Russ: Welcome back to The BusinessMakers Show coming to you today from IHS CERAWeek, and my guest is Dr. Michael Siegel, Principal Research Scientist at the Sloan School of Management, and a specialist in cyber security. Michael, welcome to The BusinessMakers Show.
Michael: Thank you, Russ. Thank you for having me today.
Russ: You bet. So, here we are at IHS CERAWeek, a major league, global event, mostly focused on energy. What got you here?
Michael: Well, I’m actually speaking here. It turns out cyber security is a tremendous focus of many of these corporations nowadays. You know we have cyber threats regularly in the newspaper, and a lot of those issues have boiled to the top in these industries, and they’ve put quite a number of resources through for research and development of ways in order to protect the critical infrastructure. So, I’m at the Sloan School of Management at MIT, and there we have a consortium; it’s the Interdisciplinary Consortium on Improving Critical Infrastructure Cyber Security. Now, that’s a mouthful (Russ: It is.), but we say, we can also, it is, IC, IC, oh, IC, or IC cubed. So, IC cubed is the easier way to refer to the consortium. And as part of that consortium, a number of energy companies, a number of them here: ExxonMobil, Schneider Electric, Yokogawa, are members of our organization and are working with us, and some of the other oil companies too.
Russ: Ok, so I guess, you know, consumers generally think of cyber security as identity theft, losing their credit card, their credit card being stolen from a Target, per se, but in this world it’s different in, like, these giant energy companies. I guess it’s almost anti-terrorism, anti-intellectual property. Do I have that right, am I close?
Michael: Absolutely. You’re hitting that right on the nose. If we think about cybersecurity say, let’s say from a financial point of view, financial institutions like banks and so on, they’re worried about criminal organizations stealing money. That’s the main target because, you know, why do you rob a bank? That’s where the money is. In the energy industry it’s very different. Many of the threats are political in nature, and they’re against things that we refer to as critical infrastructure, and so all you need to do is, take the cyber-attack in the Ukraine from a few weeks ago which shut down the power grid. And that would be a good example of a typical cyber or, not typical because it was a major event, but the type of thing that we might expect in the energy industry where you’re using cyber for political purposes against, say, a pipeline or an energy, a power grid, or a refinery or something on that order.
Russ: It’s interesting times where people want to make a political statement by doing that kind of harm, isn’t it?
Michael: Yes, it is, Russ, unfortunately it is a little bit of a sad situation. I guess though it doesn’t, it has sort of a corollary in what people have been willing to do previously. We have a long history in the energy industry of a very strong safety culture and so it’s important to realize in this cyber security world that we are, in a way, our own worst enemy. They estimate somewhere between 60-80% of all major attacks were aided and abetted by insiders, knowingly or unknowingly. And so, we really have to think about our culture and our cyber security or cyber safety culture. And the reason I refer back to the safety is because this is an industry that’s tremendous on safety. You go into a refinery, a factory, you see signs, how many days since the last accident? Right? Do we see signs on how many days since the last, or how many minutes since the last cyber breach?
Russ: No we don’t.
Michael: So, maybe we need to build that culture, and maybe that cyber safety culture is really what we need to do, and many of these organizations are realizing that and taking on the problem head on.
Russ: Ok, so in this world, in these big corporations, are there companies that have perfect cyber security that keeps everybody out and others that don’t? Or, what’s the landscape like?
Michael: So, Russ, I’m afraid the words perfect and cyber security probably never go together, if you don’t mind. The general saying in the world of cyber security is, there’s those who know they’ve been hacked and those who have been hacked but just don’t know it yet, and various forms of that type of thing.
Russ: Right. So you just fall in one category or the other.
Michael: You fall in one category or the other. So, what we’re finding is that—I’ll give you a surprise that came to me. I actually heard some time ago, someone senior in the Israeli forces, and they actually even acknowledge that there are times that people get in their systems, and the Israelis are particularly known for their cyber security. So, it really is everyone who is exposed to this and everyone can have hackers or people who shouldn’t be in their system in their systems. I guess a lot of the effort now is around protecting the crown jewels, making sure those big disasters don’t happen, understanding how to recognize when you’re having an attack or a failure, having a plan for recovery. Plan for recovery is of tremendous importance, and you’d be surprised how many organizations do not have a plan for recovery.
Russ: Wow. Well, it seems to me, and once again this is probably more from the financial world and the retail world even, that a lot of times these items break on the news, and as they’re telling the story it might be February, but the event actually happened in November. And you realize, well why didn’t they tell us in November, and I think you get this feeling, because they didn’t know in November, and they didn’t know in December, and they didn’t know in January. Is that right?
