Boise State Cyber Expert On Wave Of Attacks: ‘No, I’m Not Surprised’
A seemingly constant stream of cyber attacks have put the world’s public and private sectors on edge – the latest cyber attack victim is JBS Foods, the world’s largest meat supplier. In early May, a cyber attack on the Colonial fuel pipeline sent tens of thousands of Americans on the east coast into a panic-buying frenzy of gasoline.
“Each year I say to audiences, as I speak around the nation, 'I hope that this is the game changer for the industry.' And so, I'm holding out hope and I'm being very optimistic that this is going to be a game changer,” said Edward Vasko, director of Boise State University’s Institute for Pervasive Cybersecurity. “Was I surprised by the attack? Unfortunately not.”
Vasko visiting with Morning Edition host George Prentice to talk about the troubling trend of attacks, and offers some real-world advice for businesses, big and small, and consumers.
“We find ourselves in a position where we have a new set of actors looking to do harm to our infrastructure, as well as to our commercial and governmental organizations.”Edward Vasko
Read the full transcript below:
GEORGE PRENTICE: It is Morning Edition on Boise State Public Radio News. Good morning. I'm George Prentice. When the Colonial Pipeline was hacked in early May, well…, it struck many of us… and it appeared as if it was hitting very close to home. We all watched as tens of thousands of Americans panicked and they created a rush to fill their gas tanks. Some gas stations had to shut down; and all of a sudden, once again, we had a renewed urgency for cyber security. So, we're going to talk a bit about that this morning and more with Edward Vasko. He's on the line. Mr. Vasko has three decades of experience as a cybersecurity business entrepreneur and owner of five companies. He is now director of Boise State University's Institute for Pervasive Cybersecurity. Mr. Vasko, good morning.
EDWARD VASKO: Good morning, George. Thank you so much for the opportunity to chat today. I really appreciate it.
PRENTICE: Can you share with me your initial reaction to the Colonial hack?
VASKO: I will say… I've been in the industry, as you said, three decades now. And almost every year of my time in the industry, there has been some wide, large scale cyber incident of some form or another. And each year I say to audiences as I speak around the nation, “I hope that this is the game changer for the industry.” And so I'm holding out hope and I'm being very optimistic that this is going to be a game changer. Was I surprised by the attack? Unfortunately not.
PRENTICE: The first thing… I have to admit… the first thing I thought of was our electrical grid… and our grids of power and fuel… our nuclear grids. Are our public grids at constant risk?
VASKO: When I started my career, I would say the risk levels to the grid and to our other critical infrastructure was far less so. With the advent of ease of use and the need to expand service and use traditional technologies, cellular technologies of connecting to the Internet and so forth, utilities have created opportunities for their workers to work from home - in light of COVID and some of the other needs. But in doing that, they've actually exposed themselves in many different ways to potential attacks, both from what has been the traditional role and the traditional bad actor, and that is the nation states that we know are actively probing and trying to find methods and ways to attack the infrastructure of the US. However, using Colonial as an example, this is representative of a new type of new type of group that has been growing in its abilities and growing in its sophistication. And that is a specific kind of group of criminal underground and criminal organizations that are cyber focused but are applying very modern business techniques to enabling a broadening of cyber attacks. So not only do we have to have the awareness and understanding of the traditional attackers that have been purposefully trying to find ways to attack our critical infrastructure, now, in light of Colonial and in light of the Florida attack that occurred - the water system attack that occurred earlier in the year - we find ourselves in a position where we have a new set of actors looking to do harm to our infrastructure, as well as to our commercial and governmental organizations
PRENTICE: Well, open up that part of the conversation for me. What is your takeaway then, for those governmental entities and public entities?
