WEBVTT - Fortalice CEO on Security-Camera Data Hack

0:00:00.160 --> 0:00:04.160
<v Speaker 1>This is Bloomberg Businessweek with Carol Massar and Bloomberg

0:00:04.240 --> 0:00:08.200
<v Speaker 1>Quicktake's Tim Stenovec from Bloomberg Radio. So I do

0:00:08.280 --> 0:00:10.320
<v Speaker 1>want to get to our next guest, because, as we

0:00:10.360 --> 0:00:13.760
<v Speaker 1>mentioned earlier, among our most read stories on the Bloomberg

0:00:13.800 --> 0:00:15.960
<v Speaker 1>in the past day is about the group of hackers

0:00:15.960 --> 0:00:18.880
<v Speaker 1>who breached a massive trove of security camera data. We

0:00:18.960 --> 0:00:22.200
<v Speaker 1>talked about it earlier with Bloomberg News reporter William Turton.

0:00:22.320 --> 0:00:24.520
<v Speaker 1>He broke that story. This is coming on the heels

0:00:24.560 --> 0:00:29.440
<v Speaker 1>of two other major hacks that we've already seen involving Microsoft,

0:00:29.720 --> 0:00:33.400
<v Speaker 1>and of course earlier we saw certainly the other one

0:00:33.440 --> 0:00:37.920
<v Speaker 1>that tapped into the government also tapped into the private sector.

0:00:38.159 --> 0:00:40.280
<v Speaker 1>So let's get into it and see what Theresa Payton

0:00:40.360 --> 0:00:43.600
<v Speaker 1>has to say. She is former White House Chief Information Officer,

0:00:43.640 --> 0:00:46.680
<v Speaker 1>first woman to do so. She's CEO at the cybersecurity

0:00:46.680 --> 0:00:49.400
<v Speaker 1>advisory and strategy firm Fortalice, and she joins us

0:00:49.400 --> 0:00:52.440
<v Speaker 1>on the phone from Charlotte, North Carolina. Theresa, so great

0:00:52.440 --> 0:00:55.520
<v Speaker 1>to have you back. I've been looking forward to this conversation.

0:00:55.600 --> 0:00:59.400
<v Speaker 1>How are you? I'm doing well, Carol, thanks for asking,

0:00:59.400 --> 0:01:01.760
<v Speaker 1>and I've been looking forward to the conversation as well.

0:01:01.760 --> 0:01:04.240
<v Speaker 1>It's it's always a good one. You ask great questions

0:01:04.520 --> 0:01:08.080
<v Speaker 1>and the conversation hopefully is always really great for your

0:01:08.120 --> 0:01:11.080
<v Speaker 1>listeners to give them some points to take away back

0:01:11.080 --> 0:01:13.000
<v Speaker 1>in their business and personal life. Well, and I think

0:01:13.040 --> 0:01:15.319
<v Speaker 1>that's the that's such a great thing to bring up

0:01:15.360 --> 0:01:17.520
<v Speaker 1>because I think at this point, UM, I talked with

0:01:17.640 --> 0:01:22.280
<v Speaker 1>Tom Siebel yesterday of of founder of Siebel Systems uh

0:01:22.280 --> 0:01:24.840
<v Speaker 1>and A three C I or A A three AI.

0:01:24.959 --> 0:01:27.440
<v Speaker 1>Excuse me, C3 AI, I'll get it out. What's

0:01:27.440 --> 0:01:33.039
<v Speaker 1>interesting is that we're seeing increasingly serious cybersecurity attacks come out.

