Cybersecurity with Peter Russell
Cyber hygiene, cyber arms dealers, security is a problem of endurance, and committing cyber crimes in stealth.
Peter is a Senior Business Analyst at McKinsey & Company who specializes in cybersecurity. Please note that the views I expressed are solely my own and not those of McKinsey & Company.
We would love to hear about your journey. How did you initially become interested in cybersecurity?
The first time I really thought about cybersecurity was when I read David Sanger’s “Confront and Conceal” for a high school summer program. I was enthralled by the story of Operation Olympic Games -- when NSA / US CYBERCOM allegedly deployed Stuxnet, a computer worm, against Iranian centrifuges at the Natanz nuclear enrichment facility. I properly fell in love with the topic when I went to Washington, DC with Princeton’s Center for Information Technology Policy over fall break my freshman year (2015). We met then-President Obama’s Cybersecurity Policy Coordinator (J. Michael Daniel Princeton ‘82) and talked about cyber conflict in the Eisenhower Executive Office Building, and I was hooked. This trip also showed me how cybersecurity and its sister disciplines -- online privacy and internet freedom -- sat at the intersection of so much else that’s critical to our society -- freedom of speech, assembly, and the press, freedom from tyranny, the right to private property, business continuity, and protection of the vulnerable, among so much else.
How do you spend your time these days?
I’m a cybersecurity consultant, so most of it is spent working on behalf of clients :) When not doing that, I’m trying to stay abreast of the latest trends and news not only in security -- which has plenty going on -- but in other facets of enterprise technology. I also like to go for walks, eat bagels, read, and spend time with friends.
What are you most worried about?
A digital pandemic -- what happens if a malicious party finds a generalizable bug that can negatively impact the majority of Americans.
“Give cybercriminals this much: they are opportunistic.” As opportunist people ourselves, we’d agree! What makes a great cybercriminal?
Stealth. The best criminals commit crimes that remain unsolved. The best cyber criminals steal, or extort, or compromise, without being caught or exposed. Ransomware gangs are a fascinating example of this, and the REvil “RaaS” (ransomware-as-a-service) gang shows how they a) really wanted to avoid scrutiny and news coverage, and b) need to think about operating, for all their opportunism, like other businesses (e.g., with better “know-your-customer” checks than they had). You can think of them as cyber arms dealers who are building a strong brand and franchise.
To what extent do you humanize/dehumanize cybercriminals?
Always humanize them. Digital observation of PLA (People’s Liberation Army) Unit 61398 reveals employees like any other who show up to work at 9, take lunch, check social media during their afternoon slump, and clock out. The most prominent ransomware gangs are professionals given safe harbor by states (we believe) in exchange for focusing their attacks on specific geographies (e.g., US and democratic Europe) and staying away from host nations and allied infrastructure (e.g. Russia, Belarus). These are people with needs, wants, regular lives, pressure points, and other underlying motivations no different than ours. And they’re going to be largely rational when it comes to monetizing their training and skills.
SWEs often struggle with adequately securing their systems. What are solutions out there to fill in these gaps?
All manners of tools exist -- too many to name. There are tools that help you: write secure code through both static code analysis and dynamic tests (e.g. Checkmarx); leverage secure packages and binaries (e.g. JFrog); automate configuration and deployment into the cloud or on prem / via containers (e.g., ); and a host of tools . This only scratches the surface of other cloud security, endpoint security, identity and access management, threat detection and response, and other tool categories out there today. While not all of these tools are created equal (YMMV, significantly), the problem isn’t a lack of solutions.
Engineers are yet to internalize security by and in design and threat model new features and applications they build. Engineering managers are yet to allocate the appropriate time and resources to pre-deployment security reviews. Business leaders are yet to accept the necessity of investing in their security organizations (which are still largely viewed as a cost center) in a way that enables the business and the sustainability of talent working within the organization, or the short-term tradeoffs in time-to-market as security orgs bring themselves online. And critical vendors like AWS, Microsoft, Google, Facebook, and others fail to act in good faith and make their default configurations secure or private for fear of impacting initial usability or the customer journey towards purchase / monetization. Security is a collective action problem, and we’re spending too much time talking about it instead of doing something about it, even and especially when it may contradict any small piece of our interest.
What are the latest technological advancements that are changing the field? How are people preparing for new fields, such as augmented reality and brain-computer interfaces?
In security:
AI / ML -- it’s overhyped right now in security (mainly because it’s difficult to generalize/develop good algorithms on crummy data) but, if done right, it can help solve the cybersecurity talent problem and make defenders better at defending. (It’s not the only way to do this, by the way, which is worth talking about.) It may also make for craftier attacks, if adversaries can leverage it properly (e.g., building better phishing emails, faking identities for brute-force access).
Quantum computing -- it’s the big hairy monster in the closet that threatens to break everything for those who are unprepared -- which includes a lot of common infrastructure and historical data/communications, encrypted
Blockchain -- deserves a mention not because of its security properties (despite being a secure distributed database technology) but because the explosion of cryptocurrency volatility/value has likely given rise and reason to ransomware gangs. Non-dollar payments that are difficult (albeit not impossible) to de-anonymize and that are in speculative asset classes that have grown in value at huge multiples are exactly what a modern digital mobster wants for Christmas.
Others -- not huge yet, could see them getting bigger
How secure is open source?
I believe it depends entirely on how much effort is put into securing open source code, which depends in turn on the stewards of the code. At its best, open source enables passionate developers that care about the durability of their project to critically examine and improve it, leveraging a global talent pool to do so. At its worst, it gives attackers (albeit sophisticated actors) means by which to more easily locate vulnerabilities or inject their own vulnerabilities. The former group can, of course, frustrate the latter, but only if they are able and they care. And in the meantime, the existence and success of JFrog Artifactory and companion tools that provide for secure repositories of tested and trusted “open source” binaries speak to the reality that, while the long arc of open source code eventually bends towards security, we’re very far from there today in most cases.
COVID forces more non-tech companies to use more tech, thus creating more opportunities for hackers. How do they approach making a secure online presence?
Two sides to this (at least):
The need to secure your own operations (e.g., transitioning to a “zero trust” model less dependent on the perimeter, training employees against the massive spike in phishing emails, coordinating ransomware response when your employees are not colocated)
This is the hard part. Most organizations coupled a nearly-overnight shift in IT operating models with rollout of new technologies (e.g. SSO and MFA) meant to support those end goals (e.g., Zero Trust). Organizations have had mixed success accomplishing these goals, and as hard a time navigating the byzantine cybersecurity market / evaluating vendors and integrators.
The need to secure interactions with your customers (e.g., shifting to more secure logon experiences / away from passwords, shifting quote-to-cash processes and payment processes online, building durable sites that can handle higher volumes of requests)
Depending on your business, the pandemic likely accelerated your adoption of select technologies that considered security as part of the package (e.g. Shopify, Stripe).
What is something only someone who has worked in cybersecurity knows? Or, what surprised you most when you started to dive more into the field?
That everyone has had an email / username / password credential combo stolen -- so change your password. :)
What are hackers’ biggest motivations?
Depends on the hacker. Historically, in aggregate, recognition and money.
How do you map out attack vectors?
I like the MITRE ATT&CK Framework.
What is something that you have always wanted to do that you haven’t gotten around to yet?
Visit Los Angeles. And go to a Bruce Springsteen concert.
We know it is impossible to predict the future, but from the perspective of today what do you want to be doing in 10 years?
Running my own company. Don’t know what yet, though.
What advice would you give your younger self?
Read more, learn to cook, and learn to code as soon as you read this.