Nadya Bartol: Better cybersecurity starts with honesty and accountability | TED

35,911 views ・ 2021-06-01

TED


00:00
Transcriber:
Translator: Yuelin Li; Reviewer: Jiasi Hao
00:13
Today, I'm going to talk about a shameful topic.
00:17
This has happened to many of us, and it's embarrassing,
00:21
but if we don't talk about it, nothing will ever change.
00:24
It's about being hacked.
00:27
Some of us have clicked on a phishing link and downloaded a computer virus.
00:32
Some of us have had our identities stolen.
00:34
And those of us who are software developers
00:36
might have written insecure code with security bugs in it
00:40
without realizing it.
00:42
As a cybersecurity expert,
00:44
I have worked with countless companies on improving their cybersecurity.
00:49
Cybersecurity experts like me have advised companies
00:52
on good cybersecurity practices,
00:55
monitoring tools
00:56
and proper user behaviors.
00:58
But I actually see a much bigger problem that no tool can fix:
01:02
the shame associated with the mistakes that we make.
01:06
We like to think of ourselves as competent and tech savvy,
01:10
and when we make these mistakes that can have a really bad impact
01:13
on us and our companies --
01:15
anything from a simple annoyance,
01:17
to taking a lot of time to fix,
01:19
to costing us and our employers a lot of money.
01:23
Despite billions of dollars that companies spend on cybersecurity,
01:28
practitioners like me see the same problems over and over again.
01:32
Let me give you some examples.
01:35
The 2015 hack of Ukrainian utilities
01:38
that disconnected power for 225,000 customers
01:42
and took months to restore back to full operations
01:45
started with a phishing link.
01:48
By the way, 225,000 customers is a lot more than 225,000 people.
01:53
Customers can be anything from an apartment building
01:56
to an industrial facility
01:57
to a shopping mall.
01:59
The 2017 data breach of Equifax
02:02
that exposed personally identifiable information
02:05
of 140 million people
02:07
and may ultimately cost Equifax something on the order of 1.4 billion dollars:
02:14
that was caused by an exploitation of a well-known vulnerability
02:17
in the company's consumer complaint portal.
02:21
Fundamentally, this is about technology and innovation.
02:25
Innovation is good; it makes our lives better.
02:28
Most of the modern cars we drive today are fundamentally computers on wheels.
02:34
They tell us where to go to avoid traffic, when to take them in for maintenance
02:39
and then give us all kinds of modern-day conveniences.
02:42
Many people use connected medical devices like pacemakers
02:46
and glucose monitors with insulin pumps.
02:49
These devices make these people's lives better
02:51
and sometimes even extend their lives.
02:54
But anything that can be interconnected can be hacked when it's connected.
03:00
Did you know that the former US Vice President Dick Cheney
03:03
kept his pacemaker disconnected from Wi-Fi before he received a heart transplant?
03:07
I will let you figure out why.
03:10
In a digitally interconnected world, cyber risks are literally everywhere.
03:16
For years, my colleagues and I have been talking about
03:19
this elusive notion of cybersecurity culture.
03:22
Cybersecurity culture is when everybody in the organization
03:25
believes that cybersecurity is their job,
03:28
knows what to do and what not to do
03:30
and does the right thing.
03:32
Unfortunately, I can't tell you which companies do this well,
03:35
because by doing so, I would put a juicy target on their backs
03:39
for ambitious attackers.
03:41
But what I can do is make cybersecurity less mysterious,
03:45
bring it out into the open and talk about it.
03:48
There should be no mystery or secrecy within an organization.
03:54
When something is invisible and it's working,
03:58
we don't know that it's there until it's not there.
04:01
Kind of like toilet paper.
04:04
When the COVID-19 pandemic began,
04:07
what has been there all of a sudden became super important
04:10
because we couldn't find it anywhere.
04:12
Cybersecurity is just like that:
04:15
when it's working, we don't know, and we don't care.
04:18
But when it's not working,
04:19
it can be really, really bad.
04:22
Toilet paper is pretty straightforward.
04:25
Cybersecurity is mysterious and complex.
04:28
And I actually think it starts with the notion of psychological safety.
04:33
This notion was popularized by an organizational behavior scientist,
04:37
Amy Edmondson.
04:38
Amy studied behavior of medical teams in high-stakes situations like hospitals,
04:44
where mistakes could be fatal.
04:45
And she found out that nurses were not comfortable
04:48
bringing up suggestions to the doctors
04:50
because of the fear of questioning authority.
04:53
Amy helped improve medical teams
04:56
to make nurses more comfortable bringing up suggestions to the doctors
05:00
for patient treatment
05:01
without the fear of being scolded or demeaned.
05:04
