How do you calculate risk?
It’s simple, according to Michael Hayden, former head of the U.S. National Security Agency and later the Central Intelligence Agency. The ex-spy boss boiled the concept down to its basics at a computer security conference earlier this week. Here’s the formula he presented on a slide:
Risk = threat x vulnerability x consequence
The equation is nothing new in the world of risk management, nor is it particularly precise—at least as a mathematical model for information security. (Hell-bent hacker x unpatched software x 17 = ???) It is, however, a useful shorthand for understanding the factors that expose systems to danger. Nudge a little here, take a little there, and it gives you a sense for how a person might best manage their defenses. Think of it as an “ideal gas law” of sorts, except for digital attacks instead of chemistry.
“Most of the history of what we call cybersecurity has been in that middle factor—vulnerability reduction,” Hayden said on stage. That means maintaining firewalls, perimeter barricades, software patches, and good passwords. In other words, stop the bad guys from getting in. Reduce the attack surface. Fortify.
In the new paradigm, however, consequence is what matters most, Hayden continued. Breaches are an inevitability. “They’re going to get in,” he said of hackers. “Get over it.”
To cope with the new circumstances, defenders must invest time and energy getting to know what data is worth protecting, who should access what, when, and from where. Authentication—validating identity—becomes key. What good is a wall, after all, if your adversary can open the gate from inside?
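The formula and the "consequence is what matters most" argument can be made concrete by applying Risk = threat × vulnerability × consequence to a small asset inventory and then turning the knobs Hayden describes. The following Python is an added illustration, not code from the newsletter or from Hayden's talk; the three assets and their threat, vulnerability and dollar-consequence figures are constructed for the example. It scores each asset, then models the "they're going to get in" assumption by setting vulnerability to 1 and shows that a consequence-side control (limiting what a compromised system can reach) changes the ranking and the total in a way patching alone cannot.

```python
"""Worked example of Risk = threat x vulnerability x consequence over an asset inventory.

Added illustration with constructed figures; not the article's own model or data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    threat: float         # relative likelihood that someone attacks this asset, 0..1
    vulnerability: float  # probability that an attempt succeeds, 0..1
    consequence: float    # loss if the attempt succeeds, in dollars

    def risk(self) -> float:
        # The slide's formula, applied per asset: an expected-loss style figure.
        return self.threat * self.vulnerability * self.consequence


# Constructed inventory; the numbers are illustrative, not from the newsletter.
INVENTORY = [
    Asset("public web server", threat=0.9, vulnerability=0.3, consequence=60_000),
    Asset("customer database", threat=0.6, vulnerability=0.2, consequence=2_000_000),
    Asset("engineer laptop", threat=0.5, vulnerability=0.4, consequence=100_000),
]


def total_risk(assets):
    """Sum of per-asset risk across the inventory."""
    return sum(a.risk() for a in assets)


def rank_by_risk(assets):
    """Asset names ordered from highest to lowest risk."""
    return [a.name for a in sorted(assets, key=Asset.risk, reverse=True)]


def reduce_vulnerability(assets, factor):
    """Classic vulnerability-side control (patching, hardening, firewalls) applied everywhere.
    Because the formula is a product, scaling every vulnerability by `factor`
    scales the total by the same `factor` and leaves the ranking unchanged."""
    return [replace(a, vulnerability=a.vulnerability * factor) for a in assets]


def assume_breach(assets):
    """Hayden's 'they're going to get in': set vulnerability to 1 so that
    risk collapses to threat x consequence and consequence becomes the only lever."""
    return [replace(a, vulnerability=1.0) for a in assets]


def reduce_consequence(assets, name, factor):
    """Consequence-side control on one asset: data minimisation, segmentation,
    least-privilege access, so that a successful intrusion reaches less."""
    return [replace(a, consequence=a.consequence * factor) if a.name == name else a
            for a in assets]


if __name__ == "__main__":
    for label, assets in [
        ("baseline", INVENTORY),
        ("vulnerability halved everywhere", reduce_vulnerability(INVENTORY, 0.5)),
        ("assume breach", assume_breach(INVENTORY)),
        ("assume breach + database consequence cut to 25%",
         reduce_consequence(assume_breach(INVENTORY), "customer database", 0.25)),
    ]:
        print(f"{label}: total risk ${total_risk(assets):,.0f}, ranking {rank_by_risk(assets)}")
```

Under the assumed-breach view the web server overtakes the laptop because its higher threat score now counts in full, and the one consequence-side control on the database removes far more total risk than halving every vulnerability did. That is the arithmetic behind the advice to learn what data is worth protecting and who should reach it.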
Hayden knows this predicament better than anyone. Just ask Edward Snowden—or, ahem, as Hayden referred to the NSA mega-leaker on stage: “Voldemort.”
Speaking of which, Hayden’s reaction to the new Snowden film trailer is worth a watch—even if the trailer itself isn’t. And with that, enjoy the weekend. More news below.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Sony hackers strike again? Cybersecurity researchers at the British defense contractor BAE Systems say that the malware used in a recent $81 million Bangladesh bank heist resembles code used in the 2014 attack on Sony Pictures. The code, they said, has “the same unique characteristics.” (Fortune)
And those hackers attacked another bank. The money-movement messaging network SWIFT said that, in addition to the heist at the Bangladesh central bank, a commercial bank has been targeted in what might be the same hacking campaign. SWIFT did not release the name of the bank, nor did it mention how much money might have been stolen. (Fortune)
John McAfee is back in business. The antivirus software pioneer known for outrageous antics has been appointed CEO and executive chairman of the small tech firm MGT Capital. The company, which bought assets from his anti-spyware firm D-Vasive, has been renamed John McAfee Global Technologies. (Fortune)
SAP bug rises from the dead. The U.S. Department of Homeland Security warned companies about a vulnerability affecting corporate systems from the European software giant. The computer bug, which SAP addressed six years ago, can still be exploited—unless companies take additional action. (Fortune)
IBM Watson dips into cybersecurity. Big Blue has begun to teach its AI system about computer security with an eye toward eventually selling services to IT security managers. IBM said it would work with eight universities including MIT, NYU, and Penn State to strengthen Watson’s expertise in the area. (Fortune)
Expect an Apple vs. FBI sequel. FBI Director James Comey told reporters that the battle over access to suspects’ encrypted data is far from over. He said that Facebook’s encrypted messaging app WhatsApp is already helping criminals cover their tracks. (Fortune)
By the way, the Pentagon and a pornography site are bug bounty brothers.
Alibaba recently joined—and was soon suspended from—an anti-counterfeiting group. Here’s Fortune’s Scott Cendrowski on why the Chinese e-commerce giant’s fleeting membership upset so many people.
Ever since Alibaba gained acceptance into the respected Washington, D.C.-based International Anti-Counterfeiting Coalition last month, internal fireworks have been brewing.
Alibaba, of course, runs Taobao, an eBay-like selling platform in China with 9 million small sellers. The degree of counterfeiting on the site is staggering: routine searches for brands pull up thousands of listings advertising prices so far below normal retail prices that the products are obviously counterfeit, despite the often genuine photos accompanying them.
Alibaba has faced criticism from foreign governments, foreign brands, and even China’s own government over counterfeit items. The Chinese who shop for genuine brand goods online do not shop for them on Taobao. Read the rest on Fortune.com (as well as this update).
How Biometrics Are Worse Than Passwords by Jeff John Roberts
As Data Leaks Go, This Is About as Embarrassing as It Gets by David Meyer
Top U.S. Officials Urge More Cooperation With Silicon Valley by Jonathan Vanian
Apple and Other Phone Makers Probed Over Security Delays by Jeff John Roberts
ISIS Has Launched a Mobile App—For Children by Don Reisinger
You Can Now Play Capture the Flag Through Facebook by Robert Hackett
Celebrity Email Hacker Faces 10 Years in Prison by Michal Addady
ONE MORE THING
Meet “embassy cat.” Whistleblower-megaphone Julian Assange received a kitten as a gift from his children this week. The founder of the controversial data dump-publisher WikiLeaks has been holed up in the Ecuadorian Embassy in London for years in order to dodge arrest. No doubt he will enjoy the company. (Fortune)