September 22—When the Colonial Pipeline was hacked last spring, it forced the company’s only complete operational shutdown in 57 years, ceasing its normal daily transport of 2.5 million barrels of fuel for five days. This is just one instance of widespread cybercrime in the past 12 months. Online attackers are getting increasingly sophisticated, finding new ways to outsmart our defenses. Chief Investment Officer Tony Roth sits down with cybersecurity expert Morgan Wright to discuss what businesses and individuals can do to stay safe from ongoing cyberthreats.
Please listen to important disclosures at the end of the podcast.
Wilmington Trust’s Capital Considerations with Tony Roth
Episode 41: Cybersecurity
Tony Roth, Chief Investment Officer, Wilmington Trust Investment Advisors, Inc.
Morgan Wright, Chief Security Advisor, SentinelOne, Senior Fellow, Center for Digital Government
We’re saying how do we respond to these things as opposed to how do we stop them. Anytime you say how do we respond to them you are automatically implying we have no capacity to stop them. And, yes, we do actually. With things like artificial intelligence, machine learning, we are getting better and better at stopping these threats.
TONY ROTH: That was cyberterrorism and security expert, Morgan Wright. Morgan is joining me today to share his views on the security threats we’re facing today and how they’re likely to evolve in the future.
Welcome to Capital Considerations, the market and economic podcast that’s fully invested in your success. I’m your host, Tony Roth, chief investment officer of Wilmington Trust. When the Colonial Pipeline was hacked this past spring, it forced the company’s only complete operational shutdown in its 57 years of business, cutting off it’s normal daily transport of 2.5 million barrels of fuel for five days. This, unfortunately, was just one instance of widespread cybercrime here in the U.S. over the last 12 months. Online attackers are getting increasingly sophisticated, finding new ways to outsmart our defenses. And the problem is only getting worse, with the FBI’s Internet Crime Complaint Center reporting year-over-year increases in both crimes reported and total losses over each of the last five years. How are individuals, businesses, and investors supposed to stay connected while staying safe? Here to help us better understand cybercrime and data security is Morgan Wright, an expert on cybersecurity strategy, cyberterrorism, identity theft, and privacy.
After a successful career in law enforcement, Morgan served as a senior advisor in the U.S. State Department Anti-Terrorism Assistance Program and his testimony before Congress on healthcare.gov changed how the government collects personally identifiable information. Morgan has worked as a cyberterrorism and cybercrime analyst and consultant for FOX News and FOX Business and has made hundreds of media appearances as an expert on cybercrime and computer intrusions. Morgan, thank you so much for being here today.
MORGAN WRIGHT: Tony, thank you very much for the invitation. Looking forward to it.
TONY ROTH: It’s a particularly apt moment given that we had a so-called zero-day exploit, a virus that impacted the main Apple iOS operating system for their phones and they just released a fix for that earlier today and that affected a lot of us. So, a very good moment to have this conversation. Before we begin, as I always do, I want to stress that Wilmington Trust is nonpartisan, and we take no political position one way or the other.
So, Morgan, I think there’s so many ways we could enter this conversation. But I mentioned at the top of the introduction the Colonial Pipeline incident and that was a case of what we call ransomware, which is to say that the company was hacked. Whatever the threat was, and you’ll tell us what that was hopefully, they had to pay a lot of money. And maybe you could just tell us a little bit about it. It’s sort of abstract for us. But when we were waiting in line to get gas it became very real how serious this kind of stuff is.
Who was behind this in your estimation, what were they trying to get? I suppose it was just money. But, sounds like they got a lot of it.
MORGAN WRIGHT: They certainly did, close to $5 million and we’ll talk a little bit. They were able to claw some of that back. The FBI worked with them. However, though, this was one of the first instances, Tony. When I testified before Congress, you know, we were talking about healthcare.gov. You know, it’s not sexy. When we talk about computers, things aren’t sexy because you don’t really see anything happen. I mean I—people would rather see Seal Team 6 rappel off of a building than talk about an intrusion, you know, in a computer.
What happened here though was this was a watershed moment and as people are listening, just realize, this was the first time we were able to see a visible impact to a cyberattack on our critical infrastructure, that being oil and gas. And what the attackers did is they found one system that did not have—they reused a password. They found it on the dark web. They were able to exploit that password, get access through one system, through an account that had not been shut off. And they were able to infect the administrative system, fortunately not what’s called the operational side, you know, the industrial control side, Tony.
But the fact is they shut down production and supply because they had no means to track where the oil was going, who was getting it. The image everybody remembers now is the poor lady pouring gasoline into a plastic shopping bag because everybody perceived that we were going to run out of gas. That’s the impact this hack had.
TONY ROTH: So, I’ve always been worried that somebody would shut down the whole electrical grid based on we wouldn’t have power or whatnot, and this is sort of an instance of that. So, essentially, they had a password, they were able to get into the system. They put some kind of virus that they could take back, right, so that if—they said if you pay us $5 million or whatever the number was, we will remove this malware from your system. Is that what happened?
