In cybersecurity circles, Mark Russinovich, the top technical gun in Microsoft’s Windows Azure cloud platform group, is a pretty famous guy. In 2005 he discovered a program that Sony deployed secretly to prevent users from copying its CDs. Unfortunately, the program contained a vulnerability that welcomed hackers into every computer into which a Sony disk was inserted, and Sony ultimately had to recall all those tainted CDs. A year later, Russinovich found a similar type of program — a so-called rootkit, which both opens an invisible door to a computer’s operating system and hides the malware that hackers can insert through it — in a Symantec antivirus tool.
Russinovich is to rootkits as Edison was to electricity, so it’s no surprise that a rootkit virus is the villain — along with Islamist jihadists, U.S. government bureaucrats, and Russian hackers — of his first novel, Zero Day (St. Martin’s Press, 328 pages, $24.99). A thriller in which the hero is handsome, the villains slimy, and the women gorgeous, Zero Day (a phrase referring to a cyberattack that begins working before anyone knows it exists) is notable for its vision of a world brought to the eve of destruction due to its dependence on computers and the Internet. Russinovich says he was inspired by all the viruses and worms unleashed by “kids in their parents’ basements” and wondered what might happen if someone, or some group, really wanted to cause serious harm. CFO spoke with Russinovich to ask how closely he believes his scenario mirrors reality.
Does the Internet make the world a more dangerous place?
It’s the complete dependence on the Internet. Even small businesses. Think about it. You go to your doctor or your dentist. What would happen if their computer wasn’t working? What would happen if their data was destroyed? They’d be out of business.
Does the cloud make everything worse?
I think of the cloud in two ways. On the application side, you end up potentially being less secure, as a vulnerability in an application in a multitenant environment, like Gmail or Microsoft 365, affects everyone using it. Penetrate the application and you have access to all the customers of that application.
On the infrastructure side, as a customer you’re dependent upon the provider’s security. Security is all about risk. In the cloud, the risk of penetration may be less because the provider has spent more money on security and has more expertise than you do. But if penetration occurs, the risk is greater overall because it’s affecting thousands of customers, not just one. Again, it’s a risk assessment. Security can never be 100%. And while security at a bank is lots better than at your house, the chance of your house being targeted by robbers looking for lots of money is probably lower.
How much damage can a virus realistically do?
It’s pretty well accepted that the Stuxnet virus, which was spread by USB keys, was created by Israel and the U.S. for the sole purpose of destroying the Iranian centrifuges that enriched uranium for its nuclear program. What was interesting was that the virus did not have instructions to hop from computer to computer to get into those systems; over the course of several months it managed to find its way into those systems and infect the centrifuges. Iran has admitted it’s set them back two years.
Does the government take cybersecurity seriously enough?
It’s beginning to. But one of the problems is that the government’s mandate is to protect government assets, not the critical infrastructure, which is mostly privately owned. It hasn’t been the government’s job to make sure these critical systems are secure from attack. There’s been very little auditing. We need to have the government work with the private sector on risk analysis and risk mitigation, and that’s very challenging.
Gartner predicts that by 2015, “a G20 nation’s critical infrastructure will be disrupted and damaged by online sabotage.” You agree?
By 2015? I would have predicted that it would have happened already.
What’s the endgame?
We’re not going to take cybersecurity seriously enough until something real bad happens, and then we’ll overreact. That’s the way things usually happen, isn’t it? When something real bad happens, the government will step in and say now we’ve got to do something, and they’ll put in all these bizarre regulations that won’t really do much and will result in a big loss of productivity.