For that to happen, doctors needed to listen and be receptive --
05:07
without judging.
05:10
Psychological safety is when everybody is comfortable speaking up
05:14
and pointing things out.
05:17
I want cybersecurity to be the same.
05:19
And I want cybersecurity practitioners to be comfortable bringing suggestions up
05:23
to senior executives or software developers,
05:26
without being dismissed as those people who continue to talk about
05:30
horrors and errors,
05:32
and say no.
05:33
Not doing so is really hard
05:37
for the individuals who are responsible for the creation of digital products
05:41
because fundamentally, it's about their pride and joy in their creations.
05:46
I once tried talking to a senior software development executive
05:50
about the need to do better security.
05:52
You know what he said?
05:53
"Are you telling me we're developing insecure code?"
05:56
In other words, what he heard was, "Your baby is ugly."
06:00
What if instead of focusing on what not to do,
06:04
we focused on what to do?
06:07
Like, how do we develop better software
06:10
and protect our customer information at the same time?
06:14
Or how do we make sure that our organization is able to operate
06:18
in crisis, under attack or in an emergency?
06:21
And what if we reward good things that people do in cybersecurity in some way
06:25
and encourage them to do so,
06:27
like reporting security incidents,
06:29
reporting potential phishing emails,
06:32
or finding and fixing software security bugs
06:35
in the software that they develop?
06:37
And what if we tied these good security actions to performance evaluations
06:41
to make it really matter?
06:43
I would love for us to communicate these good cybersecurity things
06:48
and encourage them in some sort of company-wide communications
06:51
like newsletters, blogs, websites, microsites --
06:53
whatever we use to communicate to our organization.
06:57
What if a company announced a competition for who finds the most security bugs
07:02
and fixes them in a two-week development sprint
07:05
and then announces the winner of the competition for the quarter
07:09
at a large company virtual town hall,
07:11
and then rewards these people, these winners, with something meaningful,
07:16
like a week's vacation or a bonus.
07:18
Others will see the celebration and recognition,
07:21
and they'll want to do the same.
07:23
In the energy industry,
07:24
there is a really strong culture of safety.
07:27
People care about this culture, are proud of it,
07:30
and there is a collective reinforcement of this culture
07:34
to make sure that nobody gets hurt.
07:36
One of the ways they exhibit and keep this safety conscious culture going
07:40
is by counting and visibly displaying days since the last safety incident.
07:47
And then everybody works really hard not to have that count go back to zero
07:52
because that means that somebody did get hurt.
07:54
Cybersecurity is the same as safety.
07:57
What if we all agree
07:59
to keep that count of days since the last cybersecurity incident
08:02
going on forever
08:04
and then work really hard not to have it reset to zero?
08:08
And then certain things are a no-no,
08:10
and we need to clearly communicate to our organizations what they are
08:13
in an easily digestible and maybe even fun way,
08:16
like gamification or simulations,
08:19
to make sure that people can remember this.
08:21
And if somebody does something they're not supposed to do,
08:24
they should face some sort of consequences.
08:26
So, for example, if an employee buys equipment on Amazon or eBay
08:31
or uses personal Dropbox for their company business,
08:34
then they should face some sort of consequences.
08:37
And when this happens, executives should get the same treatment
08:40
as regular employees,
08:42
because if they don't, then people won't believe that it's real
08:45
and will go back to their old behaviors.
08:47
It's OK to talk about mistakes,
08:49
but just like a teenager who violates the rules tells us about it,
08:53
we appreciate that they told us about it,
08:55
but there should still be some sort of consequences.
09:00
Cybersecurity is a journey.
09:02
It's not a destination,
09:03
and we need to keep working on it.
09:06
I would love for us to celebrate cybersecurity people
09:09
like the heroes that they are.
09:11
If we think about it, they are firefighters,
09:14
emergency room doctors and nurses,
09:16
law enforcement, risk executives and business strategists
09:19
all in the same persona.
09:21
And they help us protect our modern life that we like so much.
09:25
They protect our identities, our inventions, our intellectual property,
09:30
our electric grid, medical devices,
09:32
connected cars and myriad other things.
09:35
And I'd like to be on that team.
09:38
So let's agree that this thing is with us to stay,
09:42
let's create a safe environment to learn from our mistakes,
09:45
and let's commit to making things better.
09:48
Thank you.