybersecurity for companies and organizations from one of the people writing about it as it evolves.

Martin Giles is the San Francisco Bureau Chief of MIT Technology Review where he covers cybersecurity and the future of computing.

In our conversation, we touched on everything from emerging threats to protecting your information. Let’s listen.

Elizabeth Bramson-Boudreau: Thank you so much for joining us, Martin.

Martin Giles: Thanks for having me, Elizabeth.

Elizabeth: Martin, you published a story in Technology Review at the beginning of the year in which you highlighted five emerging cyber threats we should be worried about. Which of those threats do you think is the most immediate risk?

Martin: Well, I think one that's really worrying is a threat that's kind of targeted at the computing cloud and we've seen a lot of companies move some or all of their processing and data to cloud service providers. Now the big ones like Google or Amazon, if they have significant resources and expertise in protecting clients. But some of the smaller ones you know think they have the same kind of resources and know how and they're vulnerable. And last year we saw a really striking attack. It's called Cloud Hopper and we think it was Chinese hackers who were behind it. And basically what they did is they got into the systems of companies called managed service providers which basically provide telecoms and technology services over the Internet and from there they were able to hop into the systems of the clients of some of these companies. We don't exactly know how much damage was done, but that's kind of like the first time we've seen a significant attack of this kind.

Elizabeth: So does that mean that if you’re doing your cloud computing with someone that isn't one of these massive cloud computing solution providers that you're taking on a certain amount of risk in not going with an AWS. Or, one of the other major cloud computing providers.

Martin: That's a great question. I think you know the right answer is basically you need to do your due diligence very carefully. You need to understand exactly what kind of security controls and expertise the particular provider you're looking at has and in your service level agreements. You know the kind of contracts you develop with them. You want to be very clear about you know if a hack like that occurs, you need to be told about it. I mean sometimes companies will say ‘well I don't need to tell my clients because I don't think any of their data was affected.’ You need to be sure that if there is a breach, you know about it, so that you can take the appropriate steps to protect your data and your particular interests.

Elizabeth: Okay. So another one of the threats you talked about in the story was artificial intelligence. And it's interesting because it depends on kind of who you talk to. If you're talking to a cyber security firm using AI, AI is the solution. So help us understand the extent to which AI is being used as a way of detecting and shutting down attack.

Martin: It's a great question. I mean it's kind of like you know AI is getting slapped on almost every kind of cyber security solution that's out there these days. And you know in some ways that you can understand why the industry is so keen to use this leading edge technology.  I mean you know cybersecurity defenders are kind of overwhelmed with attacks and these attacks are getting more and more sophisticated. So what AI can do is automate hunting, automate responses to hacks that occur so that things can happen much faster, much more efficiently than if humans were kind of in the loop. But you know you're right. I raised this issue. Is this is kind of panacea? It isn't. And again one has to be very careful because there are a lot of these AI models are being trained using what's called supervised learning. What is that? That basically means you get large sets of data and you train them on this data and you kind of tell them ,“Hey, this is malicious code. This is malware. This codes is kind of OK. So when you spot this one, there's a problem. When you spot this one, it’s fine.” Now there are two kinds of dangers with that. Number one, errors could get into that data set. And, number two, if hackers get into the systems corporate systems and find that data they can actually switch the labels or they can poison the data set by putting in other kinds of information. So again, you know you shouldn’t. You can trust but verify, if you like. I mean always be careful. Always be asking questions of the providers who are coming to you and saying, “Hey AI is the solution to everything.”

Elizabeth: So it's interesting because this relates to something I've heard you talk about, Martin, which is the quote ‘death of the perimeter’. Because it's occurring to me that as you're talking the assumption is that these nefarious actors are already inside the organization's security system. So, can you talk about what that means ”the death of the perimeter” and what people ought to be thinking about when they think about their security as such?