VASKO: I think that one of the good things that came out of the Colonial attack very, very quickly was, that President Biden stepped forward with an executive order that really had seven key elements to it. And some of them, I would say, added to my optimism that with this particular event, things will begin to change. And I'll touch on a couple of those very quickly here. And first, there's a new interest in improving the supply chain of software that's used by companies and by governmental entities that has really arisen out of the Solar Winds attack that again occurred earlier in 2021. And that emphasis by the Biden administration is meant to put in place effectively, what we know as the Energy Star component and consumer products, and it's meant to provide consumers and businesses an understanding that that the software and the technologies that are used by different providers have met a certain level of security. That in and of itself is an interesting game changer for the industry. It is actually putting in place an appropriate set of standards that can be reported out and used as a differentiator in the marketplace to say a product from one company meets this Energy Star or the Security Energy Star need versus another that doesn't.
And so hopefully that will add to the ability for software manufacturers and technology manufacturers to enhance and improve the security that we use or the technology that we use. The other key item that I would touch on is that there was a push in the executive order to modernize and implement stronger types of cybersecurity standards. And this is a change in both how we approach technology and it's also a change in how the cybersecurity industry begins to look at itself. And it specifically goes to a component called zero trust. Coming into the industry is as far back as I did as many decades ago as I did. We used to have a kind of a moniker in the cyber industry, which was “trust but verify.” And that trust was kind of the inherent aspect of what how we would approach things. If you were inside, let's say, a corporate environment, there was an inherent level of trust. And what Colonial and what many of these specific kinds of cyber criminal actors have brought about is the ability to create profiles of both executives as well as line level managers within corporations or governmental entities.
And in doing that, they're able to spoof these people. And so we really have to shift the mindset of trust but verify to having zero trust. And the zero trust principle is really based upon four key things. The first sounds fairly reasonable: Never trust, but always verify. And then I think the other thing that really comes to bear is there's a need to assume that an organization has had a breach and making yourself aware of the fact that you probably have already been breached changes how you respond and how you plan for activities. And then the final aspect of that zero trust is verify explicitly. And in each of those elements are key aspects of cybersecurity knowledge and capabilities that really will bring about a change, a seismic shift in the industry and I think one for the better and one that's positive because it begins to put in place the type of activities and trainings that we need in order to thwart and combat those cyber criminals, as well as the nation states that are attacking us.
PRENTICE: We're talking with Edward Vasko, director of Boise State University's Institute for Pervasive Cybersecurity. Mr. Vasko, let's talk a little bit about how you spend your days: educating, shaping, mentoring the next generation of young men and women who, I'm hoping, will save our bacon in the future. What is your level of optimism as you're working with these pretty amazing young men and women?
VASKO: They are. And they really do amaze me every single day, George. I think the thing that drew me to Boise State was… I have been in the cybersecurity industry as an entrepreneur and as a professional for three decades now. In developing and growing my last company, I had a chance to establish some really great student-to-worker pipeline opportunities where we were taking in interns, we were growing new cyber professionals, and we were really helping ourselves, as a company, grow and achieve a higher level of growth faster. And that brought about a terrific opportunity for the sale of my company and the opportunity for me to give back what I saw. Boise State was just a phenomenal set of people, both students and faculty: they are mission driven to help the nation and help our state. And I think that that is a key principle that really differentiates us. And in joining Boise State about a year ago, as I look back over that year, I'm exceedingly pleased at the level of innovation and the level of support that's student- focused.
PRENTICE: And of course, that includes the new PhD program. Very impressive. So,… I love my smartphone, I can't function professionally without software. Our very conversation is taking place… and being broadcast and being shared via software. There are times, though, where I think there's too much software in my life. But that’s not going to change anytime soon. So, what can you tell a lay person? What should we be doing or not doing on a daily basis?
