Election hacking. Information warfare. Adversarial artificial intelligence. All worrisome topics racing through Steve Grobman’s head these days. But the McAfee chief technology officer seems surprisingly upbeat about the prospects of meeting these cybersecurity challenges—or at least putting up a good fight.
I met Grobman at a coffee shop in downtown Boston last week. He was visiting from Texas to give a talk at the AI World Conference and Expo. Grobman previously spent more than two decades working for Intel in California and held key cybersecurity positions there, including his current role as technology chief for McAfee while it was still part of Intel. (Intel acquired McAfee in 2010 for $7.7 billion, then spun the company out last year in a $4.2 billion deal that reportedly gave investment firm TPG 51 percent ownership and Intel a 49 percent stake.)
As CTO of one of the world’s oldest and largest standalone cybersecurity companies, I was curious to pick Grobman’s brain about the latest developments in the industry—and where things might be headed in 2019. Here are the highlights of our conversation:
Xconomy: What are the most pressing cyber threats right now?
Steve Grobman: One of the things we’ve seen over the last few years is cybercrime has become a market-driven criminal enterprise. Cybercriminals will go to cybercrime capabilities that maximize their return on investment.
We saw a few years ago a big shift from data theft and selling stolen data on black markets to ransomware. Ransomware was a very attractive crime because cybercriminals could get paid directly by victims. They didn’t have to worry about the value of the data they stole going away. The problem they had with stealing a credit card number is if the card got canceled, you can’t monetize.
That has started to matriculate from just consumer and individual ransomware to now impacting larger organizations. We saw things shift into targeting soft targets. Like the beginning of last year, we started to see hospitals and police stations and … universities hit by ransomware. Now, we’re starting to see any organization that has something that could be held hostage potentially be a target for ransomware.
The biggest change, as cryptocurrency has become higher value, is a shift to cryptojacking. When cryptocurrency prices shot up, breaching a compute environment and then using it to illicitly mine cryptocurrency was very attractive, and in many cases cybercriminals could get higher revenues from that activity than holding infrastructure hostage for ransomware.
Now that we see crypto prices starting to decline, it would be reasonable to see some of that shifting back to other criminal endeavors.
The important thing for people to understand is cybercrime is just like any other market-driven enterprise, where you will have cybercriminals going through any portion of an inefficient market.
We’ve even seen some innovations in the cybercriminal enterprises, such as affiliate programs. The same types of innovation you see in legitimate businesses are happening in criminal enterprises. There are criminal organizations that set up all the technology and infrastructure, but instead of focusing on executing a ransomware campaign, they’ll make that available to others that want to get into the business. They’ll do things like revenue sharing. It’ll be built into the technology.
If a cybercriminal doesn’t have the ability to build the capabilities themselves, they can go to the underground market and join an affiliate program. They get access to technology, but they’ll be responsible for sending out phishing e-mails and getting victims to fall for the attack. We see more of these nontraditional endeavors.
X: Heading into the recent midterm elections, there were renewed fears that hackers might try to interfere with the process in some way, and reports this week that political groups were again hacked. What’s McAfee’s assessment of how things played out?
SG: There are reports out that there was continued use of information warfare during the election cycle.
A lot of the election infrastructure at the county and state level is lacking even the most basic cyber hygiene controls and is really a disaster waiting to happen. It’s unclear that there was actually mass exploitation [during the midterms]. We haven’t seen reports of that. But what’s concerning is all of the vulnerabilities are essentially there, and nothing would prevent even an unsophisticated actor from tampering with the 2020 election cycle. One of the things we’re advocating strongly is take 2019 and use 2019 to get a lot of that infrastructure in much better control for 2020.
One of the things that is concerning is there are certain information systems that local election boards [run] that are publicly facing—things like the election websites that provide sample ballots, information on where to vote. Part of the problem is everybody does things a little differently. What we’ve found is two major issues that were glaring. One is over 70 percent [of local election websites] don’t use dot-gov top-level domain names. The way this actually came to my attention is I stumbled onto it. I recently moved to Texas, and I needed to find out where do I vote. The website is votedenton.com. [For Denton County.—Eds.] It occurred to me, “Wow. Dot-com, really?”
There’s really no governance that says you need to use a dot-gov [URL] extension. There’s really nothing preventing [a malicious actor] from going to GoDaddy and [purchasing] vote-denton.com. [Notice the hyphen, making it subtly different from the official local election site.—Eds.] Would a normal person be able to know which one of those sites is legitimate? You can’t.
Part of what we’re advocating strongly is we want to get to a point where all local election boards and counties are using dot-gov to make it much easier to give guidance to the general public where we can say, “Only trust a site if it’s dot-gov.” But for now, we can’t even do that.
The other major finding that was shocking was