Martin: So, what I mean by the ”death of the perimeter” is not so long ago if you had kind of robust firewalls that basically separated your network from the outside world from the rest of the Internet and you had strong antivirus programs that you were running on your systems, you could kind of spot the threats coming and keep them out before they got in. And now that perimeter is dead. It is done. And it's done because we are seeing levels of sophistication among various kinds of hackers including particularly ones from nation states who have you know unlimited resources and unlimited time to try to break into companies defenses. That is a game changer. And, so, now you basically there's kind of two kinds of companies there's ones who've been hacked and ones who've been hacked but don't know it yet. And so in that respect you need to have a mindset that says, “We've been penetrated. So we need to have inside our networks, inside our systems the means to kind of spot somebody who's got in and shut them down before they can do any damage. That's what I mean by ‘the death of the perimeter.’

Elizabeth:Yeah and I've heard this likened to the body's response to bacterial viral infection. So the acceptance is that we know we can't keep ourselves and our bodies from being exposed to viruses or bacteria but rather our immune system is hopefully able to combat it. So that's sort of the metaphor that I've heard applied to the way we should be thinking about cybersecurity.

Martin: I love that analogy. I think it's a great analogy and it's kind of like you know when companies are kind of preparing themselves it's about cyber hygiene and cyber health and so you know I love the way you've done that. I think if more companies thought like that we would be in a better position overall as a society.

Elizabeth: Yeah well I can't take credit for it, but I will so thank you. So we are seeing an awful lot of data breaches and you're obviously these huge you know very well publicized data breaches like Equifax. I have a couple of questions related to that. Why haven't we been able to get on top of these data breach problems? That's one. And secondly, how common or pervasive is it really? Or is it a case where this gets a lot of headlines because it in some big hacks impact a lot of people? Is it something that every company needs to be worried about or are we still talking about something that's relatively uncommon?

Martin: That's a really important issue. There's an American ice hockey player who said, “I’m going to skate where the puck is going, not where it is.” And it's kind of like hackers go—

Elizabeth: I'm just going to interrupt you and say that that Wayne Gretzky is a Canadian hockey player and I think it's important that we get that fact correct.

Martin: Oh well, I'm British, so sorry about that. But you know hockey. It's all hockey to me. And so obviously hackers are going where this data is and companies are storing more and more of it. Right? It's cheaper than ever thanks to the kind of cloud computing services we talked about earlier on. So there's these massive mountains of data being stored and often what's happening is that they're not being properly protected. That's why we're seeing that these massive breaches and you know you can say well we don't see that many of them. And I think a lot of them don't get talked about, right? Companies trying to keep the wraps on this stuff. And it's striking to me that kind of like last year in Europe a new regulation came into effect called the General Data Protection Regulation GDPR. And since then we've seen a massive increase in reports of breaches. Right? And why is that? Because that regulation has swinging fines, really steep fines, up to 4 percent of global turnover of a company. So all of a sudden, we see a lot more of these particular breaches coming out. So there is a problem. We don't really yet know the full extent of it.

Elizabeth: Ok. So what should companies be doing to better protect their data? There is GDPPR regulation, but let's assume you're not in Europe and you're listening to this podcast, what should I be thinking about as a CEO of a company that has data like this?

Martin: Well, first of all you should think ‘do I actually need to keep the data’, right?. I just think a lot of data just gets stored because companies think ‘hey maybe someday I'll need it. And so I'll just keep it around.’ By the way it's really cheap to do. But that means that that data is vulnerable. So number one, do you really need to keep all the data you're keeping? Number two if you do have data you need to put it on a secure database that is basically strongly protected using multiple passwords and the data needs to be encrypted, strongly encrypted, if it's sensitive personal information. Maybe there's some kinds of data if it gets out, it's not so serious. But you know anything that is personally identifiable information from an individual or things like social security, health records, et cetera, that needs to be really strongly protected. And, finally, just think about suppliers too, who might have access to that data. And you also need to think about your suppliers and third parties because often hackers get into their systems, you may have the best defense is out there, but if they get into their systems they can find their way into your databases.

Elizabeth: I think that's really important. I think a lot of people think ‘O.K., I've got mine stitched up’ and don't realize that there's a vulnerability in a partner that perhaps might not be quite as stitched up or might have some sort of arrangement with a cloud computing provider that isn't necessarily the most secure either.

Martin: That's right. It's like that what's the weakest link in the chain. Make sure you understand who's in the chain and where that link might be.

