In the last several years, a series of high-profile cybercrimes have brought attention to the precariousness of private information in a globally connected economy. In late 2013, hackers gained access to Target’s network and made off with about 40 million customer credit card numbers. A year later, an attack at Home Depot resulted in the exposure of 56 million credit card numbers. In 2015, hackers stole nearly 80 million records from the health insurer Anthem.
Some of the recent online attacks have had real-world impacts beyond financial losses. In 2014, an attack on Sony Pictures Entertainment, prompted by the release of the film The Interview and believed to be sponsored by the North Korean government, exposed a trove of emails and other confidential information, leading to the resignation of Amy Pascal, the studio’s co-chair. After the hackers threatened terrorist attacks against theaters screening the film, its theatrical release was canceled. A 2015 breach at the website Ashley Madison, which enables extramarital affairs, exposed the identities of its members. The same year, hackers in China stole more than 20 million records from the U.S. Office of Personnel Management, including fingerprints and information from security clearance background checks.
Yale Insights spoke with Deepak Jeevan Kumar ’10, a partner at General Catalyst Partners who invests in cybersecurity, big data, and other technology ventures, about the evolution of cybercrime and why an effective response will require greater trust and collaboration among stakeholders.
Q: How much is cybercrime a global issue? How much is it a result of increased connectivity across borders?
I think it has been a global issue for many decades, from the beginning of the Cold War, frankly and we have not explicitly recognized it. But in the last two decades internet connectivity, the portability of mobile devices, wireless internet, have democratized cybercrime. And just as the internet is a powerful tool for us, it can be used to fight against us.
I think what we haven't quite realized is the connection that has happened recently between what I call physical terrorism and cyber terrorism. Typically in the old days, cybercrimes were mostly restricted to identity thefts, thefts of credit card data—data used for financial benefit. Recent attacks experienced by Sony, Ashley Madison, and the Office of Personnel Management of the federal government are not about financial information thefts, but rather disruptive at a personal level to the customers and employees of these organizations.
The Office of Personnel Management holds the records of all federal government employees and more importantly, it holds all information that all the highly cleared Defense Department employees have given to the federal government. So the hackers—we think it's a state actor—have access to information that the federal government has on all their secret service employees, their defense contractors, their defense employees, and so on. That is nothing short of a full-fledged terrorist attack on the American government. You just don't think of it that way because it's happened in the cyber world.
In some ways, I think that the attack on the OPM is a defining moment in history. We should recognize that we are actually in a cyber Cold War. And the difference is that we do not know who the enemies are in this case. Imagine if some bad actors could use this to selectively target contractors and employees who work for the Marine Corps or for the Navy Seals or work for the Air Force. People get information through a cyber war and they could use it for a physical attack.
The Sony attack was another example, where the cyber terrorists say, "Hey we have this data. If you do not do what we say, we're going to bomb a cinema." That connection between cyber and physical is happening today, and I think we should recognize we're in a cyber Cold War.
Q: You invest in companies that are coming up with solutions for these kinds of problems. Is this something that the private sector is best equipped to respond to, or is this something that the Pentagon should be responding to or the UN?
I think everyone has some kind of responsibility here. In the physical defense world, you have a set of private manufacturers of airplanes, tanks, machine guns, bombs. You have a lot of government research happening and private R&D happening across the private sector as well. And you also have international organizations that coordinate to defend. I think we need to have the equivalent of that inside the cyber world, which we do not have, unfortunately, today.
Everyone needs to understand they're part of the same ecosystem. And today there is complete lack of trust in different parts of the ecosystem. There are three stakeholders: the general public, the private sector, and the public sector. And because of a lot of incidents, including the Snowden incident that happened a few years ago, these three stakeholders do not trust each other.
Q: Does it complicate that process that this is a global phenomenon and the bad actors are operating across borders? How do you create trust when you're not all operating within the same national system?
It is hard. But let me tell you what we've seen today. Let's take an analogy from the physical world. Let us say you're in country X and you are comprised of an army, navy, and air force. And the country you're fighting against is country Y and they have the same structure. Let's say in country X, the different forces do not like each other and they've never communicated with each other. And in country Y, they communicate with each other and are highly coordinated. Even if they do not trust each other, they're highly coordinated and they'll figure out how to work in a manner that benefits them.
That is a situation we are facing now today. We do not know who country Y is in this case, but the bad guys have so many ways of communicating with each other—dark web portals and other avenues where they can share data. But the good guys do not share data with each other because they don't trust each other due to a lot of historical reasons—spying without each other’s knowledge, overstretching the rules.
And at this point, even in the private sector, it's so hard for us to share information with the government unless it's absolutely necessary, because there can be a backlash from consumers. Let's say a big company like Apple and Google start liberally sharing data with the government. The consumers are going to rise up and they're going to stop using their products. Definitely, some people are glad that Apple stood up for its principles publicly in the recent high-profile case against the FBI. The argument for Apple’s side is that if they help the U.S government, they would also need to help governments of other countries to create a backdoor entry in to encrypted data. So where does that trend stop? This incident could only have aggravated the mistrust between the stakeholders.
The government and the private sector have to acknowledge that, you know what, we need to trust each other. We need to share data with each other. There's no other option because the bad guys are sharing data with each other on how to attack us.
