There are many front lines in the battle to secure cyberspace for any given business: hackers, nation states, corporate espionage, supply chain security, AI-powered cyber tools, and ratcheting-up risks with the Internet of Things.
All these facets—together with the tech companies carving a path through the dangers to take control in the ever-shifting state of play—were the focus of Xconomy’s Cyber Madness forum held in Boston last week. Big thanks to EY, our host, for providing a fantastic space with stunning views, and top-notch support.
And special thanks to Keith Patankar of Patankar Photography & Design for taking photos.
The half-day conference, held April 8, broke open a range of case studies in security to help professionals get their arms around today’s challenges and tomorrow’s innovations in the sector.
“Try to get hacked in order not to get hacked,” was the prescription of Marten Mickos, CEO of HackerOne, a San Francisco-based company that assembles ethical hackers who probe computer systems and collect bounties for spotting vulnerabilities. Mickos and Olivia Brundage, an information security engineer with Washington, DC-based Mapbox, outlined how her mapping startup used the collective to hunt down soft spots in its software application and network infrastructure.
“The bad guys are already in your underwear, in your pockets, stealing everything you have,” Mickos said. “Every system will get hacked, and it is better to enlist the ones who will tell you how they did it so you can fix it.”
The event brought together executives, founders, investors, and security professionals from a range of industries, all seeking practical takeaways about the evolving cyber battlefield.
Michael Daly, Raytheon’s (NYSE: RTN) chief technology officer for cybersecurity and special missions, kicked off the day in a discussion with Xconomy Editor-in-Chief Greg Huang about how he secures his digital self at home, at work, and on the road. He said technologies such as blockchain’s distributed ledger and quantum computing top his list of those likely to lead to breakthroughs in cybersecurity.
The intellectual property risks emanating from China came into full view as American Superconductor CEO Daniel McGahn presented how his Ayer, MA-based company (NASDAQ: AMSC) survived a corporate espionage plot and successful cyber theft on the part of its largest customer—a damaging blow that resulted in 600 lost jobs and more than $1 billion in market cap erased.
In 2011, an American Superconductor employee took a $1.7 million bribe from a Chinese customer to steal the source code of software that managed power flow in wind turbines. The theft was investigated and eventually prosecuted by US authorities, resulting in a guilty verdict and a $59 million settlement from the customer, China-based Sinovel.
“It’s very James Bond movie-like. … It sounds fun, but it sucks to live it,” McGahn said. “We are at war with China, and we’re losing.”
The exploding growth of web-connected devices, from thermostats to baby monitors, has raised alarms about how many more entry points hackers now have to get into people’s personal networks. It has also prompted discussion of what security standards these devices should be held to before making their way to store shelves.
The risks are starting to sink in more broadly as the cyber world is increasingly stitched into people’s domestic lives, said Emily Frye, director of cyber integration for the MITRE Corp.
“The idea is becoming more real to us because the space we traditionally considered cyber spaces are no longer distinct from our actual bodies, right?” Frye said, highlighting that the internet touches many people’s home climate control systems and even refrigerators.
Moderator Rick Grinnell, co-founder and managing partner of Glasswing Ventures, asked Minim CEO and founder Jeremy Hitchcock whether the IoT industry had learned its lesson in the wake of massive botnet operations such as the Mirai distributed-denial-of-service attack in 2016, which took advantage of security holes in web-connected devices to temporarily render much of the web inaccessible. Hitchcock said software developers know how to write more secure code nowadays, but there isn’t always the incentive to do so for low-cost consumer devices.
“We have the best shovels,” he said, “but just don’t want to commit to digging.”
Cybereason chief information security officer Israel Barak presented step by step how one of his company’s “honeypot” intel-gathering operations quickly learned how a power control system, such as an electrical substation, could be compromised by hackers. Once Cybereason launched its fake computer system, which, to outside hackers, looked and felt like a real power control system, it took two days for it to be compromised.
In a panel of cybersecurity CEOs that included Veracode’s Sam King, Rapid7’s (NASDAQ: RPD) Corey Thomas, and Onapsis’s Mariano Nunez, the question of the day was how to keep up with how fast the field is changing.
“How do you add sophistication and simplify [the product] at the same time has been one of the harder skillsets to navigate,” Thomas said.
Xconomy deputy editor of tech Jeff Engel contributed to this report.