MORGAN WRIGHT: Yeah, ransomware. What ransomware does is it does exactly that. It holds your data, it holds your system for ransom, and it uses encryption. It uses the same thing you use to protect your financial transactions. They use this to lock up every file with a secret key. And if you want that secret key, you want the decryption key, you pay them $5 million, you know, or close to $5 million. First of all, been my experience at SentinelOne where I’m chief security advisor, whether I, you know, I’ve been talking to members of Congress or the military, been our experience if you pay ransom once you will most likely be targeted two to three times over. Why? Because you’ve made yourself a victim. You, you’ve identified yourself as somebody willing to pay.
They will continue to target them. And in this case, they encrypt all your files and if you pay the ransom, it takes an excruciating long time to decrypt the stuff and most people who get attacked do not have an aggressive and up-to-date backup system, you know, backups of all of their information. So, it does. They are truly, Tony, held hostage to the attackers and unless you pay, then your files stay encrypted, and you lose all your data. You lose your ability to operate.
TONY ROTH: So, in this case was Colonial behind the curve or was this rather a case where they had a reasonable program in place but the people that got this password were so sophisticated in being able to find it in the dark web and then introduce this malware, that Colonial could not have reasonably protected themselves?
MORGAN WRIGHT: So, I would give this example. Imagine building a bank and you’ve got the best vault in the world, it’s got the best controls, it’s got, you know, it just, you just can’t defeat it, but you leave the door unlocked. The vault is no good. And what happens with a lot of these folks is they think, well, we’ve done a reasonable job.
I will tell you this, Tony. People do not spend enough, especially in the critical infrastructure area on cybersecurity, because why? It’s a cost center. They can’t really assign a profit to it. They can’t say we spent X dollars on cybersecurity, and it generated us, you know, 2X, you know, in return.
What happens in this case is they spend the bare minimum. I’ve dealt a lot with the critical infrastructure organizations. I helped stand up the first infrastructure or information sharing analysis center for the financial services sector called the FS-ISAC. People, especially in oil and gas and the energy grid, they are behind the curve, just like health care is, just like education is, in terms of applying patches.
But the biggest mistake here made, Tony, was they didn’t account for old accounts. They failed to shut off an old VPN account and somebody was able to harvest an easy-to-find password off the dark web and use that to get into the, should have been deactivated, account of an employee who left and get into the system. So, you can spend all the money you want, but if your controls are not good, if you don’t exercise the right due diligence, and if you don’t patch your systems and shut off these old accounts, you just leave a gaping hole somebody can drive a Mack truck through.
TONY ROTH: So, it sounds like bad electronic hygiene to me.
MORGAN WRIGHT: Very bad hygiene.
TONY ROTH: What was interesting to me about this particular attack is that it sort of conflated two things and maybe you could help sort it out for me. When I think about the perpetrators of these kinds of acts, I either think of, on the one hand, private actors, so gangs in Russia or China that are very sophisticated that are trying to get money. Is this about the money? Or, on the other hand it could be government, could be North Korea or Iran or it could be China or Russia that’s trying to test out the capabilities to see how they could negatively impact us during a more geopolitical moment that they want to do that.
And in this case, they were clearly after money. But at the same time, I heard that the Russian government was behind it. So, it sort of conflated those two types of actors that I thought were sort of distinct. Can you help me with that?
MORGAN WRIGHT: You basically have two types of actors. You have state actors and non-state actors. And based on who you are, that usually defines your goal, your mission, what the end game is for you.
And so, the objective for state actors is usually espionage. It’s information. In the case of China, they are the biggest offender of intellectual property in the world. The U.S. trade representative does a study every two years. China’s responsible from anywhere from $600 to $800 billion lost in intellectual property a year. They use that to accelerate the curve on R&D.
So, they, it’s espionage. It’s industrial espionage. But it’s also intelligence gathering. It’s information gathering, such as with the Solar Winds exploit, the campaign that was—we heard about in January where a company called Solar Winds had this network management software that was embedded throughout the government and they were able to exploit that in a, what’s called a software supply chain attack and read emails and see information.
But then, the other thing state actors tend to do is what’s called malign influence. For example, 2016, Russia did a lot of influence in the election. I, and I’m very careful. People also conflate the word influence and interference in these areas, Tony. Interference is an issue of sovereignty. If they actually interfered in our election, like they stopped people from voting, they destroyed databases, they, you know, shutdown, hacked in, that, that’s an issue of sovereignty.
What they did was it’s called malign influence. They actually found wedge issues, abortion, gun control. Now it’s about COVID. You know, they, we’re finding that they’re driving issues around vaccinations and va-, what they call vaxxers and anti-vaxxers. Again, what—it doesn’t matter. Russia, China, they don’t care who’s in office. What they care about is creating division. They care about creating confusion. Those are objectives for a nation state. For non-state actors, it’s money.
