“Skating on stilts.”
That’s the way Stewart Baker once described how the technologies we love will be turned against us in new forms of terrorism.
In fact, he wrote a policy memoir with that title more than a decade ago (subtitled Why We Aren’t Stopping Tomorrow’s Terrorism). It presaged today’s ransomware crisis and other types of cyber assaults on America’s businesses, critical infrastructure, and government agencies.
Today, Baker—whose CV includes serving as America’s first assistant secretary for policy at the Department of Homeland Security—heads the homeland and cybersecurity practices at Steptoe & Johnson LLP and hosts The Cyberlaw Podcast, a weekly “opinionated roundup” of frontline cybersecurity, crypto, privacy, and government news. (The Washington Post has called Baker “one of the most techno-literate lawyers around.”)
As such, he is focused on helping corporate and other clients navigate cyber challenges and industry regulations. He recently spoke to Endpoint about security mistakes companies make in the cloud, the impact of President Biden’s executive order to strengthen cybersecurity, and the need for simple cyber hygiene practices to prevent massive breaches.
What cybersecurity issues should enterprises be most concerned about?
At the risk of being boring—I think the answer is that they have to do the boring stuff first. They have to do all the block-and-tackling of managing and patching their network. Just do all the things that everyone says you should do. Software patching is high on that list. So many of the problems people run into are because they don’t get patching done before they get attacked.
People get burned on failure to patch all the time. The Equifax breach was because of a patch failure. Anybody who hasn’t patched their software within 24 or 48 hours of a release update is at risk. And the window for patching is shrinking all the time.
I don’t think people have fully appreciated the kinds of stupid mistakes you can make in the cloud.
That’s particularly dangerous for enterprises because they want to test patches rather than just install and pray. You need a process that takes you from getting the latest software version, to having something you’re confident will work on your system, to installing it. That is something you need to do very quickly.
What are some of the cyber risks you see in the increasing use of cloud computing?
I don’t think people have fully appreciated the kinds of stupid mistakes you can make in the cloud. The cloud is more secure in many ways, but it offers opportunities to make mistakes that expose data. Again, people may be too self-confident, or they may be learning to work with the cloud in a way they didn’t have to learn to work with the on-premise server network they owned.
As we move workloads into the cloud, physical separation of the network from the internet is gone. And we are counting totally on authentication—and maybe authentication done by other people. And learning to treat the authentication process as your principal line of defense is, again, it’s a little bit of a cultural shift. We certainly saw that in the SolarWinds breach. The attackers used an authentication scam. It ended with Microsoft saying yeah—there are a lot of ways the management of authentication encourages people to take shortcuts they probably shouldn’t take.
What business sectors do you think are most vulnerable to cyberattack?
For a long time, you’d say, well, obviously, people who have money and people who have a lot of customer data. I guess I would add to that now the people who have systems that can’t afford to interrupt. That is to say—people who are vulnerable to ransomware. I think probably those are the folks I would be most concerned about.
What areas of enterprise software are most vulnerable?
I worry about products that enterprises use to manage software that are not end-of-life, but at that stage of life where the product probably doesn’t have enormous revenue growth prospects for the seller. It found its niche, it filled its niche, and it’s serving its niche. And that can be very profitable. You could even run a software product company for a decade or more on that basis.
But there’s a significant temptation to milk the product at that point. You’re counting on revenue from existing customers or people who already are in a particular sector. You’re not going to get a lot of new customers, [so] you need to make the customers you have as profitable as possible. That means raising prices and maybe, more importantly, cutting costs.
I worry that companies that sell software products are tempted to cut corners on security. And you hear accusations of that after breaches. We certainly heard that in connection with SolarWinds. And I do think that that’s a real worry because it’s a perfectly rational thing for companies to do. And so if you are a purchaser of those services, you have to start getting nervous if you see that you’re relying on a product whose end of life can be somewhere down the road five or 10 years. That would be one thing I would worry about.
I worry that companies that sell software products are tempted to cut corners on security.
I would also worry about security systems that have to have deep hooks into the enterprise and the software that serves the enterprise, but who themselves are facing the internet and, therefore, are on a very tempting attack surface. Attacks that rely on security systems are something I think we’re going to continue to see.
Why do you think there has been an increase in ransomware attacks in the past couple of years? Have attacks actually increased, or have they just become more successful?
The ransomware business model has gotten much more sophisticated. Cybercriminals now know how to price discriminate among customers. So they’re asking for much more money from people who can afford to pay more, and less money from people who can afford less. And then they are milking their access to install encryption, and then also to steal data and use stolen data as a basis for extorting further revenue.
The hog processing industry, which was created in Chicago in the 1860s, became famous for having as its slogan, “We process everything but the squeal.” And I think that’s what we’re seeing with ransomware. They are finding ways to monetize everything but the squeal. The data that they steal, the importance of the software for actually delivering the services that have to be delivered, the sensitivity of the client relationships, so that the client data that is exposed is fully monetized (or rather the threat of exposing that is fully monetized).
Ransomware attackers are just getting much better, because there’s a lot more money in it.
All those things have turned ransomware from kind of a script kiddie annoyance to something that is worth investing a lot of money in if you’re an attacker. And that’s what we are seeing. The attackers are just getting much better, because there’s a lot more money in it.
Where is the law and regulation strongest in terms of requiring companies to operate best security practices?
The industries and entities that have the most government interest in best practices and the most incentives are probably financial services, Department of Defense, military suppliers, and electric power providers. The one place regulation-plus-best-practice has done the best job is in financial services, where the financial and regulatory penalties are perceived as very high. So there are business and regulatory reasons for constantly trying to innovate best practices.
It has been less successful with the defense industrial base. That’s partly because it’s such a heterogeneous group of companies with such varied abilities to pay for and invest in security.
The government’s authority is also constrained because sellers of these services often have market power. If DOD asks for too much by way of compliance, they will get pushback politically.
The place regulation-plus-best-practice has done best is in financial services, where there are business and regulatory reasons to innovate.
What about utilities and energy providers, which also seem to be under attack?
Electric power: I am not confident. Certainly, there is a lot of attention being paid to security and electric power providers. But whether we’re getting our money’s worth there, whether they’re getting their money’s worth, I don’t know.
The biggest worry with electric power systems is operational security as opposed to IT security. There are fewer people who understand how to achieve security in digital operational systems.
The nightmare is the power goes off and doesn’t come back on. And if you are a power company, you are graded as pass or fail—you either delivered the power or you didn’t. You don’t take the system down to install new patches. So the question is: What can you patch without interrupting the power supply? I worry there just is not the same culture of patching and protecting, and taking things down, if necessary, in order to provide protection.
Do you think President Biden’s executive order requiring the sharing of cybersecurity information will succeed?
I saw the order aimed mostly at the cybersecurity of government contractors and the government’s own cybersecurity. There were concerns that when a supplier of software found a problem, they might disclose it to their HHS customers but not to their DHS customers. It’s a very ambitious order in terms of all the responsibilities. I’m not ready to say there’s more they need to do until I know that they can do the things they have already bitten off.
Looking ahead, how do you think cyberattacks and breaches will develop and change?
We have come to the end of the illusion that we will patch our way out of this problem. But we haven’t fully accommodated ourselves to what that means. We may never again have systems that are secure against attack. So we have to find other ways to diminish the likelihood of attacks.
It means we need better mechanisms for attributing attacks, for punishing attackers, for denying the benefits of their attacks. We need to do more about punishing the people who do get over the wall. They’re all smart people who could be making a lot of money in IT. We also need to change the incentives to the point that they think maybe they should do something else in IT.