Editor’s Note: Gerhard Eschelbeck is the vice president of privacy and security at Google. He published the “Laws of Vulnerabilities,” is one of the inventors of the Common Vulnerability Scoring System (CVSS), and holds numerous patents in the field of managed network security. The opinions expressed in this commentary are his.
Gerhard Eschelbeck: The cyber threats to our most personal data, our businesses, our infrastructure and our democracy are real
High-quality cybersecurity must become a prioritized pillar of society if we are to protect ourselves, writes Eschelbeck
In November 2014, the Guardians of Peace – a group affiliated with the North Korean government – hacked Sony Pictures because the studio was planning to release “The Interview,” a movie they felt insulted their leader, Kim Jong Un.
After the initial breach, the hackers threatened theaters that were planning to show the film. The premiere in New York was canceled, and theaters around the country decided not to show the movie.
Still wanting the film to reach audiences, Sony Pictures asked if we could release the movie on Google Play and YouTube. Obviously, there were very serious security risks that we needed to consider. We could be attacked by the same type of targeted malware that infected Sony, or face a distributed denial-of-service (DDoS) attack that could attempt to make Google unreachable, or receive any number of other online threats.
We decided to help because we were confident that we could protect people watching the movie and withstand any retaliation, so on December 24, 2014 we released the movie while a full room of Google security experts monitored for suspicious traffic and other signs of attempted disruption. Thankfully, it went off without a hitch.
That was my first month at Google. In many ways, it was a brand new experience, but it confirmed something security folks have long known to be true: a strong foundation of security is the building block for all businesses – online and offline.
So much has changed since 2014. We’re on the cusp of a new computing era with the emergence of artificial intelligence and machine learning that will help build incredible products for users and power businesses worldwide. Security has come a long way – our automated systems can pick a spear-phishing email out of an internet-sized haystack – and yet, as a society, we’re putting everything in jeopardy by not making a commitment to security.
You don’t need to be an expert to see this. We are all reading the same headlines: hospitals, credit agencies, law firms, media companies, and a slew of other organizations have suffered serious breaches in the last few years. Nuclear power plants have been targeted, along with political institutions and officials – from the UK and South Korean governments to the French and US election campaigns.
Government-backed groups may be behind some of the more sophisticated attacks. But increasingly, weapons and resources that were once only available to governments have become available to anyone. Some of the attackers’ tools are even available for free.
This is not a drill: The threats to our most personal data, our businesses, our infrastructure, our democracy, are absolutely real.
So, what can we do about it?
There were two crucial takeaways from the episode with “The Interview” that need to be recognized.
First, sophisticated cyberattacks are a new, everyday reality. That attack wasn’t the first, and it obviously hasn’t been the last. This threat isn’t going anywhere.
Second, from now on, high-quality cybersecurity must be a pillar of modern society. In 2014, it enabled millions of people to watch a movie on Christmas Eve. Now, it’s an essential ingredient to protecting our economy, our democracy and our way of life. This may all feel a little abstract, so let me be very specific about steps we can take, right now, to strengthen online security for everyone.
Everyone needs to learn the fundamentals of online security.
According to recent research (ironically, based on anonymized data collected from security breaches), the most common password last year was “123456.” A Google survey shows the No. 1 thing experts do to secure their data is update their software; that wasn’t even among the top five answers for non-experts in the same study. When I’m out of the “security bubble” and talk to people about important security measures like two-step verification and security keys, I get blank stares.
We aren’t even close to where we need to be.
Programs like The National Cybersecurity Alliance’s “Lock Down Your Login” and Google’s “Be Internet Awesome” are a great start, but we need to continue these types of conversations in school curricula, and at home with our families as well.
Every organization needs to treat cybersecurity as a constant, critical priority.
According to a prediction by the International Data Corporation, 70% of major multinational corporations based in the United States and Europe will face significant cybersecurity attacks by 2019.
Small organizations should be consulting with security experts on a regular basis; larger organizations should have a chief security officer who can drive a sound security strategy, and the supporting processes and procedures to eliminate vulnerabilities. At Google, we require all our employees to use Gmail, coupled with a Security Key – the strongest form of two-step verification – to thwart would-be phishing attacks.
For most organizations, the best solution is to use a commercial cloud service provider. Among other benefits, their scale offers visibility across a huge swath of potential threats. And if your employer is not prioritizing security with this urgency, sound the alarm.
Every citizen deserves to have government representatives who prioritize online security education and defend national infrastructure from cyberattacks.
This shouldn’t be a partisan issue; in the US, both the current and previous administrations increased funding to support the nation’s cyberdefenses. And many local governments are taking long-overdue action to secure voting machines ahead of the mid-term elections.
Citizens should demand that their representatives fight for funding of critical cybersecurity organizations like The United States Computer Emergency Readiness Team (US-CERT) that enable everyone to stay safer online. US-CERT helped coordinate this week’s disclosure of the KRACK vulnerability, an industry-wide issue. And representatives should support ongoing education campaigns, such as National Cybersecurity Awareness Month.
To tackle these ever-present threats, companies, users, advocacy groups, and governments all need to do their parts. Let’s rise to the challenge.