Yahoo奇摩新聞 The U.S. is bringing ‘a knife to a gun fight’ in cybersecurity conversations: Prevailion CEO
Karim Hijazi, Prevailion CEO, joins Yahoo Finance to discuss President Biden’s meeting with tech and finance leaders on cybersecurity, threats facing the U.S. and its impact on the supply chain.
影片文字轉錄稿
[MUSIC PLAYING]
ALEXIS CHRISTOFOROUS: Welcome back. President Biden is holding a White House summit on cybersecurity today, with an A-list group of tech titans, including the CEOs of Amazon, Apple, and Microsoft. We know the stakes are high here, after a string of high-profile attacks this year alone, including the Colonial Pipeline hack, which threatened to cripple critical American infrastructure.
Here to talk about it is Karim Hijazi, CEO at Prevailion. Karim, good to see you again. Earlier today on Yahoo Finance Live, we had Deputy National Security Advisor for Cybersecurity Anne Neuberger on. And she was talking about today's summit, and said that the US government cannot mandate what private companies do with regards to cybersecurity. Given that, what do you expect to come from today's summit, if anything?
KARIM HIJAZI: Well, we all have hopes. And unfortunately, you know, I'm among many of my peers that sort of say that the playbook keeps getting repeated over and over again, that is a little bit old and tired. And it's focused on vulnerabilities and patching and things like that, which are absolutely essential.
But they're far from the actual problem, which is that the adversaries we're dealing with, the level of sophistication and how dynamic they are, has facilitated already a compromise effort. So rather than suggesting there's vulnerabilities that need to be patched, we should be addressing this latent embedding of these actors that are actually able to open doors whenever they want.
And unfortunately, we're screaming this from the private sector side. The government isn't leading us forward on this as I think we'd hope. And the kind of leadership they're bringing to the table understand it on a sort of broad level, but not on the technical detail that I think is necessary. So I'm a little bit reserved on what I think may come of this.
ALEXIS CHRISTOFOROUS: Does the current bipartisan-- it sounds like you don't think the current bipartisan infrastructure bill goes far enough in putting in place the tools that the public and private sector need to combat these attacks. If you were in that room today with all of these folks at the White House, how would you guide them?
KARIM HIJAZI: Absolutely. I think it's a good start, and I think the biggest problem that we're seeing here is, again, this misperception that we're still in a potentially vulnerable and yet to be attacked state. When in reality, from all the data that we collect from a Prevailion perspective, suggests that we're already in a compromised state. And now it's about rooting out that evil internally so that those doors can be shut from the inside.
Because the problem now is that it's no longer what it was 10 years ago, where there's hackers pounding on the outside of the gate to get their way in. They're using phishing attacks, they're using very sophisticated means, to hack the people of these companies and these governments, which then afford the adversary the means to act like they're authorized to be there. So there's very few defensive technologies that afford any defense against that. It takes a new breed, a new generation of looking at this from an insider threat perspective, meaning the malware is resident, let's find a way to root this out.
So my hope is that this can be kind of accelerated, and the sophistication of the conversation can move to the level that the adversaries are at. So we're literally bringing a knife to a gunfight in these conversations. And I really wish we could get on par with what's really going on out there.
ALEXIS CHRISTOFOROUS: Yeah, good analogy. So let's break down what some of these bad actors are up to. Because when it comes to disruptive malware, you say ransomware is not the only game in town. There's something called wipers. Please tell us what that is.
KARIM HIJAZI: Certainly. It's a very concerning situation, because ransomware was very alarming. And I think it kind of hit everyone like a ton of bricks, because it was going to be extortive and it was going to get people to pay money if they didn't do certain things within a certain amount of time. Now what they're doing is they're going further to either steal the information, which is extortion as well.
But even worse, nation-state actors like Iran that are a little bit more emotionally motivated in their attacking, they're not as cunning and as calculating, they'll simply just destroy the data. They'll destroy the machinery upon which it resides, and they'll do things simply to disrupt and destroy. They won't be financially motivated, like what we've seen so far.
