(Miss this week’s Leadership Brief? This interview below was delivered to the inbox of Leadership Brief subscribers on Sunday morning, May 16. To receive weekly emails of conversations with the world’s top CEOs and business decisionmakers, click here.)
The ransomware attack on the owner of America’s largest fuel pipeline on May 7 underscored the vulnerability of the nation’s infrastructure to crippling cyberattacks. Although the chaos and disruption began to dissipate by week’s end, after unconfirmed reports that Colonial Pipeline paid nearly $5 million in ransom to regain access to its system, my colleague William Hennigan reported that the attack is “considered the most impactful hack against U.S. critical infrastructure in history” and one of a growing number of such incidents. Darktrace, a cybersecurity firm, said that across its global customer base, it detected 52% more ransomware attacks in the second half of 2020, compared to the first. It’s part of a wave of cybercrime prompted by work-from-home edicts, which punched countless holes in corporate firewalls and the increased overall reliance on digital connections in all aspects of business and society.
Darktrace, which went public in late April on the London Stock Exchange—its market cap is around $3.6 billion—uses AI and machine learning to help more than 4,700 organizations around the world defend against digital attacks. CEO Poppy Gustafsson recently joined TIME for a video conversation from her home office in Cambridge, England, where Darktrace is located.
(This interview has been condensed and edited for clarity.)
Darktrace has more than 450 energy and utility organizations as clients. Have you gotten a panicked call from each one of them this week?
We have made a point of sort of quietly talking to all of them and making sure that they feel that they’re secured and protected.
Beyond the real-world impacts, what is most striking about the cyber attack on the Colonial Pipeline, linked to the hacking group DarkSide?
What I find really interesting is the commercialization of the attackers. It’s such big business, like the [statement] they sent out, saying, “I’m terribly sorry that we haven’t done appropriate due diligence on our customers. And in the future, we’ll do a better job of making sure that we do it in a socially responsible way.” This is an organized criminal gang with a corporate social responsibility [code]! They’re going to be having marketing teams, graphics teams.
Should companies pay ransomware?
I would never come down in a position to judge an individual business, but on the whole, you would want to avoid paying these ransomware costs. All you’re doing is financing the next generation, and there’s no evidence that even if you pay that you’re going to have your data unlocked.
Should governments be doing more to fight cybercrime? If North Korea sent a missile and blew up Sony’s Hollywood’s office, the U.S. government would probably respond, right?
It would be so easy to bring a city to a grinding standstill.It’s not akin to North Korea firing a missile because when North Korea fires a missile, you can see where that missile came from. When it comes to the business of attribution, it is not actually very easy. It’s possible to make an attribution appear that it comes from one place when in reality, it doesn’t. So the risk of getting that attribution wrong and potentially aggravating difficult geopolitical tensions is pretty high.
How much of the increased level of hacking is linked to work from home?
A criminal is always going to be there to exploit the weakest part of any chain. What the pandemic has done is stretched the chain harder. Without your tech, there is no business. So the importance of it has also been amplified.
Any surprising weak links?
CEOs are terrible, because they say, “Oh, I’ve got a problem with my personal laptop; I’ve just brought it into the IT guy in the office. ‘Can you just take a look at it?’” We often have seen examples of personal devices coming into organizations that bring in breaches.
Any particularly creative attacks stand out?
We’ve seen Teslas parked in the office car park—they’re constantly feeding back to Tesla to say, This is how the car is performing. And they often need an Internet connection to be able to do that. We found one where they’d connected to the office wi-fi to be able to do their updates, except an attacker had used that as a jumping point to get into that organization. Your IT guy would never think, “Yeah, I need to defend myself from the Tesla that’s parked out in the office car park.”
What type of attacks do you personally worry about the most?
Critical national infrastructure. It would be so easy to bring a city to a grinding standstill.
Why are hospitals such a tempting target for cybercriminals?
The reality is that hospitals are often underresourced. Their priority is saving patients, not making sure that their computers are updated rather than still running Windows 95.
Who is a bigger threat to companies: The 17-year-old in his bedroom in Florida, or Fancy Bear, Russia’s state-backed cyberespionage group?
We spend very little time thinking about this, because the whole premise of our approach and technology is that the next risk, the next threat and the consequences of that risk, no matter how big or small, is unimaginable. The only thing we know for sure is that we’re definitely going to get it wrong. So we spend absolutely no time looking at the threat or understanding where the threat of tomorrow is going to be from. Instead, we focus on the business. What is their ebb and flow? What does their digital fingerprint look like to them, and by understanding the organization, you can always then spot the consequences of a cyberbreach or any sort of anomalous behavior. We’ve created an immune system for your organization.
TIME’s annual Best Inventions list recognizes products, software and services that are solving compelling problems in creative ways. Submit your invention for consideration here.
Where does the AI come in?
What we’re doing is unsupervised machine learning, which means you’re not teaching it, you’re not going in and saying, “This is what a threat looks like. This is what bad behavior looks like.” It goes in, and it learns for itself. So what you’re not doing is, you’re not making any assumptions about what you think good behavior should be and what you think bad behavior should be. It simply goes into an organization and learns the digital heartbeat for that organization.
What does that look like?
Imagine that someone stole your car and they’ve got the keys so they had legitimate access to your car. But then they’re driving around, and they’ve got the seat in a different position, the rearview mirror is in a different place, they’re listening to a different radio session; maybe they’re a bit driving a bit slower than you normally do or maybe a bit faster. It’s all these small little changes. And despite the fact that the alarm hasn’t gone off, I can tell that’s not you driving you because there’s just so many little indicators that say, This isn’t in keeping with the way that you normally behave.
What kind of background and previous work experience does your staff have?
We’ve got the most brilliant sort of double-Ph.D. mathematicians that are probably not necessarily the best company at the Christmas party, but they are really good at mathematics. And we’ve set them alongside people that are microbiologists, historians and linguists.
Who’s winning in this back and forth, the good guys or the bad guys?
This is where the conversation gets really interesting, when we start imagining that the bad guys have AI within their armory. Right now, it’s a bit of a smash and grab, and people are taking advantage of the fact that humans are underresourced. When it starts to get quite terrifying is thinking about how the attackers can leverage AI to their advantage. You could notionally create a completely unique cyberattack software that was able to sort of morph and change when it got within an organization. So, for example, if I spotted that attack, and said it looks like this, and then you’re hunting for that attack within your organization, it could then very subtly change itself, so that no longer match that signature that you’ve created for it, and it could evade any of those sort of security tools. And that’s when you’re gonna start seeing AI vs. AI. And it’s just got to be who’s got the best AI is going to be the winner.
Are the bad guys using AI currently?
No, not at scale. It feels more experimental. You see hints and clues—the way that some of these email attacks are starting to show the signs of being able to change in transit and sort of redesign themselves as they move on.
Do you have secret government clearances?
Within the organization, we have people that have secret government clearances, because if you’re going in and protecting a government organization, it’s necessary. But personally, no.
Are tech bros the same the world over? Do you have your own type in England that are different from the ones we have in San Francisco?
To be honest, I think it’s much more of a U.S phenomenon.