Peggy Smedley and Richard Forno, senior lecturer at the University of Maryland, Baltimore (UMBC) Department of Computer Science and Electrical Engineering, discuss the reality of cybersecurity. He explains how and why data breaches are happening all the time, so much so that as a society we just might be becoming immune to them. This raises a much bigger question: whether we need to plan for “what if” scenarios, such as the cloud going down.
Below is an excerpt from the interview. To hear the entire interview on The Peggy Smedley Show, go to www.peggysmedleyshow.com and select 07/23/19 from the archives.
Peggy Smedley:
So, Richard, lots to talk about today. Let’s start, if you could, give me your thoughts on the state of cybersecurity today because when I think about it, it’s rapidly changing and we’ve just seen some really interesting things with what’s going on with government issuing some big fines for failure to protect citizens. So what’s your take on it?
Richard Forno:
Well, I get asked that question a lot, and my response to begin with is kind of snarky, but pretty accurate, and that is, WE ARE SCREWED. We have all sorts of wonderful things that technology provides us on the internet and social media and mobile devices, wonderful things, but there are so many risks that are associated with it that a bad guy, whether they’re a criminal or a hacker or a foreign country, can take advantage of to cause mischief.
So, it’s a never-ending struggle between people in society embracing this awesome new tech and balancing the risks that go along with it. So, it’s job security for the cybersecurity field, absolutely, but it’s also a reality that we all have to deal with on a daily basis.
Smedley:
So when you look at that, using the expression, “We’re all screwed,” as you just said, is it the right thing to think about because we all want to be connected 24/7? That’s the way we want it. And then you have organizations… look at an Equifax, who has had to pay out some big bucks. If you have to pay out millions of dollars and billions of dollars for big data breaches in the end, when data breaches are happening every day, are we as a society going to say, “Hey, we’re going to get used to these big data breaches, and we’re going to get comfortable with them,” and then because of that we say, “Well, they’re just going to happen,” and we get lackadaisical because of it? Or do we have to be vigilant to understand those bad guys are constantly knocking at our door?
Forno:
It’s actually a combination. The number of data breaches, to use this as one example of a cybersecurity problem: we see data breaches happening all the time; Equifax, the Office of Personnel Management, Home Depot, Target. The list goes on and on and on. And I worry, as do many of my colleagues, that we, as a society, are sort of becoming immune to news of another data breach because, “We’ve all got 20 years of free credit monitoring, so what’s the problem? It’s the price of doing business in cyberspace these days.” I understand where they’re coming from, but if this information gets out there, it can certainly cause a ton of problems for individuals around the world.
Smedley:
What influence does technology have on, let’s say, national security, specifically, or in general, both on business on the enterprise side and on the consumer side?
Forno:
I’ll give you two examples. The first is on the national security side. For the past 20 or 30 years, there has been a raging debate in Washington policy circles and other capitals around the world about what we call the “going dark” problem with encryption, meaning that governments in the past used to have surveillance tools and capabilities to monitor phone calls and fax machines and wires to conduct criminal investigations or intelligence collection activities. With the rise of very strong encryption in the hands of pretty much anybody, and being built into tools like the iPhone with iMessage and other tools, governments around the world are having a hard time dealing with that when they’re trying to investigate crimes and intelligence concerns.
So, there’s this debate about what is the role of government surveillance versus civil liberties with regards to protecting online information. A lot of government people that I talk to would love for encryption to be backdoored, so that the government, being the good guys, hopefully, can have access to all the secure data to investigate things. But the problem is encryption is really, really strong math, and you can’t create what we call a golden key where only the good guys have access. If you weaken encryption, it’s weak for everybody, the good guys and the bad guys. So that’s one example of a national security concern with technology, the encryption debate. But then on the individual and the enterprise side, you look at the rise of things like IoT (Internet of Things), or social media, or take your pick of any new service or platform that has come out in recent years.
Humans like the shiny objects. We rush to embrace things because they’re cool and they look awesome, and they maybe allow us to be connected, but we don’t think about what we’re giving up in return in terms of our privacy or our data. So now you’re seeing pushback from companies like insurance companies. Well, if you go out of town and you post on your Facebook page, “I’m going out of town for three weeks on a vacation,” and then your house gets broken into, your insurance company is probably not going to cover your losses because you were stupid enough to say you were going out of town and telling the world. So, it’s a combination of factors that has brought us to where we are today with this situation, which is not all bad, but there are problems we have to work through.
