Companies Are Seeing How Vulnerable They Are to Hacks

To examine the topic, and how companies should deal with it, The Wall Street Journal’s editor in chief, Gerard Baker, spoke with Theresia Gouw, founding partner of investment firm Aspect Ventures; George Kurtz, chief executive of cybersecurity firm CrowdStrike; and Chris Roberts, chief security architect of cybersecurity firm Acalvio Technologies.

Here are edited excerpts of the conversation.

A new era

MR. BAKER: Are we seeing a bleeding over into nonstate actors of the kind of skills and equipment of incredibly powerful state actors?

MR. ROBERTS: There is definitely a huge bleed-over. The other thing to add is that years ago, if we wanted to break into your environments, we had to do the intelligence, the gathering of the data, the analytics, the attack vectors, and then understand how to execute.

Nowadays all I do is go online and buy half of those tools. I buy that as a service. So the only difference now between the nation-states and somebody like ourselves is the financial resources at hand.

MR. BAKER: This is obviously an area where there’s a tremendous amount of activity going on in startups. Given the scale of the threats, is there a commensurate increase in investment opportunities in defensive technology?

MS. GOUW: What people are investing in has moved from companies that are defending enterprises to companies that are providing intelligence and analytics so that enterprises can more quickly identify the breaches, whether they’re breaches or patches that weren’t made that make you susceptible.

The doomsday question

MR. BAKER: How vulnerable are the core elements of infrastructure in this country? It has been put to me that if North Korea or China or Russia wants to take down the grid or cause havoc in the U.S. financial system, it has the capability to do it. Do you think that’s true?

MR. ROBERTS: I’ve done a bunch of work abroad—Ukraine and a couple of other places. Taking something down, that’s fairly easy to do. Keeping it down is where the hard work comes in.

Feeling Vulnerable

Fewer than a quarter of surveyed CIOs and other technology leaders feel their organization is very well positioned to identify and deal with current and near-future cyberattacks, and the proportion has fallen in recent years.

Source: Harvey Nash/KPMG global survey of 4,498 CIOs and other technology leaders, conducted December 2016 to April 2017

MR. BAKER: Just how vulnerable are we, in the context perhaps of a broader conflict, a broader war? We used to think about the razing of cities by aerial bombing. Is now the taking down of our industrial or energy or financial infrastructure a plausible consideration in these circumstances?

MR. KURTZ: Let’s put this into context—the NotPetya [cyberattack that affected the computer systems of multinational corporations]. You can’t use videoconferencing. Your phone call doesn’t work. It’s really, really bad. So if you look at that attack, that’s an attack that went sideways or collateral damage spread.

I look at it and go, “OK, that’s really a wake-up call for a lot of companies.” There is a fine line between being one of those companies in the headlines and not. There are a lot of companies, I guarantee you, because we talk to them a lot, that basically wiped their brow and said, “That could have been us.”

Even Merck was down for months. Your email doesn’t work for months at a time. It’s one where boards of directors have really woken up and when we look at the issue, it’s no longer just stealing data and looking around the network.

If your entire operation is now taken out, that’s a massive risk, particularly from a shareholder perspective. And we’re seeing a lot more attention at the board level on this because of those attacks.

MR. BAKER: Equifax was obviously a big story. What made that company so vulnerable? What were the mistakes it made that CIOs can learn from?

MR. KURTZ: If you look at the attacks, a lot of them used something called a web shell, which is a basic 101 sort of attack. You get on. You put up a web shell. Then you can move laterally.

If no one looks at the system, or you don’t have any instrumentation on those systems, they’re going to be in there for 200 days plus.

You have to mind the shop or have someone mind it for you. The level of sophistication of that attack was low. But you have to care. You have to be involved. You have to take some action.

And what we saw is a lot of companies a number of years ago before this became sort of more popular were like, “Eh, you know, if we don’t know what’s going on, it’s better not to know.” And they didn’t bother to look at it.

The political question

MR. BAKER: CrowdStrike investigated the hack into the Democratic National Committee in 2016, the implications of which continue to reverberate in politics and around the world. How vulnerable still is the U.S. political system?

MR. KURTZ: There’s not a lot of sophistication or protection. So I think it’s a real big challenge both in that arena around elections, that general topic. And we also see a lot of activity around the think tanks constantly getting attacked and hammered.

So overall, I think there’s going to be a heightened awareness of what’s happening. But with all the bickering and lack of funding, I don’t know that anything’s going to change.