Modern field guide to security and privacy

Is Wall Street bad for cybersecurity?

After an investment firm released apparent digital flaws in a company's products to profit on Wall Street, experts worry that security researchers may prioritize quick gains over public safety.

Brendan McDermid/Reuters
The New York Stock Exchange in New York City.

Mistakes are costly, especially in software or critical computer systems.

So when medical technology startup MedSec discovered the possibility of "troubling cybersecurity flaws" in pacemakers made by St. Jude Medical Inc., it turned the research over to activist investment firm Muddy Waters. There, the duo saw a chance to boost their fortunes.

Muddy Waters unveiled the findings, and St. Jude stock dropped 5 percent. That's good news for Muddy Waters, a firm that makes money by betting against, or short selling, stocks – and for MedSec since it garners a piece of that gain.

But it could be bad news for everyone else.

If Muddy Waters' disclosure sets a precedent for other researchers to reveal their findings first to Wall Street instead of affected companies or regulatory agencies, it could eventually harm legitimate research into the emerging field of internet-connected medical devices, say many cybersecurity experts and practitioners.

Mark Lanterman went so far as to call Muddy Waters' approach "kind of like cyberterrorism." The chief technology officer at the firm Computer Forensics Services compared Muddy Waters and MedSec's actions to ransomware, the malicious software that locks up a computer's data until its owner pays a fee. 

"Only instead of holding your data hostage, I’m going to hold your stock price hostage," he said. "There are acceptable ways of getting these bugs fixed before they can cause anyone harm.”

This isn’t it, he says.

Other researchers say hackers who follow Muddy Waters' example will be putting a significant sum (the dollars spent on their research) on the line for a strategy that may neither pay off nor result in more secure devices.

"I anticipate that now that the bridge has been crossed, other security researchers will attempt to work with similar investment companies to monetize the vulnerabilities and research they have conducted," said Gunter Ollmann, chief security officer at the cybersecurity firm Vectra Networks.

"However, it is yet to be determined whether the economics of such a disclosure process are worthwhile," he said. After all, there's a "very narrow range of exposed companies" for which a stock bet could be lucrative.

St. Jude just happened to be one of those.

Cybersecurity researchers have the means to follow in MedSec's footsteps, but that doesn't mean the strategy will play out as fruitfully, said Lillian Ablon, an information scientist at the RAND Corp. There's no guarantee a vulnerability disclosure will tank a stock, she told Passcode.

"This particular disclosure [regarding St. Jude's pacemakers] appeared to have very good, reliable, and predictable timing in the sense the stock dropped relatively quickly after the release," she said. "But, in general, big data breaches haven’t necessarily caused a drop in stock prices with such quick or predictable timing."

In 2013, Target stock toppled by double digits after thieves breached its point-of-sale systems, compromising some 40 million credit cards. But as the headlines disappeared, so, too, did Target's stock losses. Shares have recovered 9 percent since then.

Josh Shaul, vice president of web security at the online content delivery firm Akamai Technologies, noted this phenomenon.

"Disclosure of security flaws does not tend to drive significant changes in valuation," he said. "In fact, I've seen many cases where disclosure of major vulnerabilities in an organization's products has been quickly followed by meaningful gains in their stock price."

That’s because the public is largely desensitized to hacks, Mr. Ollmann of Vectra said. In 2015, the US suffered breaches at the US Office of Personnel Management, Anthem, and BlueCross BlueShield, to name a few. Each fostered weeks' worth of headlines.

"Such vulnerabilities are uncovered several times a day within products of the world's largest software companies and infrastructure manufacturers," he said. "Historically, the industry is quickly desensitized to related public disclosures."

A more reliable, and increasingly accepted, way for researchers to profit from computer vulnerabilities is via "bug bounties," which are payments for the disclosure of potential vulnerabilities, Ms. Ablon of RAND pointed out. Companies such as Apple, Facebook, and Google, and many more, currently pay researchers who uncover flaws in their products. 

In Ablon’s research on zero-day vulnerabilities, previously unknown holes in software that can be catastrophic to businesses, bug bounties are thriving.

Bug bounties pay out reliably and immediately, whereas Muddy Waters' investment approach is likely to reap greater riches. But the investment route is a gamble.

Still, people are now thinking about vulnerabilities differently, says Ablon. "There’s a whole new option out there."
