Security Was Perfect—They Just Forgot About the Smart Aquarium

If in the past, cyber threats were limited to computer systems, today they pose a risk to the house itself, Michal Braverman-Blumenstyk, the chief technology officer of Microsoft’s cloud and AI  security division, told Calcalist in a recent interview. “With billions of devices connected to the web, our vulnerabilities as consumers anywhere we are connected to the cloud are a critical issue. Think about monitors in children's rooms, or about residential cameras,” she said.

Braverman-Blumenstyk is one of the world’s most highly positioned cyber executives. She was a top executive at Israeli cybersecurity company Cyota, and when the company was acquired by RSA Security in 2005 she joined the company, eventually becoming its general manager of global solutions. She joined Microsoft in 2013.

Avi Rosen, Microsoft’s general manager of IoT, also took part in the interview. He was also a Cyota executive, and later co-founder cybersecurity startup Kaymera with the founders of NSO Group Technologies.

IoT—from industrial sensors and hospital medical systems to home cameras and sports sensors—is one of the hottest trends of the cybersecurity world, with a global market estimated at around $200 billion and an annual growth rate of 35%. Four years ago, Microsoft started investing in the creation of infrastructure that will enable manufacturers of IoT device to connect them to its Azure cloud, transfer information, and create apps and services on the basis of the infrastructure.

That technology can sometimes be life-saving, according to Braverman-Blumenstyk. One of the companies Microsoft works with performs mammography exams, and the connection of its systems to the cloud enabled them to provide women with results within a few hours, sometimes even within 15 minutes, a much shorter time than the industry average, she said.

Braverman-Blumenstyk and Rosen also helmed the development of new Microsoft cybersecurity technology for cloud-connected devices. “Almost every device is connected to the internet today,” she said, adding that the world is facing a big change. “When all the sensors that connect to the web and cloud will be connected to one another, all their signals will become an unbelievable amount of data.” It is not an easy process because the connection and the transfer of information requires maximal security, which Microsoft provides the infrastructure for, she said.

Despite those statements and Microsoft’s attempt to set itself up as the champion of privacy in the face of Facebook and Google’s blunders, the company has had its own gaffes. In August, for example, it was revealed that Microsoft enabled partners to listen to Skype calls and Cortana voice recordings.

Microsoft has made it clear that it analyzes audio data to improve voice identification-based services, and the data is sometimes inspected outside service providers, Braverman-Blumenstyk said. “The company has recently updated its privacy policy to emphasize and clarify that such data is sometimes inspected as part of the product development phase. We always ask for user permission before collecting audio data, and we take significant steps to ensure voices will not be identifiable to protect privacy, and demand that the handling of the data meets the highest standards of legally mandated privacy.” Microsoft is also promoting additional steps that will provide transparency about and control how the audio data helps improve products, she said.

Just how real is the IoT cybersecurity threat? According to Braverman-Blumenstyk and Rosen, the number of attacks is already immense. They give as an example an incident that occurred in 2018, when hackers wanted to attack a Las Vegas casino to steal its database. While the cybersecurity system was perfect, there was one crack—the app that releases food to the aquarium fish. The hackers identified the gap and used it to hack the casino’s entire computer system.

While the world is already at the stage that it needs to protect IoT devices just as well as computers, most people have yet to realize it, Braverman-Blumenstyk said. “We estimate that understanding will grow as such attacks become more reported about and known, and the more components are connected to the cloud,” something they estimate will happen in the next two years, she said.

“A year ago, an attack that used a breach in IoT devices paralyzed large parts of the U.S.,” Braverman-Blumenstyk recalled. The hackers wanted to execute the largest DDoS (distributed denial of service) attack in history, and the attack created the understanding that such devices need to be regulated and protected, she said.

Microsoft has somewhat of an image of a company that misses out on trends, the biggest being the mobile revolution. But since Satya Nadella was chosen as CEO in 2014, the software giant has welcomed partnerships, be it through investments and accelerator programs or through acquisitions.

According to Braverman-Blumenstyk, all options are possible in the IoT domain as well. “We have already acquired a number of information security companies in Israel,” she said. “The company’s local cyber center employs hundreds of people—over half of Microsoft’s Israeli development personnel deal with cyber.”