Cybersecurity Is Broken And The Hacks Are Going To Just Keep Coming
“No one in the industry is incentivized to actually fix it.”
LAS VEGAS — The three CEOs sharing fruity cocktails are at the head of cybersecurity companies that bring in roughly $2 billion a year. But despite all the money their companies’ services bring annually, not one of them blinked an eye when presented with this statement: “Cybersecurity is a broken industry.”
“Sure, it’s broken, but it is also too big to break, you know?” one said. All three were enjoying their drinks at an off-record social event held during the Black Hat cybersecurity conference in Las Vegas. “Cybersecurity is really just security, in today’s world. And people will always spend money on security.”
Cybersecurity as an industry has grown by more than 20 times in the past decade, going from being valued at $3.5 billion in 2004 to $78 billion in 2015. Experts say this is only the beginning, and project it will nearly double its value again by 2017. Yet the digital world has never been less secure. The number of hacks, ranging in size and scope — from ransomware attacks that can be carried out by the most novice cybercriminal to sophisticated breaches carried out by state-sponsored hackers in China, Russia, and the United States — increases each year. And despite the rapid increase in dollars spent on cybersecurity, those leading the industry say they are less sure than ever whether it is even possible to stop the attackers.
“The first thing we do is tell our customers that the hackers are already in their system,” Kevin Mandia, CEO of the FireEye cybersecurity firm, told BuzzFeed News in an interview last year. But despite a boom in cybersecurity spending in 2016, FireEye reported earlier this month that its revenue is down, and has since seen its stock plummet. The company attributed this to the fact that simple ransomware attacks had increased, while the type of advanced, state-sponsored attacks that FireEye specialized in had not.
FireEye, along with a half dozen other companies, including Kaspersky, Trend Micro, Palo Alto, Fidelis and CrowdStrike, regularly publishes reports naming new hacking groups and the type of malware they use. But the reports, which are widely cited by cybersecurity experts and journalists alike, rarely attribute the attacks to a specific country or group, largely because, they say, today’s technology makes it almost impossible to definitively say who was behind most cyberattacks (even if those attacks are on a major political party in the midst of a heated election).
If any evidence were needed for cybersecurity’s growing importance as an industry, you wouldn’t need to look much further than the overcrowded booths on the stage floor at Black Hat and the VIP parties thrown by various corporations, ranging from Nike to Microsoft, that surround the event. The annual conference began as the more formal, industry-focused sister to the unruly DefCon, or, as it is sometimes called, hackers’ summer camp. If it seems weird that a conference for security professionals would be held back-to-back with the world’s largest hackers’ conference, then you don’t understand just how symbiotic the two groups are. Cybersecurity companies need hackers like defense companies need former army generals. At DefCon and Black Hat, cybersecurity companies compete with each other, throwing lavish parties at mansions and flashy Vegas nightclubs to draw the industry’s most notorious hackers into their boardrooms.
“Customers don’t know what cybersecurity advice or product to buy any more, the field is just so crowded,” said Jeff Moss, a hacker also known as Dark Tangent. “This is the boom right now, we are [at] the peak of cybersecurity companies on the market.” Yet some of the biggest cybersecurity companies, including Symantec, Kaspersky, McAfee, and Trend Micro, had to make the embarrassing announcement last year that programs they were selling to their own customers actually contained vulnerabilities that would let hackers in.
“Half of all Americans are backing away from the net due to fears regarding security and privacy,” said cybersecurity expert Dan Kaminsky in his Black Hat keynote speech, citing a July 2015 study by the National Telecommunications and Information Administration. “We need to go ahead and get the internet fixed or risk losing this engine of beauty.”
The situation is even more dire in the developing world, where cybersecurity companies say ransomware attacks are running rampant. According to a recent report presented to journalists in San Francisco by the Helsinki-based F-Secure cybersecurity firm, the Philippines, Oman, and Malaysia rank among the top countries hacked each year. Considering the relatively low percentage of people in those countries who currently have access to the internet, what will happen in 10 to 20 years, as billions of new users in those countries come online?
Danny Rogers, CEO of the Terbium cybersecurity firm, told BuzzFeed News that the problems facing the average internet user are going unaddressed. Instead, many of the top minds in cybersecurity are working for the government on programs that look for vulnerabilities within systems, which are then exploited to carry out intelligence work. The most valuable vulnerabilities are those known as zero-days: the types of bugs that could allow a hacker to access every iPhone or Android on the planet. (To an intelligence agency, zero-days are worth millions of dollars, making the news this week that an unknown group had decided to make public a trove of zero-days linked back to the National Security Agency even more surprising.)
“The incentives are backwards,” Rogers said. “No one in the industry is incentivized to actually fix it.”
“The truth is, the bad guys are winning,” Samuel McKinley, a freelance cybersecurity researcher, said during a talk at Black Hat about a new mobile hacking technique. “Between the government not sharing what it knows, to companies hoarding what they know, the good guys are in the dark. While the bad guys, well, they trade ransomware and tips on the Dark Net.”
Moss, the hacker, said that what kept him up at night was what would happen just a couple of years from now, when the millions being made off ransomware had been funneled back into criminal organizations looking to come up with ever more sophisticated hacks.
“Last year, $40 million was paid out to ransomware. This year, it is $200 million. Where is all that money going?” said Moss. “Some of it is going back into their R&D, and in a few years we might see really scary stuff.”