Comic book illustrates ex-NSA analyst’s outlook on online security (Q&A)

Few comic book authors can literally draw from their personal experience as an employee of the National Security Agency. Oren Falkowitz isn’t your typical ex-NSA analyst, either.

Since leaving the agency in 2012, Falkowitz, now 34, has co-founded two startups: Sqrrl, which uses data analysis to track and stop advanced cyberattacks; and Area 1 Security, which focuses on using technology to stop phishing attacks. He’s also devoted time to giving back to his communities, as a mentor at CareerVillage, which connects high-school students with professionals to help them choose jobs, and at Techstars, which helps aspiring entrepreneurs move from ideas to IPOs.

He describes his latest venture, the comic book Pineapple Sparkle, as a way of making cybersecurity in general and phishing-attack resistance specifically “more accessible and more enjoyable.” The book is sponsored by Area One Security, written by Falkowitz with art by Canadian illustrator and comics artist François Vigneault.

Oren Falkowitz, CEO of Area 1 Security. Photo by Seth Rosenblatt/The Parallax

Phishing attacks have been a common form of cyberattack since 2005, but are in fact getting worse as a problem. Symantec’s annual 2016 Internet Security Report found that phishing attacks increased 55 percent over last year against companies, a severe and serious threat, given that 93 percent of all phishing attacks now try to infect you with ransomware.

Despite the growth in phishing, cybersecurity education is often ignored by companies, which  spend around 10 percent of their cybersecurity budget on informing employees about cybersecurity threats, according to a 2015 study by SANS. And as Falkowitz lampoons in his comic, cybersecurity compliance trainings are often mandatory but ineffective in giving employees the tools they need to handle basic, common threats like phishing.

In a conversation with The Parallax, Falkowitz recently discussed what he hopes to achieve with Pineapple Sparkle. He also gave his take on the state of the U.S. government, the cyberattacks lobbed against it, and the impact on the recent presidential election. What follows is an edited transcript of our conversation.

Pineapple Sparkle is not the typical way most security-minded executives go about educating people. What are you doing to make sure people see it?

We’ve printed it and made it available online. And it’s not dry like an e-book or a blog post. People resonate with its message: that users are the root cause of the problem. It’s somewhat based on my personal experience.

In Pineapple Sparkle, the CISO has come up with a 64-point plan to avoid getting phished. Humorous, yet it feels true to corporate security education.

There are a couple of things we were trying to point to. One is, people don’t want to feel forced into training. When they do, they go in saying, “Why am I here? I’m busy. This is silly.”

The second is that, if you only follow the 64 rules, none of this would happen. Which of course is not the case. It’s not practical for users to, one, be following this litany of rules, and it’s not consistent with the way attacks happen.

Users are motivated to click on links, to download files, to visit websites, to do their jobs. If I sent a CFO a financial spreadsheet that looked like it was coming from the CEO, she’d almost be forced to open it. She wouldn’t have the luxury not to. And that’s why you need technology to be in there to help them, to guide them.

We do that in almost every other part of our lives. We provide airbags and seat belts to protect users. We don’t just ask people to drive more safely.

And the third part of it is, as the story progresses, the same character revises the 64-point plan and adds more steps because there were a few things missing. They’re so stringent about that, about those types of solutions.

What’s lacking in employee education about phishing attacks?

I don’t think there’s anything lacking in the education. But users and the culture within an organization need to be sensitive to security constraints.

So users and employees within an organization, from the executive leadership down, need to from the get-go imagine what it is that people want from security. Today, end users fail to recognize why it is that they’re being attacked, so they can’t appreciate what the risk is.

A good example of this is, if you’re aware that people want credit card numbers, often the risk is associated with banks and credit card manufacturers. But attackers continuously show us that they’re imaginative enough to go after companies like Dairy Queen or the Michael’s, where the same information exists. People at Dairy Queen say, “I make ice cream,” and they don’t see themselves as a credit card processor. But they often are.

That culture and appreciation of the security problem needs to be built in up front. And as we showed in Pineapple Sparkle, you need to create a place where you’re not scolded or a burden to take on. Security education should be a part of protecting the brand; people take responsibility for it.

The second problem with the education piece is that it can’t be misplaced as a solution. It’s not a solution for any problem. There’s no example of any kind of human training, whether it’s sex education or driver’s training or security training, for users to change their behavior. And so misplacing these programs as the thing that stop attacks is setting people up for disaster.

So what do you recommend? If you say that education is needed, but education isn’t the solution, how do you prevent companies from getting phished?

It needs to be a technology solution. In almost every other discipline, we provide those technology solutions. When you drive on the road today, we’re pre-empting car accident fatalities not through all of the rules that come in through the driver’s manuals you get before you take the test, and not through driver’s education before you get on the road, but through guard rails on the highways, drift bumpers, seat belts, air bags, crash ratings, a whole series of things that create a sphere of technology around the driver to protect them.

