Your Smartphone Is ALWAYS Listening: Q&A With Cybersecurity Expert Moschovitis

“The Facebook data appropriation by Cambridge Analytica is just the tip of the iceberg, according to cybersecurity experts. In fact, our data is being culled from a variety of sources and our ability to stop it is essentially impossible.”

Read the full interview with Chris Moschovitis on Media Post.

Clear and Present Danger, V 2.0

This is the second version of my previously published editorial. I was compelled to update it because of two key developments:

First, on the morning of May 23rd, 2018, Jim Finkle and Pavel Polityuk of Reuters reported that “Cyber firms, Ukraine warn of planned Russian attack,” the fourth such cyberattack, following the 2015 and 2016 power grid attacks and the 2017 malware attack that, after crippling Ukraine, spread to the rest of the world.

Second, Microsoft’s President Brad Smith announced at RSA 2018 the signing of the Cybersecurity Tech Accord involving 34 tech companies. It is an attempt to create a digital “Geneva Convention” to establish behavioral norms in terms of cybersecurity and privacy. We all know how well the Geneva Convention worked, so why not repeat it? Just ask any of the multiple genocide victims between 1929 and today. The Geneva Convention is not NATO, nor The Warsaw Pact. It’s a “let’s get along” pledge with no teeth!

This is the real never-ending story! A story repeatedly reported, but — seemingly — of little consequence: Actions speak louder than words, and we have a plethora of the latter, but none of the former.

Let’s go back to December 13th 2016 when the New York Times published a feature article titled “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.” In it Eric Lipton, David Sanger and Scott Shane did an excellent job in framing, in detail, the recent state-sponsored cyberattack against United States interests.

Russia is not alone in excelling at cyberwarfare. Many nation-states see this as the new “arms race.” They believe, rightly so, that this is a race they can win. North Korea, Iran, and China have demonstrated their capabilities time and again. So have the United States and Israel. There is little doubt that practically every country is actively participating in the development, management, and deployment of cyberwarfare infrastructure. They all are, and they are building massive defensive and offensive cyberwarfare capabilities. Moreover, they are “in it to win it,” and they think they can.

What has made Russia’s cyberattack particularly egregious is not that it is the first, but that it is a blatant, “in your face,” show of power, ridiculing the last superpower standing. And, of course, it continues unabated. What makes it particularly deadly is that it is coupled with Russia’s deep scholarship in propaganda. I have read recent interviews from officials downplaying and demeaning Russian propaganda as “par for the course,” and “things we’ve seen before from the Russians.” If so, then we have not learned, and that has cost us dearly. We have been badly defeated and ridiculed by what we all thought was a vanquished enemy of a cold war gone dead. In my view, news of the enemy’s demise is premature, and the cold war is very far from over.

On April 4th 1949, with the memories of the second world war brutally fresh, an alliance was formed between the United States, Canada, and several European countries. The North Atlantic Treaty Organization (NATO) was formed. Article 1 of the treaty reads: “The Parties undertake, as set forth in the Charter of the United Nations, to settle any international dispute in which they may be involved by peaceful means in such a manner that international peace and security and justice are not endangered, and to refrain in their international relations from the threat or use of force in any manner inconsistent with the purposes of the United Nations.”

Many more treaties followed, and the world’s doomsday clock reflected the threat: 7 minutes to midnight in 1947. 3 minutes in 1949, after the first USSR nuclear test. 17 minutes — the lowest value — in 1991. Now, it is back to 3 minutes to midnight.

The lowest value, 17 minutes to midnight, was reached when the world thought the cold war to be over, and the United States and Russia were engaged in nuclear arms reduction. Since 2015 it is back to 3 minutes as “Unchecked climate change, global nuclear weapons modernizations, and outsized nuclear weapons arsenals pose extraordinary and undeniable threats to the continued existence of humanity,” and world leaders fail to act.

