At Fortune Brainstorm Tech, a number of cybersecurity organizations and the head of the FBI’s cyber unit discussed threats from China, Russia and others, including private industry.
As it is just about everywhere, cybersecurity was a big theme of the Fortune Brainstorm Tech conference last week. At a roundtable lunch, executives from a number of cybersecurity companies and organizations discussed new threats. While they said things may actually be improving, they also pointed to bigger worries from nation-states.
Meanwhile, the FBI’s Amy Hess talked on stage about the various kinds of threats and what companies should do in response. Asked if we should be afraid, she said “the short answer is ‘yes.’”
At the lunch roundtable, one of the big issues discussed was the role that nation-states such as China and Russia are playing, both in external breaches and in trying to infiltrate companies directly to do things such as steal intellectual property.
Michael Brown, former CEO of Symantec and now director of the Defense Department’s Defense Innovation Unit said that in Silicon Valley, “the smaller companies are not as aware as they should be of the threat of insider breaches and foreign players like China.”
He said most of the breaches and threats by volume are criminal, not coming from the various governments, so what both government and private industry need to do is make breaking into systems both more difficult and more expensive. He noted that attackers only have to be right once to get into a system, while defenders have to be right all of the time to keep people out. “It’s an economics game,” he said.
“There are only four problems in cybersecurity: China, Russia, North Korea, and Iran,” according to Dmitri Alperovitch, co-founder and CTO of CrowdStrike. He said not only were those countries themselves major hackers, but many criminal hackers also operate out of those countries. These groups are so intent on hacking that if they try hard enough, they will eventually find a weakness in your network.
Tim Junio, the co-founder and CEO of Expanse, which monitors the internet to look for information that belongs to customers’ firms, said that “It’s incredibly rare—and late in the game—for companies to think about the fact that foreign actors are going to recruit people to penetrate their networks.” He suggested that we need the equivalent of a financial auditing system for cybersecurity.
Oracle general counsel Dorian Daley agreed that more companies needed to focus on insider threats, but stressed that top executives of the company had to take cybersecurity seriously. She talked about how Oracle had a security oversight committee and talked about doing a “corporate colonoscopy” to look for security issues, and then correct them.
In an on-stage interview, Amy Hess, Executive Assistant Director for the FBI’s Criminal, Cyber, Response, and Services Branch, said that terrorism, espionage, IP theft, and simple crime are all part of the “cyber” issues.
She said China’s goal is “to become the world’s dominant superpower,” adding that the Chinese government is willing to steal information, intellectual property, personally identifiable information (PII), government secrets, and R&D in order to get there. In addition, she said, the Chinese are willing to invest in companies and become part of the supply chain to get more information. She said this gives them easy access to technology that took American companies years to develop, tapping American ingenuity. “They get it for free, they get it quickly,” she said.
Russia was different, Hess said, because while it was still interested in stealing military secrets, government secrets and R&D, it was also a “malign foreign influence.” She said Russia used our dependence on social media to make people question whether what they are reading is real, and to use those platforms to divide us.
Hess said the FBI coordinates with the Department of Homeland Security on how to defend networks in the US and works with the Department of Defense to see what’s happening offshore. But she said the FBI’s main role was “accountability”—to figure out who is hacking and hold them accountable. For instance, she said that based on FBI investigation, the Department of Justice charged several individuals with stealing information in the run-up to the 2016 presidential election. The FBI saw attempts to infiltrate election systems in 2016, she said, but that while there was no indication that votes were changed, hackers were certainly trying to get information surrounding the election process.
She was concerned not only about China and Russia, where the FBI has formally charged agents of those governments, but also Iran and North Korea. Criminals were also an issue, as the “money is pretty phenomenal.” She said that over the past 15 months, the FBI’s recovery asset team recovered $380 million, or 78 percent of what was called in.
The FBI highly encouraged companies to contact it when they see something that looks off, Hess said. She said she realized some companies may feel they are at a competitive disadvantage if they acknowledge they may have been hacked, but the FBI can help, help other people, and help prevent the next attack. She noted the FBI has no obligation to tell the world about an attack, and said, “We take that very seriously.”
She wanted to encourage collaboration and cooperation, saying she would like to see the ability to move back and forth between the private sector and government more easily. While the government can’t compete with private industry in salaries for cybersecurity professionals, it can compete on the mission, she said. At the least, “We need each other to share information.”
The biggest issue in cybersecurity remains humans, she said. This includes user error, such as not updating systems or installing patches, as well as the “perpetual clicking on things where you don’t know where they lead to.”
Asked what her greatest fear was, Hess said it was the country’s “critical infrastructure,” and how someone taking out even a small portion of the cellular network, finance, energy, or transportation networks could have “dire consequences.” She was worried about new connected devices, saying that in a rush to get things to market, sometimes security is an afterthought.
I asked what she thought about companies or municipalities paying ransomware, an issue that has been in the news lately. She said it was not a good idea to pay the ransom as this just “encourages others.” Plus, there was never a guarantee that it would work. She said lately ransomware was more likely to target smaller businesses that are “potentially more susceptible,” as well as municipalities.
“You’re going to be a target,” Hess said, “so think of yourself that way.”
She was also asked about the concept of “hacking back,” and said she had real concerns about private industry taking offensive actions. She said she was worried about collateral damage, secondary and tertiary consequences the organizations may not be aware of, and how this could be more dangerous to the critical infrastructure.
Original Link: https://www.pcmag.com/article/369820/cybersecurity-organizations-warn-on-nation-state-and-inside