Reinventing cybersecurity with the help of hackers

HP’s Security Advisory Board enlists a trio of security experts to help it triumph in a malicious new world.

By HP Corporate Newsroom — September 10, 2017


For decades, hackers fell squarely into two camps: “black hats,” in it to show off their skills and, later, for money, espionage and data theft, and “white hats,” who breached systems to uncover flaws before the bad guys could find them and to make sure companies promptly fixed them.

Now, destruction for destruction’s sake has become a hallmark of the global cyberattack. The foremost example is the 2012 Shamoon attack in Saudi Arabia on one of the world's largest oil companies, which wiped or destroyed 35,000 computers before the devastation was halted. Similar attacks aiming to render PC hardware inoperable have continued since, with Shamoon 2.0 earlier this year and, more recently, some of the NotPetya variants. With malicious actors everywhere looking for any possible exploit, one key to surviving the constant escalation of threats is to keep reinventing how you stay ahead of the game.

A new Security Advisory Board organized by HP aims to do just that, by bringing a trio of outside security experts inside the company. All three initial members have unique first-hand expertise in the world of hacking and the latest developments in security technology and strategies.  

The board builds on over two decades of HP leadership in cybersecurity for endpoint devices. As the world’s largest PC manufacturer and leading maker of printers, HP has driven a slew of security innovations, from technology that provides cryptographically secure updates of a device’s BIOS to run-time intrusion detection, which checks for anomalies, automatically rebooting when an intrusion is detected.

These security experts will act as a reconnaissance team, providing insights from the front lines that the company will use to reinforce its own security work. The board will also generate strategic conversations about the rapidly shifting security landscape with HP executives and the market. 

“We want to be the sharpest we can be on what the future holds, understanding the threat landscape today and being able to address the real problems of tomorrow,” says Boris Balacheff, HP’s chief technologist for system security research and innovation.

The person HP chose to lead the advisory board is far from your run-of-the-mill corporate security expert. The new chairman, security consultant Michael Calce, a.k.a. “Mafiaboy,” launched his public career in 2000 at the age of 15 by unleashing a massive cyberattack that brought down Yahoo!, eBay and Amazon. It led to an FBI manhunt and $1.7 billion in economic fallout.  

Joining him is Robert Masse, a partner at a major consulting firm (acting independently in this instance), with more than 20 years of experience in cybersecurity, focusing on risk management and—ironically—a shared history with Calce. Following his own run-in with law enforcement over hacking when he was a teen, Masse provided guidance to Calce after his arrest.

“Originally, cybersecurity was an IT problem. What we’re seeing is now it's being treated like any other risk.” 

Robert Masse, member of HP's Security Advisory Board

A third member is Justine Bone, who began her career doing reverse engineering and vulnerability research at New Zealand’s version of the U.S. National Security Agency before leading security for companies, including Bloomberg LP. She’s now the CEO of MedSec, which analyzes technology security for healthcare companies.

The Security Advisory Board will work with HP to identify evolving threats and help companies adapt to the fundamental changes taking place in the security landscape. One of these changes is that inadequate security can’t be hidden anymore; the hackers’ armory is too deep and sophisticated, and automated attack tools are constantly on the lookout for flaws to exploit. Bone says it takes only two and a half minutes after you plug in a smart camera or screw in a smart light bulb for an internet bot to compromise that device. Billions of connected devices span every inch of our economy and our lives, from supply chains and energy grids to connected cars.

That’s putting everyone under a microscope, from the top of the chain to the bottom. “Security has become an imperative for our customers,” says HP’s Balacheff.  With the average U.S. breach costing $7 million and intensifying scrutiny from consumers and investors, it’s increasingly clear that everyone throughout an organization, from a company’s security group up to the board, needs to be involved in anticipating security threats. “Originally cybersecurity was an IT problem. What we’re seeing is now it's being heavily looked at by the board and the audit and risk committee and treated like any other risk,” says Masse. “I think now's the time where we really have the opportunity to improve things at a much better level than before.”

Additionally, organizations need help understanding just how profoundly the thinking behind security strategy needs to change. Traditionally, companies felt that software or network security solutions would be the answer. However, with the evolution of attacker sophistication and our increased dependency on devices for everything we do, it is no longer that simple. Security needs to start at the lowest level of hardware and firmware design.

When baby monitors are conscripted into botnets to launch assaults that take down Twitter and Netflix, it’s clear that any connected device can be attacked. And as the flood of network-connected gadgets continues to rise — 20 billion such devices are expected to be in service by 2020 — this challenge will only grow.

That’s why every device must be built from the ground up to be secure and able to adapt, says Calce. This principle is one the tech industry has always preached, but hasn’t always practiced. An example of this, Calce explains, is when a computer or printer boots up: up to a million lines of code can be executed before the device’s operating system is even loaded, in what is known as the device's 'firmware' (often still referred to as BIOS in PCs). This occurs before the user is even able to see any kind of welcome screen. HP has gone as far as designing not only protections but also the ability to detect an attack and recover a compromised device, trailblazing the future of endpoint security with hardware-enforced cyber-resilient devices.

“For years,” says Bone, “software and hardware makers were able to rely on security by obscurity. There was no upside to building in this quality all the way through the product because nobody was asking questions. Now, though, people are definitely asking.”

That’s where HP has been focused for years. The security board members say it’s paying off — that’s why they’re eager to work with HP to get this message out. 

“HP is looking to implement security on anything and everything they develop,” says Calce. “That’s the type of mindset we need if we ever want to have some level of security in this world.”