Michael: That’s right. And, in fact, the numbers with regard to knowing about breaches or vulnerabilities haven’t gotten a lot better. We have reports going back almost 10 years now: assessments of the industry, our readiness, our ability to fix vulnerabilities, our ability to react to them, and really nothing has changed. In fact, we’ve seen a decline over 10 years. So, that part of the story isn’t very good. The good part of the story is there’s a lot of attention, a lot of research being done, things being done to perhaps improve the architecture of our systems, the level of the software coding and reduce the abilities to have vulnerabilities, the management of the process, the change of the culture. It’s really important, governments and organizations, corporations are realizing that cyber security is a social responsibility. We will not all become engineers and computer scientists, though.
Being from MIT, I have that hope, a little bit, but we will not all become computer scientists and engineers but we all will use computers, and cyber security is a social responsibility, and I’m working with some governments now and private organizations to find the best ways to teach people that level of responsibility. And there’s actually been tremendous reaction. A number of corporations that I work with are teaching or working with people on their personal cyber security issues, like your, you know, home online banking and so on, and issues around that. And after that type of involvement with them on the personal level, they’re seeing a tremendous improvement in the workplace. So, we have the ability to affect who we are and how we deal with cyber security, both in our personal and our workspace, and that can change things quite a bit.
We’re also working at the other end of it with board level members, and understanding what executives and board level individuals need to know with regard to cyber security. Clearly their main concern is avoiding that major accident, and limiting their liability, because as board members that’s become quite a serious issue. The capability of them to do that is sort of highly dependent on the information that’s available to them, and that’s just starting to be understood, translated so that boards can understand it and can act in ways that are necessary to protect corporations.
Russ: Wow. You know, I’ve talked to others in this space, not from MIT, but I got the feeling that upfront the thing that separates good cyber security companies vs bad cyber security companies is just that fact of recognizing, wow, we’ve been violated. And I assume that means some can do that better than others, but what can you possibly do to know that?
Michael: Well, I think you had two issues. There’s the management, strategic and organizational issues around recognizing it’s a real threat, recognizing that your executives, your workers, your organization has to be prepared and has to be diligent. I’ll give you an example: you’re familiar with phishing in email, right?
Michael: You get the mail that says you’ve just won the lottery and you really want to cli— (Russ: You’re excited), and you’re excited. You want to click on that link and bring that multi-million dollars home. In fact, it’s a bad idea. Let’s just make clear, it’s a bad idea. Organizations, corporations, financial organizations that I talk with do internal testing for phishing, and they have low double-digit click-through. That means 10, 12, 11, 12% of employees…
Russ: So of their employees, 12% might click on that.
Michael: Might actually still click through on some of that. In fact, I talked to one financial organization who sent executives a phishing email, and in the email it said, this is a phishing email. If you click the link you will harm the computer. Ok, you will do harm. One person actually clicked the link. Now, they asked him, why did you click the link? And he said, I wanted to see what would happen. Now, imagine, imagine in these energy corporations, someone in a refinery with a big valve that says, ‘Do not close. Danger.’ Walking up and closing it just to see what would happen. So, we have to do a lot to change the culture, there’s no question, and that’s why we’re at a management school and we’re approaching it from that direction. And then there are technologies that are advancing our capability to detect and to react.
Russ: Meaning, if somebody in your company did click on it, there are ways, there are pieces of software that are always looking in the company and see suspicious things and report it back.
Michael: That’s correct. We are getting better at doing that, but realize, of course, as we get better, they get better.
Russ: So it’s like a contest.
Michael: It’s a contest.
Russ: So I also remember learning that if you discover that you have been breached, there are companies that have an action plan in place to implement that’s kinda, from what I heard, pretty extensive, and then there are other companies that don’t. They have a meeting instead and say, what are we going to do, and, so that’s one extreme to the other. Is that still the way it is today?
Michael: That is still the way it is. There are organizations, we work with a number of companies, or are involved with them, that are specifically focused on that action plan; that ability to be resilient, that ability to react to failure, and to have a plan not only technologically and to protect the data, which is extremely important, but as we’ve seen by so many failures, the ability to do the correct public relations, PR. You mentioned earlier some companies not finding out for months. Actually, some companies just don’t tell you for months.
Russ: And I guess there’s companies that don’t know.
Michael: There’s companies that don’t know.
Russ: It might have happened a year ago.