Technology needs to step in and provide that. And users need to have an appreciation for it.

When the airbag deploys, you don’t get annoyed that it happened because it probably saved your life. But oftentimes, users feel annoyed when they can’t get to a website or click on a link, because they see it just as friction. If the technology is good on that front, they’ll say, wow, that stepped in and helped me.

We often use cars as an analogy for computer security. But that fails at the end of the day, where if your car fails, you can die, but if you suffer a security breach, we generally don’t even see the barest of consequences.

I would make the same analogy with vaccines as cars. Ultimately, the users aren’t aware, but the companies are aware, which is why they’ve invested tremendous dollars in the space. They understand that there could be prime reputation damage and significant financial loss.  Executives have been put on the line. In political examples, there are more serious consequences.

Individuals often don’t feel this because there’s a lot of sleight of hand, in terms of what the impact is. When hundreds of millions of credit card numbers are lost, and you get a new card, you’re probably paying for that in fees or in other ways. Every time a bank increases its spending, that’s being passed down to the user.

Are we seeing a divergence in what corporations should do to protect employees and what home users should do, even as employees are encouraged to use their personal devices at work?

There’s a convergence between what I am at home and what I am at work. It’s not like when we were growing up, where there maybe was a LAN, but you went home and paid your BBS. What we see is that there’s a mismatch of solutions available to all ends. The costs are the same.

The attackers don’t care about this. They’re singularly motivated to achieve their campaign goals. If you’re interested in getting credit card numbers, you don’t have to be limited in thinking that credit card companies are the only ones who have them. You can go to all of the retail shops that process credit cards.

One of the things we’re trying to do is shrink the gap between what’s available to a Global 2,000 company and what’s available to everyone else.

How does that work for you? Appeal to home consumers?

To start, we’ll focus on organizations out of that top tier. Probably not home consumers today, but finding opportunities with the Dairy Queens, the small biotech companies developing revolutionary products.

There are many companies here in Silicon Valley and San Francisco that have tremendous market value but have never invested a dollar in the security of their technologies until a very late juncture. We want people to take steps earlier and earlier to protect themselves and their brands.

Can you point to the worst offenders?

There are companies in SF that have massive valuations, in the billions of dollars, and are five or seven years into their operation, that have just hired their first [executive-level] security person. Companies that are dealing with tremendous amounts of geolocation data, sensitive business communications, and credit card numbers.

What that says to me is that when people are just getting started, and they don’t work in a regulated space that has HIPAA or SOX forcing them into it, it’s not top of mind. That’s too late.

One of the more darkly humorous scenes in the comic is where the CISO, Kelly, is forced to commit seppuku. Where did that come from?

I think I was watching The Man in the High Castle.

I often talk to CISOs, and there’s a lot of movement from CISOs across organizations. They’re often relieved that nothing bad happened while they were there. It’s very much that presidential-economics thing. The economy is very good right now for Obama, but if it crashes as soon as somebody else comes in, he claims success whether or not his policies caused the crash. That’s an uncomfortable position to be in, hoping to get out before shit hits the fan.

Given the intervention of Russia in the U.S. election, what’s the role of your former employer, the NSA, in keeping tabs on foreign attempts to monitor and influence U.S. politics?

My perspective on it is that I don’t see anything new. Governments around the world always have an interest in the election processes of their competitors and allies on the global stage. Having insight into that is not a new thing. It helps them shape their worldview and figure out what they’re going to deal with over the next four years.

What’s frustrating is that the focus is on who’s committing the crimes, rather than focusing on what we’re going to do, moving forward.

From what I’ve seen, there’s been a lack of two-factor authentication, and little-to-no security for end users. Getting information on our elections or government processes is not confined to candidates. Hundreds of special-interest groups have the same access. The analogy between Visa and Dairy Queen holds here. We would do ourselves a disservice if we thought only about one actor or candidate, not on a more general approach, into gaining insights into what the outcome is going to be or omtp what policy is going to be.

That information can be gleaned from many places, and we need to be focused on what we are going to do to stop it. Those solutions are fairly straightforward.

Should there be government regulation or at least guidance maintaining how they should maintain their computer security?

No, candidates are not part of the government. They’re like clubs. There’s no role for our government to tell candidates how they should or shouldn’t protect their computers and networks.

Candidates in the future may choose to be totally transparent, and share all of their communications in an open format. That would be a choice. But in these cases, the impacted parties are not happy about the revelations that have gotten out there, and it’s incumbent upon them to take proactive steps.

