Nadya Bartol: Better cybersecurity starts with honesty and accountability | TED

36,308 views ・ 2021-06-01

TED



00:13 Today, I'm going to talk about a shameful topic. This has happened to many of us, and it's embarrassing, but if we don't talk about it, nothing will ever change. It's about being hacked.

00:27 Some of us have clicked on a phishing link and downloaded a computer virus. Some of us have had our identities stolen. And those of us who are software developers might have written insecure code with security bugs in it without realizing it.

00:42 As a cybersecurity expert, I have worked with countless companies on improving their cybersecurity. Cybersecurity experts like me have advised companies on good cybersecurity practices, monitoring tools and proper user behaviors. But I actually see a much bigger problem that no tool can fix: the shame associated with the mistakes that we make.

01:06 We like to think of ourselves as competent and tech savvy, and when we make these mistakes that can have a really bad impact on us and our companies -- anything from a simple annoyance, to taking a lot of time to fix, to costing us and our employers a lot of money.

01:23 Despite billions of dollars that companies spend on cybersecurity, practitioners like me see the same problems over and over again. Let me give you some examples.

01:35 The 2015 hack of Ukrainian utilities that disconnected power for 225,000 customers and took months to restore back to full operations started with a phishing link.
01:48 By the way, 225,000 customers is a lot more than 225,000 people.
01:53 Customers can be anything from an apartment building to an industrial facility to a shopping mall.

01:59 The 2017 data breach of Equifax that exposed personally identifiable information of 140 million people and may ultimately cost Equifax something on the order of 1.4 billion dollars: that was caused by an exploitation of a well-known vulnerability in the company's customer consumer complaint portal.

02:21 Fundamentally, this is about technology and innovation. Innovation is good; it makes our lives better. Most of the modern cars we drive today are fundamentally computers on wheels. They tell us where to go to avoid traffic, when to take them in for maintenance and then give us all kinds of modern-day conveniences. Many people use connected medical devices like pacemakers and glucose monitors with insulin pumps. These devices make these people's lives better and sometimes even extend their lives. But anything that can be interconnected can be hacked when it's connected.

03:00 Did you know that the former US Vice President Dick Cheney kept his pacemaker disconnected from Wi-Fi before he received a heart transplant? I will let you figure out why. In a digitally interconnected world, cyber risks are literally everywhere.

03:16 For years, my colleagues and I have been talking about this elusive notion of cybersecurity culture. Cybersecurity culture is when everybody in the organization believes that cybersecurity is their job, knows what to do and what not to do and does the right thing. Unfortunately, I can't tell you which companies do this well, because by doing so, I would put a juicy target on their backs for ambitious attackers. But what I can do is make cybersecurity less mysterious, bring it out into the open and talk about it. There should be no mystery or secrecy within an organization.

03:54 When something is invisible and it's working, we don't know that it's there until it's not there. Kind of like toilet paper. When the COVID-19 pandemic began, what has been there all of a sudden became super important because we couldn't find it anywhere. Cybersecurity is just like that: when it's working, we don't know, and we don't care. But when it's not working, it can be really, really bad. Toilet paper is pretty straightforward. Cybersecurity is mysterious and complex.

04:28 And I actually think it starts with the notion of psychological safety. This notion was popularized by an organizational behavior scientist, Amy Edmondson. Amy studied behavior of medical teams in high-stakes situations like hospitals, where mistakes could be fatal. And she found out that nurses were not comfortable bringing up suggestions to the doctors because of the fear of questioning authority. Amy helped improve medical teams to make nurses more comfortable bringing up suggestions to the doctors for patient treatment without the fear of being scolded or demeaned. For that to happen, doctors needed to listen and be receptive -- without judging. Psychological safety is when everybody is comfortable speaking up and pointing things out.

05:17 I want cybersecurity to be the same. And I want cybersecurity practitioners to be comfortable bringing suggestions up to senior executives or software developers, without being dismissed as those people who continue to talk about horrors and errors, and say no. Not doing so is really hard for the individuals who are responsible for the creation of digital products because fundamentally, it's about their pride and joy in their creations.

05:46 I once tried talking to a senior software development executive about the need to do better security. You know what he said? "Are you telling me we're developing insecure code?" In other words, what he heard was, "Your baby is ugly."

06:00 What if instead of focusing on what not to do, we focused on what to do? Like, how do we develop better software and protect our customer information at the same time? Or how do we make sure that our organization is able to operate in crisis, under attack or in an emergency? And what if we reward good things that people do in cybersecurity in some way and encourage them to do so, like reporting security incidents, reporting potential phishing emails, or finding and fixing software security bugs in the software that they develop? And what if we tied these good security actions to performance evaluations to make it really matter?

06:43 I would love for us to communicate these good cybersecurity things and encourage them in some sort of company-wide communications like newsletters, blogs, websites, microsites -- whatever we use to communicate to our organization. What if a company announced a competition for who finds the most security bugs and fixes them in a two-week development sprint and then announces the winner of the competition for the quarter at a large company virtual town hall, and then rewards these people, these winners, with something meaningful, like a week's vacation or a bonus. Others will see the celebration and recognition, and they'll want to do the same.

07:23 In the energy industry, there is a really strong culture of safety. People care about this culture, are proud of it, and there is a collective reinforcement of this culture to make sure that nobody gets hurt. One of the ways they exhibit and keep this safety-conscious culture going is by counting and visibly displaying days since the last safety incident. And then everybody works really hard not to have that count go back to zero because that means that somebody did get hurt.

07:54 Cybersecurity is the same as safety. What if we all agree to keep that count of days since the last cybersecurity incident going on forever and then work really hard not to have it reset to zero?

08:08 And then certain things are a no-no, and we need to clearly communicate to our organizations what they are in an easily digestible and maybe even fun way, like gamification or simulations, to make sure that people can remember this. And if somebody does something they're not supposed to do, they should face some sort of consequences. So, for example, if an employee buys equipment on Amazon or eBay or uses personal Dropbox for their company business, then they should face some sort of consequences. And when this happens, executives should get the same treatment as regular employees, because if they don't, then people won't believe that it's real and will go back to their old behaviors.

08:47 It's OK to talk about mistakes, but just like a teenager who violates the rules tells us about it, we appreciate that they told us about it, but there should still be some sort of consequences.

09:00 Cybersecurity is a journey. It's not a destination, and we need to keep working on it.

09:06 I would love for us to celebrate cybersecurity people like the heroes that they are. If we think about it, they are firefighters, emergency room doctors and nurses, law enforcement, risk executives and business strategists all in the same persona. And they help us protect our modern life that we like so much. They protect our identities, our inventions, our intellectual property, our electric grid, medical devices, connected cars and myriad other things. And I'd like to be on that team.

09:38 So let's agree that this thing is with us to stay, let's create a safe environment to learn from our mistakes, and let's commit to making things better.

09:48 Thank you.