Power

Why the security industry can't fix the ransomware problem

Ransomware is one of the most pressing cybersecurity problems, but there's no high-tech fix.

Christopher Krebs

Ransomware is "the scourge of the Internet," said Christopher Krebs, pictured here at the U.S Conference of Mayors 88th Winter Meeting in January.

Photo: Tom Williams/CQ-Roll Call, Inc via Getty Images

Schools shutting down. Hospitals turning patients away. City governments paralyzed. Businesses racking up nine-figure losses.

Ransomware has grown to one of the biggest cybersecurity threats facing organizations, but the security industry might only be able to do so much to help. At the RSA security conference in San Francisco this week, the Department of Homeland Security's top cybersecurity official Christopher Krebs called it "the scourge of the Internet," and CrowdStrike co-founder Dmitri Alperovitch dubbed 2019 "the year of ransomware."

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

But people who came hoping to learn about some high-tech fix for one of cybersecurity's fastest-growing problems are going to be disappointed. Almost none of the conference's hundreds of panels focuses on ransomware, which locks up data and devices until victims pay a demand, typically in bitcoin. Firms that claimed to have sophisticated technology to counter the problem have been exposed for simply paying the ransom demand.

That's because one of the biggest cybersecurity threats pummeling organizations happens to have a pretty boring solution.

Brett Arsenault, Microsoft's chief information security officer, said that it's not a mystery how to protect an organization from ransomware. The first step is not letting it in, which can be accomplished through basic measures such as regularly patching your systems and teaching employees not to fall for phishing emails, he said. The second step is to have backups in place to restore your systems in case they are infected.

"People still underestimate and undervalue the pedestrian part of this job," he said. "Hygiene is still key. I see people spending all this money on widgets that are akin to having a massively awesome alarm system on the front of your house, but it means nothing if you leave your back door open all the time."

Out of more than 500 panels being held throughout the week at the RSA security conference in San Francisco, only one on the agenda was explicitly focused on ransomware (a second, about the city of Atlanta's ransomware recovery efforts, was canceled). The panel, sponsored by network security firm SonicWall, was in a packed 70-seat makeshift briefing room on the expo floor, with dozens of people sitting on the ground. SonicWall Senior Product Marketing Manager Brook Chelmo spent the 30-minute talk sharing insights from his conversations with two ransomware attackers. Their advice to companies trying to protect themselves: Use proper passwords, enable multifactor authentication, hire good cybersecurity employees, and watch out for misconfigured firewalls.

In other words, to protect yourself from one the most dangerous threats, you have to cover the basics.

That explains why so many ransomware victims have been municipal governments, school districts and hospitals, said Ryan Lasalle, North America lead at Accenture Security. These organizations often lack the budget and personnel to keep computer networks up-to-date and protected. In many cases, these organizations don't have a trained employee dedicated to cybersecurity.

That's not to say that large savvy organizations don't need to think about ransomware. The threat is particularly serious because of the massive damage it can cost, both in terms of financial losses and safety risks, Lasalle said. One manufacturer that Accenture works with has determined that a ransomware attack would cost them $1 million an hour in lost revenue, he said. "Even if you're a Fortune 500 company, you don't want to be losing $25 million a day," he said.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

But for organizations that have the basics covered, there's little else they can do besides plan for the worst-case scenario. The questions then become things like do you pay the demand or ignore it? Do you buy cyber insurance to help cover the costs?

Arsenault said his team at Microsoft went so far as to consider if they should stockpile bitcoin, the preferred ransom currency of attackers. "A thought was should we buy a bunch of bitcoin now, because if we had to pay a ransom in the future, the price of bitcoin is going up. We thought about it and talked to our CFO, and she was like … 'No. You should make sure we have a process and know how to do it and invoke it at the time, but we're not going to hedge,'" he said.

Fintech

Apple's new payments tech won't kill Square

It could be used in place of the Square dongle, but it's far short of a full-fledged payments service.

The Apple system would reportedly only handle contactless payments.

Photo: Nathan Dumlao/Unsplash

Apple is preparing a product to enable merchants to accept contactless payments via iPhones without additional hardware, according to Bloomberg.

While this may seem like a move to compete with Block and its Square merchant unit in point-of-sale payments, that’s unlikely. The Apple service is using technology from its acquisition of Mobeewave in 2020 that enables contactless payments using NFC technology.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Sponsored Content

A CCO’s viewpoint on top enterprise priorities in 2022

The 2022 non-predictions guide to what your enterprise is working on starting this week

As Honeywell’s global chief commercial officer, I am privileged to have the vantage point of seeing the demands, challenges and dynamics that customers across the many sectors we cater to are experiencing and sharing.

This past year has brought upon all businesses and enterprises an unparalleled change and challenge. This was the case at Honeywell, for example, a company with a legacy in innovation and technology for over a century. When I joined the company just months before the pandemic hit we were already in the midst of an intense transformation under the leadership of CEO Darius Adamczyk. This transformation spanned our portfolio and business units. We were already actively working on products and solutions in advanced phases of rollouts that the world has shown a need and demand for pre-pandemic. Those included solutions in edge intelligence, remote operations, quantum computing, warehouse automation, building technologies, safety and health monitoring and of course ESG and climate tech which was based on our exceptional success over the previous decade.