Smedley:
You brought up an interesting point. And I’m not getting into politics, but I am addressing a political thing. When we invade a private person’s information, we’ve seen this already happen in politics today, an individual before they were in office. Whether you’re a Republican or Democrat, it doesn’t matter, we don’t have the right, whether based on our constitutional rights, to do that. We’ve seen there’s a lot of debate. Did it happen? Did it not happen? Is that what you’re addressing right now? I mean you’re stating that we shouldn’t be allowed to do it. Now, whether it did happen or didn’t happen, those are the questions you’re raising right now.
Forno:
Well, the question of whether or not we should be able to do it is certainly something for the lawyers and the politicians and ultimately the voters. The technology, the capability of technology to allow an individual, you and me, to protect our information from eavesdropping or surveillance by somebody else, it gives the government problems because criminals can use this same technology to hide their activities. So, if we, for example, decide to weaken encryption everywhere because it will make law enforcement’s job easier, well, that places the rest of us at risk because our transactions and our information online may not be as secure as it once was.
Smedley:
Let’s look at the bigger picture right now, and I’m going to play like getting everybody all paranoid right now. We all see power outages. We all know we have a grid that is not, it’s old school, right? It’s not very protected right now.
Forno:
Yes.
Smedley:
Every time a grid goes down, are we weakening our defenses? Are we opening the opportunity for the bad guys to get in? Every time we have a brownout, every time we have an outage in New York or we have one in Detroit right now, every time this is happening, is that enabling something to happen, or do we even know? Is it paranoia right now? Was it really because of overuse? Or do we simply not know?
Forno:
It’s both. Sometimes we’ll know if there’s a brownout or a blackout because of a storm or a weather event or a natural disaster. You can pretty much figure it’s because of Mother Nature, but there are certainly cases or incidents, some of which don’t make the headlines, where a power grid has a problem somewhere for a short period of time that may well have been caused by some adversary in cyberspace, whether they’re here in the U.S. or overseas, trying to find ways to cause mischief.
Smedley:
So the more that we’re connected, as consumers, as businesses, we have to do more. But how do you do more when the more we connect everything? We’re connecting diapers now. I mean, the average person gets an email, and that’s connected to the public utility. Everything gets connected. So, every time we just open an email the more and more the opportunity for the nefarious character to get in.
Forno:
Exactly. It’s a constant struggle, because new services and technologies come out all the time. And as we embrace these, we certainly can open ourselves up to attack or vulnerability. But just because we can connect to more and more things doesn’t mean we actually need to. For example, IoT technology, Alexas, and smart thermostats, these are wonderful gadgets around the house. Do I really need to have a smart refrigerator telling me my milk is going bad in two days? Or a smart toaster telling me I burnt my toast? No.
So why would I want to put my refrigerator on the network and potentially open myself up to, say, mischief or an attack? We have to think about how we’re using technology and how we’re embracing it and bringing it into our lives and our homes, to really do the calculus in our head to determine whether this is a good thing or not. We can’t just point and say this is awesome and cool and do it. What are we giving up? What’s the other side of that argument? And that’s a question that requires everybody, individuals, to stop, and think, and do a little bit of analysis about what they may be getting into. And that’s hard.
Smedley:
Have we?
Forno:
That’s very hard.
Smedley:
Have we moved too fast in connecting everything without… Because as you hear all of the major carriers, and as you hear all of the major tech companies, and as you hear all of the major cloud companies, as we move to the edge, we move to the cloud, they tell us all, “It’s safe. Don’t worry about it. We’ve taken care of this.” Is it true or not?
Forno:
At the risk of sounding like a professor, it depends. In some cases it’s probably safe given whatever the endpoint is, and what’s happening at the endpoint. But traditionally, I’ve said since the mid ‘90s when dot.com took off, that we are rushing into this networked society and we’re not fully understanding what we’re getting into. So, for example, the network-centric enterprise is wonderful. We can be connected to the cloud and have all of these wonderful technologies. But what happens if our link to the cloud goes down? Have we planned for that? Are we still able to function as a company if our link to Google and Google Docs and Gmail goes down, right? Do we think these things through when we’re rushing to embrace the new technology? And in many ways we haven’t, and we didn’t, back in the late ‘90s to early 2000s, which leads to where we are today.
Smedley:
But Richard, haven’t we gotten to a point right now that we would like to think our tech companies are making sure now, and I’m going to now kind of defend them a little bit, that they’re hoping, because if they haven’t done what they need to do to try to keep up with the best, I’d like to think they’ve got the best and the brightest to keep up with the worst of the worst out there, right? So, we’re hiring the best and getting the best to keep up with the worst of the worst, and they’re trying to keep in step with them? It’s kind of a race right now.
Forno:
Yeah.
