IRA FLATOW: This is Science Friday. I’m Ira Flatow coming up later in the hour, a trial of some of the nation’s largest opioid distributors, and a look into the physics of baseball. But first, if you were in the Southeastern US last week, you may have seen or been in a long line at the gas pump, all resulting from a temporary shutdown of a major gas pipeline. And as you know by now, that shutdown was caused by a ransomware attack that took billing computers of the pipeline operator offline.

And it got us thinking about the vulnerability of the nation’s infrastructure and whether more attacks like this are on the horizon. What is causing the surge in ransomware attacks? Joining me now to talk about computer security issues is Katie Moussouris, founder and CEO of Luta Security and visiting fellow at George Mason University’s National Security Institute. Welcome to Science Friday.

KATIE MOUSSOURIS: Thanks so much for having me, Ira.

IRA FLATOW: You’re Welcome. We were all watching the effects of the Colonial Pipeline ransomware attack last week. My question is, is this vulnerability emblematic of the state of infrastructure security in general?

KATIE MOUSSOURIS: Well, you know, it’s a complex problem. One that we in the cybersecurity profession have been wrestling with for over 20 years. And honestly, the state of cybersecurity is about the same as it was 20 years ago, with some pockets of hope, but other pockets of despair as we saw with this attack on the pipeline. And you got it exactly right, it actually wasn’t an attack on the computing infrastructure of the pipeline itself, it ended up being an attack that crippled their ability to make money on that pipeline, which is why they shut it down.

IRA FLATOW: When they stop making money things get serious?

KATIE MOUSSOURIS: Yeah. Apparently, cash flow is almost as important or more important than gasoline and oil flow.

IRA FLATOW: Let’s talk about this because you said something alarming about we’re still at the state of vulnerability we were 20 years ago. Why has nothing advanced?

KATIE MOUSSOURIS: You know, It is a combination of factors, right. If we look at the technological advances that we’ve seen over the last half-century in computing, it’s quite a lot. You know, from computers that used to take up entire rooms and had to have reinforced floors, to my handheld device that’s more powerful than the computers that got us to the moon. So we’re seeing super-fast evolution of technology without our ability to keep pace with securing it. And that’s where we are today, which is shortages in people, process, and technology needed to secure the infrastructure we’ve grown dependent on.

IRA FLATOW: Well, before we get into those shortages, let’s talk about the people or processes that are behind the ransomware. It seems like there have been more of these ransomware attacks in recent years. We’ve heard about them at hospitals and other places. Are criminals getting better at breaking into places or is it just a growth industry?

KATIE MOUSSOURIS: You know, criminals are just as good as their targets. You know, they are only as good as they have to be. And unfortunately, with this particular ransomware attack, those criminals took advantage of human nature and got someone to click on something in a production environment that they shouldn’t have. So there’s that element. But then there’s the other element which has made it a lot easier to directly monetize cybercrime. And that particular thing that’s grown in value and popularity over the last few years is cryptocurrency.

IRA FLATOW: Cryptocurrency itself though can’t be the root cause of all these ransomware attacks could it be?

KATIE MOUSSOURIS: It kind of is. I hate to say it, but it kind of is. Because before there was a really hard way to directly monetize compromising computers, right. You would have to do some other convoluted way to get the money if you were going to extort someone or blackmail someone with threats of publicly releasing their data. But with cryptocurrency, there is an option, especially in areas of the world where banking regulations might not be as strict as they are here in the United States and that combination is, unfortunately, a deadly combination for the increase in ransomware.

IRA FLATOW: So you’re saying there are now nation-states that are harboring the cybercrime and are just looking the other way?

KATIE MOUSSOURIS: That’s exactly right. We’ve definitely seen this particular ransomware group is reported to live in Russia and you know, I know that several other crime gangs going back from before the ransomware craze, back when stealing credit card information was the major financial fraud that could be carried out online, those crime networks and those crime businesses often were housed in countries like Russia that would turn it to their advantage when it suited them and certainly would turn the other direction and ignore those crimes when it suited them, especially if they were against their adversaries like the United States.

IRA FLATOW: Do you think the government sees this as a national security issue?

KATIE MOUSSOURIS: The government absolutely sees ransomware as a national security issue. And there was recently a report that came out from a group known as the Ransomware Task Force, that took 60 different industry experts, pulled them together and they were from governments and also from private industry to come up with a list of recommendations that governments and private industry folks can all do to combat ransomware. But it is a global approach that is necessary.

IRA FLATOW: Well, you’re in the security business, can you tell us how to overcome this, what are some of the solutions?

KATIE MOUSSOURIS: You know, it’s a broad swath of solutions that need to be put in place. One thing that we have trouble with is that as I mentioned, we’re creating technology faster than we can secure it. And part of that problem is we’re not teaching cybersecurity principles even to computer scientists. Most computer science programs in the United States you can graduate with a degree in computer science having never taken a single cybersecurity course.

