Your credit card has already been stolen. You just don’t know it yet.
Thomas knows it, though. (A 12-year IT security veteran, Thomas requested anonymity to protect the reputation of his employers, which have included Fortune 100 companies and several of New England’s biggest tech firms.) In the analogy of cyberdefense as a castle—a favorite of his—he tends to the moats, the walls, and the gates. Get past those, and he deploys the dogs. And he’s watched many people scale walls, break gates, evade dogs, and leave with your AmEx number.
“The only reason we don’t see things in the news every day is that bad guys have so much data that they just haven’t gotten to yours,” says Thomas. It’s easy to steal your credit card. “The only hard part is using it without tipping anybody off.”
There is evidence of the relative ease of these crimes in the prices that the stolen goods fetch in the underground hacker marketplaces. Credit card numbers—from premium cards, some offered with money-back guarantees if they don’t work—go for as little as $9. That’s just one segment of a booming hacker market: Attempts to knock a particular website offline can cost around $100; “Trojan” software that gives users control of other computers remotely is priced as low as $20.
And business is booming. A PricewaterhouseCoopers survey found that global security incidents rose 38 percent in 2015—the biggest jump in the survey’s 12-year history. Compared with sovereign nations, the cybercrime economy would have ranked 23rd in the world in 2014, besting the likes of Israel and Austria, according to the consulting group Hamilton Place Strategies. It’s not just independent hackers. It’s state-sponsored hackers who put on military uniforms and head off to their hacking desks in the morning. It’s ISIS. It’s the mafia. Every criminal trope imaginable is trying to get a piece of this.
All told, online crime inflicted $445 billion in damage to the global economy in 2014, according to a study by the Center for Strategic and International Studies. A $75 billion cyberdefense market has sprung up in the face of the threat, with analysts predicting it will grow to $170 billion by 2020. (In his proposed fiscal 2017 budget, President Obama requested a $5 billion increase in federal cybersecurity spending, up to $19 billion annually.)
Money is one thing, strategy is another. In an era of Internet-enabled refrigerators, powerful-and-cheap computing, and $20 hacking kits, there is an infinite number of attack points and shrinking barriers to entry for the bad guys.
So how do we win?
We talked to four HBS alumni whose cybersecurity businesses offer them a frontline view of the conflict about how the private and public sectors can tilt the odds back to our favor—and what victory would really look like.
Unite the Fight
On February 13, 2015, President Obama announced an executive order that encouraged the exchange of cyberattack data between private companies and between the private and public sectors. “This has to be a shared mission,” Obama told attendees at the White House Summit on Cybersecurity and Consumer Protection at Stanford University, where he signed the order onstage. “So much of our computer networks and critical infrastructure are in the private sector—which means government cannot do this alone.”
“I don’t think we’ve really fully solved how that relationship plays out between the federal government and the private sector. It’s very much a work in progress.”
—Josh Lefkowitz (MBA 2008)
Longtime tech VC Ray Rothrock (MBA 1988) was in attendance at the conference. There are few in the industry who can claim a similar veteran status: Rothrock had recently taken over as CEO of the cybersecurity firm RedSeal after 25 years at Venrock. For 24 of those years, he was focused on tech, launching Venrock’s Internet practice in 1992 and leading early investments in companies like Check Point, one of the first big firewall companies.
Rothrock listened to the speech and thought: “Finally.” As in, at last—the government is waking up to a reality that the tech community realized long ago. “The government has been reticent to open up that way because there is—appropriately—a tension of trusts,” says Rothrock. “Can I trust the government? Should I trust the government? My answer is no, you shouldn’t.” Anonymously sharing attack info, though, is another story. “You make these devices better with that data,” he says. Everybody wins.
