Data Sheet—Saturday, June 24, 2017
A lesson to be drawn from my feature, published Friday, on Google’s Project Zero, the search giant’s elite computer bug hunting squad, is: You can do everything in your power to make sure your digital defenses are up to snuff, but that’s not going to help if a key partner is vulnerable. Attackers tend to aim for the weak link.
Google learned this the hard way when hackers associated with the Chinese government breached its systems in 2009 through a hole in Microsoft Internet Explorer 6. For Google executives, the intrusion provided groundwork that eventually helped justify the creation of an internal unit devoted to scouring the web for flaws in other companies’ code and demanding they be fixed. Since Project Zero’s founding in 2014, the team has shepherded along a slew of security improvements in non-Google products, albeit not without occasionally clashing with the company’s biggest rivals, such as Microsoft, Apple, and others. (You can read more about the bug-squashing SWAT team’s trials and travails here.)
This notion of the perils of tightly knit networks was on my mind Thursday while moderating a panel on third party risk for the New York information security meetup group. Eric Olson, vice president of intelligence operations at the cybersecurity firm LookingGlass, said he was amazed to see recognition of this bubbling up into public consciousness lately. He cited a recent story in Variety about how hackers had targeted a Hollywood post-production studio to get their hands on Netflix episodes for leaking. Netflix may take security seriously, but if its partners do not, then its efforts may as well be for naught.
Another panelist, Shaun Belders, head of Bloomberg’s vendor risk assessment program, mentioned that enacting preventative measures can get tricky even within an organization. He shared an anecdote about how he once was placed in the uncomfortable position of having to inform his boss, Michael Bloomberg, that he did not have access to certain company data due to strict corporate firewall policies. In the interest of cybersecurity, sometimes even the CEO gets locked out.
The lesson is simple: Businesses shouldn’t leave security to chance. In the presence of escalating digital threats against consumers and corporations—expertly detailed in “Hacked,” Fortune’s July cover story—perhaps more defenders should take a cue from Project Zero. Go on the offensive. Even if it means holding peers, partners, and bosses to the strictest standards.
I’ll show you mine if you don’t show me the door. Big western tech companies are reportedly sharing source code with Russian officials after the country adopted new cybersecurity laws demanding the firms do so. Members of Russia’s FSB, successor to the Soviet era KGB, are ostensibly trying to ensure that U.S. spies have not inserted any backdoors into security and networking products sold in Russia. The reviews also give Moscow, an American adversary, the ability to find potentially exploitable vulnerabilities in the products of major companies: Cisco, IBM, and SAP among them. (Reuters)
That’s a wrap. President Donald Trump finally denied having recorded private conversations between himself and former FBI director James Comey, after having sparked speculation that he might have with a suggestive Tweet posted last month. In his Senate Intelligence Committee hearing earlier this month, Comey lit up the room when he welcomed the then alleged’s audio tapes becoming public: “Lordy, I hope there are tapes!” (Fortune, Washington Post)
Flash crash! For brief moment on Wednesday, the price of Ether, the cryptocurrency associated with the decentralized computer network Ethereum, face-planted. The market value on Coinbase’s GDAX rapidly plummeted from $350 to $0.10 after a big trade caused a cascade of stop loss orders to trigger. Although the price quickly recovered, many traders got burned. (Fortune, Coinbase)
Lights out, Kiev. Russia has ben using Ukraine as a lab to test out terrifying digital attacks. In this gripping account of a recent cyberattack-induced blackout in the ex-Soviet state, cybersecurity experts warn that Moscow may someday kick off the training wheels and launch a larger attack elsewhere. In case you think these fears are overblown, consider that President Trump met this week with security pros to discuss how to “effectively combat threats against the energy sector, particularly the power grid.” Hopefully, it won’t ever come to that. (Wired, White House)
Hungry? Why wait? Well, this is why—if you work at the CIA.