Policy/Procedures, C&A, Vulnerability Assessment, Penetration Testing, Mitigation, SAAS (Cloud), Disaster Recovery, Training, Data Encryption, Safeguard Implementation, Programming, 365/24/7 Support, Architecture, Cloud, Network, Helpdesk, Maintenance and Support, Physical Security, Product Reseller: Hardware, Software, Security, Upgrades/Maintenance
The threat of all-out cyber warfare is looming.
That sentence may sound exaggerated, alarmist – the kind of thing you’d expect to see in a clickbait headline. However, according to Shawn Key, an expert in cybersecurity with about 20 years in the business, it’s one of modern life’s hard truths.
Key, who works directly with Stratford University to train anti-hackers, was frank in explaining just how imminent a large-scale cyberattack is, all while drawing a picture of what one would look like and what we can do to prepare.
Innovation & Tech Today: What is the biggest threat right now with regards to cybersecurity?
Shawn Key: Let’s call it the emerging threat, not the biggest threat. I’ve said many times that the Internet of Things is also the Internet of Threats, and my concern is that we have this mass propagation of new, untested devices, and everyone wants to be first in the market with capabilities. And while they like to use terms like “baked-in security,” the reality is that that isn’t happening. So, with thousands of new devices connecting every day, the hackers are always one step ahead.
And we’re putting infrastructure in place that’s just not secure. And I’ll give you a quick in-the-weeds example. Companies like mine frankly that are encouraged to be entrepreneurs and innovative, the investors pressure us to get out a minimum viable product (MVP). They’ll have the most basic functionality, get something out there so we can start getting a return on revenue, and we’ll figure out the rest in phase two as we go along.
The problem is if you’re putting out your most basic functionality, you’re not putting in the money into testing and security, and something is now in the wild that consumers are using that is very problematic. And, to tie this all in, I use the word “consumers” because the last big attack we saw that took a lot of press was the East to West shutdown of a lot of the social media networks.
And it wasn’t that the actual vendors themselves had been shut down. The availability had been killed because major internet routers had been compromised. And the primary source of this failure, or what contributed to these hackers, was a distributed denial of service that was occurring on all of these [pure data] set path devices, you know, that Comcast puts out: drives and files. So, you have all these unwitting soldiers, electronic soldiers if you will, that are contributing to the hackers’ mission, and the consumers didn’t have a clue. All they had to do was leave the device on. The fear…the “cyber Pearl Harbor”… is that it’s not going to be our social media that’s affected next; it’s going to be infrastructure.
You’re gonna see a city like Los Angeles go down. And, all of a sudden, now we don’t have power. And it’s not that we just don’t have computers. Your refrigerator’s not working, so your food’s spoiling. And everybody’s mass panicking and trying to get to the store and clearing them out. Maybe the grocery store has lost power, so everything’s getting ready to spoil. It’s going to affect your heating and air conditioning. That’s another thing to mention. All these smart devices, they are connected to the internet. So, what happens when somebody hacks that and they’re running it at 90 degrees heat in the winter or 60 degrees cool in the summer, and you can’t do anything about it?
I&T Today: I remember you mentioning something about this power grid attack in the past, and you just mentioned again here. What do you mean by that? What is that? What does that look like?
SK: There’s an overwhelming alarm at the federal level of “What if our grid goes down?” The actual power grid that connects pretty much the [entire] country. But I look at this as being smaller in demographic. If the devices that distribute power in a metropolitan area are focused on it to go down, it doesn’t mean the whole grid has to. It’s a sizable population of people. Just think of what happens in the summertime from time to time when New York has a power outage just because everything overheated. Multiply that by ten and then it’s not as simple as “Hey, the electric engineers have to get a transformer back going.” These are now unknown security attacks that have occurred. We’ve got to figure out how it happened. How we recover, can we recover, how long it’s gonna take. And it becomes a much more serious problem. And that’s a legitimate fear. I’ll say this: there are some cities that without doubt have had some coordinated attacks that caused temporary outages. And it has not been publicized. It’s typically…how do I want to phrase this? It’s usually blamed on something else. I dare not want to call out anyone…Let’s just say they can get very creative with the origin of what happened.
I&T Today: Would you be able to point out any specific instances or is that a little too speculative maybe?
Shawn Key: It’s absolutely occurred in Michigan. And if you do a tiny bit of Googling, you’ll see a bunch of articles that allude to when and what happened. Also, so far as to allege that the last-minute maintenance of the D.C. metro system…that all of a sudden everything was shut down after a fire, and they said it was planned maintenance. Nobody plans maintenance 24 hours before and shuts the entire metro down. That seems to have been some cyber-related attack.
I&T Today: You’ve mentioned that a lot of the legacy systems that are employed in, say, our nuclear facilities are actually protecting us due to the “Internet of Threats” problem that you alluded to. Can you expand a little bit on that?
SK: Sure. You know, in the truest sense, a nuclear silo is placed away from everything else. And what happens with the technology is that it’s security through obscurity. We keep older outdated technologies because they’re not currently connecting to the internet. Not in the sense that a lot of our devices do. So, not being able to actually reach them – requiring someone to go into the silo, maybe with a CD-Rom DVD for upgrades and things – protects us. At the same time, because we are going backwards in technology, we’re not state of the art. It lends itself potentially when things are connected to forward threats that have never been patched or addressed historically. So, it’s kind of a double-edged sword. Security through obscurity can work until you need to connect. And if you don’t have the right counter-measures in place, you’re now 15 years behind and you’re extremely vulnerable. And that’s a constant fight with the nuclear groups.
I&T Today: It’s easy to feel a little helpless and terrified by what’s going on out there in the world of cyber warfare. How would you put me at ease?
SK: Well, I can’t put you at ease right now. I’m going to educate you and open your eyes. That’s step one: being aware. It’s bad. And it’s worse than we even realize. We have nation-states that have spent a decade or more planning for this next level of warfare. And we’re the first to admit our governments say we’re over 200,000 people, minimally, short of the workforce to keep pace. And this is the same thing as being overwhelmed in the battlefield. And that’s a real problem that we have to face right now. The good news is that we are getting the word out. People, especially the younger generation, seem very interested in being ethical hackers and cyber warriors. So, we’re going to catch up.
One of the technologies that we put at Stratford is one of our own. The company here that I’m founder of is called Blind Spot. Most of the security technologies revolve around what I’d like to call digital fingerprints. We know what the bad files look like; they leave some kind of print. Unless you have an exact match of what that file signature looks like, you’re not going to find the bad files. And what we’ve created is a special algorithm that looks for exact and partial matches of these signatures. And this is revolutionary because you’ve got tons of bad files that have to be compared on hundreds of thousands of files on a workstation for example. And we think it’s a disruptive game-changer.