When a Cyberattack Hits Home (and School)
The modern-day 'snow day'... When a cyberattack hits home – and school... How we do cybersecurity isn't great... Demand is off the charts... A problem that can't be solved – but must be addressed...
Kids here in the Baltimore suburbs are enjoying another 'snow day' today...
The modern version of a snow day, at least.
Last week, hackers took down Baltimore County Public Schools' ("BCPS") virtual learning software... locking everyone out just before the Thanksgiving break.
BCPS teachers were about to post their students' grades for the semester... And one local teacher who I talked to over the weekend said if this hack went on long enough, he'd be giving everyone an "A."
It seems like everyone in his English class is closer to passing with flying colors...
That's because some experts believe the 'fix' will take weeks, if not months...
That's the thing about cyberattacks... If the hackers are successful, they can gain access to certain pieces of data in minutes (or sometimes even seconds). And they can steal administrative rights to a system and start looking for data unnoticed within a few days.
On the defensive side, though... finding, fixing, and then protecting that same system can take companies or school districts weeks or even months – and cost a lot of money.
Most of us know that various databases and software systems are open to attack from the mischievous among us, but we probably don't realize the scale of it...
At first, I (Corey McLaughlin) thought a high-school student was a good suspect for this particular hack in the BCPS district, given the close timing to when kids were supposed to receive their grades... It felt a little too fishy, and I could see a really smart kid pulling it off.
But I was foolish to think this hack was an isolated incident. It's far from that...
At least 77 school districts in the U.S. have been hacked at some point this year during 'virtual learning'...
I doubt that a kid is responsible for all of those hacks.
That's 0.5% of all the school districts in the U.S... It's not an insignificant percentage, and it's a number that feels like a reasonable proxy for how much of the software used by schools or any other organizations is hacked each year.
And this isn't a new phenomenon, either. This trend has been unfolding for years...
One team of researchers recently found that school districts and colleges across the U.S. have experienced more than 1,300 data breaches over the past 15 years, putting more than 24.5 million records in jeopardy.
Like Baltimore County here in Maryland, large districts in Virginia (Fairfax County), Florida (Miami-Dade County), and Nevada (Clark County) have been hacked this year alone.
Relatedly, the Baltimore City government also endured a cyberattack last year, which shut down all but the jurisdiction's essential services for months. The hackers had demanded 13 bitcoin (worth about $80,000 at the time) as ransom, but the city declined. Even if you use bitcoin's recent multiyear high of more than $19,000, that would've been a cheaper deal...
The attack ended up costing Baltimore City government about $18 million in lost or delayed revenue and costs to repair hardware. And city officials voted to transfer $6 million from a fund for parks and public facilities to help pay for the losses.
Cyberattacks are clearly a problem that we must face head-on...
Back in July, Stansberry Venture Value editor Bryan Beach addressed the future of cyber-warfare. As he wrote to his subscribers...
Cybersecurity has become an issue of both personal liberty and national security. In our nation's capital, cybersecurity is one of the rare issues that Republicans and Democrats agree on.
In 2019, the late Senator John McCain established the Cyberspace Solarium Commission to address the crisis. The commission is chaired by the Independent U.S. senator from Maine, Angus King, and staffed with commissioners from both sides of the congressional aisle, Fortune 500 CEOs, and leading academic researchers.
As Bryan continued, the commission released its final report in March at a public event on Capitol Hill. The findings were terrifying...
Our country is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our electoral system...
The reality is that we are dangerously insecure in cyber. Your entire life – your paycheck, your health care, your electricity – increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage...
We need C-suite executives to take cyber seriously since they are on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyber-attackers from breaking [into] their networks and the larger array of networks on which the nation relies...
The status quo is inviting attacks on America every second of every day.
As with anything, every hack comes with short- and long-term consequences...
In the immediate term, the hack provided a much-needed break from "at home" schooling...
No parent made a New Year's resolution at the start of 2020 to teach more at home – while working at home, hopefully – in the middle of a pandemic. And we're sure no teachers made that resolution, either. And for the students, it's simply like a more traditional snow day.
But this attack does shine a light on a troubling part of our growing digital life...
