In a closed-door briefing with Senate aides, the companies described how hacking outfits linked to Iran, criminal groups and other adversaries are growing more sophisticated — and how they could take advantage of a complex web of vulnerable US targets to sow chaos, according to several people familiar with the Jan. 16 meeting.
Some of the hypothetical scenarios could have fit into a James Bond plot. By compromising the power grid, for example, skilled attackers could try to bring down oil and gas facilities that depend on electricity, Sergio Caltagirone, vice president of threat intelligence at Dragos, told the group.
It’s a volatile mix that portends a very good year for the multibillion-dollar cybersecurity industry.
“We are seeing huge growth,” Caltagirone said in an interview with CNN. “We’re servicing more calls than we can handle, which is actually a problem.” Dragos has hired more than 100 additional employees in the past 18 months and is still having trouble keeping up with demand, he added.
Chaos, Inc., or when chaos is good for business
But the enormous demand for cybersecurity know-how is also creating opportunities for fly-by-night operators with dubious track records, said James Lewis, a senior vice president at the Center for Strategic and International Studies, a security think tank.
“Everyone has a marketing department,” said Lewis. “Not everyone has the skills to do the good analysis.”
For the uninitiated, the line between self-promotion and cold, sober analysis can be difficult to find. A routine practice across the industry is to label hacking collectives using catchy aliases like Fancy Bear and Ocean Lotus. The naming conventions typically follow a pattern — for example, CrowdStrike refers to Iranian-linked hacking groups as “kittens” and Chinese-based groups as “pandas.”
Though the practice may have originated out of necessity to differentiate anonymous hacking groups, it’s become a successful branding technique for security companies of all kinds, said Lewis.
“If you have a name out there that sticks, it leads people back to your company,” he said. “Chief information officers or boards, when they realize they need to do something, they think about you.”
That can result in situations where a company driven by marketing, not knowledge, wins an unwarranted amount of attention, said Yossi Appleboum, a former Israeli army intelligence officer and the CEO of Sepio Systems, a company specializing in defenses against hardware hackers.
“The problem is that many people in the industry are talking about things they don’t really have a clue about,” said Appleboum.
In particular, the report betrayed a lack of familiarity with the specialized field of mobile forensics, said Sarah Edwards, an instructor at the SANS Institute, a security training and research group. It had principally relied on an iTunes backup of Bezos’s phone, Edwards said, citing the consultant report, which provided only a limited range of evidence.
“My recommendation would have been to bring it to people who truly deal with this kind of work,” she said.
Other experts panned the report for relying on circumstantial evidence to make confident claims about who may have been responsible. The team that did the analysis, FTI Consulting, declined to comment at the time.
Repeated questions about a firm’s credibility or expertise can trigger a more serious loss of trust.
Preparing for the 2020 election
Even as cybersecurity firms risk undermining their credibility by getting things wrong and appearing to get in the way of the public interest, many are pitching themselves as defenders of the public good.
While it won’t make them any money directly, said Lewis, it’s a smart strategy that’ll likely mean even more growth down the road.
“It’s a sweet spot,” he said. “They get both marketing value and they get to do some good.”