Elizabeth: So, we've been talking about hackers that are copying or stealing data. But what happens if they just encrypted and then threaten to keep it locked down unless you pay a digital ransom. And sometimes I think this is done through untraceable cryptocurrency and these so-called ransomware attacks are becoming more and more common and they can really cause chaos, can't they?

Martin: Yes, they absolutely can. In 2017, we saw a ransomware attack called “want to cry’ which made a lot of people want to cry. And the reason for that is basically it attacked I think something like 200,000 thousand companies and what it does, I mean, it's basically a worm. Now a worm is a kind of piece of software that basically allows itself to replicate automatically from computer to computer in networks without any human having to get involved. And so what this worm did was basically locked down hundreds of thousands of computers and then the hackers asked for payments in untraceable crypto currencies to release the data. And yet we saw it again last year. There was a big Taiwanese semi-conductor company that was hit by the same kind of attack and it basically shut down its chip making facilities for days, until that kind of attack was was sorted out. And then we also saw last year something to me that's really shocking is that these hackers are targeting cities. They're targeting municipalities. Atlanta in March was hit by a ransomware attack. And basically it wiped out you know all kinds of legal files, wiped out some of the video that was being kept, you know the kind of camera video that police keep that disappeared. It hit utilities. It hit all kinds of different services and for days everything was out. People had to pay their bills using their back to paper. Good old analog paper rather than than digital payment. So this is this is a significant shift we have seen over the past I would say five to six years and it's extremely worrying.

Elizabeth: So, why are they targeting cities? Is it just about assessing spots of particular vulnerability and maybe municipal IT systems are not as robust as corporate ones?

Martin: Well, that's a great question. My understanding is that you know there were reports before this attack took place that showed that Atlanta had I think some something like 1,800 or 2,000 unpacked vulnerabilities —that’s flaws— in the kind of software that was running across all of its municipal operations. And so that's exactly the kind of gift that hackers go looking for. It's like ‘wow we have this whole toolkit of exploits that we can target that exploit the sort of sophisticated hacks that can target these kind of vulnerabilities to get access to systems.’ So if you do have these, if you're not patching and you're updating your software regularly to kind of close those vulnerabilities, that’s exactly what they're looking for. And I guess in particular Atlanta, but probably many other municipalities, may not be paying as much attention to that as say a corporation.

Elizabeth: So I want to get back to talking about what companies and executives should do about cyber attacks but before that I will also want to ask you about the Internet of Things and cyber threats associated with Internet of Things enabled devices. And I know many people go out and buy inexpensive made in China and IoT devices like cameras for their homes or an in any number of things that may not be particularly secure. Can you talk to us a little bit about that?

Martin: Yeah, I mean in your own home Elizabeth, I mean how many sort of web-connected devices do you think there are? I mean everything from your router to maybe your fridge. What have you got in there?

Elizabeth: I'm going to guess it's ten. Maybe?

Martin: Yeah that's exactly it. That's kind of like the numbers. We're talking double digits now in many homes right. And a lot of these devices as you rightly point out, they kind of have like weak security when they come in, they have kind of default password settings on them. You know they don't have kind of robust protections against kind of you know intrusions. And so what we're seeing is kind of this Internet of really worrying things. And you know there are there's moves afoot to try and kind of encourage the producers the manufacturers of these devices to kind of upgrade the security writing industry efforts. But I think you know maybe this is one area where ultimately we're going to have to see the government step in and actually where I am in California. You know California has the first pass the first kind of IOT specific law that I know of. It's going to come into effect in 2020, at the beginning of 2020. And basically what it says is manufacturers of these products have to take reasonable efforts reasonable steps to increase security in their products. Now that's kind of vague, right? But in particular they kind of said you know you must have the ability to change a default user name and to establish a unique password for the device. Now you know like I said it's kind of a I mean it's not ideal. It's by any shape sense of form, but it's a first step. And I think you know because many manufacturers who sell in California sell elsewhere hopefully they will you know everybody else will get the benefit of this.

Elizabeth: And if you're making your devices compliant for California, which is obviously a populous state then you may as well you know you may as well roll that out across the product line. Nationwide I suppose is the concept.