0:01:33.560 --> 0:01:36.560
<v Speaker 1>UH and the one with the surveillance cameras was by

0:01:36.560 --> 0:01:38.360
<v Speaker 1>a group that kind of wanted to just raise the

0:01:38.400 --> 0:01:41.280
<v Speaker 1>attention of, you know, how many surveillance cameras there are out

0:01:41.319 --> 0:01:43.840
<v Speaker 1>there and essentially how easy it is to tap. What

0:01:44.000 --> 0:01:45.880
<v Speaker 1>is the conversation that we're not having that you think

0:01:45.920 --> 0:01:49.360
<v Speaker 1>we need to be having around these attacks? Yeah, I

0:01:49.360 --> 0:01:55.400
<v Speaker 1>mean this particular attack, although it's incredibly unfortunate because personal

0:01:55.400 --> 0:02:00.120
<v Speaker 1>and confidential information was surveilled as these um hackers or

0:02:00.160 --> 0:02:03.720
<v Speaker 1>did everybody um and turned you know, most everything over?

0:02:04.320 --> 0:02:07.240
<v Speaker 1>But what does that mean for other hackers who potentially

0:02:07.320 --> 0:02:12.720
<v Speaker 1>took advantage of the super admin access this password that

0:02:12.880 --> 0:02:18.040
<v Speaker 1>was out in password dumps of past data breaches. They're

0:02:18.040 --> 0:02:20.120
<v Speaker 1>probably not the only ones who took advantage of that

0:02:20.200 --> 0:02:23.320
<v Speaker 1>type of access, and so what does that mean? Um?

0:02:23.360 --> 0:02:27.720
<v Speaker 1>So a couple of things. Um, this is an avoidable situation.

0:02:28.520 --> 0:02:31.840
<v Speaker 1>Having super admin accounts should be incredibly rare, and this

0:02:31.960 --> 0:02:36.320
<v Speaker 1>password should be changed very frequently. That can be a

0:02:36.320 --> 0:02:39.360
<v Speaker 1>great way to avoid something like this from happening, or

0:02:39.400 --> 0:02:43.360
<v Speaker 1>to at least minimize the damages from the surveillance. The

0:02:43.440 --> 0:02:46.880
<v Speaker 1>other thing that all companies can do, not just for cameras,

0:02:46.919 --> 0:02:51.880
<v Speaker 1>but for employee access and very like critical information access

0:02:52.480 --> 0:02:56.760
<v Speaker 1>is create a login behavior analysis where you look

0:02:56.919 --> 0:03:01.320
<v Speaker 1>at behavioral patterns. What times of day does this particular

0:03:01.480 --> 0:03:05.480
<v Speaker 1>user or system log in, what's the Internet services provider

0:03:05.520 --> 0:03:09.680
<v Speaker 1>they usually log into you from? What operating system? What

0:03:09.800 --> 0:03:12.799
<v Speaker 1>type of device is being used? All of those can give

0:03:12.840 --> 0:03:15.239
<v Speaker 1>you some baselines and some clues. Because you and I

0:03:15.280 --> 0:03:18.080
<v Speaker 1>are creatures of habit, and when you see an anomaly,

0:03:18.240 --> 0:03:21.240
<v Speaker 1>that could be a warning that that is not the

0:03:21.320 --> 0:03:25.200
<v Speaker 1>system or the person who's the authorized user. It could

0:03:25.200 --> 0:03:27.520
<v Speaker 1>be somebody else. You know. It's interesting too, because I

0:03:27.520 --> 0:03:30.200
<v Speaker 1>find if I log in on certain accounts and they're like, wait,

0:03:30.200 --> 0:03:32.280
<v Speaker 1>we don't recognize this device that you're on. I certainly

0:03:32.320 --> 0:03:35.000
<v Speaker 1>get a red flag. I feel like this should be

0:03:35.040 --> 0:03:37.200
<v Speaker 1>the norm. Is it not the norm? And you talk

0:03:37.240 --> 0:03:39.560
<v Speaker 1>about the you know, admin account, it just sounds like

0:03:39.600 --> 0:03:43.880
<v Speaker 1>these are basic cybersecurity steps to be taken, you know.

