"Internet Insurrection," and the changing economics of cybercrime
A panel on "Internet Insurrection," that is, deception, disinformation, malware, and adware, was held on March 7th, 2018. Moderated by Chris Olson (CEO, The Media Trust), the panel included Jerry Archer (Sr. VP & CSO, Sallie Mae), Alexander Garcia-Tobar (CEO & co-founder, Valimail), and Ondrej Krehel (CEO & founder, LIFARS).
Olson set the stage by describing the digital environment that emerges from many actors working together. This should prompt us to ask: what are we doing to consumers or users when they visit our assets? He then asked the customary kick-off question in discussions of threat environments: what keeps you up at night?
Archer gave a one-word answer: authentication. "Credential stuffing has become the scourge of the Internet--it will replace ransomware this year as the principal threat," he said. "We have to make sure the tags and attachments on our sites are working. We need to watch carefully that we don't become an inadvertent middle-man. Identity and access management are our big concerns." Krehel pointed out that we're all very close, on the Internet, and there are a lot of trained military personnel who've moved into the criminal world. "You can just find your free cyber AK47 online without difficulty." Garcia-Tobar saw major issues surrounding our reliance on unauthenticated email communication channels. "We need to get companies and government agencies to authenticate their email, so you can lock down that the email is from whom it appears to be."
Since he was both moderator and panelist, Olson answered his own question. "We live in the digital economy," he said. "We find that most enterprises don't know whom they do business with, on the digital side of their work. Facebook and Google wouldn't serve fake news if they knew whom they did business with." But hardening against this is still a slow process. "We still live in a detect-and-notify world. That will change, but the digital ecosystem is still the Wild West. Fake news is a wonderful topic--it's all over the WSJ and CNBC. We don't know who's doing what."
Noting that the US Federal Trade Commission (FTC) has just taken a company to task because it sustained a successful credential stuffing attack, Archer asked the audience to recognize that this was a bellwether case. "What's our role in authenticating a customer? It will have to be something like behavioral analysis." There must be other ways of authentication beyond the demonstrably insufficient username and password. "These are the cyber criminals' least path of resistance. The government has said, you're responsible for not authenticating the customer, and that's a big change. You're now responsible for your customer's endpoint."
If you're going to enforce regulations against companies, Krehel said, you'd also like to enforce costs on the criminals, but this seems unlikely to happen. "Whack-a-mole won't work," in Garcia-Tobar's view. "If you don't know if you can trust the other side, it gets very hard to know that anyone's safe. Fundamentally the Internet has disintermediated us. We have to recreate trust."
Archer did say he was seeing some positive developments in the cloud, like immutable workloads, which are now a reality. "Now you need another version of the workload. You test it, etc., then you decide you want to put it into production. You destroy the old, replace it with the new." Krehel agreed that the cloud offered good opportunities for immutable workloads. "But consider the US," he added. "Half the people in this room are digitally naked, their credentials and identity fully exposed. We have no effective system to protect these people." Authenticating the person properly will be a great challenge, as the system exists today.
So authentication is crucial: consider what your website, or your app, is doing to the ecosystem. As Olson noted, malware is served by third-party code. The GDPR and the FTC increasingly require a high level of insight into your place in the digital ecosystem. If you fail to have such insight, you're placed in the position of violating consumers' trust. The panelists agreed. "Anyone who has an adverse interaction with someone that seems to involve you, you're going to be blamed," said Garcia-Tobar. "Companies need to start thinking beyond the fortress, and in terms of all the interactions."
International realities limit what governments can do to protect companies from the bad actors. "As long as you have criminal safe harbors," Archer said, "governments can't go after the perpetrator, so they seem to have to go after the company (which is actually a victim) and force them to increase their security. It's a backwards mentality, but it's the only one available to the government." We have to stop the bad guy from being the bad guy, he added. In Garcia-Tobar's formulation, this became, "Don't be the easiest guy to attack. We need to raise the bar on the difficulty of attacking." This is difficult but not impossible to do. As Archer said, "If you take away monetization, most cybercriminals are economically rational. If you can make it economically unfeasible, you'll make progress. People steal vast quantities of data because we aggregate it. Why don't we disaggregate it? But if you work on the detect-react model, exclusively, it's a lost cause."
Krehel offered a final thought: "Human talent creates code; human talent attacks code."