Is Wall Street bad for cybersecurity?

After an investment firm released apparent digital flaws in a company's products to profit on Wall Street, experts worry that security researchers may prioritize quick gains over public safety.

The New York Stock Exchange in New York City.

Brendan McDermid/Reuters

September 27, 2016

Mistakes are costly, especially in software or critical computer systems.

So when medical technology startup MedSec discovered the possibility of "troubling cybersecurity flaws" in pacemakers made by St. Jude Medical Inc., it turned the research over to activist investment firm Muddy Waters. There, the duo saw a chance to boost their fortunes.

Muddy Waters unveiled the findings, and St. Jude stock dropped 5 percent. That's good news for Muddy Waters, a firm that makes money by betting against, or short selling, stocks – and for MedSec since it garners a piece of that gain.

Ukraine’s Pokrovsk was about to fall to Russia 2 months ago. It’s hanging on.

But it could be bad news for everyone else.

If Muddy Waters' disclosure sets a precedent for other researchers to reveal their findings first to Wall Street instead of affected companies or regulatory agencies, it could eventually harm legitimate research into the emerging field of internet-connected medical devices, say many cybersecurity experts and practitioners.

Mark Lanterman went so far as to call Muddy Waters' approach "kind of like cyberterrorism." The chief technology officer at the firm Computer Forensics Services compared Muddy Waters and MedSec's actions to ransomware, the malicious software that locks up a computer's data until its owner pays a fee. 

"Only instead of holding your data hostage, I’m going to hold your stock price hostage," he said. "There are acceptable ways of getting these bugs fixed before they can cause anyone harm.”

This isn’t it, he says.

Howard University hoped to make history. Now it’s ready for a different role.

Other researchers say hackers who follow Muddy Waters' example will put a significant amount of money (dollars spent on research) on the line for a strategy that may not pay off or result in more secure devices.

"I anticipate that now that the bridge has been crossed, other security researchers will attempt to work with similar investment companies to monetize the vulnerabilities and research they have conducted," said Gunter Ollmann, chief security officer at the cybersecurity firm Vectra Networks.

"However, it is yet to be determined whether the economics of such a disclosure process are worthwhile," he said. After all, there's a "very narrow range of exposed companies" for which a stock bet could be lucrative.

St. Jude just happened to be one of those.

Cybersecurity researchers have the means to follow in MedSec's footsteps, but that doesn't mean the strategy will play out as fruitfully, said Lillian Ablon, an information scientist at the RAND Corp. There's no guarantee a vulnerability disclosure will tank a stock, she told Passcode.

"This particular disclosure [regarding St. Jude's pacemakers] appeared to have very good, reliable, and predictable timing in the sense the stock dropped relatively quickly after the release," she said. "But, in general, big data breaches haven’t necessarily caused a drop in stock prices with such quick or predictable timing."

In 2013, Target stock toppled by double digits after thieves breached its point-of-sale systems, compromising some 40 million credit cards. But as the headlines disappeared, so, too, did Target's stock losses. Shares have recovered 9 percent since then.

Josh Shaul, vice president of web security at the online content delivery firm Akamai Technologies, noted this phenomenon.

"Disclosure of security flaws does not tend to drive significant changes in valuation," he said. "In fact, I've seen many cases where disclosure of major vulnerabilities in an organization's products has been quickly followed by meaningful gains in their stock price."

That’s because the public is largely desensitized to hacks, Mr. Ollmann of Vectra said. In 2015, the US suffered breaches at the US Office of Personnel Management, Anthem, and BlueCross BlueShield, to name a few. Each fostered weeks' worth of headlines.

"Such vulnerabilities are uncovered several times a day within products of the world's largest software companies and infrastructure manufacturers," he said. "Historically, the industry is quickly desensitized to related public disclosures."

A more reliable, and increasingly accepted, way for researchers to profit from computer vulnerabilities is via "bug bounties," which are payments for the disclosure of potential vulnerabilities, Ms. Ablon of RAND pointed out. Companies such as Apple, Facebook, and Google, and many more, currently pay researchers who uncover flaws in their products. 

In Ablon’s research on zero-day vulnerabilities, which are unseen holes in software that can be catastrophic to businesses, bug bounties are thriving.

Bug bounties are guaranteed and immediate, whereas Muddy Waters' investment approach is likely to reap greater riches. But the investment route is a gamble.

Still, people are now thinking about vulnerabilities differently, says Ablon. "There’s a whole new option out there."