Part of the reason why the government took so long to move could have been as simple as structure. “There are lessons to be gleaned from how the war on terrorism played out, post–9/11, where there were all these fiefdoms that sprang up,” says Josh Lefkowitz (MBA 2008), a former intelligence analyst and current CEO of New York City–based cybersecurity firm Flashpoint. Lefkowitz and his cofounder spent “the better part of the 2000s” consulting for federal clients, primarily the Department of Justice, on terrorism investigations before starting Flashpoint in 2010. “There was a lot of dialogue about public-private partnerships, but the coordination was a real challenge—particularly when there was classified information involved.” It’s a broad point, but apply it to cybersecurity, says Lefkowitz, and you see why the National Security Agency might have access to some particularly useful threat intelligence that never, for example, filters down to retailers or health care providers in any useful or timely way.
There is some forward movement, though. Lefkowitz notes that the Department of Homeland Security began sharing threat data with private industry in March, opening the audience “beyond the elite of the elite who may have private relationships with intelligence officials.” The President’s executive order also set in motion the creation of specific information sharing and analysis organizations, which would allow for anonymous distribution of data between the public and private sectors. Private industry has used industry-specific versions of these systems—focused on everything from financial services to real estate—to share threat data for a few years now, spreading information about new phishing campaigns or ongoing wire transfer fraud threats to their members. But so far, says Lefkowitz, those connections have been built predominantly among businesses, and rarely between businesses and the public sector. “I don’t think we’ve really fully solved how that relationship plays out between the federal government and the private sector. It’s very much a work in progress.”
Info sharing isn’t a new concept in cybersecurity—the venue is just different. “Chief information security officers used to meet once a week for a beer and say, ‘Hey, are you seeing this?’ ” says Anne Bonaparte (MBA 1988), CEO of cybersecurity firm BrightPoint who has previously led security startups acquired by the likes of McAfee and EMC. “Security people recognize they are in the business of pattern recognition. It has happened before, but in a much more human way.”
BrightPoint’s business model is built on sharing. The company makes software platforms that allow organizations to discretely share threat intelligence with each other, helping head off any attack. Bonaparte uses the analogy of a neighborhood watch: Attackers, she says, are rarely after one target; they’ll usually go after a few at a time, and typically within the same industry. BrightPoint’s sharing networks might build connections between, say, a few big hospitals or financial services firms. Think of it as a private LinkedIn group or a Google circle. “Another analogue is a weather map,” says Bonaparte. “We’re allowing you to get ahead of the pattern.”
Sharing is also common among hackers, who often use discrete web forums—found on areas known as the Deep Web (unsearchable) and Dark Web (requiring special software to access)—to exchange tips and hacking tools. “Why are the bad guys so successful?” Bonaparte asked in an essay for the cybersecurity website Infosec Island late last year. “In part because they trade information with each other.”
It’s unfortunate that the bad guys employ best practices. But why not follow the leader?
“We’re not going to occupy Berlin and everything simply goes away. Cyberdefenses must be part of business.”
—Ray Rothrock (MBA 1988)
Reinforce the Front Line
In the cyberwar analogy, Lefkowitz’s Flashpoint serves as the scout. Its analysts speak a dozen different languages and gain access to discrete hacker forums, collect information on potential threats being discussed by credit card thieves and terrorists alike, and then distribute it to clients. (Flashpoint also provides a threat data stream to Bonaparte’s BrightPoint.) One example: A Fortune 100 company came to Flashpoint after seeing massive spikes in its fraud losses. After some digging, Flashpoint analysts tracked down the hackers responsible, who were boasting about their work and discussing the scheme in granular detail. The affected company shut the necessary doors, saving it an estimated $20 million.
Flashpoint has public sector clients too, including global governments as well as US military and law enforcement agencies. In fall 2014, it launched a Jihadist Threat Intelligence service aimed at these clients, offering terrorist threat info and analysis pulled from the web’s darkest corners. Rothrock’s RedSeal also has a number of federal clients, though he doesn’t necessarily know who they are. Brokered through a government intermediary, they simply show up as Customer One or Customer Two on invoices.
