I was still digesting last week’s fascinating roundtable with Nicole Perlroth, cybersecurity journalist and author of This Is How They Tell Me The World Ends, when the news broke that the US’s biggest fuel pipeline had been taken out by a ransomware attack. Nicole’s closing prediction that cyber criminals, emboldened by their success in targeting hospitals with ransomware, would move onto other critical infrastructure, was coming true before my eyes.
So how do they tell Nicole the world is going to end? Apparently not with a bang, a cataclysmic event that would see bombs falling or buildings tumbling, but instead with a quiet, creeping realization that the poisoning of the water supply or the cutting off of fuel lines will already be underway before you can see it coming.
For the book, Nicole has spoken to cybercriminals, hackers, government sources and infosec pros - either on or off the record - and come to the conclusion that the only way to save the world from all-out cyberwarfare is by embracing transparency. Transparency is how we regain and harness the trust of the public, and how we will prevent vulnerabilities from being weaponized against us.
“Let’s call out some of the trade-offs we’re making in sacrificing cybersecurity for national security, and leaving systems more and more vulnerable. For too long these discussions have been had in classified government corridors. My motivation is to tell this story in a human way. Sunlight is the best disinfectant.”-- Nicole Perlroth
The bug market has always been a murky place. Brokers buy bugs from security-minded hackers and sell them to the highest bidder at an impressive markup. Governments buy zero-days and keep them secret, using them for offensive purposes, despite the wider risk an unpatched vulnerability poses to individuals and businesses. Hackers have long struggled to get credit, reward, or even thanks for the work they do surfacing vulnerabilities, and organizations often remain oblivious to the problems hackers inevitably find. The black market hasn’t gone away, and governments still hoard bugs for offensive means, but Nicole credits vulnerability disclosure policies, and open bug bounty programs from folks like HackerOne, with democratizing bug hunting.
“HackerOne is turning the tide, you are changing the incentive model. I usually don't speak very positively about a lot of companies in the cyber security space but in researching this book, I discovered HackerOne as a force for good and resistance in terms of course-correcting a harmful incentive model.”-- Nicole Perlroth
Sandra McLeod, head of security assurance at Zoom, also preaches transparency and joined the conversation to explain how corporations can foster a culture of transparency. She told us that Zoom recognizes that transparency is key to building trust with customers. As a result, the company publishes an annual transparency report, hosts regular AMAs on what it is doing to further protect and secure customers, has invested in a bug bounty program and has recently opened a trust centre where Zoom shares privacy and security information and resources for customers and partners.
And the message of transparency seems to be translating. Colonial Pipeline’s communication has been, in the words of another skilled cybersecurity journalist, “refreshingly transparent”. Colonial announced the cyberattack, sharing from the get-go that it was ransomware. For the hacker community, which is committed to helping organizations but needs trust and information to do so, it simply wastes time when companies try to hide the obvious to avoid admitting weakness.
An effective defensive cybersecurity strategy is by its nature transparent. It involves looking underneath that stone, accepting that there will be software that’s putting you at risk and asking for help in identifying and fixing it. It was surreal to read about HackerOne's origins in Nicole’s words (chapter 15, “Bounty Hunters”) but it also reiterated our mission to me, reminding all of us that the hacker community exists wholly to make the world a safer place.
Nicole had a lot more to say about the impact of SolarWinds, offensive security practices and their limitations, and candid stories about hacker forums and nation-state attacks. Listen to the full conversation here.