Google's head of internet security says businesses should ignore cyber scare tactics and learn from history

Key Points
  • In an exclusive conversation with CNBC, Google's head of security and privacy says businesses have more to learn about their own insecurity from the history of cybersecurity than from frightening headlines or scary pitch decks drom vendors. 
  • Heather Adkins has served in a top privacy and security spot at Google for 16 years. 
Heather Adkins, head of information security and privacy at Google.
Source: Heather Adkins

There are a lot of scary cybersecurity headlines, and many shiny new solutions from vendors that promise to address those threats.

Ignore them and look at history instead. That's the advice of Google's Heather Adkins, who has served for 16 years as the head of information security and privacy at the tech giant.

Adkins has witnessed many landmark cyber events from the front lines. She says the attacks, methods, motivations, tools and even criminals themselves are the same as they've been since the 1980s. History is a better teacher for businesses than a frightening pitch deck from a vendor, she says.

U.S. government-backed research papers from as early as the 1960s started to outline the problems we would see today, she told CNBC. Government workers back then spoke of new threats they saw as the government went from single-use, big mainframe computers to shared environments.

Here are a few examples of how things have evolved -- and how they haven't.

Nation states attacking weak links. One landmark for Adkins was Clifford Stoll's 1989 book, "The Cuckoo's Egg". Stoll, a computer lab worker at U.C. Berkeley, discovered that hackers from East Germany were systematically trying to break into university computers to capture military secrets.

"What happens today is still very similar," she said, "especially when we are thinking about the root causes of attacks, including things like the Equifax hack."

In other words, nation-state hackers target companies like Equifax, banks or universities to get important secrets, rather than wasting all of their resources on the more heavily fortified government agencies themselves.

Old methods of attack keep resurfacing. The methods for distributing malware and viruses have grown and become easier, but they haven't changed that much on a technical level.

Take for example the Morris Worm, one of the first internet worms distributed widely over the web. A computer worm is a piece of malicious software that can replicate itself, sometimes very rapidly, distributing itself across connected computers.

Worm attacks largely fell out of practice, but then came back in style in 2017 when criminals attached worms to ransomware -- which shuts down a user's computer until a ransom is paid -- in attacks like WannaCry and NotPetya. These worm-style attacks spread globally in very rapid fashion, causing havoc at companies like FedEx and Maersk.

The vehicles for transmitting hostile software may be roughly the same, but their availability and ease-of-use has exploded, Adkins said.

"At the time of the Morris worm, the people exploiting [computers] were mostly just curious people. But today, it's different. There's an extraordinary amount of knowledge available -- you don't have to know very much. You can go out and for $20, buy a spying kit, and use that for your own purposes," she said.

In another example, email schemes have become far more sophisticated than the "Nigerian prince" schemes of 15 or 20 years ago. But attacks convincing people to wire money or enter their bank credentials are still going strong, and the basic idea remains the same: A scammer sends a fake email that tries to trick a recipient into providing information they shouldn't.

This slow evolution provides an advantage for the back-end machine learning tools Gmail uses to identify them. The company has gotten better about catching the these attacks and providing more information about them, like whether the fraudulent message was sent by a nation-state.

The old rules are the best rules. Adkins said sometimes the marketplace suffers from a "proliferation of cybersecurity professionals" offering conflicting advice on passwords, antivirus software, safety practices and so on.

But the best rules for individuals looking to secure their personal information are the classics, Adkins said.

Keep your software up to date, and don't re-use the same password. Criminals rely on simple hacks that exploit old software problems, and when a company is breached, data stolen frequently includes passwords and usernames. If you use those same terms elsewhere, criminals can easily break into your other accounts.

Here are some more of Google's up-to-date email security rules to consider as well.

"Things have grown and changed so much, but really so much of what we do has stayed the same or is based on these very well used concepts," said Adkins. "Doing these well-known basics can still go a long way in being more secure."

Google plans to pour more than $1 billion into new Manhattan headquarters