Friday, December 19, 2014

Dear George Clooney - A word about cybersecurity

The following letter was written in response to remarks made by the actor and activist, George Clooney, in this article: Hollywood Cowardice: George Clooney Explains Why Sony Stood Alone In North Korean Cyberterror Attack

Dear Mr. Clooney,

I have great respect for your work sir, on film and off; I have a feeling we hold many of the same views on politics and economics and social justice. So it makes me sad to see how badly people have briefed you on the stark realities of cybersecurity. You seem to be under the impression that America can, with impunity, tell cyber criminals to "bring it on". You appear to be having difficulty understanding why big companies don't want to provoke hackers. Please allow me to explain.

In my own work I have seen the way in which multinational companies generate billions of dollars in profits by applying digital technology to improve productivity. My job has been, for the better part of two decades, advising companies on how to defend this highly profitable digital technology that they deploy.

Sadly, time and again, too many times to count, my fellow security professionals and I run into companies and company executives who reject our advice as too costly to implement, as an unreasonable burden on their business. When we say that the path they are taking comes with a large amount of risk, they either don't believe us or they say, "fine, we'll risk it."

The result? America's corporate ecosystem, like those of many other countries, suffers from systemic cyber weakness to the point where no company today can afford to say "bring it on". Why? Because they know they are not impervious to potentially crippling hacking attacks.

I used to be in the penetration testing business, that's where you pretend to be bad guys in order to test another company's cybersecurity; our guys had a 100% success rate. They always found a way in, and they didn't even break the law to do it. Every pen tester I've ever spoken to has a similar record.

Let me give you some real world numbers to put things in perspective. This summer hackers raided JPMorgan Chase, impacting over 75 million households and 7 million small businesses. The company CEO publicly stated that the bank spends $250 million a year on cybersecurity. And the hackers still got in, which is why the CEO also said he expects the bank to raise that budget to $500 million. Let's assume the extra $250 million is the annual cost to fix the problem and keep hackers out; that amount is less than one sixtieth of the bank's average annual net income over the last five years ($16.5 billion).

And here's the kicker: JP Morgan Chase will not be spending $500 million in 2015, they're going to ramp up to that number over the next five years. In other words, even a huge bank is going to live with risk. However, you can bet they will try to minimize that risk by avoiding confrontation. Surely, you've made enough action movies to know the score here. The bad guys have powerful weapons, weapons against which you do not, as yet, have adequate defenses. Do you choose to fight anyway, even though seasoned experts tell you such a course of action risks the privacy and pocketbooks of thousands, maybe even millions of lives? Or do you regroup, take stock, get smart, harden your defenses, and figure a way forward.

Trust me when I say that is the way things are today. It's not that I don't believe in free speech. But as you know, exercising freedom of speech on the streets, in the real world, well that sometimes requires police protection. In cyberspace there is no police protection to speak of, not yet anyway. Rather than berate those who are being realistic about our current weaknesses, let's put our anger and our energy into demanding companies and governments do a better job of securing our digital assets and defending the digital world.

That's a petition I'd happily sign.


Stephen Cobb, CISSP
Tweet @zcobb if you'd like
to connect or stay in touch


Anonymous said...

Typical Security Mindset. Any company that makes a naive statement like asking hackers to bring it is simply foolish, no matter how secure they are perceived to be. The idea that "cyber-security" folks actually have a real answer, especially if that answer involves more software, is quite humorous. Next time get to point more quickly...

Bob Gezelter said...

Well argued. With all due respect to Mr. Clooney, "Bring it on" is not a strategy for success. It is a high-stakes gamble with a high probability of serious consequences.

steven edward streight said...

I love your forthright remarks about how clueless these dopey CEOs are.

None of them will wake up, unless a cyber attack wipes out all their company's files.

Then watch them howl and moan like the goofy doofus CEO of Sony Pictures is doing now.

Chris Abbey said...

Wholeheartedly agree !