Sadly, this is not their only failure. As catastrophically serious as both climate change and nuclear arsenals are, and of that there should be no doubt, a third blight has surfaced: Cyberwar. Most think that hacking or cyberwarfare is a threat, to be sure, but not on the same level as nuclear weapons. Yes, millions of dollars may be lost, political careers ruined, and service interruptions may be inconvenient, but a cyberwar is thought to be confined to the virtual world, not the real one. They are deadly wrong.

Acts of cyberwarfare may have already claimed lives in Ukraine, when Russian hackers attacked that country’s power grid, leaving almost a quarter million residents without power. Lives may have been lost when the centrifuges in Iran’s nuclear enrichment facility were destroyed by Stuxnet, a suspected U.S. / Israeli cyberweapon. And, of course, there are many victims of cyberbullying who took their own lives, demonstrating the power of reputational damage, an easily attainable effect of hacking any individual’s life story.

Experts warn of the certainty of real human casualties from cyberwarfare. Consider what would happen if the electrical grid were hacked and the country, or regions of it, went dark for weeks on end. Ted Koppel did in his “Lights Out” book, and the implications are devastating. Consider the ramifications of hacking medical records and facilities, water purification plants, traffic control, or telecommunications. I am sure that you can come up with your own nightmare scenario that leaves thousands, if not hundreds of thousands, dead or injured, and our country in chaos.

I also have no doubt that there are brilliant minds working around the clock in our security services who continuously analyze and respond to these threats, as well as advise our leaders. But, I know from experience, their advice frequently falls on deaf ears. Just as executives don’t want to hear about risk, be it cyber, technology, or otherwise, so, I suspect, do government “executives.” Certainly, recent rhetoric on the value of intelligence briefings demonstrates this, as does the inaction and hesitation of the Obama White House in responding to the Russian attack against our political process.

We need a concentrated effort on this new front for the survival of humanity. We need our leaders to be educated about and alert to the danger this poses. We need our people to be sensitized to the danger of cyberattacks, think “duck and cover” for the cyber age. We need our allies to reinvigorate their frameworks for resolving conflicts peacefully to include cyberwarfare. A cyberattack on one country should be considered an attack on us all, with the commensurate and immediate response. And, we need our international organizations to recognize the danger of cyber actor proliferation and take immediate and decisive action.

It’s a start, when nothing less will do. My Cyber Clock is, now, reset to 30 seconds to midnight, and ticking…

On December 13th the New York Times published a feature article titled “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.” In it Eric Lipton, David Sanger and Scott Shane do an excellent job in framing, in detail, the recent state-sponsored cyber attack against United States interests. But, the story doesn’t end there.

Russia is not alone in excelling at cyber warfare. Many nation-states see this as the new arms race. They believe, rightly so, that this is a race they can win. North Korea, Iran, and China have demonstrated their capabilities time and again. So have the United States and Israel. There is little doubt that practically every country is actively participating in the development, management, and deployment of cyber warfare infrastructure. They all are, and they are building massive defensive and offensive cyber warfare capabilities. Moreover, they are “in it to win it,” and they think they can.

What has made Russia’s cyber attack particularly egregious is not that it is the first, but that it is a blatant, “in your face,” show of power, ridiculing the last superpower standing. What makes it particularly deadly is that it is coupled with Russia’s deep scholarship in propaganda. I have read recent interviews from officials downplaying and demeaning Russian propaganda as “par for the course,” and “things we’ve seen before from the Russians.” If so, then we have not learned, and that has cost us dearly. We have been badly defeated and ridiculed by what we all thought was a vanquished enemy of a cold war gone dead. In my view, news of the enemy’s demise is premature, and the cold war is very far from over.

On April 4th 1949, with the memories of the second world war brutally fresh, an alliance was formed between the United States, Canada, and several European countries. The North Atlantic Treaty Organization (NATO) was formed. Article 1 of the treaty reads: “The Parties undertake, as set forth in the Charter of the United Nations, to settle any international dispute in which they may be involved by peaceful means in such a manner that international peace and security and justice are not endangered, and to refrain in their international relations from the threat or use of force in any manner inconsistent with the purposes of the United Nations.”

