Nadya Bartol: Better cybersecurity starts with honesty and accountability | TED

36,390 views ・ 2021-06-01

TED



00:00
Transcriber:
Translator: 傅寰 李 Reviewer: Yi-Ping Cho (Marssi)
00:13
Today, I'm going to talk about a shameful topic.
00:17
This has happened to many of us, and it's embarrassing,
00:21
but if we don't talk about it, nothing will ever change.
00:24
It's about being hacked.
00:27
Some of us have clicked on a phishing link and downloaded a computer virus.
00:32
Some of us have had our identities stolen.
00:34
And those of us who are software developers
00:36
might have written insecure code with security bugs in it
00:40
without realizing it.
00:42
As a cybersecurity expert,
00:44
I have worked with countless companies on improving their cybersecurity.
00:49
Cybersecurity experts like me have advised companies
00:52
on good cybersecurity practices,
00:55
monitoring tools
00:56
and proper user behaviors.
00:58
But I actually see a much bigger problem that no tool can fix:
01:02
the shame associated with the mistakes that we make.
01:06
We like to think of ourselves as competent and tech savvy,
01:10
and when we make these mistakes that can have a really bad impact
01:13
on us and our companies --
01:15
anything from a simple annoyance,
01:17
to taking a lot of time to fix,
01:19
to costing us and our employers a lot of money.
01:23
Despite billions of dollars that companies spend on cybersecurity,
01:28
practitioners like me see the same problems over and over again.
01:32
Let me give you some examples.
01:35
The 2015 hack of Ukrainian utilities
01:38
that disconnected power for 225,000 customers
01:42
and took months to restore back to full operations
01:45
started with a phishing link.
01:48
By the way, 225,000 customers is a lot more than 225,000 people.
01:53
Customers can be anything from an apartment building
01:56
to an industrial facility
01:57
to a shopping mall.
01:59
The 2017 data breach of Equifax
02:02
that exposed personally identifiable information
02:05
of 140 million people
02:07
and may ultimately cost Equifax something on the order of 1.4 billion dollars:
02:14
that was caused by an exploitation of a well-known vulnerability
02:17
in the company's customer consumer complaint portal.
02:21
Fundamentally, this is about technology and innovation.
02:25
Innovation is good; it makes our lives better.
02:28
Most of the modern cars we drive today are fundamentally computers on wheels.
02:34
They tell us where to go to avoid traffic, when to take them in for maintenance
02:39
and then give us all kinds of modern-day conveniences.
02:42
Many people use connected medical devices like pacemakers
02:46
and glucose monitors with insulin pumps.
02:49
These devices make these people's lives better
02:51
and sometimes even extend their lives.
02:54
But anything that can be interconnected can be hacked when it's connected.
03:00
Did you know that the former US Vice President Dick Cheney
03:03
kept his pacemaker disconnected from Wi-Fi before he received a heart transplant?
03:07
I will let you figure out why.
03:10
In a digitally interconnected world, cyber risks are literally everywhere.
03:16
For years, my colleagues and I have been talking about
03:19
this elusive notion of cybersecurity culture.
03:22
Cybersecurity culture is when everybody in the organization
03:25
believes that cybersecurity is their job,
03:28
knows what to do and what not to do
03:30
and does the right thing.
03:32
Unfortunately, I can't tell you which companies do this well,
03:35
because by doing so, I would put a juicy target on their backs
03:39
for ambitious attackers.
03:41
But what I can do is make cybersecurity less mysterious,
03:45
bring it out into the open and talk about it.
03:48
There should be no mystery or secrecy within an organization.
03:54
When something is invisible and it's working,
03:58
we don't know that it's there until it's not there.
04:01
Kind of like toilet paper.
04:04
When the COVID-19 pandemic began,
04:07
what has been there all of a sudden became super important
04:10
because we couldn't find it anywhere.
04:12
Cybersecurity is just like that:
04:15
when it's working, we don't know, and we don't care.
04:18
But when it's not working,
04:19
it can be really, really bad.
04:22
Toilet paper is pretty straightforward.
04:25
Cybersecurity is mysterious and complex.
04:28
And I actually think it starts with the notion of psychological safety.
04:33
This notion was popularized by an organizational behavior scientist,
04:37
Amy Edmondson.
04:38
Amy studied behavior of medical teams in high-stakes situations like hospitals,
04:44
where mistakes could be fatal.
04:45
And she found out that nurses were not comfortable
04:48
bringing up suggestions to the doctors
04:50
because of the fear of questioning authority.
04:53
Amy helped improve medical teams
04:56
to make nurses more comfortable bringing up suggestions to the doctors
05:00
for patient treatment
05:01
without the fear of being scolded or demeaned.