TONY ROTH: So, the state actors are going after something other than capital. They’re going after effects within the Western world. And while I appreciate that the Russian meddling in our election through the introduction of additional call it propaganda, if you will, into social media, etcetera, that impacted the election arguably is untoward. It’s not how we think about the purity of our democracy.
I don’t typically think of that as a cybersecurity issue per se and maybe I should be, because I think of that as more, if you will, subtle mind control through false information. But it’s not necessarily somebody going and breaking into a secure system as such. Do I have that wrong?
MORGAN WRIGHT: There’s a couple aspects to it. For one thing, it is a cybersecurity issue from the standpoint as you start thinking about defending yourself against attacks or looking at the origin of where information is coming from, you start looking at, where does the IP address, you know, the internet protocol address come? Where does it originate out of? And one of the things Russia did was find a lot of servers in the U.S. to make it appear as though it was U.S.-based.
That creates an issue of deception. That creates an issue of influence. But, let me tell you, from a security standpoint—and cybersecurity is more than just ones and zeroes. It’s about people. We used to call it PEBKAC, problem exists between keyboard and chair. You know, it’s usually the human that is right in the middle of this.
And so, if I can get you, if I can access your information or find out who your contacts are, I may not be necessarily breaking into a system to take it down. But, Tony, if I can find out who you’re talking to, who you’re connected to, if I can social engineer my way into your social media account, I can use that spread this maligned influence.
So, cybersecurity is not just a, well, we just have to secure a computer or a piece of hardware. It’s about your personal information. It’s about your password. It’s about your data. It’s about your social media presence. So, it is all-encompassing.
And what Russia was able to do, China is able to do, they do it on a much longer term, is they’re able to influence actions, activities, narratives on the internet. And one of the ways you do that too is through the targeting of people who are influential in certain communities in order to understand what are they saying and who they’re talking to so I can go influence them? Or, in some cases, which is what happened with Saudi Arabia and what’s happened definitely with China, people die. The lack of cybersecurity or the use of zero-day exploits have led to the death of people.
TONY ROTH: When you think about the Russians and the Chinese, it sort of feels like the Russians are more focused on meddling, maybe extracting some money. They seem satisfied with that.
I would describe what the Chinese do much more as economic espionage and appropriation of intellectual property at a much greater scale of harm than what the Russians have been doing historically. Now, of course, the Russians could do something very malign like disrupt our electricity grid or Defense Department, God forbid. But generally, it seems like what the Chinese are doing is dimension of the economic impact is much greater and they would probably be the largest offenders here. Would you agree with that?
MORGAN WRIGHT: Yeah. China definitely has economic interests in mind. When they do stuff, it, it’s usually it’s totally about espionage, whether it’s directed against the government or industrial espionage to find what’s the research on COVID.
I can assure you right now that China has what we in intelligence parlance is called you get a targeting officer. You task somebody with saying here’s the information I need. And they will assign targeting officers to go after things, like I want to know what Moderna’s doing, I want to know what Pfizer’s doing, I want to know what Johnson & Johnson is doing, I want to know what the studies are saying, I want to know what’s the most effective mixture, I want to know what the efficacy is, I want to know what clinical trials are saying, because they are stealing it for two reasons.
One, for because there’s a lot of money to be made in vaccines. And, number two, for them it’s a national security issue. They rank near the bottom on freedom of the press when you look at Reporters Without Borders. So, we don’t have any idea how bad things really are in China in some places. And so, for them stopping COVID, finding an effective vaccine, is a national security issue.
Russia on the other hand, you got to remember, Russia has created basically the first intelligence organization. It was called the VeCheka and it was back from World War I. They are masters at intelligence and looking at the long game. And, you know, that’s why there’s so many Grand Masters in chess out of Russia.
So, they approach it different ways. But one thing China has that Russia doesn’t is 1.44 billion people. That’s what China brings to the table. Russia is the best at this in terms of intrusions. But China can put 10 people for every one person Russia can put on it. So, just from a scale standpoint, they’re a herd of cattle just stampeding through your cafeteria.
TONY ROTH: Well, Morgan, I thought it was really interesting. A couple days ago I read that the Chinese government had spent a half a billion dollars licensing a vaccine from Canada, which is an mRNA vaccine, which is the basis for both the Pfizer and Moderna vaccines. And that’s an instance where I suppose they were not able to get the formula through elicit means and had to engage in a fair bargaining in order to get that intellectual capital.
MORGAN WRIGHT: Actually, I would just, I would put a different spin on that. What I would say is that the need was so great as they didn’t have the time to do the full R&D or do the full development. They’ll still do that, trust me.
But the need right now was so acute that they needed to have something in-hand that was already ready to go. Now, that will not stop them in the future from appropriating intellectual property, looking at the vaccine themselves, and saying, hey, we could replicate this.
Look, when they tried to—they made a big announcement, so did Russia, we’ve got our own vaccine, everybody, you know, we’re good. Except it was crap. You know, it didn’t work. And so, in the rush to do this they realized they weren’t good at doing this. And so, now they’re buying it from Canada.