Keep Reading Show less
Jeff Kimbell
Jeff Kimbell is Senior Vice President and Chief Commercial Officer at Honeywell. In this role, he has broad responsibilities to drive organic growth by enhancing global sales and marketing capabilities. Jeff has nearly three decades of leadership experience. Prior to joining Honeywell in 2019, Jeff served as a Partner in the Transformation Practice at McKinsey & Company, where he worked with companies facing operational and financial challenges and undergoing “good to great” transformations. Before that, he was an Operating Partner at Silver Lake Partners, a global leader in technology and held a similar position at Cerberus Capital LP. Jeff started his career as a Manufacturing Team Manager and Engineering Project Manager at Procter & Gamble before becoming a strategy consultant at Bain & Company and holding executive roles at Dell EMC and Transamerica Corporation. Jeff earned a B.S. in electrical engineering at Kansas State University and an M.B.A. at Dartmouth College.
China

Why does China's '996' overtime culture persist?

A Tencent worker’s open criticism shows why this work schedule is hard to change in Chinese tech.

Excessive overtime is one of the plights Chinese workers are grappling with across sectors.

Photo: VCG/VCG via Getty Images

Workers were skeptical when Chinese Big Tech called off its notorious and prevalent overtime policy: “996,” a 12-hour, six-day work schedule. They were right to be: A recent incident at gaming and social media giant Tencent proves that a deep-rooted overtime culture is hard to change, new policy or not.

Defiant Tencent worker Zhang Yifei, who openly challenged the company’s overtime culture, reignited wide discussion of the touchy topic this week. What triggered Zhang's criticism, according to his own account, was his team’s positive attitude toward overtime. His team, which falls under WeCom — a business communication and office collaboration tool similar to Slack — announced its in-house Breakthrough Awards. The judges’ comments to one winner highly praised them for logging “over 20 hours of intense work nonstop,” to help meet the deadline for launching a marketing page.

Keep Reading Show less
Shen Lu

Shen Lu covers China's tech industry.

Boost 2

Can Matt Mullenweg save the internet?

He's turning Automattic into a different kind of tech giant. But can he take on the trillion-dollar walled gardens and give the internet back to the people?

Matt Mullenweg, CEO of Automattic and founder of WordPress, poses for Protocol at his home in Houston, Texas.
Photo: Arturo Olmos for Protocol

In the early days of the pandemic, Matt Mullenweg didn't move to a compound in Hawaii, bug out to a bunker in New Zealand or head to Miami and start shilling for crypto. No, in the early days of the pandemic, Mullenweg bought an RV. He drove it all over the country, bouncing between Houston and San Francisco and Jackson Hole with plenty of stops in national parks. In between, he started doing some tinkering.

The tinkering is a part-time gig: Most of Mullenweg’s time is spent as CEO of Automattic, one of the web’s largest platforms. It’s best known as the company that runs WordPress.com, the hosted version of the blogging platform that powers about 43% of the websites on the internet. Since WordPress is open-source software, no company technically owns it, but Automattic provides tools and services and oversees most of the WordPress-powered internet. It’s also the owner of the booming ecommerce platform WooCommerce, Day One, the analytics tool Parse.ly and the podcast app Pocket Casts. Oh, and Tumblr. And Simplenote. And many others. That makes Mullenweg one of the most powerful CEOs in tech, and one of the most important voices in the debate over the future of the internet.

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editorial director. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

Entertainment

Spoiler alert: We’re already in the beta-metaverse

300 million people use metaverse-like platforms — Fortnite, Roblox and Minecraft — every month. That equals the total user base of the internet in 1999.

A lot of us are using platforms that can be considered metaverse prototypes.

Illustration: Christopher T. Fong/Protocol

What does it take to build the metaverse? What building blocks do we need, how can companies ensure that the metaverse is going to be inclusive, and how do we know that we have arrived in the 'verse?

This week, we convened a panel of experts for Protocol Entertainment’s first virtual live event, including Epic Games Unreal Engine VP and GM Marc Petit, Oasis Consortium co-founder and President Tiffany Xingyu Wang and Emerge co-founder and CEO Sly Lee.

Keep Reading Show less
Janko Roettgers

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Enterprise

Lyin’ AI: OpenAI launches new language model despite toxic tendencies

Research company OpenAI says this year’s language model is less toxic than GPT-3. But the new default, InstructGPT, still has tendencies to make discriminatory comments and generate false information.

The new default, called InstructGPT, still has tendencies to make discriminatory comments and generate false information.

Illustration: Pixabay; Protocol

OpenAI knows its text generators have had their fair share of problems. Now the research company has shifted to a new deep-learning model it says works better to produce “fewer toxic outputs” than GPT-3, its flawed but widely-used system.

Starting Thursday, a new model called InstructGPT will be the default technology served up through OpenAI’s API, which delivers foundational AI into all sorts of chatbots, automatic writing tools and other text-based applications. Consider the new system, which has been in beta testing for the past year, to be a work in progress toward an automatic text generator that OpenAI hopes is closer to what humans actually want.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins