Herbert Lin is Senior Research Scholar of Cyber Policy and Security at Stanford University’s Center for International Security and Cooperation (CISAC). Lin is also a Hank J. Holland Fellow of Cyber Policy and Security at the Hoover Institution, a prestigious research center for public policy. In addition to working in cyber policy and security, Lin has a PhD in Physics from MIT.
Q: What is your overall vision of the state of business cybersecurity in 2017?
Herbert Lin: Business cybersecurity is complicated. Most businesses understand that they have to pay some attention to it, but many people are handicapped because they don’t understand how to make cybersecurity investments. So if you’re the Chief Information Security Officer of a company, and your manager says, “I’m going to give you a million dollars,” what should you spend it on? And I think that the answer is that most people have no [clear] idea of how to spend it. So that’s one thing.
The second thing is that there is often an underappreciation of the risks that are actually involved. I think that senior managers often don’t understand what their core assets are, what really needs to be protected. You can’t protect everything at equal level, so you have to be able to prioritize what things are most important. And that’s very hard for enterprises to do.
And a third thing is that even the enterprises that manage their business risk properly (whatever “properly” even means) manage it as a matter of their own enterprise needs. Which of course you would expect them to do. But their enterprise may be more critical to the functioning of society than they realize. So the societal impact of a big cybersecurity problem — for example, if you’re an energy company, an electrical grid or something like that — if you go down, it’s more than just your shareholders who suffer. It’s everybody that depends on you. It’s a hospital down the street, and everybody that has food in their refrigerators, and so on.
Q: Do you think critical infrastructure is being adequately protected?
A: The question is, what does “adequately” mean? Should we be doing more? I would advocate doing more, but in the United States there is the undeniable fact that more power outages have been caused by squirrels than by cyberattacks. Will that continue to be the case in the future? I don’t know. It’s a silly comparison in some sense, because squirrels don’t act maliciously, and adversaries do. And the fear is that if adversaries act maliciously, they can do a lot more harm than squirrels can.
Q: Ransomware attacks are still on the rise. What can we learn from the recent WannaCry and Petya attacks?
A: Ransomware attacks are a kind of denial of service attack, and institutions have to be able to work their way through it; they have to have backup procedures in place, and so on. Backing up is hard, and it’s a pain, but you have to do it. You have to know how to operate when you’re under threat, for example when you don’t have your electronic medical records online. You have to know how to operate under those circumstances.
Q: Would you say there will be another large-scale ransomware attack?
A: Yes, in general I think the answer is yes. You’re going to see more and more of this kind of stuff, and ransomware is an easy way of making some money.
Q: What role do you think that companies will play in a potential cyberwar?
A: They play both deliberately and inadvertently. One of the issues is that they, inadvertently, have a bug in one of their programs, and they don’t fix it. This is a problem, because they have a vulnerability, and they didn’t fix it. So they play a role, because they put the vulnerabilities in. They didn’t do it deliberately, but they put the vulnerabilities into their software.
They have the opportunity to configure their systems in a different way to make them more or less secure. Sometimes companies give user defaults that are configured to be easy and insecure, rather than hard and secure. And that’s a choice. The reason they make that choice is in the name of user convenience. They don’t want users to say “your products are hard to use,” because that gives them bad press. So they make the products easy to use, but often less secure. So that’s a business decision that they make. And that’s a way they help contribute, inadvertently, to the problem.
And there are other instances in which companies cooperate with government agencies to facilitate offensive operations. For example, an intelligence agency might approach a company, let’s pretend it’s an antivirus company, and say, “Here’s a signature we’d like you to ignore, and we’ll pay you 10 million dollars to do it.” Why do they do this? Because they want to attack somebody, and they know they’re using this antivirus program. So that’s a way — I won’t say it’s a legal way — but that’s certainly a way in which intelligence agencies have been known to work in the past. So the cooperating company, here, is helping facilitate an offensive operation that is facilitating a cyberwar in some way.
Q: In 10 years from now, do you think the world will be more or less safe?
A: I think it’s going to get worse, but it’s not going to be catastrophic. If I had to pick the most likely outcome, that’s what I’d say. How much worse? I don’t know. But I think it’ll be a little bit worse.
Q: Why?
A: Because I see all the trends leading in that direction. People want the benefits of information technology and are not willing to pay the costs. So the cost is insecurity. I think that in the long run people are going to start paying attention to that. It will get “a little bit” worse because I don’t think we’re at the turning point yet, where the costs exceed the benefits. But we’re getting there. I think that’s happening slowly. And at that point it will be a different ballgame.
And why just “a little bit” worse, why not catastrophic? I think that in the end, because the rest of the world is so dependent on it that it will all blow back. It doesn’t benefit China to take down the World Wide Internet. They want to use it for small game. If you’re a parasite, you don’t want to kill the host. You just want to sap its energy. But there’s a limit to how much you want to extract.
Q: What is the most important piece of cybersecurity advice you would give to a company?
A: I would say that cybersecurity is a never-ending battle, and you will never be able to solve the problem once and for all. Be willing to invest more than you think you should.
Parts of this interview were lightly edited for clarity.