Cyber Defender: The day convenience became catastrophe


OPINION

CYBER DEFENDER

By Chris Plummer



It has been a busy month for those of us defending hospitals against cyber threats. The news cycle is relentless, so you may or may not have seen the story about Stryker a few weeks ago.

Stryker is a medical device manufacturer and healthcare supply chain partner to many, many hospitals around the world. By revenue, it is somewhere in the middle of the world’s top 10 medical device manufacturers, and situated in the top 20 in terms of overall suppliers to hospitals. Stryker’s product catalog is pretty diverse, ranging from operating room equipment, hospital beds (probably where most of us have seen this name before), communication platforms, AEDs, surgical robots and orthopedic implants – there is quite a lot they are able to supply to a healthcare organization. They are quite important, quite popular, and about two weeks ago they were the victim of a destructive cyberattack carried out in response to the U.S. war in Iran.

The Stryker attack has a lot of complexity that won’t be revealed to the public for weeks, and maybe months. But what we do know, which we understood very early, is that the attacker was able to “wipe” tens of thousands of personally owned devices belonging to Stryker employees, in addition to destroying many tens of thousands of corporate-owned devices. “Wipe” can mean different things for different types of devices, but in the case of personal phones and laptops, it isn’t that complicated – you lose everything. It’s a reset button.

Take a moment and reflect on how you would feel if your emails, texts, photos, documents, browser links, literally anything stored on your phone or your tablet or your laptop just…disappeared. Forever. My first thought is terror. The one that hollows you out, that you feel right in the pit of your stomach. My second thought is: when did I last back all that stuff up? Then maybe my third thought is still terror, based on how that second thought panned out. Family memories. Bank information. Years of conversations. Appointments and reminders. Multi-factor authentication apps. Vaporized. Some of that stuff could be resurrected. Some of it, impossible.

That is exactly what tens of thousands of Stryker employees have been living through in the wake of the attack on their employer. It’s a direct consequence of these employees abiding by a corporate policy requiring the installation of Stryker’s mobile device management (MDM) tool on their personally owned devices, quite likely because the employees who did so wanted the convenience of accessing company resources on their phones and tablets and laptops. I don’t work for Stryker, and I’m not intimately familiar with this area of their operation, so we’ll halt any further assumptions around the operational use of MDM or how it was configured. We can just leave it at this – those employees who wanted access to things like company email on their personal devices were required to install this company-owned management tool. Incidentally, a management tool which was then abused by criminals to destroy everything connected to it.

Employees, I think as a sweeping statement, did not understand the consequences of allowing Stryker MDM to live on their personal devices. Certainly they do now, and no matter what representations are made, many will never do it again. These employees are living a nightmare right now, trying to recover their digital lives from something they had nothing to do with. Not really. With respect to the cited attacker motivation – the war – it isn’t even some kind of uniquely “American” retribution, as this impacted Stryker’s global workforce, which extends to over 75 countries. Innocent people all over the world just trying to earn a paycheck were absolutely leveled by this. It didn’t matter where you were from.

We have to reflect on how we got here. We, as employees of a business, have long requested, required, demanded this kind of flexibility to use our personal phones and laptops to do company business in some capacity, whether to check email, or work on documents, or access certain work-related systems or platforms. It’s right in our pockets, or sitting right next to us, and it’s easy. This is the concept of bring-your-own-device – BYOD – which gained popularity in the years before COVID and then never looked back.

Companies kind of liked this idea at first, as BYOD saved them some money on equipment and made some workers more efficient. I’ll be honest with you – cybersecurity teams never liked this idea. It was scary, it still is scary, and it introduced all kinds of risks around the protection of company information and forced us to trust devices we didn’t have complete control over. Over the years, we have developed better strategies and acquired tools to help improve our confidence around BYOD, but in the end I will level with you – I don’t love that the same device you play Candy Crush on also has a way to access some of the most sensitive information in my business.

Like everything I write in this column, this is personal opinion, and not a reflection of the opinions or policies of my employer. But I would rather we abolish the use of personal devices for business purposes altogether. The Stryker event all but cements the consequences into the public record. If I, as a business owner, demanded someone be intimately tethered to my organization’s email or collaboration tools, I would supply them with company-owned equipment. Even for multi-factor authentication, I’d rather employees use a company-furnished mechanism like an ID badge or a physical token, and not a personal phone which I generally have zero control over. Maybe it’s a consequence of a formative Ghostbusters upbringing, but I don’t like crossing the streams. It has always been a dangerous game for security teams when employees use company devices for personal reasons; the Stryker breach unequivocally proves the inverse is just as dangerous. And we may have yet to see how bad this could really get. I’d rather not find out.


We are in a time in history where cyber threats are moving at a speed we’ve never seen before. Cyber attacks used to develop over a period of months. Then it was weeks. Now it is down to days, hours, and minutes. Organizations used to rely on assumptions around what was ‘likely’ to happen, what we could ‘reasonably’ trust, what we thought was ‘generally’ safe. All of those things are flying out the window right now. Cyber adversaries have never been more powerful (yes, it’s probably because of that thing we’re not going to mention). Our world has never been more interconnected. The systems which make our civilization possible have never been more exposed.

It forces us, as cyber defenders, to take a harder look than we ever have before at how we secure IT systems: who we trust, and how we trust them. And as employees ourselves, in the wake of the Stryker breach, it is clear we now must take a much harder look at how we work, at how our personal-life and business-life technologies are intersecting, and at whether we truly understand the consequences of that intersection. Do we really know how that can go wrong? That worst-case scenario being suffered by Stryker employees – losing their digital lives, the very first photos of a child, the very last words ever exchanged in a text with a loved one – I never, ever want to live through that loss. I don’t want you to live through it either.



Chris Plummer is a cybersecurity architect from Manchester. Nearly expelled from UNH for hacking in 1996, Chris has gone on to serve the U.S. Navy and New Hampshire hospitals as a cyber defender in a career spanning nearly three decades. In 2023 he discovered a major vulnerability in Google’s Gmail, forcing security changes at some of the world’s largest names in tech. Chris has been a White House cybersecurity advisor for healthcare, has served as an expert panelist for federal agencies, and his work has been covered in podcasts and media outlets across the globe – including this one! He is an assistant martial arts instructor here in the city, has run up McIntyre hundreds of times, and is a regular at the Backroom. You can reach him at icdtad.mail@gmail.com