Many more treaties followed, and the world’s doomsday clock reflected the threat: 7 minutes to midnight in 1947. 3 minutes in 1949, after the first USSR nuclear test. 17 minutes — the lowest value — in 1991. Now, it is back to 3 minutes to midnight.

The lowest value, 17 minutes to midnight, was reached when the world thought the cold war to be over, and the United States and Russia were engaged in nuclear arms reduction. Since 2015 it is back to 3 minutes as “Unchecked climate change, global nuclear weapons modernizations, and outsized nuclear weapons arsenals pose extraordinary and undeniable threats to the continued existence of humanity,” and world leaders fail to act.

Sadly, this is not their only failure. As catastrophically serious as both climate change and nuclear arsenals are, and of that there should be no doubt, a third blight has surfaced: Cyber War. Most think that hacking or cyber warfare is a threat, to be sure, but not on the same level as nuclear weapons. Yes, millions of dollars may be lost, political careers ruined, and service interruptions may be inconvenient, but a cyber war is thought to be confined to the virtual world, not the real one. They are deadly wrong.

Acts of cyber warfare may have already claimed lives in Ukraine, when Russian hackers attacked that country’s power grid, leaving almost a quarter million residents without power. Lives may have been lost when the centrifuges in Iran’s nuclear enrichment facility were destroyed by Stuxnet, a suspected U.S. / Israeli cyber weapon. And, of course, there are many victims of cyber-bullying who took their own lives, demonstrating the power of reputational damage, an easily attainable effect of hacking any individual’s life story.

Experts warn of the certainty of real human casualties from cyber warfare. Consider what would happen if the electrical grid were hacked and the country, or regions of it, went dark for weeks on end. Ted Koppel did in his “Lights Out” book, and the implications are devastating. Consider the ramifications of hacking medical records, devices and facilities, water purification plants, traffic control, or telecommunications. I am sure that you can come up with your own nightmare scenario that leaves thousands, if not hundreds of thousands, dead or injured, and our country in chaos.

I also have no doubt that there are brilliant minds working around the clock in our security services who continuously analyze and respond to these threats, as well as advise our leaders.

But, I know from experience, their advice frequently falls on deaf ears.

Just as executives don’t want to hear about risk, be it cyber, technology, or otherwise, so, I suspect, do government “executives.” Certainly, recent rhetoric on the value of intelligence briefings demonstrates this, as do the inaction and hesitation of the Obama White House in responding to the Russian attack against our political process, and the flaccid reaction of the fourth estate in the face of fake news sites.

We need a concentrated effort on this new front for the survival of humanity. Confidentiality, Integrity, Availability, and Safety — the four pillars of cybersecurity — are now as fundamental to our lives as freedom of expression, movement, assembly and all the rights we have taken for granted as inalienable.

We need our leaders to be educated about and alert to the danger that cyber warfare poses. We need our people to be better educated in navigating the information highway, and sensitized to the danger of cyber attacks — think “duck and cover” for the cyber age.

Finally, we need to join with our allies and reinvigorate our frameworks for resolving conflicts peacefully to include cyber warfare. A cyber attack on one country should be considered an attack on us all, with the commensurate and immediate response. And, we need all international organizations to recognize the danger of cyber actor and weapons proliferation and take immediate and decisive action.

It’s a start, when nothing less will do. My Cyber Clock has been reset. 45 Seconds to midnight, and ticking…

Cybersecurity

In this incredibly informative video, Chris Moschovitis discusses the state of cybersecurity, how businesses can protect themselves, and what elements of your organization need to be closely examined in order to be fully prepared for a potential breach of privacy.