Michael: But we see very different reactions in the market if you, perhaps, sort of compare, historically, the Target breach vs the Home Depot breach. Target was sort of delayed in coming out with their information and did poorly, perhaps, as a result of that. Or other things; Home Depot was more immediate, corrective action, so on and so forth. So you can see in that retail world, some real differences in PR when these types of things occur.
Russ: So it looks like Home Depot did it a little bit better than Target did; handling it right.
Michael: From what we read in the papers. Yes.
Russ: Right, right. So, in a big company that’s not a retail thing, I mean, what can an action plan be? I mean, do you start immediately unplugging drives that have protected data? Do you change passwords? Do you shut the network down, or, I mean…
Michael: So, some of the above, and it depends. I think that’s really what these companies are, and I don’t know if you’re familiar with the, Russ, with the amount of money that’s gone into startup and development in the cyber security space (Russ: I’m not.). It’s been tremendous. It’s actually peaked by now. It’s on its way down a little bit. I just read something today that it’s a bit of a burst of a bubble as far as funding of cyber security companies. Not to get off track from your question, but it’s interesting, many of these cyber security startups come to market and then the hackers or people who want to break into you are able to come up with a way around what you’ve developed, and so you’re a company that’s developed something and now all of the sudden it’s gone. Not too dissimilar to a phase II drug that doesn’t do what it’s supposed to do. So, you end up with the same problem in other industries.
But, a number of these companies are coming up with specific plans that get down to the level of what do you unplug, and what do you undo, and so on and so forth. And they’re focused around, you have to realize you keep your eye on the target; what really matters? Ok, you talk about the retail issue. Many organizations won’t name any of them. We’ll take the retail hit right now. I mean, think about the amount of money made in the digital economy; it’s very, very large. Think about the amount that’s lost in just a retail credit card breach; it’s very small compared to that. That’s not what we’re worried about. We’re worried about the power grid going down. We’re worried about our energy delivery systems not functioning. We’re worried about, you know, refineries going, platforms going, issues like that. And so for those, you have a material plan that not only involves cyber, but also involves safety and what you need to do.
How many have really good plans in place? How many have thought about, you know, as many contingencies as they can, because we’re in a new world. The amount of ways that cyber can go wrong is large.
Russ: Is limitless.
Michael: Thank you, Russ. Limitless is the right word, thank you very much.
Russ: You know, maybe I’m thinking maybe people like you should have an Academy Awards for cyber security, and every year announcing the best. The only problem is the minute you had the best, that would focus the other side on the winner (Michael: On the winner, right.). Ok, so I guess this is like a subset of cyber security, but I heard last week about this ransomware process where somebody threatened to shut somebody’s network down unless they paid, it turned out to be a somewhat small ransom because they didn’t want to make it so big, and play with Bitcoin. Did you follow that?
Michael: To some extent. This was the hospital incident in Los Angeles, I believe? (Russ: Yes.) I followed it to some extent. Ransomware has been a problem for some time (Russ: Oh, wow.), and it may happen simply on a personal level, where you may all of the sudden see a flashing something on your screen and someone will try to extract some amount of funds, usually small, or simply destroy all your data. And, in many instances, it turns out that the amount is small enough that people or corporations decide that it may just be better to pay the ransom. The problem with many of these ransomware or other cyber-attacks is the people who are forming these intrusions into your system are not easy to find.
They’re anywhere in the world, protected by governments which may or may not be cooperative with the United States, and attribution remains an issue in cyber security—let me make that clear: attribution is being able to identify the person and location that is the perpetrator of the particular attack. It’s very difficult because you may be one place but you can ghost yourself or make yourself look like you’re almost anywhere in the world by bouncing through other computers or other parts of the internet. So, attribution is very difficult. We saw the most interesting attribution incident occur with the Sony intrusion, where we were actually, the government was able to actually identify and say publicly that it was North Korea, which is interesting because it isn’t the kind of thing that a government would always say they have the ability to do. So, that was an interesting case on attribution.
So, the ransomware becomes quite an issue because we can’t necessarily identify the person, we can’t necessarily find them, and for a small amount of money, I’m not suggesting that one does this, but I’m saying in some, many cases that turns out to be the solution.
Russ: Might be worth it, right?
Michael: Might be worth it, yes.
Russ: All right, cool. Well, Michael I really appreciate you scaring us today.
Michael: Thank you, Russ.
Russ: But if we weren’t scared we’d be wrong.
Michael: We’d be wrong.
Russ: You bet. And that wraps up my discussion with Dr. Michael Siegel, the Principal Research Scientist at the Sloan School of Management, focused on cyber security at MIT, I might add. And this is The BusinessMakers Show.