We recently had the opportunity to interview Dr. Arun Vishwanath from his office in Buffalo, New York and discuss some of the recent high-profile security breaches and some of the urgent cyber security threats faced by governments and businesses.
Can you tell us about the Colonial Pipeline breach and how it could have been prevented?
The Verizon DBIR 2021 points to some 85 percent of all breaches being because of a human element—as in a weakness being exploited. This breach, like every major ransomware attack, was likely because of spear phishing, where someone either received the malware via an emailed attachment or clicked on a link that took them to a website that hosted it.
This was how the Sony Pictures ransomware hack also took place in late 2014 and since. In fact, in March 2016, I wrote a piece in CNN calling for urgent action and offering solutions.
The call was largely ignored as were the solutions. And attacks have continued, unabated, even as the security community has being trying to fix systems after the fact. In fact, reports suggest that Colonial paid a $5 million ransom—which goes to show how well our technical safeguards and incident response systems has failed. We need to take user protection seriously, change the security paradigm, by studying and building protections around people and processes, rather than solely focusing on technology. I recently published a new piece in CNN offering solutions.
Can you tell us about the SolarWinds breach and how it could have been prevented?
The SolarWinds software that is used by thousands of federal government agencies and corporations in the US and aboard was hacked. The malware was place inside the code. This requires a high level of coding sophistication. It is a case of espionage, which is difficulty to stop directly because of the resources behind such efforts. But we can still make it hard for the hackers to get into the cores of software and hardware as SolarWinds did.
Did SolarWinds leave the proverbial door open?
Indications are that they did. They had super weak, easily guessable passwords, which was visible to anyone who looked. Their software development process was also weak. At one time users needed to disable anti-virus software to use their tools. Mind you, SolarWinds software is used to monitor network traffic by someone of the biggest names in the federal government (such as the Treasury department, the department of Commerce, department of Energy, NATO, and the European parliament). These are high value targets as it is, and asking them to disable an essential protection is like asking them to leave their doors wide open.
I think SolarWinds shows that everyone needs to practice digital safety. It’s one thing for cyber security experts and engineers to ask everyone to be cyber safe, but they need to practice their what they preach.
What are the most important cybersecurity risks for 2021?
Ransomware is at the top.
Early this year, we leant about a hack into a municipal water filtration system in Florida. Someone tried to poison the entire city of 15000 people.
Now we have SolarWinds by DarkSide, a Russia-based hacker network. The same group has claimed other attacks and with companies deciding to pay because they are so unprepared, it is likely there will be more such attacks.
Ransomware attacks have been fomented by Iranians, Russians, Chinese, and North Koreans going as far back at 2014 and even earlier.
Even as the perpetrators are increasing, we are all more exposed than ever. We are away from the ringfenced safety of organizational networks and are working from home, on not-so-secure home networks, using consumer grade, often shared, devices, surrounded by many other devices. The number of contact points—as in the virtual surface—available for exploit has gone up.
The worst is yet to come and 2021 might, unfortunately, see even bigger attacks realized.
What is the “people problem” of cyber security?
The “people problem” is a phrase I heard in many different occasions when I met with IT managers (CISO, CSO, CIOs), many in leading research labs, national security establishments, and such. It’s a term that some of them used to describe their frustrations with users and keep them from doing things on their computers that shouldn’t. While the frustration is valid, its source isn’t the user: it is actually from IT’s understanding of users. Most in IT are recruited from engineering programs where there is little training on understanding the users’ motivations and cognitions. IT policies and practices end up getting in the way of many users’ work and they find workarounds or do things because they have to in order to get work done. Then, they end causing problems with data security and the phrase, which began as a description, becomes prophetic.