Smedley:
So, one would like to think they’re trying to figure out how do we keep improving on all of this? Is there not something that they’re saying, “Look, we’re going to keep developing the best AI (artificial intelligence), the best machine learning, the best technologies so we can get to quantum or wherever we’re going to get so that we are better and better.” Is that not what’s happening? As a professor, are we not getting there?
Forno:
Oh, we are getting there as a discipline, as an industry. Research, development, and testing always take place. And that’s good. That’s healthy. That’s as it should be. Where there are problems is when we have a product or a service that is still being tested or is not fully ready and we start relying on it for critical services. I’ll give you an example. Email has been wonderful. We all use email, or many of us use email these days. But the email protocol that lets that email go from me to you is very insecure, and it allows spammers to take advantage of that protocol to send out spam, which can include malware and other bad things. But trying to fix the email problem means changing the email protocol, much of which is baked into our infrastructure. And it’s going to be very, very difficult, if not impossible, to rip it out and replace it.
So, we’re stuck with what we have. That’s an example of how we’ve let technology and our use of technology kind of leapfrog over our ability to control it and secure it effectively.
Smedley:
So, we started with something that was insecure and we’re kind of stuck with something and we have to live with what we did.
Forno:
Exactly.
Smedley:
We have to hope that you guys as professors are creating these great young minds to come out, that can think of something better and brighter.
Forno:
And it’s not just the professors creating the next generation of product developers. It’s also creating a society of individuals that are just good digital citizens. Folks that will think about what they’re putting on social media, for example. I mean, it sounds trite, but a lot of the errors and the problems that we’re talking about here with regards to cybersecurity really come down to the person. When I give lectures and talks, I say that cybersecurity has three elements: the hardware (the devices), the software (the stuff that runs on the devices), and the wetware.
And the wetware is the most complicated computer in the world. But it’s also the easiest one to exploit. And that’s the human brain. And if we have people that are lazy in how they develop code, if they’re lazy in how they administer networks and servers, if they don’t follow processes and policies, best practices, you’re going to have problems. So, a lot of these issues ultimately come back to creating a more well-rounded and informed user, whether that person is an end-user, an administrator, or a developer. It all comes back to people. It’s not just a technology problem.
Smedley:
Well, if we kind of controlled, I’m never a big believer in controlling the way things go out, but I think we have to control the way people push anything out in social media today. I never thought I would ever say that coming out of a journalist, but I have to tell you the things that go out in social media today are just dreadful, dreadful.
Forno:
That’s a whole separate issue where you see the intersection of technology, the ability for people to put that stuff out there, and the law, First Amendment protections in this country, and commercial contracts between the company and the person who posts it. So that’s really a first world problem that we’re grappling with these days.
Smedley:
Well, it goes back to what you just said. But even on the Wetware that you just described, somebody could send something out and cause harm and it was, you know, “I thought I was just goofing around.” And they cause just genuine harm in so many other ways.
Forno:
Oh, sure.
Smedley:
I think that as a society we just don’t realize what we’ve done. But that’s probably another discussion at a whole other time. But when you look at all of these things, what does the future hold in a bigger way? When we look at this right now, are we, as a society, looking at whether we’ve moved too fast? And why is it so important for companies to have technology policies in place? Do they need to do it themselves? Do they need to be working with partners to really be one step in front of the other? Because, as I was saying in the first segment, I really think they need to understand what they’re doing. Because there’s got to be a right vision for implementing technology. You have to have the right people, the right practices, the right policies. And I’m curious what your vision is; you know it way better than I.
Forno:
Well, the first thing for a company or an enterprise is, when you see a new technology or a new product that you think would bring benefit and added value to your company or your customers, look at it and then bring it into your lab environments and play with it, see how it works, and really think it through. Take a very NASA mission control, methodical approach to this technology to understand its role and potential role in your organization. And identify both the benefits and the possible trade-offs and consequences if you decide to really embrace and roll this thing out. That’s always a good first step.
Beyond that, companies of all sorts, whether it’s Equifax or your local power company, need to, and many do, have strong policies and procedures in place governing cybersecurity and technology administration. The problem is the best policies are still easily circumvented by people who don’t follow them. Or they don’t get around to doing something because work got in the way. So we did not upgrade our latest software to protect our firewall. Life gets in the way of these things, and we really, I think, need to focus less on control and more on resiliency. How can we as a society, or an individual, or a company function in the face of adversity, whatever that might be?
Smedley:
Talk about that.
Forno:
That’s what I think the future thinking needs to be.
Smedley:
Talk about why resiliency is so important because I think a lot of companies don’t put enough emphasis on that.