China does what we call the three Rs. They rob you, they replicate it, and they replace you. First of all, they rob you of the technology. Then they replicate it. Then they replace you in the market and they do that from physical products to digital products to vaccines.
TONY ROTH: So, moving away from for a moment and this is perhaps a digression. We had a recent episode on bitcoin and cryptocurrency. It was a great episode. Is it the case that moving away from the state actors and back to the private actors that in a way the presence of crypto has really enabled them because it allows them to attain their goal, which is to get paid a financial transaction in a fairly secure and anonymous way? And would they be as successful with their entire ecosystem of malware and ransomware if they didn’t have the advent of cryptocurrencies?
MORGAN WRIGHT: So, many years ago I used to run the internet investigations for Microsoft, their Law & Corporate Affairs department, and I did all the internet investigations for pirated software, because they didn’t have the expertise at the time. They’ve come a long way since then. And it was very easy to shut down transactions because everybody relied on an email address or send us money orders or cash. That was easy to shut down. You send a demand letter, you could shut it down.
Now, fast-forward. It was the dark web, and the dark web was actually created by the Naval Research Laboratory. So, what we would call the Tor Browser, the dark web, was created by us in order to allow secure communications of human right activists, of our military overseas. And then, what happened was is they started doing things like what was called Silk Road. They were selling drugs over the internet. But the problem you ran into, Tony, was there was no way to effectively monetize it because they kept getting shut down.
Had it not been for bitcoin; bitcoin is what enabled the dark web to survive and actually thrive in many of these areas and the reason being was the anonymity. Now, I say limited anonymity because you—there are now techniques and I’ve talked to the people who are doing them over at Treasury and other places. It is possible now. It takes some effort, but you can now track back, as they did with DarkSide, as they did with some of these ransomware actors to track back to the wallets and find out where these things were being tied to.
Because what happened, a couple of these cases that have been made have been based on not the fact that the crypto wasn’t secure, that the transaction itself, you know, the underlying technology is sound. But it’s the implementation of their trade craft, of their—how they protected their secrecy. That’s what was penetrated. So, it’s like, again, it’s like having that bank vault. Hey, that bank vault is solid. You can’t drill through it. You can’t blow it up. But if you leave the front door open or if you leave the combination on a sticky note on the front of the safe, it does you no good.
And that’s the way to exploit things like cryptocurrencies, bitcoin, you know, whichever cryptocurrency you want to do. The internet has a return address. It may be tough to find sometimes. But if you put something out there and want something back, there is a way to trace it back and the Treasury has got tools now that they’re using to do exactly that, because I think that will be the next watershed moment with governments is how do we regulate crypto, you know, how do we bring it into the fold. And with Facebook announcing their Diem, you know, and their foray into digital currency, this is going to be a very interesting time for crypto, for digital currencies, to see what happens.
TONY ROTH: Yeah. Well, it’s surprising that the government has been, has taken such a passive let’s see what happens attitude with them, because clearly, it’s been an enabler for a lot of bad actors.
MORGAN WRIGHT: That’s the only way ransomware works today is through bitcoin. You can’t send a check. You can’t send bags of cash. You know, it’s the Willie Sutton conundrum, which is, remember he’s the bank robber back from the ‘30s. You know, why do you rob banks, Willie? Because that’s where the money is.
Now the thing is you could still, you can rob all these companies using bitcoin because you don’t have to physically be there anymore. That’s why organizations like DarkSide we were talking about earlier, they’re not directed by Russia, but they operate with the implicit approval of the Russian government because we have no extradition treaty with Russia. We don’t have legal attachés over there that work with us. We don’t have mutual legal assistance treaties.
So, it’s very difficult to find and arrest people in Russia. It’s basically, it’s impossible to extradite them back. So that’s why organizations like that operate in North Korea, Iran and where do—where don’t we have extradition treaties with? China, Russia, North Korea, and Iran.
TONY ROTH: So, let’s talk about Solar Winds, Morgan. Solar Winds was an attack on the U.S. government was it perpetrated by we think, our best idea at this stage is the Chinese?
MORGAN WRIGHT: No. It was the Russian, Russian intelligence most likely.
TONY ROTH: It was the Russians.
MORGAN WRIGHT: What’s called GRU, their military intelligence arm.
TONY ROTH: So, it was multiple departments of the U.S. government, and the media portrayed it as something that was really devastating, that could take years or decades for our government to recover from. And unlike the woman with the bag of gasoline, this is something that none of us feel directly. So, can you dimension this for us? How important was this, and how deep was the harm, and how long will it take us to recover?
MORGAN WRIGHT: Let me put it in perspective for you. I watched the Senate hearing on this when Russians, when Republicans and Democrats are all in agreement on the committee hearing. It was chaired by Senator Mark Warner. The co-chair was Senator Marco Rubio. They asked some of the best questions I’ve seen in a Congressional hearing, whether it be the Senate or the House. This was a real bipartisan issue of where they said this affected us. And why? Because it gets into the supply chain. It gets into—everybody fundamentally believed that the updates they were getting were fine, they were safe. And what Russia did, they actually exploited human vulnerability, the way we think, Tony.
