
Navigating Cyber Threats: Lessons Learned from Nicole Perlroth’s Investigations

With the threat landscape continuing to evolve, it’s more important than ever to examine the past and the lessons we’ve learned as we plan for the future. At CMMC CON 2024, we recently spoke with Nicole Perlroth, esteemed cybersecurity journalist, author, and member of the CISA Cybersecurity Advisory Committee, about her experience and work covering cybercrime.

Nicole’s investigative reporting has shed light on the global cyber weapons market and on how adversaries exploit vulnerabilities to undermine national security. Her New York Times bestselling book, “This Is How They Tell Me the World Ends”, brought critical attention to the cyber arms race and made her a leading voice in cybersecurity. After a decade-long stint with the New York Times, she joined the Cybersecurity and Infrastructure Security Agency (CISA) as an advisor, Ballistic Ventures as a cyber storyteller, and Silver Buckshot Ventures as a managing partner.

Most impactful investigation

Nicole started by sharing that the Chinese advanced persistent threat (APT) infiltration of the networks at the New York Times opened the door to her reporting on cybersecurity. “I think it was Dmitri Alperovitch, then from CrowdStrike, who first uttered this phrase when he was at McAfee, ‘There’s only two types of companies left. Those that have been hacked and those that don’t know they’ve been hacked yet.’ That’s what everyone kept telling me, and I made it my mission at the New York Times to tell that story.

“I could find someone at just about every Fortune 500 company to say in a completely off the record capacity, ‘We’ve had some experience with Chinese hackers’, but no one would go on the record because they were worried about what it would mean for class action lawsuits, their stock price, or their reputation. Then one of the worst and best things happened, which was that my own employer was hacked by a Chinese APT.

“I was tipped off by someone in the IT department and I asked if I could embed with them. There is nothing that can make you get religion more than watching a nation state walk into your building every day, virtually at 9:00 AM Beijing time and roll out around five,” she continued. “We watched as these hackers would come in, and it quickly became clear that they were after our sources and the sources of one investigation in particular by David Barboza, who had done great reporting on the corruption among families of leaders in the Chinese Communist Party.

“So I told that story and the editor said, ‘Why are we telling this story? What will everyone say?’ My two cents was that I didn’t think they were going to say much because there was a very high likelihood that they had been hacked too. To the New York Times’ credit, we told that story from start to finish, and it was amazing.”

Back then, no other company had been so open about a cyber attack, except for Google with the Aurora attack in 2010. For the nation’s biggest newspaper to report on its own experience with a breach was a sea change. “It was the investigation and the story that completely changed our national conversation about this threat and gave everyone a deep, accessible understanding of what we were up against,” says Nicole.

Most surprising discovery made when researching her book

While she encountered and uncovered many things that astounded her, she stated, “I wrote the book because there was one of me at the New York Times and every day I would be off covering some Chinese APT breach. I needed to bring the layperson to where I was sitting and say, ‘Okay, I know this sounds technical and scary, but I’m going to walk you into this space.’

“People needed to understand why we were so vulnerable and that a lot of the trade-offs that were being made in the name of national security were sacrificing cybersecurity. One of the programs I focus on in the book is the zero-day exploit programs within government agencies here and elsewhere. Government agencies sought espionage and sabotage value in developing, purchasing, or requiring zero-day exploits and then using those in their operations. It also meant that they had to keep secret these holes in widely used systems like iOS or Windows.

“It was important for me to call out these programs and say, ‘Hey, this is worthy of you knowing about it because it’s worthy of us having a broader national debate about why so many vulnerabilities exist in the software, and what the value of them is to government agencies for offense. Perhaps given the fact that we are getting hacked every single day, if not every single minute, it’s time to rethink some of the trade-offs we’re making in favor of offense over defense as a nation.’ That was the goal.”

Takeaways businesses should pay attention to

Businesses need to be aware that they are the new frontline, warns Nicole. “You are where the interesting IP is. You are the ones managing the nation’s critical infrastructure, or 80% of it according to the number that gets tossed around the most frequently. When a nation state wants to take us down, they’re not going to go for Cyber Command or the Pentagon, they’re going to come for you. For a long time it seemed absurd that it’s up to businesses, their IT teams, and their employees to not click on a phishing email and inadvertently let a nation state APT in. But that’s where we are.

“If you could solve cybersecurity with technology alone, then we would have solved it 25 years ago—but it’s not just an IT issue. It’s also a leadership issue, a board issue, a resources issue, a human resources issue, a cultural issue, and an education issue. It’s not just up to your CISO anymore. In fact, we need to reframe what the role of a CISO is. It shouldn’t be someone who prevents attacks because that’s asking the impossible. It should be someone who is in charge of continuing key business functions once you are attacked and trying to control the blast radius once that incident happens.”

Regulating mandatory minimum cybersecurity

“I’m not someone who thinks that regulation solves everything,” she continues. “In general, I find regulations really annoying, and in cybersecurity we have a particularly tragic history with hammers coming in and trying to do the right thing, but making things a lot worse. That said, I do think it’s time for some serious regulation.

“Sarbanes-Oxley changed everything for CFOs and reporting, and the way that large organizations conduct business. At minimum there needs to be some regulation for critical infrastructure operators to meet the bare minimum set of cybersecurity requirements.

“When I was investigating Colonial Pipeline at the New York Times, I got my hands on a confidential DOE assessment that said, as a country we could only handle two or three more days of the pipeline being down before our economy was brought to its knees. That incident happened because the biggest conduit for gas, jet fuel, and diesel to the eastern seaboard had a situation where they forgot to deprovision an employee, and that former employee’s username and password were getting sold and traded on the dark web, which consequently allowed cyber criminals to come in and completely hold our pipeline hostage.

“Likewise with Change Healthcare, the fact that all of this sensitive patient data is now out there and was never encrypted in a way that would prevent cyber criminals from accessing it, that’s ridiculous. We do need minimum standards, especially for the Colonial Pipelines and Change Healthcares of the world. We need to as a country think about doing a new kind of census. Go sector by sector and say, ‘What is the company that touches the whole ecosystem that if this one piece got badly ransomwared, it would take the whole sector down?’

“We need to identify these companies and make sure that they are meeting these minimum standards. The NIST standards are not so onerous or so burdensome that they can’t be met.” Government regulation is needed, and it is the only way we are going to make meaningful change at scale.

The path forward

“As Americans, we always think that we are fortunate to be separated from our adversaries by two oceans. Those oceans don’t exist on the internet. When you look around the world and see where countries have really done well at improving their cybersecurity exposure, it’s usually countries like Japan, Finland, and South Korea, where there is an adversary breathing down their necks. And we need to start thinking that way as Americans.

“It’s time because we are now the second most targeted nation state on earth,” Nicole concludes. “As amazing as we are, and as amazing as the American military is, unfortunately, we have the softest underbelly because we are the most digitized and an envy of other nation states economically and with our intellectual property. Every time we’re adding some element of automation to our businesses, we have to think, ‘How could this be used back against me? Just because I can hook this thing up to the internet, should I be hooking this thing up to the internet? And if I do, how am I going to protect it?’”

If you have any questions on how to improve the cybersecurity of your organization, contact the experts at CyberSheath. We’re here to help.