“My first reaction,” says Cooper Quinton, senior staff technologist with the Electronic Frontier Foundation, “was surprise that it took so long.”
He’s talking about the moment he heard of last month’s huge Facebook hack. “It wasn’t a shock,” he continues. “Every organization of any significant size will be breached, given a long-enough timeline.”
The super-hack, which exposed at least 50 million accounts to hostile takeover, underscored the reality that cyber vulnerability is a catastrophe for businesses. If one of the most sophisticated and massively capitalized Internet giants can be so shamefully compromised — despite its concerted attempts to secure sensitive data — what hope is there for everyone else?
And what does this mean for a cybersecurity industry that’s supposed to be making such stunning headlines less frequent? Where’s the good news?
The need for a new paradigm in cybersecurity has become blazingly clear. The mobile revolution has multiplied the number of vulnerable endpoints; the attack surface widens with every interconnected device.
This summer’s Black Hat USA conference exposed the latest vulnerabilities lurking in everything from phones to voting machines to airplanes. The showstopper: the revelation from IBM’s DeepLocker team that machine-learning techniques can now be deployed to design malware that conceals trigger conditions and attack payloads deeply enough to avoid detection by most antivirus and malware scanners.
A fluency in the field is now not merely a responsibility for a company’s CIO, says Kiersten Todt, managing partner of risk management firm Liberty Group Ventures. It’s also an important duty for any C-suite executive responsible for risk management, interfacing with law enforcement, or crisis communications.
Everybody needs to know the basics of spear phishing via direct message (as on Twitter), the gray market for zero-day exploits, and SQL injection attacks. Most importantly, executives need to understand that they may be targeted personally through a tactic known as “whaling,” or using legitimate executive names and email addresses to dupe unsuspecting employees into wiring money or sensitive documents.
“If you can actually spear the whale, you have a different level of access and the ability to speak in the first person at the highest level,” Todt says. “You can transfer assets, even change company policy.”
Feeling the Pain
Meanwhile, the attacks keep coming. The general public may already have become as numb to them as to vehicular fatalities, but the executives on the receiving end are feeling the pain. Acutely.
This year alone, before Facebook’s hackers grabbed the spotlight, the Justice Department charged members of the Iranian hacker clearinghouse known as the Mabna Institute with spear phishing their way into 144 U.S. universities. And the city of Atlanta suffered the infamous “SamSam” ransomware attack, which may end up costing more than $11 million to fix.
Innovations in the field are as impressive as they are worrisome. For example, a new form of ransomware known as KeyPass that debuted this year comes with an option for the attacker to take manual control of an infected system.
And for those who prefer stats to anecdotes: last February the Council of Economic Advisors estimated that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. CyberSecurity Ventures predicts that global damage connected to ransomware alone will reach $11.5 billion in 2019.
The situation has become so dire that a secretive group known as Intrusion Truth — possibly supported by corporate hacking victims or three-lettered federal agencies — has taken to publishing the names and addresses of individual Chinese hackers.
Meanwhile, cybersecurity has mushroomed into a $100 billion market. But beware, says Quinton: the industry is plagued by “snake-oil salesmen” masquerading as game-changers.
Adds Todt, “Cybersecuity is the flavor of the year. We are seeing companies that are simply rebranding old technologies to get into the space, and a lot of claims just overpromise.”
Several players in the space are now touting some variation of AI as a breakthrough solution, a way get beyond the traditional “patch” system of identifying malware after it’s struck and then distributing and upgrade existing detection software.
“AI will be helpful as it matures,” says Todt’s partner Roger Cressey, pointing to Cylance as a respected provider. “There will be a leap-ahead capability and you’re seeing companies moving into that. They’re saying they are going to power all the typical solutions previously offered, but with AI as a ‘steroid’ enhancement.”
One hope is that AI can reduce the threat of the end user as an attack vector, and there are reasons for optimism. One came out of the Defense Advanced Research Projects Agency’s 2016 Cyber Grand Challenge.
Billed as a competition to “create automatic defensive systems capable of reasoning about flaws, formulating patches, and deploying them on a network in real time,” the event helped convince PricewaterhouseCoopers “that AI capabilities can quickly identify ‘hot spots’ where cyberattacks are surging and provide cybersecurity intelligence reports.”
Still, some see the current cybersecurity applications of AI as inexorably reactive — and therefore insufficient — largely because they aren’t addressing the deepest root of the problem: the code itself.
“All the next-gen firewalls in the world wouldn’t have stopped the Facebook hack,” says Quinton, because the problem wasn’t a socially engineered zero-day exploit or password breach. Instead the culprit was a flaw written into the existing code that enabled the hijacking of a user’s authentication token.
A sizable enterprise running unique, proprietary software, particularly those with legacy systems, may be running tens of millions of lines of code. With that software often undergoing revision and editing by in-house DevOps and outside consultants alike, it’s highly likely that vulnerabilities are proliferating that won’t be identified until there’s an attack.
That’s before even taking into account the many “inside jobs” perpetrated by coders themselves.
“Coding is a huge issue because the amount of it needed is huge, and first to market will always trump secure to market,” says Cressey.
Notes Michael Chatten of the Myrtle Consulting Group, “Eventually these systems get so big it becomes impossible to spot the vulnerabilities that pop up, especially if you are combining big libraries.”
New software typically launches with between 20% to 40% useless code. While that may seem like a pure quality assurance issue, it can quickly reverberate into the security space. “It’s like the Ford Pinto: a quality management failure that became a major safety issue,” says Cressey
This is where a company called Holonic Technologies believes it can change the game. Its differentiator is what CEO David Jaye calls “semantic AI.”
“We don’t just read the code,” says Jaye. “We identify its underlying intent.” Think of the ability to comprehend the intention of the idiomatic phrases “I’m spent,” or “I’m beat,” and not just the literal phrase “I’m tired.”
Once the system achieves a completely mathematical understanding of that intent, it can identify both “weird” anomalies that are just bungled attempts to convey proper meaning and genuinely malevolent lines of code with “bad intentions,” according to Jay. The system “assumes you meant something, and looks for what that is — what you meant, not what you wrote.”
Holonic is presently managing projects with federal government contractors. Given the proven vulnerability of government systems from the municipal level up, it’s a robust market.
But while the industry-wide quest continues for a “cyber-Salk” vaccine — an AI that will not only solve the problem, but dissolve it – Jaye says clients should strongly consider using a suite of different approach tools to maximize their defenses.
Quinton couldn’t agree more. “A lot of companies seem to say, ‘buy our box and all your problems will go away.’ That doesn’t contribute to a healthy security posture for anyone,” he says.
Miguel Sancho is a freelance journalist, a former longtime producer for CBS News and ABC News, and a business consultant to media and technology companies.