05:04
For that to happen, doctors needed to listen and be receptive --
05:07
without judging.
05:10
Psychological safety is when everybody is comfortable speaking up
05:14
and pointing things out.
05:17
I want cybersecurity to be the same.
05:19
And I want cybersecurity practitioners to be comfortable bringing suggestions up
05:23
to senior executives or software developers,
05:26
without being dismissed as those people who continue to talk about
05:30
horrors and errors,
05:32
and say no.
05:33
Not doing so is really hard
05:37
for the individuals who are responsible for the creation of digital products
05:41
because fundamentally, it's about their pride and joy in their creations.
05:46
I once tried talking to a senior software development executive
05:50
about the need to do better security.
05:52
You know what he said?
05:53
"Are you telling me we're developing insecure code?"
05:56
In other words, what he heard was, "Your baby is ugly."
06:00
What if instead of focusing on what not to do,
06:04
we focused on what to do?
06:07
Like, how do we develop better software
06:10
and protect our customer information at the same time?
06:14
Or how do we make sure that our organization is able to operate
06:18
in crisis, under attack or in an emergency?
06:21
And what if we reward good things that people do in cybersecurity in some way
06:25
and encourage them to do so,
06:27
like reporting security incidents,
06:29
reporting potential phishing emails,
06:32
or finding and fixing software security bugs
06:35
in the software that they develop?
06:37
And what if we tied these good security actions to performance evaluations
06:41
to make it really matter?
06:43
I would love for us to communicate these good cybersecurity things
06:48
and encourage them in some sort of company-wide communications
06:51
like newsletters, blogs, websites, microsites --
06:53
whatever we use to communicate to our organization.
06:57
What if a company announced a competition for who finds the most security bugs
07:02
and fixes them in a two-week development sprint
07:05
and then announces the winner of the competition for the quarter
07:09
at a large company virtual town hall,
07:11
and then rewards these people, these winners, with something meaningful,
07:16
like a week's vacation or a bonus.
07:18
Others will see the celebration and recognition,
07:21
and they'll want to do the same.
07:23
In the energy industry,
07:24
there is a really strong culture of safety.
07:27
People care about this culture, are proud of it,
07:30
and there is a collective reinforcement of this culture
07:34
to make sure that nobody gets hurt.
07:36
One of the ways they exhibit and keep this safety-conscious culture going
07:40
is by counting and visibly displaying days since the last safety incident.
07:47
And then everybody works really hard not to have that count go back to zero
07:52
because that means that somebody did get hurt.
07:54
Cybersecurity is the same as safety.
07:57
What if we all agree
07:59
to keep that count of days since the last cybersecurity incident
08:02
going on forever
08:04
and then work really hard not to have it reset to zero?
08:08
And then certain things are a no-no,
08:10
and we need to clearly communicate to our organizations what they are
08:13
in an easily digestible and maybe even fun way,
08:16
like gamification or simulations,
08:19
to make sure that people can remember this.
08:21
And if somebody does something they're not supposed to do,
08:24
they should face some sort of consequences.
08:26
So, for example, if an employee buys equipment on Amazon or eBay
08:31
or uses personal Dropbox for their company business,
08:34
then they should face some sort of consequences.
08:37
And when this happens, executives should get the same treatment
08:40
as regular employees,
08:42
because if they don't, then people won't believe that it's real
08:45
and will go back to their old behaviors.
08:47
It's OK to talk about mistakes,
08:49
but just like a teenager who violates the rules tells us about it,
08:53
we appreciate that they told us about it,
08:55
but there should still be some sort of consequences.
09:00
Cybersecurity is a journey.
09:02
It's not a destination,
09:03
and we need to keep working on it.
09:06
I would love for us to celebrate cybersecurity people
09:09
like the heroes that they are.
09:11
If we think about it, they are firefighters,
09:14
emergency room doctors and nurses,
09:16
law enforcement, risk executives and business strategists
09:19
all in the same persona.
09:21
And they help us protect our modern life that we like so much.
09:25
They protect our identities, our inventions, our intellectual property,
09:30
our electric grid, medical devices,
09:32
connected cars and myriad other things.
09:35
And I'd like to be on that team.
09:38
So let's agree that this thing is with us to stay,
09:42
let's create a safe environment to learn from our mistakes,
09:45
and let's commit to making things better.
09:48
Thank you.