What happens is that if you bring it in, it’s kind of like you bring this software in and there’s this area they call the sandbox, which is a very walled off area, and you watch this software operate for a few days. And if nothing bad happens, you say, hey, this software’s good. We’re going to put it into our production environment.
All Russia did was say, okay, comrades, how long do people normally keep it in the sandbox? Anywhere from three to five days. They made their software wait 14 days before it activated to make sure that it was safely into the production environment. What they did is they were able to penetrate into the company called Solar Winds. And I hate using their name because it—a lot of people got targeted. Pulse Secure VPN got targeted. Microsoft’s been targeted with a lot of the same stuff.
But they were able to get into their supply chain in terms of their update server. And when you get the updates, you just put them in there, because there’s no way to really go back and reverse engineer the patches and the software updates and go, okay, really what’s in here? So, there was this whole issue of trust that was exploited but the real problem was, Tony, it was the software that was being updated. It was called network management software. It allowed access too everything in your network.
So, they were reading emails. They were looking at messages. They were looking at communications. They were seeing documents. They had unfettered access. They were like 10,000 invisible flies on the wall watching everything that was going on and had—
TONY ROTH: How long did it take us to eliminate that access once we became aware of it?
MORGAN WRIGHT: Oh it—you won’t. It’ll take years. And the reason it’ll take years is because some of this malware we don’t even know where it’s at. I know some folks down at the Department of Justice. They say it’s just easier for us to throw the hardware away and start with new hardware than it is to spend all the time trying to find where the vulnerabilities are in the software.
TONY ROTH: Anybody that was affected or possibly affected, you just start over?
MORGAN WRIGHT: Yeah. This is the government. I mean they can’t. You know, this, these are the same people that bring you the Post Office, you know, the model of efficiency. They will not be able to ever replace everything because every agency is different. Every cabinet level agency is different. The State Department has some of the worst spending on cybersecurity in the federal government. Many times people are using computers. There’s a joke we had inside the DOJ in the intel community, yesterday’s technology tomorrow. There’s still places where they’re running software that hasn’t been officially supported by Microsoft for five or six years.
It’s the nature of bureaucracy and it’s the nature of procurement, which is the biggest offender, I think, here is the way we procure things. Now they, the DHS and CISA, called the Cybersecurity Infrastructure Security Agency, have put out a lot of rules and they’ve really done a good job of kind of tightening things down. But they will never be for sure that they’ve eliminated everything and the only way to make sure is to actually physically get rid of that piece of equipment, you know, and rebuild the code from scratch.
TONY ROTH: So, you’re saying I shouldn’t be running Windows 95 at home still?
MORGAN WRIGHT: Yeah. You could as long as you don’t put your 401K on there and all your important financial … If you’re playing games on it, have at it. Just don’t connect it to your home network.
TONY ROTH: I want to ask you about one more hack and then I want to talk about some of the issues that come out of all these incidences and that is the Chinese hack on Microsoft 365. Given that the Chinese generally aren’t looking for money and they’re probably not even looking to directly disrupt our government, were they looking for IP? What was that one about?
MORGAN WRIGHT: North Korea really is the one country that looks for money, followed by Iran. China doesn’t need that as much as what they need is the theft of intellectual property to accelerate the research and development and they’re looking for information. They have a philosophy called the thousand grains of sand. It’s not important, you know, how big the information is. They collect all of it and they put it and if you get enough grains of sand, eventually you see the mosaic of information that’s out there. And that’s what they do.
So, they harvest everything. They vacuum up everything that they can. And with 365, because 365 is what? It’s a staple in the U.S. government. And now, you don’t get a disk or a CD and up-, update your software. It’s all cloud-based now. Everything is done over the cloud.
So, they’re able now to at scale find these vulnerabilities, infect them with the malware, and be able to watch the communication. Their goal is in those cases, Tony, it’s not to disrupt. It’s to monitor and collect.
TONY ROTH: You’ve said, Morgan, that every day you wake up and it’s a new set of threats. It’s a new world we have to defend against. And it would seem to me that as you pour billions into this you would narrow the threat, you would minimize the threat. And every time there was a successful transgression, you would have learned how to close that type of transgression off such that it wouldn’t recur. Yet, they always recur. And is it because we have a fragmented, disorganized defense system in the cybersecurity ecosystem? Or is it because there are so many almost innumerable ways to get through the system that there’s always going to be new threats, you’re always going to have to be constantly reacting to the latest threat, it doesn’t matter how much money you spend?
MORGAN WRIGHT: Yeah. That’s been an issue with we have spent more and more on cybersecurity and become less and less secure. And one of the reasons was I think we’re spending it in the wrong way. So, I think we’re addressing the wrong problem.
I’m actually going to be speaking at a security conference in Michigan here in a couple days. Title of my topic was, you know, hey, what can Elon Musk and SpaceX teach us about cybersecurity? And it’s because we are asking the wrong questions. We are framing the issues wrong.