Martin: One hopes so, but there's no guarantee of that. But I think if you're if you're a company you know, you're thinking about what this means to you. That kind of manufacturing side. But what about as a company that's seeing more and more connected devices coming into its offices. Now we're connecting everything from light bulbs to heating systems to the Internet. You know the kind of attack surface as the cyber security folks like to call it, is kind of expanding really rapidly. And so again you know number one it's important to kind of audit what you've got in your manufacturing facilities in your offices. What exactly have you got? What's that's connected? How is it protected? How does it hook up to your network? What kind of protections does it have? And what kind of protections do you have in your network that can stop hackers getting to those particular devices? And it’s kind of frightening because ultimately at the end of the day. We're seeing you know very determined probably nations that, well definitely nation state hackers from places like Russia and North Korea targeting industrial equipment trying to get in and take control of processes that could actually be really dangerous. So you know this is a massive issue. It's a whole topic in and of itself for a future discussion.

Elizabeth: You've painted a pretty bleak picture of the cyber threat landscape. I know you're not a bleak guy, but the picture is a little bleak. If I'm listening to this and I am responsible for making these kinds of decisions for my company, should I rush out to get cyber insurance to protect us, if we are a victim of hackers?

Martin: Yeah, you're right. I'm not a particularly bleak guy. I like to try and look on the bright side of things, but we have to be realistic right. It’s a balance of risk and reward. You know, generally, you know we are doing pretty well at this. You know in order to not all be under our desks wearing tinfoil hats and panicking. So you know there's a very big and very sophisticated cyber security industry out there that's doing a pretty good job of trying to keep us safe. But at the same time you know breaches will happen. And what I said about the ‘death of the perimeter’ you know they are inside they will get inside and sometimes they'll succeed. So what can you do? So insurance is like an obvious kind of way to sort of underwrite the risk if somebody does do something bad to you. And there are good things. But to take a step back now number one, general insurance policies you know some people think they cover cyber risk. And actually this is interesting because there's a very big court case going on right now between Mondelez International which makes things like Oreos, which are American Cookies not Canadian ones. And then you basically had a cyber attack last two years ago maybe which basically put a lot of its systems out of action and it has made a claim I think for hundred million dollars from Zurich American insurance and Zurich says well on your general policy we're not going to recognize that.

I think fundamentally because they're claiming it's an act of war because it was probably a nation state hacker that did the hack now. So your general policy is maybe not covering you. And so a lot of people are looking at trying to buy cyber policies. There aren't very many of them around at the moment. Insurers are still nervous about this. The good thing about these policies is that before an insurer will underwrite one they're going to go through your systems your processes and procedures your personnel to make sure that you have the very best defense is in place. That's the good news. The bad news and do an audit effectively and a fundamental top to toe audit of your security posture. The bad news is kind of I'm sure they're writing a ton of exclusions too. Maybe after this court case they'll be saying ‘Yeah we can't cover you against nation state hacks and we can't cover this particular risk or that particular risk.’ So again it's not a panacea but I think it's a really interesting development in this intersection between financial services technology and geopolitical risk.

Elizabeth: I think what you're saying is that general insurance may or may not cover it is trying to avoid liability for hacking. Cyber insurance may is sort of nascent but if even if it does sort of blossom as an industry there probably be all kinds of caveats against things like a nation state attack. So is cyber insurance even worth spending one's time researching?

Martin: You characterize it perfectly. I just think it's an open question. Like I said you know it can can encourage you to do things that perhaps you might not have thought of doing by yourselves. But right now I think the risk reward ratio is is it still perhaps not attractive enough to make it you know I must have.

Elizabeth: So what about collaboration between businesses governments and the security kind of industry to handle cyber threats? First of all is that kind of collaboration. Is it possible? Do our governments have the ability in particular I'll pick on government….Does our government have the sort of understanding of the issues to be able to engage in that kind of collaboration? Is it happening? and what do you think about it if it were to occur?

