The National Security Agency may have been getting the bad press following Edward Snowden's damning leaks a few years back, but the intelligence agency seems to be going strong. Every now and then we see some documents or even fully programmed malware leaked from the agency that is then used by cybercriminals. Should the NSA be considered as a state-sponsored threat actor just the way the United States looks at the Russian or Chinese state-backed hacking groups?
Heather Adkins, Google's Manager of Information Security, confirms that yes, NSA is indeed a state sponsored threat and should be treated as such. Adkins was talking at TechCrunch Disrupt SF 2017 earlier today. "Does she worry about the NSA?" she was asked. She does and says that it’s good to worry about them and to wonder about what they could do because "if they could do [attack / hack] something, then anybody in the world could do something too."
She, however, added that she doesn't think of these specific actors like NSA or Russian state-sponsored hacking groups as individual threats, but rather the "attack surface and how it's vulnerable and to address that vulnerability as a common cause."
"A technique the NSA could use could easily be used by a Mexican drug cartel against our users or by the Russian organized crime [group]," she said. "All of these actors have these tools available to them."
Adkins has been working at Google for over a decade now, primarily responsible for the company's Security Team.
"Everybody is probably going to get hacked!"
Adkins also said that "at some point in the history of your company, you’re probably going to get hacked. The question is not whether or not you’re going to get hacked, but are you ready?" Adkins warned. "Are you going to be able to very quickly make decisions about what to do next?"
Her precaution-filled talk was nothing but a confirmation of what the internet actually has become - a headache. She warned that if you don't need some data, just don't keep it. "I delete all the love letters from my husband," she said.
Adkins wants everyone to start thinking of their emergency strategy while they are not actually in that situation (otherwise you might find yourself stumbling like Equifax's c-suite and its shares). "Even if you’re just two people in a garage, one of you need to be in charge of security, whether it’s part time as an IT person or as a lead software developer," she said.
"Rather than spending tons and tons of money on technology, put a little bit of money on talent and have them do nothing but patching."