Chris Vickery’s work has morphed into something so much more than leaky cloud databases.
Yes, Vickery has made a name for himself finding a number of misconfigured or public-facing repositories that have caused grief for everyone from credit monitoring services in Florida to the Department of Defense.
Vickery, the director of cyber risk research at UpGuard, has seen his investigations pivot in an entirely different direction. Over the past year, Vickery has been immersed in data that is related to disinformation campaigns and geopolitics. How exactly it may all be connected is to be determined, but his work has caught the attention of both lawmakers and the security community alike.
CyberScoop: We’ve been following your Twitter feed, and you have been doing a lot of things that seem to have a connection to the government’s investigation into Russian meddling. Can you talk about what you have been working on?
Chris Vickery: I talked to the Senate Select Committee on Intelligence with a specific regard to Russia’s interference in the 2016 election. I spoke about a very wide range of topics. They had questions for me, speaking as an expert witness on the topic. They were very interested in social media manipulation. There were a few things I didn’t have any idea about, so there are things even beyond what I’ve seen. There were some people that they reference that I had no concept of, so I’m looking forward to hearing about that stuff whenever final reports are ready.
There’s an element that people don’t see yet that is much more inside America than that is tied into this whole network of social media manipulation and influence in political campaigns. We’ve heard about Russian trolls, but there is a large amount of networking going on in America. I don’t want to go too much into the particular, but that will be coming out and is currently being investigated quite heavily. I think there’s going to be a lot of people that are polarized by it.
CyberScoop: A lot of what you have discovered is rooted in poor security practices when it comes to cloud instances. Does that ever surprise you’re work has morphed from finding data leakage to exposing social media manipulation?
CV: It’s all sprung out of data breaches that I’ve discovered. I keep my eyes open and know where to look. I don’t know if people are moving too fast to secure things properly or what the deal is. Through my research and what UpGuard has shown and reported on, it’s clear that there’s a natural theme of developers moving too fast and not securing their stuff appropriately. When you throw in the notion of politics and moving quickly towards getting a message out before an election .that amplifies things to a degree that has been shown to be unsustainable.
CyberScoop: How much of your work is moving toward exposing disinformation campaigns? It seems like it’s becoming part and parcel with just the cybersecurity work overall. Do you think that that’s going to continue in the future?
CV: I think one of the reasons it’s become such a mainstream things is people started dying because of this stuff. In Myanmar, there’s been a lot of deaths based upon false information being passed around on social media. It’s hard to ignore. When people start to look into how is this happening and realize that the tech side of things needs to be explained, they are turning to information security professionals to bridge that gap.
A few years ago, when I started hunting down data breaches, I came across a whole bunch of MongoDB databases that were processing Twitter data. It looked like someone was looking for influencers. That may be marketing basic stuff, but I think back to it, and there was a lot more political edge to some of the things that we were seeing. I wish I had saved a lot more of those. I discarded them because I thought, “It’s publicly posted messages that happen to be about political topics.” But I’m very curious, if I had held onto those, how much information I could glean these days about who was doing that and at what scale.
CyberScoop: Going back to the information you talked to lawmakers about, you said it’s going to be polarizing. Hasn’t what already come out been polarizing enough. Can social media companies handle any more turmoil or negativity toward their platforms?
CV: Social media is going to have to change fundamentally, and there are a couple of potential outcomes. As sad as I am to admit this, because I love privacy and security and everything, there may come a time in the future where you cannot be allowed to post something, as far as new information goes, without your identity being proven. Just taking out the anonymity factor and having it proved to a certain level.
CyberScoop: Would the government have to be charge of that? That seems like a disaster waiting to happen.
CV: It’s going to be a big disaster, but it’s either the government’s going to be overwhelmed by it or the government’s going to control it. I don’t think there’s a nongovernment option to fix it.
CyberScoop: Do you ever think we are going to get to a point where humans are taken out of the equation and things are inherently secure by design?
CV: If you design a system where the user can configure it, a certain percentage will misconfigure it. As long as you allow humans to do that, it’s going to happen. So you have to design things if you want it to be as secure as possible. You have to design it in a way that will not allow the misconfigurations.
If Amazon Web Services or another cloud provider wants to make a really granular system that allows you to do all these cool things with it, they need to allow you to go down certain tracks. If you have a forest and you just let people wander and nobody’s ever wandered through that forest before, they’re going to stumble over rocks and hit branches. But if there are pathways through it, people are generally going to stick to the pathways. I think that’s the mentality we need to have.