0:03:43.920 --> 0:03:45.760
<v Speaker 1>But if you look across the country, are we not

0:03:45.840 --> 0:03:48.120
<v Speaker 1>doing it? If we look across government, are these not

0:03:48.200 --> 0:03:53.680
<v Speaker 1>being kind of normally done? Yeah. Oftentimes it's not being done,

0:03:53.840 --> 0:03:58.440
<v Speaker 1>and the burden rests squarely on the shoulders of businesses,

0:03:58.560 --> 0:04:02.640
<v Speaker 1>government organizations, and users. I mean, in this particular instance,

0:04:02.800 --> 0:04:06.960
<v Speaker 1>you would think, if you're buying a security camera, it

0:04:06.960 --> 0:04:09.280
<v Speaker 1>should be secure out of the box, and but the

0:04:09.320 --> 0:04:12.160
<v Speaker 1>burden is actually on the business to say, well, wait

0:04:12.160 --> 0:04:14.120
<v Speaker 1>a minute, let's make sure it doesn't have a default password.

0:04:14.160 --> 0:04:16.120
<v Speaker 1>Well, wait a minute, let's let's make sure we have

0:04:16.200 --> 0:04:20.160
<v Speaker 1>logging behaviors, you know, all of those things. Many businesses

0:04:20.320 --> 0:04:23.400
<v Speaker 1>who don't do cybersecurity for a living expect that to

0:04:23.480 --> 0:04:26.279
<v Speaker 1>be in there out of the box. And I keep

0:04:26.320 --> 0:04:29.440
<v Speaker 1>asking the question, well, why isn't it, like, why do

0:04:29.560 --> 0:04:33.160
<v Speaker 1>we continue to put this burden on the purchaser of

0:04:33.200 --> 0:04:36.440
<v Speaker 1>the technology. So that's a big reason why it's still

0:04:36.560 --> 0:04:40.960
<v Speaker 1>missing from sort of daily operating routines of many organizations. Theresa,

0:04:41.240 --> 0:04:43.040
<v Speaker 1>when you look at in our world that I think

0:04:43.080 --> 0:04:45.760
<v Speaker 1>about even my home, these smart homes, right, and we

0:04:45.800 --> 0:04:48.600
<v Speaker 1>talk about smart cities and all these things that are

0:04:48.600 --> 0:04:53.120
<v Speaker 1>in many ways making our world more connected, easier in

0:04:53.160 --> 0:04:55.280
<v Speaker 1>some regards. But I wonder how much it's making it

0:04:55.320 --> 0:04:58.760
<v Speaker 1>more vulnerable to our world easily being shut down. How

0:04:58.760 --> 0:05:02.120
<v Speaker 1>do you see it? Yeah, I mean I I do

0:05:02.400 --> 0:05:06.120
<v Speaker 1>believe we have reached sort of this critical mass where

0:05:06.560 --> 0:05:10.640
<v Speaker 1>technology is truly ubiquitous. I mean to the point where

0:05:11.040 --> 0:05:14.680
<v Speaker 1>you don't even realize it's there. Between the smart devices

0:05:14.680 --> 0:05:19.040
<v Speaker 1>in your home, the cameras in your laptops, your tablets.

0:05:19.520 --> 0:05:21.640
<v Speaker 1>Maybe you have a camera on your door, maybe you

0:05:21.720 --> 0:05:25.239
<v Speaker 1>unlock your door using an app on your phone, all

0:05:25.279 --> 0:05:29.680
<v Speaker 1>of those different conveniences and advancements we have in our

0:05:29.720 --> 0:05:32.360
<v Speaker 1>lives that some of us have learned, you know, like

0:05:32.480 --> 0:05:35.440
<v Speaker 1>you can't live without them. For many people, um, they

0:05:35.480 --> 0:05:40.159
<v Speaker 1>are collecting patterns of life, and so that the challenge

0:05:40.200 --> 0:05:43.479
<v Speaker 1>that we have is is our inability to secure data.

