Lessons from the Pentagon, Oracle, CrowdStrike, and an Ex-CIA Entrepreneur at Brainstorm Tech 2019—Cyber Saturday
My colleagues and I have just wrapped up this year's Brainstorm Tech conference in the dry, mountain air of Aspen, Colo., and I am back to soaking up the ample humidity of New York City.
At the conclusion of a lunchtime roundtable I hosted on Tuesday, I asked the session's featured speakers a two-part question with varying degrees of difficulty: What's the biggest challenge the world faces with respect to cybersecurity today? (Easier.) And what is the solution? (Way harder.) Here's what they had to say.
Dorian Daley, general counsel at Oracle, called attention to insider threats. "Sadly, I think some of the biggest challenges are people, and I mean that in a number of ways," she said. "A lot of the breaches really come from insiders. So the more that you can automate things and you can eliminate human malicious conduct, the better."
Mike Brown, director of the Pentagon's defense innovation unit and former CEO of Symantec, proposed raising costs for attackers. "We're still in a situation where it's too easy for attackers. They only have to be right one time, so there's not enough cost," he said. "We have to figure out how are we are going to—as a government and as private companies—make that a lot more difficult and have it not pay. Again, most of the breaches and threats by volume are criminal, so that’s an economics game."
Tim Junio, CEO of Expanse (formerly Qadium) and ex-Central Intelligence Agency analyst, recommended implementing a system for cybersecurity disclosures inspired by quarterly earnings reports. We need "the equivalent of a financial auditing system for cybersecurity, and there are two different ways in which that could happen. Companies could invent one, so the same people who do financial audits could create the framework, or it could be a federal standard like via NIST," he said, using an acronym for the National Institute for Standards and Technology, which publishes a touchstone cybersecurity policy framework for businesses. "Once that exists it sets up a whole lot of other things in the tort system—what are reasonable standards?—and that helps sort out a lot of what is messy in the industry today."
Dmitri Alperovitch, cofounder and chief technology officer of CrowdStrike and the final speaker, responded by cracking a joke. "I think there are actually only four problems in cybersecurity," he said. "They're called China, Russia, Iran, and North Korea."
Alperovitch made another point too. "At end of the day, it comes down to leadership. Too few boards of directors and too few CEOs are paying attention to this issue beyond paying it lip service," he said. "It's what [Oracle's] Dorian said, It's a problem for everyone—just like HR [human resources] is not just the problem of HR—cybersecurity is a problem for everyone."
Robert Hackett | @rhhackett | firstname.lastname@example.org
Never settle for less. Equifax is nearing a deal to settle a number of federal investigations into its 2017 data breach, which exposed nearly 150 million Americans’ Social Security numbers. The credit bureau is said to be paying around $700 million as part of the deal to the Federal Trade Commission, the Consumer Financial Protection Bureau, and most state attorneys general, the Wall Street Journal reports.
A hacker in every pot. Microsoft says it has over the past year detected about 800 cyberattacks against political organizations, such as think tanks and non-governmental organizations, that are associated with hacker groups from Russia, Iran, and North Korea. The company warned that the intrusions could be a precursor to attacks on U.S. campaigns and election systems.
FaceDown. Privacy advocates are raising concerns about a lately resurgent viral app called FaceApp that rose to popularity this week. The Russian app deploys an A.I.-algorithm that “ages” faces in uploaded photos. FaceApp CEO Yaroslav Goncharov told Fortune that “most” photos are deleted within 48 hours of upload, although the terms of service agreement grants the company a “perpetual” license.
WhatsDown. Researchers at Symantec disclosed vulnerabilities in WhatsApp and Telegram that could let hackers see and covertly manipulate multimedia messages. Yair Amit, chief technology officer of modern operating system security at Symantec, told Fortune that the best defense is for people to disable their phones’ external storage feature for apps.
Don’t storm Area 51.
Share today’s Cyber Saturday with a friend: http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here
I spy with my “PII.” In the following investigation, Ars Technica dives into the data-hoovering world of browser extensions. A new privacy-infringing issue, dubbed DataSpii, seems to have affected up to 4 million people, collecting and publishing their web histories on an analytics site. (For those interested in how the sausage gets made, here’s the reporter, Ars Technica’s Dan Goodin, describing the reporting process and getting into a journalistic spat over the research.)
When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.
China’s Goal? To Become the World’s Dominant Superpower, FBI Boss Warns by Robert Hackett
How Facebook’s $5 Billion Fine Should Be Spent by Jeff John Roberts
These 7 Apps Are Android Stalkerware by Xavier Harding
Ring’s Founder Rebuts Concerns About Security of Connected Home Devices by Danielle Abril
ONE MORE THING
Man in the Moon. Happy 50th anniversary of the Apollo 11 landing, the first time humans ever stepped foot on Earth’s satellite. Take a good, long look at the night sky this evening and try to imagine yourself standing on that cold, levitating rock. Humanity is a blip in the cosmos.