And what that represents for us in the longer run are things that have actors that have very little motivation for financial gain. They don't really care about getting caught. They're there to essentially to be-- a brutal analogy here, but they're on a bit of a suicide mission, to simply deploy something that can destroy infrastructure, critical infrastructure, water treatment facilities, electrical grids, and then just watch the carnage ensue. And that's the part I think that we haven't seen yet.
And my hope, desperately, is that we get ahead of that before it gets to that point. Money loss is bad enough. Cyber-attacks that manifest into physical or kinetic attacks is far worse.
ALEXIS CHRISTOFOROUS: What about the ongoing impact these are having on our supply chain? I mean, we saw it with SolarWinds, we saw with Microsoft Exchange. A whole bunch of other companies are going through this. Are we just at the tip of the iceberg there in what these hackers can do, the damage that they can cause to our critical supply chain?
KARIM HIJAZI: Very much so, Alexis. The bigger challenge here is that we've relied on a very old modality for figuring out how secure our partners are, which is to ask them and essentially get some sort of assessment from them directly, or maybe scan them. And what I mean by that is assess whether they've got vulnerabilities that could be exploited.
The real issue is much deeper and ingrained, which is that the actors, these threat actors, know exactly what these ecosystems look like. They'll know exactly which supply chain partners exist as sort of a hub-and-spoke approach. So if you get that one supply chain partner, that will afford you access to many prime contractors that you might want to get to. So it's sort of a one-to-many ratio that they can use [INAUDIBLE] saw that as one attack that manifested into many.
And so the reality here is that we've got to change our paradigm and our perspective, that these supply chain partners are these weak points that can be leveraged and exploited by these bad guys, and then they can sit and wait until the right time exists for them to move in, when vigilance has waned, and there isn't quite the level of vigilance that needs to be there. You can't constantly be vigilant. We all know that.
So unfortunately, they wait for that moment. They wait for holidays. We saw the situation happen with, I think, during the 4th of July weekend. It's all strategized, it's. All planned they know exactly when there's skeleton crews on site. So we've got to change our perspective that this is going to be an attack that will find its way in magically one day, and think about it that it's already here. When are they going to activate it? And how are they getting that communication into this company to give directives to this malware, what I like to call electronic spies that are already resident there? That's what we've got to catch and remove before things get worse.
ALEXIS CHRISTOFOROUS: Right. And another playground for these bad actors could be the emergence of 5G, because the capacity for higher, faster wireless speeds also has a downside. And we know the telecom companies, including our parent company Verizon, continuing to roll out 5G. What are some things they should be thinking about as they continue that push?
KARIM HIJAZI: Absolutely. I mean, with any kind of efficiency and speed comes additional security problems. Because again, the problem is that the effectiveness of the product for our convenience is exactly what the adversary exploits to their advantage. So the speed by which they can deploy malware, the speed by which they can extract information from huge, broad swaths of environments that were otherwise unavailable, 5G and space internet.
Phone services were terribly slow in the old days. Remember, we'd have to run home to our cable modems to get a decent connection. Now, arguably, our phones are faster than our home networks. And 5G will actually accelerate that even more. Same with some of the more modern satellite technologies. So that provides a much broader method for attack surface for the adversary. And then it also allows the adversary to use other victims as another launching point for an attack. So it becomes a force multiplier for them to get to everyone and anything they want to get into.
So what they need to be thinking about is essentially how to throttle connectivity to some of these groups, understand where these groups are, understand who's infected so they can, to use the term that we've been hearing about for two years, quarantine effectively some of these infected parties so the contagion can be limited. I know it sounds biological, but it's identical in cyber.
ALEXIS CHRISTOFOROUS: All right. Karim Hijazi, CEO of Prevailion. Thanks for being with us today.
