On Monday the RSA cybersecurity conference kicks off in San Francisco. Lots of security vendors will be there offering solutions for keeping businesses safe from hacking. The number of huge security breaches in recent years might make it seem like that’s impossible. In fact, this year the theme of the RSA conference is simply “Better.” Yikes. Molly Wood talked with Kim Zetter, a cybersecurity journalist and author of the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.” Zetter said in the world of cybersecurity, some things are better while others are not. The following is an edited transcript of their conversation.
Molly Wood: Where do we still need to improve?
Kim Zetter: We still need to improve on software. Back in the days of 1999, 2000, 2001, if you approached Microsoft to point out a vulnerability in their software, they would either ignore you or threaten you with a lawsuit. Microsoft doesn’t do that anymore, and a lot of the big companies don’t do that anymore. But there are still companies that don’t have bug bounty programs for reporting vulnerabilities, or when you do report vulnerabilities, they don’t respond in a timely manner or they still threaten researchers.
Wood: How much of this falls on the employees? We hear so often that we are the single point of failure, that you’re only as good as the employee who doesn’t click the phishing link. We recently ran a test internally at Marketplace and pretty much everybody clicked the link.
Zetter: That’s one of my pet peeves because I hate blaming the user. The user isn’t at fault here. I’m in a job as a journalist where I have to click on emails and open emails from people I don’t know. If you’re in human resources, that’s a part of your job, receiving resumes, oftentimes as attachments from people you don’t know. Blaming the user for doing their job isn’t appropriate. I think that the real issue here is designing systems that prevent a user’s system from experiencing harm when the user does click on something malicious.
Wood: RSA, of course, will feature a lot of security vendors that are trying to sell solutions to companies. Is the money spent by a company directly proportional to the amount of protection?
Zetter: No, because you have to spend smartly. You have to buy wisely. I’ll point to the issue of Target. When they were breached several years back, they had just implemented some multimillion-dollar security system on their network and that security system was issuing alerts saying, “Hey, there’s something suspicious here.” The people who were reading those alerts actually were in India. They were contacting Target employees saying, “We’re seeing these alerts.” The employees were ignoring them. The system only works if you actually implement it correctly and then you actually pay attention and act on what it tells you to do.
Related links: more insight from Molly Wood
A report yesterday from Moody’s Investors Service said that from a debt risk perspective, the four sectors at the highest risk from cyberattack are banks, investment firms, securities exchanges and hospitals.
The risk assessment is based on the combination of how reliant a sector is on technology and how much financial risk there is if it gets hit. When Moody’s says risk, what it means is those four sectors have a combined $11.7 trillion in outstanding debt. If one or two or all four sectors were hit by massive cyberattacks, the financial implications would be huge. In its report, Moody’s said, “Cyber risk is event risk and we see a rising tide. Digitization continues to increase, supply chains are becoming more complex and attacker sophistication is improving.”
Around 2011 is when the Securities and Exchange Commission started publishing guidance on how companies should disclose security breaches and cybersecurity risks. Moody’s has been looking at whether cybersecurity presents a credit risk in the same way as a natural disaster or some other “extraordinary risk event” since about 2015. That’s the last time, and the only time, it put out a report on cyber risks across lots of sectors.