0:05:44.040 --> 0:05:48.720
<v Speaker 1>À la this camera hacking, à la SolarWinds, Microsoft, you know,

0:05:48.839 --> 0:05:53.840
<v Speaker 1>name the last fifteen organizations that have been victims of

0:05:53.960 --> 0:05:58.120
<v Speaker 1>a cybercrime. UM that data, as it gets collected, could

0:05:58.279 --> 0:06:00.560
<v Speaker 1>in fact, in the future be used to do a

0:06:00.640 --> 0:06:03.679
<v Speaker 1>digital walk in on your life or mine. Those those

0:06:03.720 --> 0:06:06.920
<v Speaker 1>patterns are things that are used to identify you and

0:06:06.960 --> 0:06:10.719
<v Speaker 1>I UM to give us health insurance, to create credit scores.

0:06:10.920 --> 0:06:13.159
<v Speaker 1>And the question is is when do you and I

0:06:13.200 --> 0:06:16.279
<v Speaker 1>get to opt in or opt out at that data

0:06:16.279 --> 0:06:19.520
<v Speaker 1>collection and have it be aggregated under our name. Well,

0:06:19.520 --> 0:06:22.760
<v Speaker 1>we don't write. I mean like you think about any

0:06:22.800 --> 0:06:25.040
<v Speaker 1>time you try to do something, if you don't opt

0:06:25.040 --> 0:06:29.480
<v Speaker 1>in or agree basically to those documents that nobody can read,

0:06:29.960 --> 0:06:33.000
<v Speaker 1>you know you can't access something. You know, you're increasingly

0:06:33.040 --> 0:06:35.279
<v Speaker 1>your hands are tied. In terms of society, I have

0:06:35.320 --> 0:06:37.760
<v Speaker 1>a question for you, and this is something that that's

0:06:37.760 --> 0:06:40.520
<v Speaker 1>stuck with me many times. I did panels with UM

0:06:40.880 --> 0:06:45.000
<v Speaker 1>tech leaders, tech CEOs who would be like, yeah, um

0:06:45.000 --> 0:06:47.279
<v Speaker 1>my kid, I limit how much they're on social media. Yeah,

0:06:47.320 --> 0:06:48.920
<v Speaker 1>I don't let my kid really spend a lot of

0:06:48.920 --> 0:06:53.920
<v Speaker 1>time on a laptop or something. Do you limit kind

0:06:53.920 --> 0:06:57.120
<v Speaker 1>of security access in your in your life, whether it's

0:06:57.200 --> 0:07:01.080
<v Speaker 1>cameras or smart homes or anything like? How because you're

0:07:01.120 --> 0:07:05.320
<v Speaker 1>concerned because you see the risk that's out there. I

0:07:05.360 --> 0:07:09.520
<v Speaker 1>do so for example, UM, we do have security cameras.

0:07:09.520 --> 0:07:13.520
<v Speaker 1>They're outside the house. Uh and and I managed them

0:07:13.560 --> 0:07:17.680
<v Speaker 1>and I specifically didn't want baby cams in the house.

0:07:17.920 --> 0:07:20.040
<v Speaker 1>Um when my children were small, and I didn't want

0:07:20.080 --> 0:07:22.480
<v Speaker 1>cameras inside the house. As a matter of fact, we

0:07:22.520 --> 0:07:27.280
<v Speaker 1>actually have, um, a couple of smart home devices, you know,

0:07:27.320 --> 0:07:31.000
<v Speaker 1>those assistants like Alexa and Google Home. And we're very

0:07:31.040 --> 0:07:32.920
<v Speaker 1>specific where they are. As a matter of fact, they're

0:07:32.960 --> 0:07:36.000
<v Speaker 1>located near our two rescue Great Pyrenees And when we

0:07:36.080 --> 0:07:39.040
<v Speaker 1>leave the house, they the Pyrenees like to listen to

0:07:39.040 --> 0:07:41.760
<v Speaker 1>Ella Fitzgerald when we're gone. So who doesn't like to

0:07:41.800 --> 0:07:44.920
<v Speaker 1>listen to Ella? I mean, right that they have good case.

