There’ve been lots of big security breaches recently. Like in the case of T-Mobile, where about 50 million people’s personal information got exposed. And attacks on critical infrastructure, including the Colonial Pipeline hack. Remember those gas shortages along the East Coast?
As hacks go up, so does the demand for help preventing and responding to them. Lesley Carhart, an incident responder for the industrial cybersecurity company Dragos, says that, nowadays, people understand what she does — even her grandma. The following is an edited transcript of our conversation.
Lesley Carhart: It was shocking. A few months ago, [my grandma] cut out articles from the newspaper for me and said, ‘Hey, I know what you do now. This is really important. I’m excited!’ It really made my day.
Jed Kim: What has demand been like for your work recently?
Carhart: Yeah, it’s definitely been increasing. It’s been increasing for every organization, every company that offers these services. In fact, a lot of the companies that offer incident response services are getting backlogged at this point, because ransomware is so impactful. In the past, breaches didn’t really become impactful until there was damage or data was lost, or something. With the prevalence of ransomware, cybercriminals are creating an impact that’s almost immediate, and it causes great damage to an organization’s operations.
Kim: With the increased demand for the work that you do, are you seeing lower standards among cybersecurity professionals? Like, are you ever getting called in to fix messes that other people have made?
Carhart: I am definitely getting called in for that. And it’s unfortunate, because retainer services for incident response are certainly lower cost than hiring somebody on the spot. But they still aren’t cheap, and so I feel awful when I get hired in to do incident response, again, for an organization that had it done once improperly. The real unfortunate thing about that is that sometimes that first incident response that’s done improperly causes damage to the evidence, and the investigation can no longer be completed or fully understood.
Kim: What kind of mistakes are people making when they do it wrong?
Carhart: So, incident response is detective work. It’s a scientific method process, and it requires a scientific, investigative mind. And that means that we need to be building careful timelines based on evidence of what happened on a network. You can’t just go in and say, ‘I think that XYZ country is attacking this network,’ and just use your own biases and assumptions to guess what happened. That doesn’t work. We’re doing investigations. We have to be good, rational detectives and so that means, what evidence do we have? We’ve got to collect that evidence properly. We’ve got to timeline it out. And if you’re not doing those things, you’re not doing a proper, good investigation.
Kim: I keep thinking of a family of cops. Just because your father was a cop, your grandfather was a cop, your uncle, it doesn’t mean you’re gonna be a good cybersecurity professional.
Carhart: No. I mean, investigative methodology is investigative methodology, and the scientific method is a scientific method. But that’s a skill you have to learn. You have to learn how to think critically and collect evidence correctly and present that evidence in a sensible way that’s not influenced by your own biases about who’s attacking whom or what got stolen, etc.
Kim: It can be hard for regular people to wrap our minds around infrastructure hacks and their wider implications. What do you worry about?
Carhart: I work in the critical infrastructure space specifically, so I’m doing incident response for things like water, power, manufacturing, medical, etc. And all those different verticals have totally different postures and funding and things for cybersecurity. I think the one that keeps me up the most at night these days, and for the last few years, has been water and water treatment. And we actually saw quite a few cases in 2021 of compromises, cybersecurity incidents impacting water utilities, and the reason for that in the United States is that these are usually municipal utilities, so they’re not big companies that sell their services across multiple states. Oftentimes, they’re just a town or a city, and they may have one or two IT people. And that’s, that’s tough, you know, to also do all that IT work, and then also do cybersecurity. That’s a lot to ask of a person.
Kim: People just don’t pay attention to their water until something’s gone wrong. And that seems like a ripe opportunity for some terrible mischief.
Carhart: Everybody’s used to power going out. They know how to handle that. They know what it looks like, so when people think about hacks against infrastructure, or malware impacting infrastructure, they think about power right away. So it’s always grid this, grid that. But that’s just because it’s what we are used to and what we know in the United States, like we’re not used to turning on a faucet and not having potable water come out. That’s not something that most people in the United States have to deal with on a regular basis. But that’s really a horribly impactful thing — having sewage go the wrong direction in pipes, or contaminating water supplies or water just not being available. Those are really impactful things that people don’t think about a lot.
Kim: People may be seeing the Colonial Pipeline hack, or the T-Mobile hack, and just feel helpless. Do you have any advice for those people?
Carhart: Yeah, start with the basics. There’s a million people out there who are going to sell you their services and products for cybersecurity and say they’re going to fix everything. There’s no magic product out there that’s going to fix cybersecurity for any organization. Where you really need to start, especially with a limited budget, is understanding your environment and securing it well from the ground up. So, hey, what computers do you have out there? What servers? What are they connected to? And how are they secured? And then after that, let’s start seeing if they’re patched. Start with the basics. That matters a lot, it really makes a big difference in deterrence.
Kim: I feel, as a regular Joe, oblivious that my data has been hacked, and that I don’t know what’s gonna happen with it. I’ve just kind of resigned to it. Is that healthy?
Carhart: I know a lot of people feel really demoralized at this point about data breaches, about their data being stolen over, and over and over again. But it’s not really healthy. Your data and who you are, your internet presence, changes all the time. No, the adversaries probably don’t have everything about you, and it’s different criminal groups. So maybe like one group over here has some of your data and then another group over there has some other bits of data. They probably haven’t put it all together in a way that could be immediately harmful to you. So definitely, still think about security, and don’t get overwhelmed by all the bells and whistles. Again, start from the ground up. As individuals, do things like use a password manager and use unique passwords for every website. There’s little basic things that make these huge differences, like turning on multi-factor authentication on services on the web. That makes a huge difference, and it’ll really deter a lot of crime.
Kim: I guess I was hoping you’d say there was a magic bullet. I’m kind of bummed there isn’t one.
Carhart: Me too.
Related Links: More insight from Marketplace’s Jed Kim
Want more proof that the demand for cybersecurity is up? You could look at what salary chief information security officers are making. Yeah, that’s a real position, and it’s getting more common. Higher demand means they’re making bank. The Wall Street Journal cites one survey that finds total compensation for CISOs is up 19% over last year.
Sometimes, it turns out unsecured data doesn’t happen because of hacking. It’s because people don’t understand how to use your software. Witness Microsoft’s Power Apps. It lets people and organizations make their own apps — apps that collect a lot of information. Wired says more than a thousand of those apps didn’t set their privacy settings correctly. That resulted in 38 million records out in the open that probably shouldn’t have been. Things like phone numbers, addresses, social security numbers, COVID-19 vaccination statuses. Yikes. Microsoft has since made privacy more of a default in Power Apps.
Lesley mentioned cybersecurity for critical infrastructure. According to Energywire, our power grid is also in need of better AI. That’s because all of the renewable energy plus electric vehicle charging is making running a grid more and more complicated. There’s a lot to consider when making decisions about what power goes where and when. Our human brains just aren’t going to be enough. But at least they can’t get hacked, amirite?
And, finally, I feel like I should find another link, but really I just want to watch that cringy dancing Tesla robot person some more. I’ve got my Halloween costume this year.