We’re saying how do we respond to these things as opposed to how do we stop them. Anytime you say how do we respond to them, you are automatically implying we have no cap-, capacity to stop them. And, yes, we do actually. With things like artificial intelligence, machine learning, we are getting better and better at stopping these threats without even allowing them to happen.
The real question is to take kind of a page out of Albert Einstein, he said the problems of today cannot be solved at the same level of thinking at which they were created. Elon Musk changed the paradigm in the space field by simply saying why can’t we reuse rockets? Now you’ve got these rockets that actually they take off and then they come back down. You can actually reuse the most expensive piece of the orbiting vehicle, which is the rockets, the boosters.
And so, that’s what I keep saying is, Tony, the reason we don’t learn our lessons is because everything changes quite frankly. We have new technologies that come out. We have new phones. We have new operating systems. So, it is a constant battle. But I think, if we step back and simply say what’s the problem we’re trying to solve, what are the technologies that show the most promise to do that and I will tell you it’s looking at the behavior of things. It’s not about I have a signature. It’s like I have a fingerprint and I’m going to look for this fingerprint and if it’s there, we’re going to stop it and if not, well, they change their fingerprint. So, all of your effort is wasted.
Instead, we have to start looking to say what is bad behavior inside of a system or software, what does it look like, and how do we stop it? And it was effective. There were companies, you know, full disclosure, I’m the chief security advisor for SentinelOne. We stopped the Solar Winds attack from happening and, in fact, the software was specifically written to say if you see SentinelOne inside the environment, do not operate. Why? Because we weren’t looking at signatures. We were looking at behaviors and what are bad behaviors inside of systems.
And so, that’s where I think it’s going to take us a long time to get there. You take the world as you find it, not as you wish it was. I mean every day you’re right, you wake up, it’s—if I hear the use of the word new normal again.
It’s an overused phrase and it means absolutely nothing. The real question is what’s the reality today? What am I dealing with? But the real question is firefighters, if you want effective firefighting, it’s to go out and clear the bad areas before the fire gets there, not responding to the fire afterwards.
How do we stop the fire from spreading? And it’s doing the work upfront, clearing bush, taking down dead trees, doing those types of things. We’re not doing that. Instead, we are so far behind the curve. We’re spending all of our time responding as opposed to stopping these events that are happening.
TONY ROTH: So, when you say we in this context, who is the we, and do you include our esteemed financial institutions? So, specifically, do I need to worry if I have a bank account at Morgan Stanley and I have a bank account at Wilmington Trust, and I have a bank account at J.P. Morgan, and maybe even a couple others, that I’m going to wake up one day and I’m going to find out that all of this value that I’ve worked so hard to create my whole life, which basically exists as an entry in an electronic bank account someplace, that information is going to have disappeared, and no one will be able to reconstitute that I had X amount in my account and the money will effectively be gone. Something of that nature, do I need to worry about that? I mean I’m paranoid, but should I be that paranoid?
MORGAN WRIGHT: You know, look. Just because you’re paranoid doesn’t mean they’re not out to get you. But it doesn’t mean that they’re targeting you specifically. And when I say we, I, you know, collectively we.
TONY ROTH: Can they wipe out your whole financial record?
MORGAN WRIGHT: Financial institutions are tougher targets for two reasons. One, they spend more of their budget on cybersecurity than probably any other critical infrastructure sector. Second of all, banking has a reputation issue that they focus on, which is if you are deemed to not be secure and you lose money all the time, nobody’s going to do business with you. Banks will spend, financial institutions will spend $10 million to solve a $1 million problem because it’s about reputation and it’s about trust. And so, they have spent proportionally for that.
But I will tell you this. I sat in a National Security briefing with the Assistant Attorney General for National Security, a guy at that time named John Carlin. Every Fortune 500 company has been hacked, every single one. And, all it takes is one exposure. It takes one problem.
So, to answer your question is it possible? Yes, it’s possible. If a determined adversary wants to wipe out something and go after something, if they spend enough time and money, they have a good chance of succeeding. However, though, when we look at financial institutions, when we look at now more and more some of the critical infrastructures are spending the right amount of money. This is about like a firesafe. It’s not designed to last forever. It’s designed to last long enough to detect the bad behavior and bring resources to bear to stop the attack from happening.
So, is it possible? With cybersecurity in ones and zeroes, anything’s possible. However, the probability of it goes down the more that you effectively spend money on your cybersecurity as a percentage of your overall IT budget. So, if you spend very little on it, you will be a target and it will be easy to take you down.
But, again, Tony, the other thing too, all it takes is one mistake. All it took is—was one server that wasn’t secured with two factor authentication out of 250 for bad actors to come and steal several hundred million dollars out of banks. So, you know, that’s an actual case. It goes back to are we taking all the right steps to secure our systems, our passwords, you know, shutting off accounts and making sure that we’ve got all the proper controls in place?