Martin: You raised two very good questions. I mean the first one does government have the kind of depth of knowledge well you know in the sense that government often has experts working for it that are trained hackers themselves to go and attack other countries and of companies infrastructures. You know they certainly have in-house some knowledge and some sophisticated knowledge of this kind of thing. However, in general I think nobody really understands your risks as well as you do or at least you should do if you're a company. You have the insights into who might be you know posing a threat to you should have the insights into where you might be vulnerable and how best to deal with that. However you know we are talking about nation state hackers now increasingly who are attacking companies and searching for you know everything from data to intellectual property and maybe to even have the potential to cause physical harm. And that's a game changer. And there I think we do need to think about the interface between government, the private sector and security the security kind of research industry and tighter collaboration is essential. So you often see like the Department of Homeland Security in America the FBI get called in when there's a big hack. And increasingly it's kind of like an interchange it's not ideal right. Way Away from an ideal kind of exchange of data and you know. Often it's kind of one way up to the government and not much comes back but we're getting better at that.

But I think there's one kind of area that I think is really important to try and resolve and that is there is a whole set of people out there like white hat hackers and their job basically is to go out and trying to penetrate companies networks and systems to see if they can get in. And then if they find a vulnerability they report it to the company and many companies now have bug bounty programs so they they pay hackers. If there is a kind of responsible disclosure you don't just suddenly say Hey I found this thing. Guess what. They actually report it to the companies so the company has time to actually address the risk before an announcement of the of the bug is made. But and there's financial rewards if you don't have one of those programs I think it would be really important to explore it and think of setting one up because it's very effective way of kind of you know identifying where there may be weaknesses without you know before hackers get in. But there's a legal gray area and it's still we still seeing cases of hackers being sued. White Hat Hackers being sued for penetrating networks and they find a bug, they report it and the company says ‘hey actually we're going to see you because you basically broke the law in doing that.’ And you know technically in some cases they did. So I think we need to kind of we'll get together and work out how we can create a better kind of heat safe haven for this kind of activity.

Elizabeth: Oh that's fascinating Martin. Thank you. It's been a very interesting conversation. Do you have any final pieces advice for our listeners? Things that they should bear in mind given that you are at the cybersecurity expert here at technology review. Go ahead. Yeah.

Martin: Well, yeah, there's basically two fundamental messages. You know the first one I mean we're talking early on about the kind of thinking of of cybersecurity threats is like a health issue. I mean cyber hygiene making sure you are doing the basics really well is so important and that's everything from regularly changing passwords using very hard to crack passwords to making sure you patch your software regularly updated regularly and make sure you whitelist software. That means basically making sure that only certain people authorized to upgrade or change a particular piece of code can actually do so. Those are all kind of like cyber 101. And there are some great lists out there like the SANS 21 that basically have these kinds of checks on them and you just follow those. And then the second thing and that's what I trying to get across in the article which you talked about at the beginning you know these kind of emerging cyber threats is you know be prepared to think the unthinkable. Often, we don't you know we don't get creative enough in thinking about where threats can come from. And trust me, the hackers on the other side they are super creative he was say thank you.

Elizabeth: Thank you, Martin. As a reminder, you can follow Martin on Twitter at Martin Giles. This has been the first episode of a series on cyber security and in our next two episodes we will go into greater depth on some of the topics we touched upon today including the latest on hacking attacks and what companies can do to protect their people and their data. So Martin thank you and thank you all for listening.

Martin: Thanks, Elizabeth, for having me to talk about this really important subject.

Elizabeth: That’s it for this episode of Business Lab. I’m your host Elizabeth Bramson-Boudreau.

I’m the CEO and publisher of MIT Technology Review magazine.

We were founded in 1899 at the Massachusetts Institute of Technology, and you can find us in print, on the Web, at dozens of live events each year, and now in audio form.

For more information about the magazine and the show, please check out our website at technologyreview.com.

The show is available wherever you get your podcasts.

If you enjoyed this episode, we hope you’ll take a minute to rate and review us at Apple Podcasts.

Business Lab is a production of MIT Technology Review.

This episode was produced by Collective Next with help from Emily Townsend \and with editorial help from Mindy Blodgett.

Special thanks to our guest Martin Giles. You can get more from Martin on twitter at martin giles, All one word, that’s M A R T I N G I L ES. Get well Martin!

Thanks for listening, and we’ll be back soon with our next episode.