VASKO: I think that's a great question, George. And I will fully admit, having been in technology as long as I have, I am my family's I.T. person and I'm also my family's cyber security person. So, there is double fun there. I would say that in order to protect yourself, you have to understand that you're likely a target. All too often I've seen people take a perspective that says, “Cybercrime can't happen to me. You know, I'm one person. I don't use my phone enough. I rarely use social media,” and so forth. But as you just outlined, the reality is that technology is pervasive to our lives. We have what would have been, a few decades ago, the equivalent of a supercomputer in our pockets and our phones. Today, that technology is something that can be leveraged against us; and being aware that you could be exposed and are likely being exposed to different kinds of attacks, both from an email standpoint, which is where about 85 percent of attacks occur through, to social media, and bank systems, and so forth. And then kind of the classic adage applies: “If it doesn't smell right, doesn't feel right and doesn't look right, it probably isn't right.” And well, we can say that in today's market and in historic physical markets where we used to get spam messages. from the “Prince” of some country looking to get some dollars for support, and so forth, those obvious opportunities are definite scams. What we have to become aware of, is the next level of scam that's going on: the next level of opportunity to steal our data. And those are becoming more and more prevalent… more and more realistic in their look and in their feel. You can see within your email system… you can see the first type of email that is being sent. And then look beyond that. There are ways to look at what are called the headers of emails, to see if the email address and the email lines up with the header information. And if they don't, then be suspicious.
PRENTICE: And asking you to do something as simple as clicking a link or opening up what appears to be a Word document.
VASKO: That's exactly right. And that if there's any one other thing I would say is: don't open attachments unless you know and can verify the source of the attachment. All too often, it's easy to embed malicious software that can take over your phone and not take over your phone right away. Malicious software, malware nowadays is actually embedding itself deeper and deeper and for longer periods of time within our phones and our corporate systems and government systems. And the Colonial attack, to bring it kind of full circle, is a good example of that. They were inside the Colonial environment for four months before they activated the ransomware that took over their systems. Don't click on links that you don't know. Check your email. Verify that the sender actually sent you this email. And then the other thing I would say is, if you have the opportunity in your phone to activate any type of biometric, so a facial recognition or thumbprint or fingerprint recognition, go ahead and do so. That helps… if nothing else, if your phone gets stolen or lost.
PRENTICE: So that's very interesting. So would you endorse things like facial recognition?
VASKO: I would… in the sense of protecting the data that's on the phone. Certainly from a privacy and general criminal justice standpoint, there are other issues that are balanced there. But as an individual that's attempting to protect the data that's on their phone, that's by far and away, one of the better ways to do so. That, in combination with the potential for some type of long password
PRENTICE: Without dropping any names or endorsing any product, and there are a handful of consumer security packages to check software, et cetera…that's worth the investment, isn't it?
VASKO: I would say, without a doubt, the platform that you choose for mobile, if we're talking specifically around mobile, let's say the platform that you choose for your mobile phone certainly has some differences, without going into detail, both from an ecosystem, an application development ecosystem, as well as from ability to be hacked and so forth. That said, none of the major phone system providers are 100 percent secure. Nothing ever is 100 percent secure. So, the ability to check where your data that you're providing is going, is certainly something that that I'm in full support of the ability to know that my data is being turned…the data that represents me… is being turned into a product… is something that I think now that we understand where that data is going, we as consumers can make better choices… and certainly relying upon the platform providers to check over software and check over application vendors that are on their ecosystem. There is a certain degree of trust that we're handing over to those providers. And so, I would stay alert and stay aware of different issues that are identified. And the fact that some vendors are telling us where that data is going and what it's being used for, helps us as consumers be better enabled to make appropriate market decisions.
PRENTICE: Are you a fan of real-time constant scanning on our laptops and desktops?
VASKO: That's a great question. I would say, from a consumer standpoint, the challenge that we used to have…. the amount of computing power, and the time that it took to scan a computer was always impactful. When I was trying to do something else, inevitably I'm trying to answer an email and the old antivirus systems would get in the way, so to speak; and they would cause my system to slow down and so forth. Nowadays, the amount of computing power that we have in laptops really gives us the ability to have those systems doing continual protection and continual scanning without causing significant amounts of delay to our normal work. So, I think the value provided in this, and the protection provided, it outweighs the type of challenges that used to be put in front of us by older software and older technologies.
PRENTICE: He is Edward Vasco, director of Boise State University's Institute for Pervasive Cybersecurity. And he and his colleagues are on the front lines for us. Mr. Vasco, thanks so very much for giving us some time this morning.
VASKO: And thank you, George, and thank you to all the listeners.
Find reporter George Prentice on Twitter @georgepren
Copyright 2021 Boise State Public Radio