So, I wouldn’t say that you’re going to wake up and everything’s going to be gone with J.P. Morgan, you know, or Wilmington Trust. But if you don’t have the proper controls, if you aren’t spending effectively the right amount of money, it will cost you far more than that to recover from an attack.
TONY ROTH: So, Morgan, what should we do as individuals to protect ourselves? I probably have, as we all do, passwords for hundreds of different websites. I mean at any given time I I probably know or identify the password for some fraction of them, although probably pretty many because I tend to use the same password for most. What I have done is any financial institution that I work with, I have a special password which is a little bit more complicated and I only use it for those four or five different institutions so that it won’t be in circulation as much, won’t be appropriated and then, you know, at some lower-security institution and then reused there. That’s my approach. It’s probably a horrible approach.
What do you think? What should we do as individuals to protect ourselves?
MORGAN WRIGHT: When I was a state trooper, one of the things I got a lot of training on was driving emergency vehicle operations. And one of the things I found is all the skills I developed in my professional job translated over to my personal driving and helped me avoid some accidents. So, you can’t change your world up to say, well, there’s my personal life and there’s my professional life. No. There is just life now.
So, to your point, one of the things I created and it’s a free thing, folks. If you use it, that’s fine. If you don’t, that’s fine too. It’s called freepasswordcourse.com. I have a lot of passwords. I have none of them written down here. If you searched my house, you wouldn’t find a single password written down because it goes back to human behavior.
You know, you teach people a pass phrase. You teach them a template. You teach them that one time and I can plug anything into it. And I have a different password for each resource that I access. And if one gets compromised, that’s great. That’s the—that’s only one.
If you used passwords in combination with a second factor like a texting and SMS code to you using two factor authentication, something that, a username, password, and a second factor, that’s why they call it 2FA or MFA, multifactor authentication, you’re better than 95% of the computing public, you know. And I would make sure that any account you have that has two factor you use it, you turn it on.
In fact, there’s a site out there. It’s a free site called Two Factor Auth, T-W-O-F-A-C-T-O-R-A-U-T-H, twofactorauth.org. It lists all of the financial institutions, all of, whether it’s Amazon, Microsoft, lists all of these places that have two factor. And then it has a link there to show you how to go in and turn it on.
So, I have two factor for every social media account, for LinkedIn, for my Gmail, for my regular mail, for web resources. So, I’m not saying that I’m impervious to getting hacked. You know, it’s bad for business if I do. I’m just going to make you pay an economic price if you try and attack me. I’m going to extract a high economic price out of you because I’m going to make it as tough as possible to get in. And that starts with fundamentals, username, password, two factor authentication, and use encryption on everything, on your—anything that moves, any wireless, any data. Everything should be encrypted.
TONY ROTH: Well, it sounds like if I take your class, freepasswordcourse.com, in the next few nights I’m going to have a busy weekend probably redoing all my websites.
MORGAN WRIGHT: Oh, it’s easy. You can do it. You can do it in less than an hour. Yeah. But, yeah, changing your passwords. But I will tell you this, Tony, the one mistake a lot of people make. There is this fiction out there that if you have to, you need to change a password every 30 days or 90 days to be secure. Absolute fiction. There is not a piece of empirical data behind that says your passwords are more secure.
In fact, the research shows your passwords are less secure, because what do people do to their passwords? They add a one to it or a two or a pound sign or a question mark or they just flip it around. Everybody knows this game. Everybody knows what you’re doing.
So, if you have to change your passwords every 30 days—the only time you should ever change a password is when you have been given information that it has been compromised, because other, otherwise you take a very strong password and you dilute it over time by adding known characters to it. And if I can figure out that it’s a one-two-three-four at the end of your password, that allows me then on a broad scale to do cryptanalysis and start breaking passwords at scale.
TONY ROTH: I need to get you in touch with our IT administrator, because the day of the calendar quarter where I am the most grumpy is the day that I have to change my password, because I can guarantee you the day that I have to change my password, I can guarantee myself that I won’t be able to get into my computer, because it has to propagate throughout the system, and it doesn’t work.
MORGAN WRIGHT: Productivity goes down.
TONY ROTH: And it’s just it’s the worst day of the quarter for me.
MORGAN WRIGHT: Have your IT person just look this up. They can find it on the web. The guy from NIST, the National Institute of Standards and Technology, who, quote, came up with the standard, he came out with an admission later that says I just made it up. I had no idea. We just made it up about the password stuff because we had to come up with the standard.
There is zero proof that changing your password makes you more secure. There’s a lot of proof that changing your password unnecessarily decreases the security of your password and makes it easier to guess.
TONY ROTH: Yeah. It makes natural sense because you just can’t remember.
MORGAN WRIGHT: Well, and then you’ve got the help desk and then people are calling in to reset passwords and then productivity goes down. I mean don’t fix your car until it’s in an—I mean do your maintenance on it, but there’s no sense to go replace a fender on your car every 30 days saying, well, might have an accident. Well, you haven’t. Fix it when it’s broke. But un-, if it ain’t broke, don’t fix it.
