The Unlikely Weapon in Cybersecurity: Going Analog


A recent voting fiasco in Pennsylvania was a stark reminder that the only way to ensure the integrity of our elections is to use paper ballots. In Northampton County, a glitch in the computer voting system resulted in some straight-line Democrat votes being recorded as straight-line Republican, and gave a statistically impossible victory to a Republican judicial candidate. Thanks to paper backups of the electronic ballots, election officials were able to do a manual recount and restore the actual election results (the Republican judicial candidate lost by a small margin). 

As The Washington Post reported, voters got lucky. The margin of victory for the Republican candidate was so massive that there was obviously something wrong, but what if the margin had been in the probable range? It’s likely the error would never have been uncovered.

The Northampton County voting machines were recently purchased in response to last February’s state-wide mandate to adopt voting systems with paper back-ups before the 2020 elections. In making the move, Pennsylvania joined other states in upgrading or replacing voting systems following Russian interference in the 2016 election and warnings from “ethical hackers” that voting machines in the U.S. are vulnerable.

Recently, Colorado became the first state to ban barcodes for counting votes, opting instead for receipts that show darkened ovals identical to the ballot itself. Colorado is also one of a handful of states to aggressively emphasize mail-in ballots, both for convenience and security’s sake. These moves come amid growing concerns over election security following Russian interference in the 2016 election and warnings from “ethical hackers” that voting machines in the U.S. are vulnerable.

Reintroducing selective physical and human elements into the technological supply chain is the best weapon we have to protect our elections from interference. But this strategy—going analog—shouldn’t be limited to voting machines; it needs to be implemented across the board in public and private enterprise.

In our zeal to embrace the digital revolution and the convenience of smart devices, we’ve sacrificed some security, not to mention privacy. It’s hard to name a product or service that isn’t networked, but connecting every known device to the internet doesn’t necessarily make us “smart.” It makes us vulnerable. From Siri and Alexa to our televisions, insulin pumps and even refrigerators, our lives are increasingly dominated by digital tech—which is not only sharing our data but can also be hacked and manipulated. 

In July, the Department of Homeland Security issued a security alert, warning that flight systems of small aircraft can be easily and quickly hacked by someone with physical access to the plane. And last month, hackers successfully sabotaged vital systems of an F-15 fighter jet during an Air Force-sanctioned experiment at Def Con. 

The Def Con operation represents an increasing willingness of government agencies to open their doors to ethical hackers in an effort to thwart rising cybercrime. In August, 22 Texas towns were hit by a coordinated attack, in which computer systems were taken over and held for ransom. And that was hardly an isolated incident; Baltimore, Riviera Beach and a host of cities were similarly hit. According to CBS, 50 of 70 U.S. ransomware attacks in the first half of the year targeted cities. 

Even more troubling, an April report by the Ponemon Institute found that 90% of all critical infrastructure providers say their Information Technology (IT) and Operational Technology (OT) environments have been damaged by a cyberattack in the last two years, and 62% experienced two or more attacks. Operational technology is what runs the physical systems behind our planes, trains, ships, traffic systems and power grid—so the stakes have skyrocketed from lost data to lost lives.

As cybercriminals ramp up attacks on Critical National Infrastructure (CNI), it’s vital that we innovate beyond increasingly ineffective cybersecurity measures. Thanks to mobile devices, the Internet of Things and cloud computing, “securing the perimeter” is no longer achievable.

The fact is, once information or operational systems are digitized, they are vulnerable to attack by remote forces—including hostile nation states, organized crime and malicious competitors. In other words, when the only method of controlling a system is digital, hackers have a way to assume 100% control. Going analog—introducing human and physical “backstops”—provides our best defense against network-based remote control. 

For example, commercial and private aircraft should be equipped with an “override” analog system that allows the pilot to disconnect the plane in the event of an attack and control it manually. The same is true for gas and electric utilities, traffic systems, hospitals and maybe even corporate computer networks. 

The U.S. Navy was an early adopter of the human solution, bringing back celestial navigation training in 2015. The move to train recruits and officers in the ancient art of navigating by the stars was prompted in part by fears that the Global Positioning System (GPS) satellites could be shot down, or the system simply hacked or jammed. It was a prudent decision, given that cheap GPS jammers can easily be found online.

Meanwhile, that same year, the Ukrainian power grid was digitally attacked by Russia—leaving 225,000 customers in the dark. Grid operators on the ground were able to physically override digital systems to get the power back on in a reasonable time.

These two examples illustrate a key point: Just because systems or techniques were used in the “old days” or aren’t connected to the internet, doesn’t mean we should exclude them as part of the security equation. We haven’t given up seatbelts just because smart cars automatically brake to prevent a collision. We should apply that same “both/and” logic to cybersecurity: The solutions can and should be both technological and human, digital and physical, internet-connected and old school. 

That’s the thinking behind the Securing Energy Infrastructure Act (SEIA), introduced in the Senate in 2016 (following the Ukrainian attack).

The press release announcing the Senate’s passage of the SEIA earlier this summer stated that the act aims to remove vulnerabilities that could allow hackers digital access to the energy grid, and “replace automated systems with low-tech redundancies, like manual procedures controlled by human operators.” SEIA is currently being considered in the House as part of the National Defense Authorization Act for Fiscal Year 2020. If it passes, a two-year pilot program will be set up to identify vulnerabilities and test analog solutions. 

While the SEIA winds its way through Congress, the private sector is already implementing analog solutions. In my work with defense contractors, I’ve seen entire computer systems taken permanently offline to keep them out of reach of remote foreign actors (to avoid situations such as China’s theft of Lockheed Martin’s plans for the F-35 fighter jet). This technique, known as air-gapping, is not perfect, but it does make digital espionage more difficult. Similarly, classified communications often take place face-to-face—even when it requires travel to meet in person—and I’ve been in highly confidential meetings where the chosen “recording” devices were a whiteboard, dry-erase markers and the human brain.

Many corporations are limiting what data they digitize in the first place, selectively opting to archive paper documents and records with physical locks rather than risk a remote hack. I’ve worked with several food-industry clients that have taken their recipe for the “secret sauce” completely offline, choosing to protect their intellectual property using nondigital means. It’s exponentially harder to gain access into a confidential physical location—especially when access is limited to a small group of trusted users. 

Even small businesses can benefit by taking key systems offline overnight, when a majority of successful hack attempts take place. Imagine the lawyer, dentist or doctor that eliminates more than 50% of all hacking attempts simply by shutting down their internet connection before they leave the office. This doesn’t work if employees are working remotely or data backups take place overnight, but many smaller businesses go offline at closing time. 

I’m not saying that all data should be handled this way or that (God forbid) we return to rotary phones—in fact, I’m a believer in the positive power of big data and the smart use of technology to drive progress and innovation. However, in the absence of a 100% foolproof method of protecting the digital systems that we rely on—including those responsible for our safety and security—we need to add analog protection on a selective, well-planned basis.

True innovation isn’t just adopting the latest technology. It’s also knowing how to beat it.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance.

Top Cybersecurity Trends 2020 & the Perils of Prediction


(i.e., Cybercriminals read the same articles as cybersecurity experts)

Oh how we love to predict the future. Who will win the next Super Bowl, Presidential Election, or Best in Show Pooch-a-thon following the Macy’s Day Parade? I’m frequently asked as a cybersecurity expert to peer into my somewhat cloudy crystal ball and give opinions on what cybersecurity trends the criminals have in store for us. It’s so common at this time of year that I’m thinking of setting up a Fantasy Hacker League to take advantage of our love of betting on things that haven’t yet happened. 

Ironically, cybercriminals read the same predictive articles that we do, but they take notes. And then, innovative as they are, run in the complete opposite direction. Here’s a peek into the cheeto-soaked (that’s a false stereotype by the way – these criminals have PhDs) and highly brilliant minds of organized cybercriminals: “If a CEO is reading this same predictive article on how bad Ransomware is going to be in 2020, and that advice serves as the basis for her decision to over-fund anti-ransomware countermeasures, I, smart hacker that I am, will trade my pick on Ransomware in 2020 and browse the “Insider Theft” section of the cybercrime-gamblers catalog.”

Unlike football (or dog shows), where the outcome is not influenced by predictions, cyberthreats often become trends because no one has predicted them yet. And by the time they do, the smart criminals have moved onto something new. 

But this isn’t always true, and we still do need to prepare for what is coming, which is why, in the spirit of the season, I can predict with almost perfect accuracy the Top Cybersecurity Trends for 2020 that will affect the average organization.

Top Cybersecurity Trends 2020 – The average organization will CONTINUE to…

  • Treat cyber risk as an overwhelming tech puzzle rather than a solvable business issue
  • Fail to budget appropriate funds to train the humans that misuse the technology
  • Give hackers easy access to the crown jewels by allowing pet names as passwords (see graphic)
  • Shut down for weeks or pay the ransom due to system backups that “just won’t restore”
  • Spend inordinate amounts of cash to protect “all the data” instead of “the right data”
  • Lose more data to incompetence, human error and malicious insiders than to hackers
  • Live in a Fantasy League where “something like this” can’t happen to “someone like them”

Why can I predict these and other trends so accurately? Because they have been trending for the past ten years and show no signs of stopping. The good news is that everything in this list is eminently solvable if you dedicate the appropriate time, budget and leadership focus. While you are taking action on the above items, don’t forget to consider the Top 2020 Cybersecurity Trends, Part II.

Top Cybersecurity Trends 2020 (What You Were Actually Looking For)

The Internet of Things and Ransomware Will Get Married. Instead of just freezing an organization’s computers, ransomware will burrow its way into WiFi-connected refrigerators, industrial control systems, operational sensors and monitors, pacemakers, emergency room equipment, traffic lights and anything connected to the internet. It will then freeze the operation of the device and ultimately will demand that you pay a sizeable ransom to (maybe) get your nuclear power plant back online.

Leading Organizations Will Discover a Centuries-Old Cybersecurity Tool: Going Analog

Once information or operational systems are digitized, they are vulnerable to attack by remote forces—including hostile nation states, organized crime and malicious competitors. In other words, when the only method of controlling a system is digital, hackers have a way to assume 100% control. Going analog—introducing human and physical “backstops” into your security supply chain—provides the best defense against network-based remote control takeover. We will see traditional analog systems (paper ballots) increase security in the 2020 Presidential Election, better protect the electric grid (manual on/off switches) and decrease the chance of hacked naval navigation (sextants).

Data Manipulation Will Challenge Financial Gain For Top Cybercrime Honors 

Data manipulation is unique among cybercrimes because it’s not about taking the information — it’s about altering the data. The information generally never leaves the owner’s servers, so the criminal raises no red flags that something is amiss. This makes it much harder to catch, and it can be much more destructive. Think maliciously altering flight plans with air traffic controllers, altering bank account balances, or appending your criminal record with fictitious arrests. Every one of us takes data integrity for granted, except for cybercriminals, who will use that bias against us. Think of data manipulation as a virus that invades the body and alters its fundamental DNA. The damage is done quietly, and you may never know it happened.
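The reason in-place alteration is hard to catch is that nothing leaves the server, so nothing trips exfiltration alarms; the defense is to make the data itself carry evidence of tampering. The following is an added example (not from the original column) showing one standard mitigation: each stored record is sealed with an HMAC-SHA256 tag under a key that the application holds but the datastore does not, so a sweep that recomputes the tags flags any record whose content was changed in place. The key, record layout, field names and sample ledger are all constructed for illustration.

```python
"""Detecting silent data manipulation with keyed integrity tags.

Added example (not from the original column). Each stored record gets an
HMAC-SHA256 tag computed under a key the application server holds but the
database does not. Someone who can only edit rows in the database can change
a balance in place, but cannot produce a valid tag for the altered row, so a
periodic verification sweep flags the change. All names, the key and the
sample records below are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed key: in practice this lives in a KMS/HSM or secrets manager,
# never in the same store as the records it protects.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical_bytes(record: Dict[str, Any]) -> bytes:
    """Serialize a record deterministically so the tag does not depend on
    dict ordering or whitespace. The 'tag' field itself is excluded."""
    payload = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> Dict[str, Any]:
    """Return a copy of the record with an HMAC-SHA256 tag attached."""
    sealed = dict(record)
    sealed["tag"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return sealed


def record_is_intact(record: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


def find_tampered(records: List[Dict[str, Any]], key: bytes = INTEGRITY_KEY) -> List[str]:
    """Return the ids of records whose content no longer matches their tag."""
    return [r["id"] for r in records if not record_is_intact(r, key)]


# Constructed sample ledger: three account records, sealed at write time.
LEDGER = [
    seal_record({"id": "acct-001", "owner": "alice", "balance_cents": 125_00}),
    seal_record({"id": "acct-002", "owner": "bob", "balance_cents": 40_00}),
    seal_record({"id": "acct-003", "owner": "carol", "balance_cents": 9_999_00}),
]


def simulate_silent_edit(records: List[Dict[str, Any]], target_id: str,
                         new_balance: int) -> List[Dict[str, Any]]:
    """Model the failure mode from the text: a field is changed in place in
    the datastore and nothing is exfiltrated. The editor has no access to
    INTEGRITY_KEY, so the old tag is left in place."""
    edited = [dict(r) for r in records]
    for r in edited:
        if r["id"] == target_id:
            r["balance_cents"] = new_balance
    return edited


if __name__ == "__main__":
    print("before edit:", find_tampered(LEDGER))        # []
    altered = simulate_silent_edit(LEDGER, "acct-002", 4_000_000_00)
    print("after edit:", find_tampered(altered))         # ['acct-002']
```

Two caveats a practitioner would add: the tag detects alteration after the fact but does not prevent it, so the sweep has to run and its findings have to be acted on; and because an old record and its old tag still verify, rolling a row back to a previous valid version is not caught unless a version counter or timestamp is part of the sealed content.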

A.I. Won’t Take Over the World, But it Will Follow Malicious Instructions Like a Robot

Right now, artificial intelligence is more human than we think. From my experience peering under the hood of AI-enabled technology like smart TVs, digital assistants and end-point cybersecurity products, I’m constantly amazed by how much human input and monitoring is necessary to make them “smart.” But that is changing as machine learning progresses. We tend to focus on AI taking over the world (thanks to the movies), but it’s not AI itself that we need to fear. It’s AI in the hands of would-be dictators and cybercriminals. Fathom, for a moment, Darth Vader, Hitler or a cyberterrorist in charge of an army of robots that always obey their leader’s command. As always, there is the positive side of the technology, and AI will be used to detect malicious attacks and defend the data on which our economy runs.

To help you get ahead of these topics, I will be writing at length and speaking on all of the above trends (and more) in 2020. Please check back here often, or connect with me to get our latest news on Facebook, Twitter or YouTube. In the meantime, resist the trend to let fear paralyze you in taking action on cybersecurity.  

About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on intentional technology, cybersecurity and data privacy.

Google Buys Fitbit

Google Isn’t Just Buying Fitbit, They’re Tracking Your Donut Habit

You’re heading to the gym for a workout when you decide to surprise your coworkers with a treat. You search for the nearest bagel shop on your Google Maps app, which directs you to their closest advertiser, Donut Feel Good? Your heart pounds from the joy of anticipation — your team will LOVE you (or at least the sugar rush). Just as you’re leaving Donut Feel Good, your phone dings you with a coupon for coffee across the street. “Why not?” you think, as Google subtly nudges your behavior just a bit more. While you’re in the office, basking in coworker glory, Google is busy sharing your lack of exercise and trans-fat consumption with your health insurance company.  

Welcome to the surveillance economy, where your data is the product. I’m John Sileo, privacy and security are my jam (as my kids like to say), and my goal is to make sure you’re being intentional with how you allow technology to track and share your private information, especially as you consider buying a tracker for someone you love. 

Put simply, Google is moving out of our pockets and into our bodies. Thanks to their purchase of Fitbit, the health tracking device, Google can combine what they already know about us – the content of our internet searches (Google.com), location data (maps and Android phones), emails, contacts (Gmail), conversations at home, smart speaker searches (Google Home), video watching habits (YouTube), video footage, thermostat settings (Nest) and document contents (Docs, Sheets, etc.) – with our health data. The sheer volume of the digital exhaust they’re collecting, analyzing and selling is phenomenal. Google is at the forefront of the surveillance economy — making money by harvesting the digital exhaust we all emit just living our connected lives.

Fitness devices and apps can track what we eat, how much we weigh, when we exercise, sleep and have low blood sugar. They know that your heart-rate increases when you shop at your favorite store, can predict menstrual cycles, record body mass index and interpret your intimate cuddling habits. And you thought that gift you were about to buy benefited the recipient. Actually, you’re paying Google to improve your personalized tracking profile that they can sell to advertisers. Which you might be okay with, but you deserve to know enough to have the choice.   

Google and Fitbit say that our data will be anonymized, secured and kept private. Blah, blah, blah. This is a common tactic I call PPSS, Privacy Policy Slippery Slope. When we stop paying attention, the tech company emails us an “updated” 100-page privacy policy that they know we will never read and can never understand. They love taking advantage of our defeatist attitude – oh, there is nothing I can do about it anyway. That attitude resigns you to being categorized into a highly profitable behavioral profile, whether that’s Healthy, Happy and Rich, or Overweight, Underpaid & Obsessed with Donuts.

In a related story, Google has been quietly working with St. Louis-based Ascension, the second-largest health system in the U.S., collecting and aggregating the detailed health information on millions of Americans. 

Code-named Project Nightingale, the secret collaboration began last year and, according to the Wall Street Journal, “encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.” The Journal also reported that neither the doctors nor patients involved have been notified.

Now couple that with data on what foods we buy, where we go on vacation and our most recent Google searches, and companies will not only be able to track our behavior, they’ll be able to predict it. And behavior prediction is the holy grail of the surveillance economy. 

For the time being, you control many of the inputs that fuel the surveillance economy – but changing behavior is hard. I know because even I have to make intentional choices about how I share my health data. The keyword in that sentence is intentional.

For example, you can choose to take off your Fitbit or trust your data with Apple, which is a hardware and media company, whereas Google is an information aggregation company. You can change the default privacy settings on your phone, your tracker and your profile. You can delete apps that track your fitness and health, buy scales that don’t connect to the internet and opt out of information sharing for the apps and devices you must use. Your greatest tool in the fight for privacy and security is your intentional use of technology.

In other words, you do have a measure of control over your data. Donut Feel Good?


What if Putin Had an Army of Killer Artificial Intelligence Robots?


The New Frontier: How Science Fiction Distorts Our Next Move on Artificial Intelligence and Cybersecurity

It’s been 51 years since a computer named Hal terrorized astronauts in the movie 2001: A Space Odyssey. And it’s been more than three decades since “The Terminator” featured a stone-faced Arnold Schwarzenegger as a cyborg terrorizing “Sarah Connah.” Yet, dark dystopian civilizations — where computers or robots control humans — are often what come to mind when we think of the future of artificial intelligence. And that is misleading.

I was happily raised on a healthy diet of science fiction, from the “Death Star” to “Blade Runner.” But increasingly, as we approach the AI-reality threshold, Hollywood’s technological doomsday scenarios divert the conversation from what we really need to focus on: the critical link between human beings, artificial intelligence and cybersecurity. In other words, it’s not AI we need to fear; it’s AI in the hands of autocrats, cybercriminals and nation-states. Fathom, for a moment, Darth Vader, Hitler or even a benevolent U.S. president in charge of an army of robots that always obey their leader’s command. In this scenario, we wouldn’t avert a nuclear showdown with a simple game of tic-tac-toe (yes, I loved “War Games,” too). 

As I noted in my post about deepfakes, not only is AI getting more sophisticated but it’s increasingly being used in nefarious ways, and we recently crossed a new frontier. Last March, the CEO of a U.K. energy firm received a call from the German CEO of the parent company who told him to immediately transfer $243,000 to the bank account of a Hungarian supplier — which he did. After the transfer, the money was moved to a bank in Mexico and then to multiple locations.

In fact, the U.K. executive was talking to a bot, a computer generated “digital assistant” — much like Siri or Alexa — designed by criminals using AI technology to mimic the voice of the German CEO. The only digital assistance the crime-bot gave was to digitally separate the company from a quarter million dollars. 

Rüdiger Kirsch of Euler Hermes Group SA, the firm’s insurance company, told the Wall Street Journal that the U.K. executive recognized the slight German accent and “melody” in his boss’s voice. Kirsch also said he believes commercial software was used to mimic the CEO’s voice — meaning this may be the first instance of AI voice mimicry used for fraud.

Trust me, it won’t be the last. We’re at the dawn of a whole new era of AI-assisted cybercrime.

What’s ironic about the prevailing wisdom around AI, however, is that the capabilities of criminals and bad actors are often underestimated, while those on the cybersecurity side are overestimated. At every security conference I attend, the room is filled with booths of companies claiming to use “advanced” AI to defend data and otherwise protect organizations. But buyer beware, because at this stage, it’s more a marketing strategy than a viable product.

That’s because artificial intelligence is more human than we think. From my experience peering under the hood of AI-enabled technology like internet-enabled TVs, digital assistants and end-point cybersecurity products, I’m constantly amazed by how much human input and monitoring is necessary to make them “smart.” In many ways, this is a comforting thought, as it makes human beings the lifeblood of how the technology is applied. People, at least, have a concept of morality and conscience; machines don’t. 

In a sense, AI is really just an advanced algorithm (which, by the way, can build better algorithms than humans). The next stage is artificial general intelligence (AGI), which is the ability of a machine to perform any task a human can (some experts refer to this as singularity or consciousness). This is an important distinction because current AI can perform certain tasks as well as or even better than humans, but not every task — and humans still need to provide the training. 

We’ll achieve artificial general intelligence when we’re able to replicate the functions of the human brain. Experts say it’s not only theoretically possible, but that we’ll most likely develop it by the end of the century, if not much sooner. 

The U.S., China and Russia are all pursuing the technology with a vengeance, each vying for supremacy. In 2017, China released a plan to be the leader by 2030, and that same year Russian President Vladimir Putin said, “Whoever becomes the leader in this sphere will become the ruler of the world.” Darth Putin, anyone?

And this brings us back to those doomsday scenarios, but I’m not talking about cyborgs roaming American cities with modern weaponry. The real threat is to American industry and infrastructure. So, instead of worrying about a future where bots are our overlords, it’s time we focus on the technological and legislative conversations we need to have before AGI becomes ubiquitous.

Cybercriminals using AI were able to swindle an energy company out of a quarter million dollars without breaking a sweat. 

They’ll be back.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on technology, cybersecurity, and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab, and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

Going Analog: Tom Kellermann Emerging Cyberthreats

John speaks with Tom Kellermann, Chief Cybersecurity Officer at Carbon Black, about emerging cyberthreats and what we can do to protect ourselves.

About Tom Kellermann

Tom Kellermann is the Chief Cybersecurity Officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017, Tom was appointed the Wilson Center’s Global Fellow for Cyber Policy.

Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro; Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury.

In 2008 Tom was appointed a commissioner on the Commission on Cyber Security for the 44th President of the United States. In 2003 he co-authored the Book “Electronic Safety and Soundness: Securing Finance in a New Age.”

Kellermann believes, “In order to wage the counter-insurgency we must spin the chess board. The killchain is obsolete – we must measure success of disruption of attacker behavior. Understanding root cause is paramount. Combination of TTPs define intent. Cyber is All about context and intent/cognition.”

About Cybersecurity Author & Expert John Sileo

John Sileo is an award-winning author and Hall of Fame Speaker who specializes in providing security awareness training that’s as entertaining as it is educational. John energizes conferences, corporate trainings and main-stage events by interacting with the audience throughout his presentations. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.