According to government software contractor Deltek, the market for federal spending on private cybersecurity contractors reached $8.6 billion in fiscal year 2015, and is estimated to rise to $11 billion in 2020. Why so much outsourcing? Part of it is simple need and capacity issues, but there’s also the fact that the government just isn’t perceived as a cool place to work. Faced with the opportunity to spend your days in brightly colored offices with video game rooms and bountiful cafeterias, why would young talent choose buttoned-up cubicle life in some Brutalist office building in DC? In a February op-ed in the Wall Street Journal that laid out his cybersecurity plans, President Obama noted the cultural challenge: “We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office.”
“The private sector vendor community has done a great job of attracting that talent,” says Lefkowitz. “You may not want to wear a suit—and maybe you’d have trouble passing a background check, and maybe you want to play video games during your break.”
But even the private sector is facing talent shortages. Anne Bonaparte sees it firsthand in her corporate customers: a lack of frontline security workers. “They’re not developers or data scientists,” she says. The workers they need range from entry level to managerial leaders, all responsible for manning the software systems and scouting the landscape. “People often say, ‘Oh, we need more Harvard PhDs,’ and while that might be great, that’s not really the problem. The problem is we need more individuals entering the security profession.”
A 2015 report by Cisco estimated that there were more than 1 million unfilled cybersecurity jobs worldwide; a study that same year by CareerBuilder found that 89 percent of information security analyst postings went unfilled. “It’s staggering,” says Lefkowitz. “It requires a holistic strategy for fostering individuals who have the skills to slot into cybersecurity. I don’t think we’ve really solved for that as a nation.”
Part of the problem, Bonaparte says, is marketing: “We have to rebrand security.” The trick is not just selling it as cool and exciting, but making that message appeal to a broader audience. “Security is always guys with dark glasses and earbuds or military gear—everything is presented as very male,” she says. “Frankly, in cybersecurity, there’s a lot more to it.” It’s weather maps, it’s puzzles, it’s patterns. It’s thinking about where you can close doors so the bad guys can’t get in. It’s about having a real impact on your country’s well-being. (Bonaparte has suggested a tech security recruiting push aimed at women akin to the “Rosie the Riveter” campaign of World War II.) Bonaparte offers the example of how universities are attempting to attract more women to STEM careers. If a school wanted to promote general interest in Python, a popular programming language, it wouldn’t focus on hosting Mountain Dew–fueled, all-night hackathons, she says. “That’s not appealing to everybody. But if you say, ‘Let’s try to find innovative solutions to bringing lights to rural villages,’ and it happens that you have to use Python programming to do that, you’ve reframed the problem. That’s what needs to happen in cybersecurity.”
Make Life Harder for the Hackers
Ray Rothrock has this condensed history of cybercrime, broken down into eras based on their respective defense strategies. There were the early days of firewalls built to keep out the bad guys, then came protection against viruses and Trojans, then on to data leak detection, and eventually the emergence of complex defense systems built to ward off multidimensional attacks.
Today, he says, it’s about resilience. That’s what RedSeal promises, offering a FICO-like score that management and board members alike can use to gauge their security preparedness. In practice, the defense looks like this: Some frontline security officer gets an alert that there is suspicious activity on the company’s network—a spike in data flowing out of the system, perhaps. A certain data server has been taken over by a malicious third party. “Push the RedSeal button, and the system says, ‘Ah, we know where that is,’ ” says Rothrock. “It’s this server right here, and here are the data servers that will be attacked next. Here’s how to fix it.”
Fix it—not burn it down. There’s a big difference. Rothrock, sitting in an HBS conference room in February, points to the ceiling. “It would be like in a big room like this. You’ve got one, two, three fire nozzles in this room.” Using the RedSeal analogy, if there was a fire at his end of the conference room, only the sprinklers above his head would need to be turned on. “The fire is at this end. Why flood the room?”
That’s what Sony Pictures did. When hackers broke into the movie studio’s network in 2014—inflicting a reported $35 million in IT damages—administrators at Sony just shut the whole network down. In Rothrock’s example, the issue would be isolated while the rest of the company chugs along, generating revenue. “Our thinking and our capabilities are just now getting to that point.”
