What An Alleged NSA Hack Reveals About Payments Cybersecurity

What An NSA Breach Says About Cybersecurity

Not to ruin your holiday spirit, but let’s start this story with the cold and brutal truth: One of the largest risks that payments and commerce operators face in 2019 is being called to account by government officials, regulators or media about a failure to secure their organizations from cyberattacks. The past year brought a significantly increased focus on the security and privacy of online data, with not only consumers paying more attention to the issue but (much more importantly) lawmakers holding big tech executives accountable in political hearings.

Sure, much of that is political theater, but interesting theater often sparks change – one reason that many executives from companies that drive the digital economy are trying to get ahead of the privacy and security issue. In any case, it’s hard to deny that the winds are shifting, given the May enactment of the General Data Protection Regulation, or GDPR, in Europe, and the move to set similar laws in the U.S. and other places.

“When someone is called to the carpet by Congress, that can affect everyone,” said Ron Gula, a former white-hat hacker for the U.S. National Security Agency who, along with his wife, Cyndi, now runs Gula Tech Adventures, a venture capital firm that focuses on digital security. As well, if lawmakers and regulators are taking aim at Google and Facebook, that indicates that smaller members of the digital food chain are fair game, too, if they suffer a breach that catches the public’s attention.

PYMNTS recently caught up with Gula to learn more about reports of hackers stealing NSA’s own hacking tools, and to learn more about how payments and commerce players should focus their own cybersecurity efforts in 2019. Upon first glance, the picture is pretty dim. But if you look closer, as Gula did, you can certainly find some bright spots and reason for optimism – even with the knowledge that hackers are well-organized, work on a global scale and are becoming ever more sophisticated.

Hackers reportedly have stolen tools from the NSA that enable the agency (which certain estimates have said is, or recently has been, up to three times the size of the Central Intelligence Agency) to use digital back doors to access computers in search of signals intelligence. Now, “hundreds of thousands of computers are unpatched and vulnerable,” according to one recent report. It added that the stolen technology has been used so far for ransomware and cryptocurrency mining attacks, with the criminals behind the hack “using the leaked tools to create an even bigger malicious proxy network.”

Gula said the reports are just that — reports. And he cautioned that the NSA, like every other spy agency in the history of humanity, engages in deception (read into that what you will). And while the tools alleged to have been stolen are certainly powerful, it would seem foolish for the thieves to try to sell them on the Dark Web, a term that refers to digital black marketplaces where thieves fence their stolen goods, including consumer and payment data.

“If you or I were evil cybervillains, I don’t think our plans would be to go on the Dark Web and tell people about” the stolen NSA tools, Gula said. After all, that’s a surefire way to be caught, given the prominence of the alleged theft and the digital know-how and power of the alleged victims.

The larger lesson of the alleged theft of NSA hacking tools is that all kinds of information are already circulating on the Dark Web, including data from pretty much every big financial institution and credit bureau information for virtually all U.S. adults (for starters). “The bigger you are, the more likely you are there,” Gula told PYMNTS.

The good news, in his view, is that organizations with large roles in the digital economy are in fact sharing information about security and breaches. The bad news — and the other contrary lesson of the alleged NSA theft — is that “you don’t need a cyberweapon to break into most companies today,” Gula said. “You just need two or three insiders.”

That, of course, provides an argument for stronger vetting of employees, but even honest people fall prey to temptation. That said, a strong cybersecurity program — one that keeps up with the technologies and tactics used by criminals — goes a long way. “If you don’t have a good cyberhygiene program, it makes it easier for people to come at you.”

In years past, such tools — which could often trace their origins to military or other pricey federal government programs — might have seemed out of reach for many companies not operating at the highest levels of payments and commerce. That is still true, at least to an extent, according to new PYMNTS research. A new report entitled “The AI Gap: Perception Versus Reality In Payments And Banking Services” found that larger banks are more often drawn to advanced machine learning technologies, along with other divides between smaller and large financial institutions when it comes to fraud prevention.

No matter the path and funding, however, doing nothing — or even doing the bare minimum — is clearly not an option, especially in 2019. The new year is certain to bring more lawmaker and regulator attention to online data and security, with more hearings to come, Gula said. “My main concern is that you have quick fixes,” he said. For instance, an effort to encrypt data will fail if the data collection process is full of holes that hackers can exploit. “You have to have a comprehensive approach to cybersecurity.”

And that stands as sound advice for the new year.