Cybersecurity Program Development for Business Video Series

In this 9-part video series, Chris Moschovitis, author of Cybersecurity Program Development for Business, discusses all aspects of cybersecurity. From understanding risk to managing the impact of an attack after it’s happened, Chris breaks down an organization’s step-by-step to-do list for protecting itself against cyber risk.

Watch the Video Series Here

Nefarious Cyber

Chris Moschovitis, author of Cybersecurity Program Development for Business, sits down to discuss security in large organizations and for individuals alike.

IoT

Chris Moschovitis, author of Cybersecurity Program Development for Business, sits down to discuss the intersection of cybersecurity and the Internet of Things.

A Chat with Chris Moschovitis

Chris, congratulations on the book! Let’s start by talking about your past a little bit. What do you remember about your first interactions with computers? Was there a moment when you thought, “Yeah, I’m going to be involved with this for my whole life?”

My first interaction with a computer was as a teenager in Greece. My friend Sotos was working for UNIVAC (now UNISYS), and he was charged with reporting the results of the world-famous 3-day annual automobile race called the Acropolis Rally. He asked me to help him. I was in high school at the time, and he had just returned from the United States with his Masters in Computer Science from the University of Michigan. This was in 1978, and the computer was the size of a mini refrigerator, just as loud and clunky, and would only take 8-inch floppy disks!

Right then and there, I knew. This was amazing! I wanted in.

Scroll forward about 7 years, and I was the recently appointed director of academic computing at Pratt. I vividly remember the first IBM personal computer (the AT) arriving at the university. It had a 10MB hard disk, and formatting the drive took, oh! I don’t know… it seemed like hours, but I loved it. I loved everything about it! Tinkering, troubleshooting, teaching others about computers, everything about it.

Then, I got involved with BITNET, a precursor to the Internet used at some universities, and it was all downhill from there! Before you know it, we were killing viruses that were propagating via floppy disk! What’s not to love?

Ah, the good old days! Tell me, aside from the method of attack (networks instead of floppies, etc.), what has changed about the “threat landscape” since you got started, and what, if anything, has remained consistent? Clearly, there is a lot more at stake these days than there used to be.

A lot has changed. Certainly the “vectors,” as you suggest, have changed, and that will continue. The more the technology changes and advances, the more new vectors (i.e., ways to attack) and new, sophisticated payloads (i.e., malware, viruses, etc.) will evolve with it.

The motives have also changed. Early on, it was mostly a game for hackers—just trying to see what they could do. Later, it became about espionage. And the profit motive followed soon after that. These days, it’s almost entirely about the money, though of course, espionage and cyberwarfare are still huge concerns.

The thing that has remained the same is our inability—and frankly, often our unwillingness—to confront this risk. Prevention is almost never a priority. That has not changed, and we pay for it every day.

What about information technology as a field? How has the game changed since you got started?

I think the profession evolved to keep pace with the technology. We went from mainframes to minicomputers to desktops, laptops, and smartphones. Networking was evolving right along with the devices, connecting them faster and better.

Those of us who were on board early on followed this evolution. For instance, I didn’t study “networking,” I studied computer science. I learned programming in languages like Fortran and COBOL, and I learned computer architecture and engineering. As far as “modern” IT goes, I learned right next to the people that were developing the concepts and testing them out. The speed of this evolution was, and remains, so blindingly fast that staying on top of it becomes a full-time job. Even now that computer science students study the current state of the field, by the time they have their degree in hand and start work, the landscape has changed.

Sounds like it can be very tough to keep up with it all! But this makes me think about how the fundamentals of cybersecurity are as much a question of psychology as they are technology. Reading your book, I was struck by the massive role basic human psychology plays in dealing with cybersecurity issues. After all, fancy terms like “social engineering” and “phishing” are really nothing more than conning somebody out of their password.