0:07:45.240 --> 0:07:47.920
<v Speaker 1>But we'll actually just to make it a point with

0:07:47.960 --> 0:07:51.760
<v Speaker 1>my children, UM, when we're talking about family matters or

0:07:51.800 --> 0:07:54.760
<v Speaker 1>school or anything in particular that you wouldn't want to

0:07:54.800 --> 0:07:57.440
<v Speaker 1>broadcast out on the internet, we make it a point

0:07:57.440 --> 0:08:00.600
<v Speaker 1>as a family to unplug those devices. We make it

0:08:00.640 --> 0:08:03.160
<v Speaker 1>a point to make sure that those Internet of Things

0:08:03.160 --> 0:08:06.600
<v Speaker 1>devices are not as part of the family conversation. I mean,

0:08:06.640 --> 0:08:09.880
<v Speaker 1>how many times have you said something to somebody and

0:08:10.080 --> 0:08:12.640
<v Speaker 1>Siri wakes up and says, I'm sorry, I didn't understand

0:08:12.680 --> 0:08:17.240
<v Speaker 1>you. Too many, too often. Exactly, exactly. So there is

0:08:17.280 --> 0:08:20.840
<v Speaker 1>a way to integrate this technology to make it work

0:08:20.880 --> 0:08:26.160
<v Speaker 1>on your behalf. Just always understand that everything is hackable,

0:08:26.480 --> 0:08:28.880
<v Speaker 1>and so you just have to be thinking about when

0:08:28.880 --> 0:08:33.120
<v Speaker 1>this is compromised, what did it have access to? How

0:08:33.240 --> 0:08:35.800
<v Speaker 1>could it be damaging to my family and friends who

0:08:35.880 --> 0:08:38.559
<v Speaker 1>may have come in contact with it, And you'll operate

0:08:38.600 --> 0:08:41.240
<v Speaker 1>a little differently and you'll be able to mitigate the

0:08:41.360 --> 0:08:43.840
<v Speaker 1>damages that happen. And it's the same thing for business.

0:08:44.040 --> 0:08:47.880
<v Speaker 1>Just thinking about that technology. It's great to have just

0:08:48.000 --> 0:08:50.800
<v Speaker 1>assume it will be compromised. So what would the downstream

0:08:50.840 --> 0:08:55.280
<v Speaker 1>impacts be if it were. It's like something to really

0:08:55.320 --> 0:08:57.000
<v Speaker 1>really think about. Well, so then do you think like

0:08:57.040 --> 0:09:00.440
<v Speaker 1>the story that our William Turton did um you know

0:09:00.520 --> 0:09:04.240
<v Speaker 1>about this group of hackers that say they breached all

0:09:04.280 --> 0:09:09.080
<v Speaker 1>these security camera uh you know, security cameras uh and

0:09:09.120 --> 0:09:12.280
<v Speaker 1>their data collection to kind of show and remind the

0:09:12.280 --> 0:09:14.400
<v Speaker 1>world or show the world kind of in an exposé

0:09:14.600 --> 0:09:18.000
<v Speaker 1>of like look at how easily you can be exposed?

0:09:18.200 --> 0:09:20.200
<v Speaker 1>Are they in many ways do you think doing us

0:09:20.200 --> 0:09:22.839
<v Speaker 1>a service? And will people kind of wake up because

0:09:22.880 --> 0:09:27.199
<v Speaker 1>of this. I wish I could say this would be

0:09:27.240 --> 0:09:31.559
<v Speaker 1>everybody's wake-up call, but everybody is so stressed and dizzy,

0:09:31.640 --> 0:09:34.600
<v Speaker 1>and during this time of pandemic, we're all told to

0:09:34.600 --> 0:09:36.800
<v Speaker 1>be away from each other. You know, before the pandemic,