Forno:
Well, resiliency, I mean, earlier in my career, I was in a dot.com company, and we had what we called denial-of-service attacks hit our sites many times when they would try to shut our sites down, and our rule of thumb was we would rather get 10% of our daily traffic and still have some money coming in than shut everything down and fix the problem right away. Let’s stay functional to some degree even though we’ve got this bigger problem we’re dealing with. That’s this function of resiliency and risk management. We made a decision that we’d rather see some revenue coming in on an hourly basis.
Resiliency for an individual is not being so dependent on a technology that we forget what it means to be human. Not to get too metaphysical on you, but when I teach undergrads in our computer science ethics course, I ask them who has a smartphone, and they all raise their hands. They’ve all got iPhones and Samsungs, Androids. I say, “Okay, now what if you’re in a car accident, and I come to help you, and you tell me to call your mom for help. Your phone is broken. How do I call your mom?” “Well, just pick up your phone and call mom?” “Well, I don’t know your mother’s number.” I ask the students, “Do you know the top three or four phone numbers that you dial on a regular basis?” The answer usually is no, they don’t. That’s a very basic level of resiliency. If I give you my phone, can you call home?
So, at an individual level, resiliency allows us to stay functional as people and to get things done. At an enterprise or a national level, it allows us to, again, keep money flowing, keep government operations going. Look at what’s happening in cities like Baltimore and Atlanta with these ransomware cases that shut down entire government agencies. Dealing with that and trying to minimize that impact should be a function of resiliency. Can we stay functional when this bad stuff is taking place?
Smedley:
So, is that knowing how to address being functional, but knowing what to happen, knowing how to respond when there’s somebody…. You have a ransomware, that whole idea, what happened in Baltimore. When someone says, “Hey, we’re going to take you down,” and knowing how to publicly address it is also, that is important, right?
Forno:
Right. What’s the fallback? What is your backup plan, your fallback plan? Wall Street’s a good example, 9/11. When the attacks happened on 9/11 up in New York, the banks, the brokerages, and the stock exchanges immediately shifted all their activities to backup centers in New Jersey that were out of the blast radius, if you will. They could still close out trades and kind of stay functional. They had planned for a scenario like this, and that’s a function of resiliency. Closer to the individual’s case, having a printer that plugs directly into your computer versus one that requires a network connection to a printer down the hall, that’s functional resiliency. If your network goes down or your print server goes down, and you’ve got to print that contract out, what are you going to do? If you’ve got a printer connected to your computer, you can print it out all you want.
Smedley:
Do you think enough…. I mean, when you’re a small company, you have to think differently than when you’re a really large company. So, when we think overall right now, and you’ve given that great idea of resiliency. When we think also then of privacy, just in privacy right now, is resiliency and privacy two different things that people need to think about because I think sometimes, they think…. We’ve got just about two and a half minutes left. Do people interchange them? Are they completely different in their mind? Should they be thinking about them differently?
Forno:
I think people may conflate the two, but they’re complementary. Being resilient might mean I’m not on Facebook, and I’m not, so if I want to know what’s happening in your world, I’ll have to call you on the phone or find you on Twitter or send you an email to share your pictures. So, there’s sort of a back channel. It may not be as convenient or as efficient, but there’s an alternative process available. That helps protect my privacy online if I’m not on Facebook, but it also means I’ve got a way of communicating with you that is outside of the Facebook walled garden. And that’s a whole other discussion about resiliency in the face of an internet that’s being increasingly walled off by large companies like Apple or Facebook or Google or Amazon, but that’s another discussion.
Smedley:
When you look at the bigger picture right now and you’re seeing everything, is there one or two things that you would give now and say, “Here’s my three points I want to summarize for everyone. This is what I want you to think about as a takeaway from this conversation today”?
Forno:
Sure. The first I would say is, again, resiliency. Think through our use of technology and what we’re doing with it, and do we really need to embrace everything that we’re told to embrace by companies or the media? Secondly, I would say we need to create an informed digital citizenry that understands things like being able to do some due diligence on an email they get to verify it’s legitimate, not believe things that you’re simply seeing on social media. If it sounds too good to be true, it probably is.
Think before we click. Think before we retweet. Things like that will go a long way because as we’re seeing in this year with the political season starting, cyber and the real world are becoming very intertwined, and I think the politics of the modern day kind of breaks that wall down where activities in cyberspace, whether it’s political influence, does sort of transcend the real world with political campaigning. We need to have a population that is intelligent and critical thinking enough to separate fact from fiction and noise from influence. That’s a very, very hard process, and it’ll take a long time to implement.