TONY ROTH: Well, on that, I’m going to have to end our conversation and provide three takeaways as I always do. The first is that the most present risks are likely unknown when you wake up in the morning when it comes to cybersecurity. And so, having a security system that is multidimensional, flexible, and prepared for the attacks of the future is critical. And for any given organization, for our listeners that are business owners or executives in organizations need to take very seriously the need to invest in a smart and flexible way in the security of their technology infrastructure.
Second takeaway is don’t ignore, don’t outsource your data protection. Easy practices like ensuring that you have a—what should we call it actually, Morgan? What should we call good password hygiene? Is it to say that you have complicated passwords, that you have smart passwords?
MORGAN WRIGHT: People make it too complex. They say you need to have a complex password, squirrel chirp, you know, DNA. No. You just need to have a structured methodology for creating a secure password for every resource so it’s, you know, it’s a routine. If you know—if you have your routine, keep one part of it secret, which is your pass phrase. You can create a secure password for every site using a…
MORGAN WRIGHT: Standard methodology.
TONY ROTH: So, you need to have a good approach to passwords. It needs to be smart and go to freepasswordcourse.com. And then last is we actually at Wilmington Trust spend a lot of time evaluating the cybersecurity practices of the companies we invest in. It’s even for our values-based practice, which we call ESG, it’s a feature that we think allows the company to be rated more highly from an ESG standpoint because it protects the privacy of their clients’ information, which is something that I didn’t initially appreciate and just learned.
So, we think that it’s a good criterion as investors to look at, along with many others of course, like price to book and free cash flow and all those kinds of more traditional metrics in deciding what kind of companies to invest in. It’s that important.
So, thank you again, Morgan, for your insights today. It’s been a really fascinating conversation and it’s one that I’m sure we’re going to want to revisit at some point in the future.
MORGAN WRIGHT: Thank you, Tony. And good luck to everybody out there. And remember, do not use your birth date or your dog’s name as your password. That’s the best piece of advice I can give you.
TONY ROTH: That’s right. You don’t want you dog going in and hacking your financial account. I encourage everyone to visit wilmingtontrust.com for a roundup of our investment and planning ideas. You can subscribe to Capital Considerations on Apple Podcast, Spotify, Stitcher, or your favorite podcast channel. Thank you all again for listening today.
Disclosures:
This podcast is for information purposes only and is not intended as an offer or solicitation for the sale of any financial product or service or recommendation or determination that any investment strategy is suitable for a specific investor.
Investors should seek financial advice regarding the suitability of any investment strategy based on the investor’s objectives, financial situation, and particular needs. The information on Wilmington Trust’s Capital Considerations with Tony Roth has been obtained from sources believed to be reliable, but its accuracy and completeness are not guaranteed. The opinions, estimates, and projections constitute the judgment of Wilmington Trust as of the date of this podcast and are subject to change without notice.
Wilmington Trust is not authorized to and does not provide legal or tax advice. Our advice and recommendations provided to you is illustrative only and subject to the opinions and advice of your own attorney, tax advisor, or other professional advisor.
Diversification does not ensure a profit or guarantee against a loss. There is no assurance that any investment strategy will be successful. Past performance cannot guarantee future results. Investing involves a risk and you may incur a profit or a loss.
Any reference to company names mentioned in the podcast should not be constructed as investment advice or investment recommendations of those companies.
Facts and views presented in this report have not been reviewed by and may not reflect information known to professionals in other business areas of Wilmington Trust or M&T Bank and may provide or seek to provide financial services to entities referred to in this report.
M&T Bank and Wilmington Trust have established information barriers between their various business groups. As a result, M&T Bank and Wilmington Trust do not disclose certain client relationships or compensation received from such entities in their reports. Investment products are not insured by the FDIC or any other governmental agency, are not deposits of or other obligations of or guaranteed by Wilmington Trust, M&T Bank, or any other bank or entity, and are subject to risks including a possible loss of the principal amount invested.
Wilmington Trust is a registered service mark used in connection with various fiduciary and non-fiduciary services offered by certain subsidiaries of M&T Bank Corporation including, but not limited to, Manufacturers & Traders Trust Company (M&T Bank), Wilmington Trust Company (WTC) operating in Delaware only, Wilmington Trust, N.A. (WTNA), Wilmington Trust Investment Advisors, Inc. (WTIA), Wilmington Funds Management Corporation (WFMC), and Wilmington Trust Investment Management, LLC (WTIM). Such services include trustee, custodial, agency, investment management, and other services. International corporate and institutional services are offered through M&T Bank Corporation’s international subsidiaries. Loans, credit cards, retail and business deposits, and other business and personal banking services and products are offered by M&T Bank, member FDIC.
© 2021 M&T Bank Corporation and its subsidiaries. All rights reserved.
Private market investments are only available to investors that meet the U.S. Securities and Exchange Commission’s definition of qualified purchaser and accredited investor.
Morgan Wright
Chief Security Advisor, SentinelOne, Senior Fellow, Center for Digital Government
What can we help you with today