So how do we start? We need to probably put some frameworks in place on what data can be shared and what cannot be shared and in what situations data can be shared. We have to acknowledge that trust is broken and have some kind of neutral third-party organization that acts as a mediator between the major parts of the ecosystem and starts rebuilding trust.
Q: How does cloud technology change the threat?
Let us assume that all the wealth in America is held in a single bank somewhere in New York City in gold or currency or whatever; if that building is attacked and breached, all that wealth could disappear. The cloud has basically concentrated the places where data is stored in a few places. The number of single points of concentration have drastically come down to just a few major providers: Apple, Amazon, Google, Netflix, and others. And if any of these providers has an issue, then millions, if not hundreds of millions of people, can be affected.
Recently, there was a breach on the Internal Revenue Service and a lot of tax records of Americans were stolen. And that happened because they all were stored in one place. But the cloud has actually made it even a much bigger problem. For example, a cloud provider like Amazon runs Netflix and Dropbox and multiple hundreds of other websites. If there is even a service-level degradation there, not even a data loss, it affects a huge part of the tech economy today.
It is like if the entire electric grid were completely connected, without having the air gaps that we have in place today—if there was a major fault in Texas, the whole country could potentially go down. Today we have regional public grids that have effective isolation capabilities.
Here’s another issue: let us say I'm a Fortune 500 company and the government wants, for good intentions or bad intentions, to get hold of my data. It used to be that the only way the government could acquire an individual’s data was to contact him or her directly. But today because our data is stored by a public provider, they don't need to contact the individual. They can just go and contact the public provider. So people and organizations and corporations are completely losing control of their data. Once the data goes onto the internet, cloud or not, you have no control over it.
Q: Was there a point earlier in the history of the internet when things were more secure because they were more diffuse?
Yes, you could say that. The best form of security is not to share anything, right? But we're living in a world where that's not possible. We need to communicate with each other. We need to share things with each other, and we need to bring the cost of doing all of this down. So all the innovation from the internet and mobile have these dangerous side effects, but they also make the world a much better connected place.
Before wireless networks existed, the only way you could hack a company’s corporate network was to somehow get access to the wired network. But today you can sit on a laptop next to the company's premises and hack into the wireless network without ever having to set foot in the building.
Another thing that is going to start happening more is the whole industrial internet and the Internet of Things. The smart grid initiative is about making the whole electric grid smarter and able to respond faster to demand and supply changes, but that also means it has to be more internet connected. Today the electricity grid is completely isolated from the general public internet. But as the electricity grid becomes smarter, there could be more points of contact with the general public internet.
So you can imagine in the not-so-distant future that hackers could be able to get into the electricity grid, airports being shut down by hackers, a traffic light being hacked on streets, air traffic control systems being hacked. As the world gets more interconnected, whatever Hollywood has shown in the last 20 years could actually become reality.
Q: Who do you think is winning? Do you think that the curve is moving toward solving this problem or away from solving this problem?
I think the world is getting more complicated in the sense that it's always a catch-up game with cyber criminals.
You know, it takes one terrorist attack to make a whole country feel insecure. The same way, cyber terrorists just need to attack one spot and they can create a lot of fear in the whole system. And on the defense side, you have to defend everyone. You don't know when the next attack is going to happen.
Even if the attack is not highly sophisticated, all they need to find is one point of vulnerability that exists for a period of time to just get into an organization's cyber network. So I think the deck is always stacked against the defense. It's always stacked in favor of the offense and in favor of the cyber criminals because of the nature of the attack surface and the number of points that need to be defended.
It's not a question of if a Fortune 500 company or a university is going to get attacked. The answer is yes. It's not a question of when. The answer is always. There's only one question left: How bad can that attack be? The faster we can detect a breach happening and the faster we can plug it and the faster we know what is being exposed, the less damage will be done. If you take an analogy from the healthcare world, you don't have vaccines for all diseases, but you need to have good primary care, you need to have good emergency care.
So I think we have to recognize that the way in which we should play the game is not just by building better defenses, but also building good processes and putting the technologies in place so that once the detection has happened, we can actually solve the problem sooner than later. With most of the attacks that we have seen in the last few years, the attackers were in the organization for months without being detected.
Q: What kinds of innovations are you seeing that can help?
Many VC firms in Silicon Valley and Boston have invested in multiple sub-sectors of the security industry. There has been the beginning of a resurgence in investment in sharing platforms, which give different organizations the ability to communicate what threats they’re seeing in a manner that doesn't compromise any of their identities while maintaining trust. There is an increase in security automation tools—once a breach has been detected, how do you automatically configure different parts of the security infrastructure to understand this new trend?
There are investments happening in what is called incident response companies—you call them and it's like a cleanup system to come in and clean up the damage. We're also seeing lots of investments happening in new cloud security products. How do you defend your own data, defend your computing infrastructure, that is not in your premises—it's in the cloud provider's premises?
We have seen quite a bit of investment in mobile security. People have started using smartphones both for their private and business use. How do you safeguard those phones against attacks? Security has been one of the biggest investments in the VC industry in the last few years, and we don't expect this to change, because the attacks are getting worse and worse.
Interview conducted and edited by Ben Mattison.