So rather than creating technologists to build our powerful future enabled by the technology that we create and work on together, we’re actually creating a whole bunch of new writers of vulnerabilities. They’re not code writers, they are vulnerability writers. And on the flip-side of that equation, we don’t have enough cybersecurity professionals to fill all of the open job roles, and especially so many of them are looking for senior-level cybersecurity folks, where are the entry-level jobs? And we need those to formulate a healthy labor pipeline.

IRA FLATOW: That’s very interesting. Are these infrastructure attacks using new vulnerabilities or are they just making use of what’s out there already?

KATIE MOUSSOURIS: You know, actually a lot of the ransomware attacks and other criminal cyber behavior is not using vulnerabilities for which you’d need a super hacker to find, such that there are no patches for it, otherwise known as a zero-day vulnerability. You usually don’t need zero-day vulnerabilities to carry on these attacks. These criminals will use vulnerabilities for which a patch is already available but yet hasn’t been applied to that particular infrastructure yet. So again, it goes back to the people, process, and technology. And if you don’t have the people to apply those patches in a reasonable time frame, you then find yourselves victims to crimes that could have been prevented.

IRA FLATOW: Sometimes it takes being hit over the head with a two-by-four to get your attention. Maybe the pipeline is not a big enough piece of wood. I’m thinking about maybe the stock market or some of the banks or something like that, where people’s livelihoods are at play. Could that kind of thing still be possible, somebody hacking in and holding the stock market for ransom?

KATIE MOUSSOURIS: In an interconnected world technically anything is possible. But most cybercriminals still do need the internet to function somewhat, right, to carry out their crimes. So the bolder the crime, the more attention it draws. I think that this particular ransomware group would have been perfectly happy to just continue hitting organizations that were less visible and continue to make money.

I think a recent report showed that that particular ransomware group, they had gotten somewhere on the order of $90 million from various victims, and Colonial Pipeline being one of them. So could the stock market be held up by ransomware? Absolutely it could. But the criminals do have to weigh that effect on what potential countermeasures governments and organizations will take to combat that crime.

IRA FLATOW: In other words, you don’t want to go over the top, you’ll put yourself out of business if you shoot so to speak to high?

KATIE MOUSSOURIS: Exactly.

IRA FLATOW: So what’s your advice to companies looking to protect themselves?

KATIE MOUSSOURIS: Well, as companies grow in their personnel and also in their mission and what data they have to protect, it’s my hope that companies will grow their cybersecurity capabilities in proportion to that responsibility. We see companies that are unfortunately incentivized to put growth first and security and privacy way later if at all. And you see that in social media companies.

In fact, we just saw that with the popular new app Clubhouse, which is the audio-only app. And I found a bunch of vulnerabilities that were serious security and privacy violations in that app and when I went to report it to them not only did I have to struggle, but I also found out that they had fewer employees at their company than I have at mine. And to me, that speaks to a company that has grown way outside of its capability to secure its users.

And unfortunately, the markets keep rewarding that behavior. So advice I would have is try to grow in proportion to the responsibility that you have to your users and the type of data that you have, and try not to get too far over your skis in terms of growth and operations before you have the internal personnel with the expertise and the tools to secure it.

IRA FLATOW: You know, it sounds to me like you’re talking insurance companies. Maybe insurance companies would not insure you against attack if you don’t have the right security installed?

KATIE MOUSSOURIS: Yeah, cybersecurity insurers have struggled with the right actuarial tables for assessing their risk of taking on customers. Unfortunately, because this industry is so new relatively speaking, it’s one that people are spending money and effort in cybersecurity somewhere between the basement of compliance and the ceiling of who’s got the best marketing strategy. So when cyber insurers go and look to try and evaluate, they can kind of check off that you’re doing certain things. But it’s how you do them and when you do them that actually matter more in terms of cybersecurity. And cyber insurers just don’t have that depth of understanding yet, they just haven’t built it.

IRA FLATOW: This is astounding that this is almost the Wild West now of cybersecurity.

KATIE MOUSSOURIS: Well, I am a middle-aged hacker and I can tell you it’s been wild for over 20 years. So I don’t see it getting tamed anytime soon. But one, that’s job security for those of us who fight the good fight for cybersecurity, but it’s also job opportunities as other industries fade and as we come to reckoning with the deep social inequalities and income inequalities across the world, cybersecurity is an important option for people and new workers coming into the workforce. And I can tell you from my experience, you do not need a college degree to get into cybersecurity and really make a difference.

IRA FLATOW: Well, those are encouraging words to end our interview and a disappointing state of where we are. Thank you very much, Katie.

KATIE MOUSSOURIS: Thanks so much, Ira. This was fun.

IRA FLATOW: Katie Moussouris, founder and CEO of Luta Security, visiting fellow at George Mason University’s National Security Institute.

Copyright © 2021 Science Friday Initiative. All rights reserved. Science Friday transcripts are produced on a tight deadline by 3Play Media. Fidelity to the original aired/published audio or video file might vary, and text might be updated or amended in the future. For the authoritative record of Science Friday’s programming, please visit the original aired/published recording. For terms of use and more information, visit our policies pages at http://www.sciencefriday.com/about/policies/