For decades, hackers fell squarely into two camps: “black hats,” in it to show off their skills and then, later, for money, espionage and data theft, and “white hats,” who breached systems to uncover flaws before the bad guys could find them and to make sure companies promptly fixed them.
Now, destruction for destruction’s sake has become a hallmark of the global cyberattack. The foremost example is the 2012 attack on Saudi Aramco, one of the world’s largest oil companies, that wiped or destroyed 35,000 computers before the devastation was halted. And who can forget the Sony Pictures hack, which left the studio’s reputation in shambles and its co-chair fired? With malicious actors everywhere looking for any possible exploit, one key to surviving the constant escalation of threats is to keep reinventing how you stay ahead of the game.
A new Security Advisory Board organized by HP aims to do just that, by bringing a trio of outside security experts inside the company. All three initial members have unique first-hand expertise in the world of hacking and the latest developments in security technology and strategies.
The board builds on HP’s 40 years of leadership in cybersecurity. As the world’s largest PC manufacturer and leading maker of printers, HP has driven a slew of security innovations, from technology that provides cryptographically secure updates of a device’s BIOS to run-time intrusion detection, which checks for anomalies, automatically rebooting when an intrusion is detected.
These security experts will act as a reconnaissance team, providing insights from the front lines that the company will use to reinforce its own security work. The board will also generate strategic conversations about the rapidly shifting security landscape with HP executives and the market.
“We want to be the sharpest we can be on what the future holds, understanding the threat landscape today and being able to address the real problems of tomorrow,” says Boris Balacheff, HP’s chief technologist for system security research and innovation.
The person HP chose to lead the advisory board is far from your run-of-the-mill corporate security expert. The new chairman, security consultant Michael Calce, a.k.a. “Mafiaboy,” launched his public career in 2000 at the age of 15 by unleashing a massive cyberattack that brought down Yahoo!, eBay and Amazon. It led to an FBI manhunt and $1.7 billion in economic fallout.
Joining him is Robert Masse, a partner at Deloitte (acting independently in this instance), with more than 20 years of experience in cybersecurity, focusing on risk management and – ironically – a shared history with Calce. Following his own run-in with law enforcement over hacking when he was a teen, Masse provided guidance to Calce after his arrest.
A third member is Justine Bone, who began her career doing reverse engineering and vulnerability research at New Zealand’s version of the U.S. National Security Agency before leading security for companies, including Bloomberg LP. She’s now the CEO of MedSec, which analyzes technology security for healthcare companies.
The Security Advisory Board will work with HP to identify evolving threats and help companies adapt to the fundamental changes taking place in the security landscape. One of these changes is that inadequate security can’t be hidden anymore; the hackers’ armory is too deep and sophisticated and automated attack tools are constantly on the lookout for flaws to exploit. Bone says it takes only two and a half minutes after you plug in a smart camera or screw in a smart light bulb for an internet bot to compromise that device. Billions of connected devices span every inch of our economy and our lives, from supply chains and energy grids to connected cars.
That’s putting everyone under a microscope, from the top of the chain to the bottom. “Security has become an imperative for our customers,” says HP’s Balacheff. With the average U.S. breach costing $7 million and intensifying scrutiny from consumers and investors, it’s increasingly clear that C-suite execs must become involved in anticipating security threats.
Additionally, organizations need help understanding just how profoundly the thinking behind security strategy needs to change. Traditionally, companies felt that a secure firewall would be the answer. However, with the continual evolution of how people work and the devices they use, it is no longer so cut and dried.
When baby monitors are conscripted into botnets to launch assaults that take down Twitter and Netflix, it’s clear that any connected device can be attacked.
And as the flood of network-connected gadgets continues to rise — 20 billion such devices are expected to be in service by 2020 — this challenge will only grow.
That’s why every device must be built from the ground up to be secure and able to adapt, says Calce. This principle is one the tech industry has always preached, but hasn’t always practiced. As an example, Calce explains, when a computer or printer boots up, a million lines of code are executed in what is known as the device’s “firmware.” This occurs before the user is even able to see any kind of welcome screen. HP has gone as far as protecting that deep into the system, which others haven’t.
“For years, software and hardware makers were able to rely on security by obscurity,” says Bone. “There was no upside to building in this quality all the way through the product because nobody was asking questions. Now, though, people are definitely asking.”
That’s where HP has been focused for years. The security board members say it’s paying off — that’s why they’re eager to work with HP to get this message out.
“HP is looking to implement security on anything and everything they develop,” says Calce. “That’s the type of mindset we need if we ever want to have some level of security in this world.”
For more information on how HP is creating the most secure business devices in the world, visit www.hp.com/reinventsecurity.