I can imagine a world where my cousin, who’s 20 today, chooses to run for president in 20 years, and all of her emails get exposed. It could include all sorts of things that have nothing to do with foreign policy, or the person that she is. It’s a problem that doesn’t start or end in an election—it’s more general.

The timing of the release is years after the attacks happened. The attack that’s happening today won’t be revealed until next year. They’re not happening in real time. We’re still talking about email attacks from two years ago, and we’ve neglected to address the challenges faced by all parties today.

What we should expect as a U.S. government response to a cyberattack against a government function, such as an election?

Depends on what the scenario is. I’m hopeful we’re making progress on this front. The U.S. and China have been sitting down together over the last couple years to talk about this issue, and have made quite a good amount of progress on that front.

To make an analogy with the Cold War, we didn’t start with START III, we started with START, then we got to START II, and finally START III. We started with limitations on testing, and certain types of weapons. That world moves at a slower pace than this one does, so there’s maybe a new approach at the speed in which diplomacy matches up to technology.

The laws governing a lot of cybersecurity today were written before there was the form of the Internet that we know today, not to mention cell phones. That’s part of it, but there are economic things to do, diplomatic things to do, military things to do.

It’s very difficult to start pointing fingers when you engage in similar activities. That’s what the U.S.-China relationship is about. There are types of cyberattacks that are used for economic competitiveness that the U.S. sees as a bright line, but the Chinese will say that economics are a form of our national power. Hacking to steal IP to give yourself an advantage on the world stage is an issue. They’re focused on that, but we should expect that will change over time.

What’s your take on what the role of the NSA should be in a world where government and corporate computers are regularly targeted?

The role of the NSA is to build codes that protect U.S. secrets, and gather foreign intelligence that helps our policy makers frame their world views in diplomatic, economic, military, and other settings. It doesn’t have a role in protecting U.S. companies or in fighting this battle in a commercial sense.

It’s a mistake to look to the NSA to do that, even though it is the most sophisticated, most advanced, and most intelligent group on the subject matter. It’s not what the agency was designed to do. The NSA does a great job of gathering intelligence for the president and others, but it’s not in the role of protecting private business.

What’s the biggest weak spot in the U.S. government’s approach to cybersecurity?

Our policy-making process today is poor, and we’re not keeping up. The rate of change is not what you see from the Model T to the Mustang to the Corsair to the Tesla. It’s not happening over 100 years; it’s happening over 100 days.

There are steps the government can take to make guidelines. I think the first one is that the government needs to make a decision on whether its role is to strengthen the World Wide Web, or keep its options open for a variety of purposes. Earlier this year, President Obama set out in an op-ed to the Wall Street Journal a set of principles where making the Internet safer was good for our economy and our national security.

But since that time, the government has also taken very specific action to leave open options that would essentially weaken the Internet. You see this in the Apple iPhone case, in some of their seeking of new rules for evidence collection, in some of their aggressive action toward data gathering through the judicial process. These things just become inconsistent with that overall goal. They need to be in more lockstep with themselves.

The second step is that we’re probably 20 or 30 years behind in the legislative process in having the mechanisms in place to effectively deal with these problems. In the Oracle v. Google copyright case, the judge got a lot of credit in that case and was recognized for his technical understanding of the code, and teaching himself some of these things, and taking the issue much more seriously than just the law. That’s an extreme anomaly.

But in more cases that are brought before courts, both patents and copyright issues, technical and cybersecurity issues, we don’t have people who are trained or are thinking about it. That could have a chilling effect for many decades. In the patent system, we have a special patent court where people are trained in dealing with patents, and we need to be thinking about whether we need that for technology and computer security.

The third is keeping pace. We shouldn’t have 30-year-old laws that don’t consider laptops, cell phones, basic things.

I would tie the first and the third together. The issue, as I see it, is that policy makers are confused about whether they want to be all in on security on the Internet, or if they want to leave options open. And that’s what’s creating a less safe environment.

Speaking of a less safe environment, experts I’ve spoken with predict that Mirai, the Internet of Things botnet, will get worse before it gets better. Should the government mandate minimum safety standards for IOT devices?

People look for a silver bullet, and there needs to be a much more comprehensive approach. What’s unhelpful is to think it’s just the manufacturer’s challenge. Is being knocked off the Internet for a half a day or a day enough of a disruption for people to want action? Attackers are extremely imaginative in their ability to achieve their end-goal results.

And for all the talk over the last couple years of the sophistication of bad guys, it remains that phishing and low-tech attacks caused the greatest damage. The vast majority of attacks are very simple: phish the users, and get their usernames and passwords. We need to have honest talk with ourselves about the root cause of the problem, and not create this fear that there’s a Mossad agent with a Pringles can and a laser aimed at the moon.

When I talk with people, that’s what they’re worried about, but it’s not consistent with what’s happening.