Yes, you are right! Many executives miss that and think about cybersecurity in terms of the technology only. But cybersecurity is all about people and asset preservation. Hackers get to these assets by first compromising people. And the truth is, people are much easier to compromise than a sophisticated defense-in-depth cybersecurity program. Anthropologists, psychologists, and sociologists can be invaluable to an organization that needs to build and maintain a sophisticated cybersecurity defense.

Thinking back on all the different organizations you’ve interacted with over the years, what personal qualities make for the most successful cybersecurity efforts? What behaviors or personality types should executives seek out and/or incentivize?

The most successful cybersecurity efforts are those that are sponsored and actively evangelized from the top. If there is no buy-in from the board and the C-Suite, the program will fail. That’s a guarantee. Paying “lip service” to a cybersecurity initiative is condemning it to failure.

Therefore, the first personal quality that I look for in the board and the executive team is sincerity and transparency in what they say and how they follow up. The second quality—and again this goes from the top down—is engagement. A company with engaged management and engaged employees will have a far better chance to succeed in rolling out a cybersecurity program than a company with disengaged, unhappy, and isolated employees and managers. If the question is what to incentivize, I’d say invest in your culture! Start there, and success will follow!

What are the mistakes that you see companies making again and again when it comes to cybersecurity?

The most serious mistake that I see is that companies confuse cybersecurity with Information Technology. They think of cybersecurity as an “IT” problem. It is not. It is a risk-management problem. Companies need to understand that cybersecurity and IT are two parallel tracks: IT creates value, and cybersecurity protects value. One cannot “report” into the other, or the “train” derails. We need to understand this and plan accordingly.

Do you find that IT departments themselves have trouble understanding this distinction? Or is that more of a boardroom issue?

Both. It’s easy for the boardroom, or the C-Suite, to shift responsibility to the IT department. “The tech people handle this…” is a common answer from these types of companies, and the first sign of serious trouble ahead.

For their part, the IT folks can become possessive, guarding “their territory” at all costs. After all, they recognize that cybersecurity can, and should, audit IT. If they “own” the cybersecurity function, then they “audit” themselves, and to no surprise, they find little to be concerned about. No matter what IT tells you, they should not run cybersecurity. Even the best IT professionals will be biased towards their own shop. The functions must be separate.

I imagine it can be challenging for executives who don’t specialize in technology to deal with IT specialists who, let’s be honest, are not necessarily known for their bedside manner! What advice would you give to folks who are maybe a little intimidated by the geeks in the server room?

It takes two to tango! Yes, the “geeks in the server room” need to learn to explain things in business terms. But, the “geeks in the boardroom” need to meet them halfway. This is a major driver behind my book – establishing a simple, understandable language for all involved. That’s step one. Neither party can handshake alone. So, my advice? Start by engaging each other. Go to lunch! Go have a drink! Start learning from each other! It’s all about relationships and communications. Be genuinely interested in one another, and before you know it, you’ll have one big happy family!

Original interview was published on Cybersecurity for Business.

For Lawyers and Law Firms

In my most recent piece for New York Law Journal, I look at and discuss in detail how lawyers and law firms can mitigate cyber risk with the right cybersecurity controls.

The first step: “We need to recognize there is no ‘one size fits all’ solution.”

Read the full piece here: For Lawyers and Law Firms

Cybersecurity and Due Care for Law Firms

In my article for New York Law Journal, I explore how law firms can get more involved in their cybersecurity initiatives as well as how to care for themselves, their clients, and their employees.

Read the full article here: Cybersecurity and Due Care for Law Firms

When Bad Hacks Happen to Good Real Estate People

Have you ever wondered how a doctor feels when delivering a bad diagnosis to a friend or family member? When a real estate friend reached out to me with a case of a nasty laptop hack, I knew the situation was bad. Theirs wasn’t a life or death case, but a real estate agent’s professional life depends on information technology, and experiencing a bad hack can have a colossal negative impact on their financial well-being. Read more about when bad hacks happen to good real estate people in my latest article in the New York Real Estate Journal here.