0:09:36.840 --> 0:09:39.520
<v Speaker 1>we were worried about screen time, and now we're worried

0:09:39.520 --> 0:09:42.920
<v Speaker 1>about being within six feet of other people. UM. The

0:09:43.000 --> 0:09:46.760
<v Speaker 1>other thing that I would say is I researchers who

0:09:46.840 --> 0:09:51.760
<v Speaker 1>do UM ethical hacking and produce the results. It does

0:09:51.880 --> 0:09:56.560
<v Speaker 1>provide the greater good a good service. My caution to

0:09:56.760 --> 0:09:59.720
<v Speaker 1>this group and other groups like them is used to

0:09:59.760 --> 0:10:02.240
<v Speaker 1>really we do it with the right rules of engagement

0:10:02.440 --> 0:10:07.160
<v Speaker 1>and approach, because you could have unintended consequences when you

0:10:07.240 --> 0:10:10.520
<v Speaker 1>jump into something like this, where you could have actually

0:10:10.520 --> 0:10:14.400
<v Speaker 1>taken very important cameras by accident offline while you were

0:10:14.440 --> 0:10:17.200
<v Speaker 1>doing what you were doing, and what if those cameras

0:10:17.200 --> 0:10:20.800
<v Speaker 1>were vital and important to national security and safety. So

0:10:20.840 --> 0:10:24.760
<v Speaker 1>I always caution just because you can and you've got

0:10:24.760 --> 0:10:28.320
<v Speaker 1>good intent, doesn't mean you should like really understand the

0:10:28.360 --> 0:10:32.240
<v Speaker 1>rules of engagement before you engage in ethical white hat hacking.

0:10:32.480 --> 0:10:34.760
<v Speaker 1>I know it's a good interview when our head of

0:10:34.760 --> 0:10:37.760
<v Speaker 1>technical operations here at radio is like sending me messages

0:10:37.800 --> 0:10:41.120
<v Speaker 1>and like commenting on things you're saying, Like, I just

0:10:41.160 --> 0:10:44.520
<v Speaker 1>know people in general are just listening. So what's your advice?

0:10:44.600 --> 0:10:47.360
<v Speaker 1>Just got about forty seconds, Um, Theresa, you know you

0:10:47.440 --> 0:10:50.480
<v Speaker 1>understand this world. You're talking to companies, you're talking to individuals.

0:10:50.840 --> 0:10:52.880
<v Speaker 1>What can we all do or at least, what's one

0:10:52.920 --> 0:10:54.800
<v Speaker 1>step that we should be taking when it comes to

0:10:55.480 --> 0:11:00.160
<v Speaker 1>cybersecurity and concerns? Yeah? I think one step is have

0:11:00.360 --> 0:11:04.320
<v Speaker 1>a playbook. Assume you could be breached or your technology

0:11:04.360 --> 0:11:08.320
<v Speaker 1>could fail you, and practice a digital disaster. It's the

0:11:08.360 --> 0:11:10.840
<v Speaker 1>best thing that you can do to understand what your gaps,

0:11:11.240 --> 0:11:14.199
<v Speaker 1>your holes are. And hopefully you'll never need the playbook,

0:11:14.440 --> 0:11:16.000
<v Speaker 1>but it can be a great way to just sort

0:11:16.040 --> 0:11:19.520
<v Speaker 1>of get everybody rallied around trying to prevent that event

0:11:19.559 --> 0:11:23.160
<v Speaker 1>from happening. Thank you so much, um, really appreciate it, Theresa.

0:11:23.280 --> 0:11:26.400
<v Speaker 1>Take care of yourself. Theresa Payton, chief executive officer at

0:11:26.400 --> 0:11:29.800
<v Speaker 1>Fortalice, former White House Chief Information Officer, joining us

0:11:30.080 --> 0:11:31.119
<v Speaker 1>from North Carolina.