She Saved Saudi Arabia. Can She Save the World From Cyberwarfare?
WHY YOU SHOULD CARE
This military veteran and child genius is at the front lines of keeping us safe online amid the pandemic.
A cyberattack brought a Czech coronavirus testing laboratory to its knees in the middle of the pandemic. Japan faced a deluge of hacking attempts from Russia and China, immediately after the coronavirus lockdown ended in Wuhan. And as the world leader with more than 50 million internet assets that are remotely accessible — thus vulnerable — the United States is a giant sitting duck.
Chris Kubecka shares all these threats on her computer screen over Zoom, watching them like some strange, digital guardian angel from her Amsterdam apartment. The half Puerto Rican, half Dutch expat was already a well-respected security researcher, responsible for exposing major security weaknesses in the airplane manufacturing giant Boeing as well as saving Saudi Arabia’s oil giant Aramco after it was crippled by the devastating Shamoon cyberwarfare offensive in 2012. Now the former U.S. Air Force and Space Command veteran is becoming a pivotal player in helping institutions protect themselves from a spate of cyberattacks launched amid the pandemic panic.
“She is a go-to professional for governments. There are only a certain number who can both frame the problem conceptually and put it in straight fucking English so somebody can understand. And she can do that,” says Bryson Bort, founder of the boutique cybersecurity consultancy GRIMM.
I remember growing up in the projects and seeing crime left unchecked, blissfully ignored or perpetrated by those in power for personal gain.
Kubecka has worked with NATO, the European Union and academics to develop cyberwarfare exercises, and she’s currently helping craft a joint EU-U.S. response to “cyber malicious activities” — anything from attacking energy grids to election manipulation. And she is slated to advise hundreds of German government officials and policymakers on best practices in an upcoming fireside chat. The goal is “to show them the different chess pieces involved, and how they can be used against them,” Kubecka says.
Her expertise is in open systems intelligence, a form of data scrubbing that Bort describes as “a database of spiders that just crawl through everything they can see and touch,” allowing experts like Kubecka to discover what networks are potentially exposed to hackers. “What she has done is find ways to slice that data, to illustrate the scope of the problems we haven’t identified yet.”
Not that her work always seems so grim. She recently helped British journalists reveal the accidental exposure of nearly 9 million drivers’ road logs to internet users, a leak with potentially monumental consequences for those affected … and which she spun with a dose of humor, asking whether authorities had informed drivers their info would be stored that way, or “like in Hitchhiker’s Guide to the Galaxy, were the plans in a planning office at an impossible or undisclosed location?”
Humor aside, few are more qualified than Kubecka to take on the world’s cyber challenges. While working at Unisys in July 2009, she helped halt a wave of North Korean cyberattacks aimed at South Korea. And in 2012, when the Shamoon attacks wiped out 85 percent of Aramco’s computer systems — while severely hampering Saudi Arabia, Qatar and Bahrain — Kubecka was the expert called to mitigate the damage and stabilize the global oil market. “It was exhilarating,” Kubecka says. “They gave me a huge amount of leeway with my budget, what I wanted to do, what I wanted them not to do. And if there was a case where they didn’t agree, I was allowed to prove my point — and I always proved my point.”
A seventh-generation military member, Kubecka, who declines to give her age except to say she is “between 35 and 50,” has always been purpose driven. As a kid growing up in Washington, D.C., her Puerto Rican mother was single and had limited support after immigrating to the nation’s capital. “She was a mathematical genius who, due to race and gender, was limited in achieving her dreams but tried nonetheless,” Kubecka says kindly, despite the fact that her mother’s drug addictions led to her being raised primarily by her grandparents.
While her mother worked night shifts as a network operator for Digital Equipment Corp., she would tag along — Kubecka says she learned programming by age 6, and at 10 was caught illegally accessing Justice Department computer systems. Her great-grandfather, an MI5 field agent during World War II, and great uncle, a naval officer, taught her ciphers to help her hide her notes in class. She joined the Air Force as a military aviator at 18, and handled command and control systems at Space Command after being injured in the line of duty. “I remember growing up in the projects,” she says, “and seeing crime left unchecked, blissfully ignored or perpetrated by those in power for personal gain.” She was motivated by “the absolute desire to make one world better, albeit a virtual digital world.”
While Kubecka has a strong reputation in the industry, her biggest challenge may be building a sustainable business, according to some of her mentors. She has had contracts canceled because of coronavirus travel restrictions, and advising governments rarely pays well. Plus, not everybody sees her work in a positive light: Boeing has threatened to wage a legal and public relations campaign against her, Kubecka says, since she publicly criticized the vulnerabilities in their security systems last year. (Boeing did not reply to requests for comment.)
Still, the industry continues to respect her judgment: Kubecka was a key guest speaker at November’s Aviation Cyber Security conference in London. And she may be more insulated from legal threats than most, given that the Dutch government has some of the most robust protections for “white-hat hackers” — security professionals who look to expose potential breaches. “She can rattle the cages and turn over a few more stones and dig a little deeper,” says former NSA analyst Jeff Man, now an information security evangelist at Online Business Systems.
Now Kubecka is busy developing guides for both employers and employees on how to secure their work when much of it is done at home, as personal networks tend to be less secure. The number one rule? “Don’t expect employees to become cybersecurity experts. Ship them equipment to protect themselves,” she says … and leave the heavy lifting of protecting the world to the pros, like herself.