Solving this requires IT to change their approach to users. This means understanding users and then developing solutions around them. We saw this in the 1970s where organizations that used to treat is employees as personnel changed their view of employees and began treating them as resources. It’s when organizational personnel departments became human resource departments. This wasn’t a trivial thing, and in many ways led to an enormous increase in innovation and productivity that made the American workforce one of the most efficient in the world. We need to likewise change our mindset about users. We need IT departments to stop thinking of people as users and computer operators but as “computing resourcers”—a source of potential innovation who use computing technology to achieve it.
How are social networks like Facebook, Instagram and TikTok contributing to the “people problem” of cybsersecurity? What more can be done?
What social networks do is monetize user data. They trade user data—which is their currency. The entice people to come on board, stay on their site, and share information. This is then sold to advertisers.
What this does is provide a lot more information about people that is easily accessible. It also puts a price on the data—which creates a market for it. Wherever there is a legitimate market, there are always bad guys trying to exploit it. This creates a cycle of cyber breaches. Some of the data that is stolen feeds social engineering attacks, where hackers use the stolen data to attack people and steal even more. So, the vicious cycle begins with the basic business model of Facebook and TikTok. Unfortunately, there isn’t much we can do other than curb how much data is being sopped up by these companies. The more they take, the bigger the supply, and commensurate interest by bad guys.
Tell us about your role with the NSA committee?
The National Security Agency Research Directorate sponsors the Science of Security Initiative to promote cybersecurity science. Each year they hold a scientific paper competition. A distinguished expert review panel consisting of the 10 top cyber scientists in the nation, judge the papers on their impact to the field. I have been a distinguished expert on the panel these past few years and it’s been a great experience.
Researchers at NIST recently developed a new method called the Phish Scale based on your research to better train employees to avoid cyberattacks. Can you tell us about your research in this area?
Yes, it is based on my work and that of my students and collaborators. In 2015-16 I developed a model called the Vishwas or V-Triad. I presented it at Blackhat in 2016 and 2017.
The Phish Scale, which was developed in 2020, uses the same methodology I used, even the language from my model and comes to the same conclusions about phishing emails. One way to think about this is that here we have 3 federal government sponsored scholars from NIST ostensibly working without the knowledge of the V-Triad finding exactly what I did. It triangulates my work and underscores its validity for solving the problem of spear phishing.
What are the biggest cybersecurity stories from the past year that not enough people are talking about?
Ransomware attacks continued throughout the past year hitting schools, universities, and municipalities. It’s no longer front-page news. We are not sure if these are state-sponsored attacks, but the malware used in most of them originated in Russia.
The other case is the Huawei, where there was a warning issued about backdoors being implanted by the Chinese military in their equipment that was being sold globally.
The third is the hack into Jeff Bezos’s phone ostensibly by Saudi prince MBS.
These have been largely forgotten but point to the high stakes in cyber. We have entire nation states putting their resources to attacking companies, competitors, and dissidents. They are investing in deep exploits for use in some future cataclysmic day. This is a long strategic game.
I have written about where this leads in a Washington Post article. I called it the Digital Iron Curtain, where we may end with blocks of nations that create their own software and hardware because anyone outside cannot be trusted.
It is the beginning of the end of the Internet as we know it and I think last year saw us taking many more steps in that direction.
About Dr. Arun Vishwanath
Dr. Arun Vishwanath from Buffalo, New York, studies the “people problem” of cyber security.
His research focuses on improving individual, organizational, and national resilience to cyber attacks by focusing on the weakest links in cyber security —Internet users.
His interest is in understanding why people fall prey to social engineering attacks and on ways we can harness this understanding to secure cyber space. He also examines how various groups –- criminal syndicates, terrorist networks, hacktivists – utilize cyber space to commit crime, spread misinformation, recruit operatives, and radicalize others.
Dr. Arun Vishwanath lives in Buffalo and was a tenured faculty member at the University at Buffalo and also held a faculty position at Indiana University, Bloomington.
In addition to research shared with national security and law enforcement agencies around the world, his research has also been featured on CNN, The Washington Post, Wired, USA Today, Politico, and other national and international news outlets.