(courtesy Anne Bonaparte)
For attackers, better defenses aren’t just a test of their mettle or skills—they’re a drain on time and money. “Bad guys have economics, too. They can’t spend all day trying to burn your house down,” says Rothrock. “They’ll go to the next house and try to burn that one down.”
Matthew Prince (MBA 2009) has seen these forces at work. Before founding security and hosting firm CloudFlare with classmate Michelle Zatlyn in 2010, Prince founded Unspam, which helped create an email equivalent of the “do-not-call” list. “In the early 2000s, it seemed like a problem that could really threaten the use of email generally,” says Prince. But when larger providers like Google or Microsoft began to use cloud services that could employ data from their millions of customers to help snuff out junk email, it made it hard to stay in the spam business. “The cost of sending spam got higher than the cost of stopping it, and now you’re actually seeing—within the last five years—the rates of spam are dropping. I think we can do the same thing around a lot of security challenges over the long term,” says Prince.
Prince has seen this play out at CloudFlare. Hack-for-hire services, he says, regularly charge around $100 to try and knock a website offline. He knew CloudFlare was making its name when some of those services raised the price to $1,000 for attacks on sites hosted by CloudFlare. “And today, a lot of those sites simply say we don’t attack CloudFlare–based sites,” he says. “It’s been interesting to see that we’ve gotten to a scale and size where the attackers are actually modifying their behavior based on what we do.”
Of course, not all attackers go right at the wall. Some of the biggest hacks rely on human error to walk them through the front door. When the Associated Press’s Twitter account was hacked by the Syrian Electronic Army on April 23, 2013, the group tweeted out “Breaking: Two Explosions in the White House and Barack Obama is injured” to the account’s almost 2 million followers. The resulting stock turmoil is estimated to have temporarily swung the market by $136 billion. How did they get in? Hackers sent an email to AP reporters that appeared to be from a UN official, with a link that seemed to direct to a Washington Post article. Instead, the link sent them to a page that resembled an online version of their Outlook page. When they entered their login information, it was sent directly to the Syrian Electronic Army, which then tracked down an email with the Twitter login info.
To Rothrock, one of the easiest ways to reduce the human factor and make it harder to hack is to treat digital awareness like a public health issue. “Everyone has to participate, everyone has a role to play. You need to change your password every six months. You need to have dual factor authentication on your email when you’re away”—for instance, entering a password as well as a code texted to a cell phone.
And it starts earlier than your first desk job. “It goes into schools,” he says. It goes into teaching kids. We need to teach them a little bit of cyber hygiene.”
Thomas, the cybersecurity veteran who had some bad news about your credit card in the beginning of our story, has an easy way to spot new employees. “They run,” he says.
Primed by Hollywood depictions of cybercriminals being warded off by fast-moving defenders, they fly down the hall, laptops in hand, breathlessly announcing breaches. Settle down, Thomas tells them. We have protocols for these things. Breaches happen.
“That’s been the biggest change in security over the past five years: People are no longer saying the only job is to try to keep the bad guys out completely,” says BrightPoint’s Bonaparte. “No one runs a perfect shop. Detection and response are equally important to prevention.” There are too many ways in, too many holes to cover. There’s no absolute peace.
“Do people still carry guns and walk in and rob the 7-Eleven? ” says Rothrock. “Of course they do. But we make the penalties harsh. We make the capability to catch them high so that they think twice about it, and that’s what we’ve got to do with cyber.”
But Rothrock is certain that we’ll win. So if victory is an eventuality, what will it look like?
“We’re not going to occupy Berlin, and everything simply goes away,” says Rothrock. “Cyberdefenses must be part of business.” Winning means cyberterrorism and cyberwarfare have become a sort of manageable tax or a cost of doing business, and not a nuclear weapon that can destroy an entire company—or an entire economy.
“And the world will keep going,” he says. “That is the victory, but we’ll still be fighting forevermore.”
Class of MBA 1988, Section F
Class of MBA 2008, Section E
Class of MBA 1988, Section F
Class of MBA 2009, Section D