A lesson to be drawn from my feature, published Friday, on Google’s Project Zero, the search giant’s elite computer bug hunting squad, is: You can do everything in your power to make sure your digital defenses are up to snuff, but that’s not going to help if a key partner is vulnerable. Attackers tend to aim for the weak link.
Google learned this the hard way when hackers associated with the Chinese government breached its systems in 2009 through a hole in Microsoft Internet Explorer 6. For Google executives, the intrusion provided groundwork that eventually helped justify the creation of an internal unit devoted to scouring the web for flaws in other companies’ code and demanding they be fixed. Since Project Zero’s founding in 2014, the team has shepherded along a slew of security improvements in non-Google products, albeit not without occasionally clashing with the company’s biggest rivals, including Microsoft and Apple. (You can read more about the bug-squashing SWAT team’s trials and travails here.)
This notion of the perils of tightly knit networks was on my mind Thursday while moderating a panel on third-party risk for the New York information security meetup group. Eric Olson, vice president of intelligence operations at the cybersecurity firm LookingGlass, said he was amazed to see recognition of this bubbling up into public consciousness lately. He cited a recent story in Variety about how hackers had targeted a Hollywood post-production studio to get their hands on Netflix episodes for leaking. Netflix may take security seriously, but if its partners do not, then its efforts may as well be for naught.
Another panelist, Shaun Belders, head of Bloomberg’s vendor risk assessment program, mentioned that enacting preventative measures can get tricky even within an organization. He shared an anecdote about how he once was placed in the uncomfortable position of having to inform his boss, Michael Bloomberg, that he did not have access to certain company data due to strict corporate firewall policies. In the interest of cybersecurity, sometimes even the CEO gets locked out.
The lesson is simple: Businesses shouldn’t leave security to chance. In the presence of escalating digital threats against consumers and corporations—expertly detailed in “Hacked,” Fortune’s July cover story—perhaps more defenders should take a cue from Project Zero. Go on the offensive. Even if it means holding peers, partners, and bosses to the strictest standards.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
I’ll show you mine if you don’t show me the door. Big western tech companies are reportedly sharing source code with Russian officials after the country adopted new cybersecurity laws demanding the firms do so. Members of Russia’s FSB, successor to the Soviet era KGB, are ostensibly trying to ensure that U.S. spies have not inserted any backdoors into security and networking products sold in Russia. The reviews also give Moscow, an American adversary, the ability to find potentially exploitable vulnerabilities in the products of major companies: Cisco, IBM, and SAP among them. (Reuters)
That’s a wrap. President Donald Trump finally denied having recorded private conversations between himself and former FBI director James Comey, after having sparked speculation that he might have with a suggestive tweet posted last month. In his Senate Intelligence Committee hearing earlier this month, Comey lit up the room when he welcomed the prospect of the then-alleged audio tapes becoming public: “Lordy, I hope there are tapes!” (Fortune, Washington Post)
Flash crash! For a brief moment on Wednesday, the price of Ether, the cryptocurrency associated with the decentralized computer network Ethereum, face-planted. The price on Coinbase’s GDAX exchange rapidly plummeted from $350 to $0.10 after a big trade caused a cascade of stop-loss orders to trigger. Although the price quickly recovered, many traders got burned. (Fortune, Coinbase)
Lights out, Kiev. Russia has been using Ukraine as a lab to test out terrifying digital attacks. In this gripping account of a recent cyberattack-induced blackout in the ex-Soviet state, cybersecurity experts warn that Moscow may someday take off the training wheels and launch a larger attack elsewhere. In case you think these fears are overblown, consider that President Trump met this week with security pros to discuss how to “effectively combat threats against the energy sector, particularly the power grid.” Hopefully, it won’t ever come to that. (Wired, White House)
Hungry? Why wait? Well, this is why—if you work at the CIA.
Fortune’s Adam Lashinsky and Jeff John Roberts penned an excellent cover story on how businesses are beating back hacks for the July 1 print issue. Here’s one great bit about the view from the boardroom.
Hacking is particularly frustrating for corporate executives who don’t understand their enemy. Embezzlers or extortionists? Sure. But faceless gangs of nasty nerds? It’s often harder for CEOs to wrap their brains around the motivation of their antagonists—or their audacity. “At the C-level they feel violated,” says Jay Leek, a venture capitalist pursuing cybersecurity investments and a former chief information security officer at private equity giant Blackstone. “I witness this emotional ‘What just happened?’ You don’t walk in physically to a company and violate it.” Read more on Fortune.com.
Google Will Stop Scanning Emails for Advertising, by Jonathan Vanian
Treating Cybercrime as a Disease, by Cliff Leaf
Meet 5 of the World’s Most Dangerous Hacking Groups, by Robert Hackett
Hackers Leaked ‘Orange Is the New Black’ Despite Receiving $50,000 in Ransom, by Tom Huddleston
Here Are 10 of the Biggest Corporate Hacks in History, by Jeff John Roberts
ONE MORE THING
Your last will and digital testament. After death, people’s online identities tend to linger, inaccessible to loved ones, in a purgatory of the web’s creation. Leftover Facebook and Twitter accounts. Untouchable bank accounts. Have you thought through your post-mortem plan? If not, then you should. (BuzzFeed)