We've talked at length this year about the tailwinds that "at home" companies had going for them... They're aiming to connect people who just want to live their normal lives as best as possible at school and work – from the comfort of their own living rooms or basements.
There's also the other side, obviously... Invisible bad actors are hacking into local school districts to steal people's passwords and other private information to likely do something else nefarious.
Local teacher groups have already encouraged educators to change any passwords that matched the ones they used to log into the school's software. And parents are asking Baltimore County officials on social media pages if their kids' information is safe...
To that, the county's head of information technology told concerned parents that the hack is a "ransomware attack, which encrypts data as it sits and does not access or remove from our system."
Even if it's true that the students' information was safe, the lives of everyone involved have already been upended...
Kids don't know their grades, for one (which could be good or bad!)... Families are adjusting at home again... And the county's IT employees had to work over the Thanksgiving break.
Time has been lost for everyone involved... That's the most important commodity of all.
The details of this hack also reveal a bigger-picture idea about cybersecurity that a lot of folks don't understand...
Baltimore County officials updated folks today with information that the attack was very specific to Microsoft (MSFT) products and not Alphabet (GOOGL) devices.
In a social media post, the county explained...
We now know that BCPS-issued Chromebooks were not impacted by the cyberattack. You may now safely use: BCPS-issued Chromebooks and BCPS Google accounts for students and staff. Please do not use BCPS-issued Windows-based devices until further notice.
Why are Alphabet products safe to use while Microsoft's are not? This just shows exactly "how we do cybersecurity" in this country. Namely, it goes like this... Good luck to you.
More often than not, we leave public institutions like school districts or private companies on their own to figure out their defenses against what could be nation-state bad actors like China or Russia... or low-level actors, too.
When you start to spell it out like this, you can start to see the problem... And you can realize why one student's Microsoft Surface with one type of software on it may be deemed dangerous to use while another student's Google Chromebook with that same software is safe.
On this point, our colleague Jessica Stone recently conducted a fascinating interview with Jamil Jaffer, a cybersecurity expert, former associate White House counsel to President George W. Bush, and an executive at IronNet Cybersecurity.
Jaffer says how the U.S. handles cybersecurity doesn't make sense at all when you really think about it...
The reality today, unlike pretty much any time in the last 50 or 100 years, is that we expect the American private sector to defend itself... You don't expect Target or Walmart to have service-to-air missiles on the roof of their warehouses to defend against Russian bear bombers coming over the horizon, right?
And yet, today in cyberspace, we know that our nation and primarily our private-sector companies are under massive sustained assault, whether it's stealing intellectual property by the Chinese, or the Russians, who are trying to engage in election interference, or the Iranians and North Koreans, who want to conduct destructive attacks on our systems...
Said another way, our government protects itself and our military... But what about everyone else? We don't expect our schools to protect themselves from physical Chinese missiles, do we? So why do we leave them on their own against digital missiles?
Jaffer believes the best path forward is better private-public partnerships that "empower" private companies to protect themselves with help from big government defense contractors like Raytheon Technologies (RTX) or Northrop Grumman (NOC). That's desperately needed because this demand for cyber protection is not going to go away on its own.
In fact, it's just the opposite... Jaffer speaks of cyber threats and data breaches as if they're an unending total addressable market. As he told Jessica...
The combined annual growth rate for the cybersecurity industry can be dramatic. We're talking year-over-year 50%-plus increases. We've already seen those historically and we'll see that continuing going forward.
There is no dearth of the threats. Unfortunately, this is not a problem you solve. It's not like you wake up one day, and you got the magic cybersecurity bullet. We're off to the races, and this is a constant hamster wheel of keeping up with the threats.
No wonder demand for cybersecurity products has been off the charts this year...
Schools represent just a fraction of the tens of thousands of organizations realizing they need stronger digital security. Take your pick of positive data...
Just two weeks ago, shares of cybersecurity leader Palo Alto Networks (PANW) hit a new all-time high after the company's third-quarter revenue rose 23% year over year, to $946 million.
And the products that are turnkey, so to speak – readily available, easy to use, and proven already – have been the most in demand. During the company's earnings call, Palo Alto Networks CEO Nikesh Arora said the growth had been driven by the pandemic-induced switch to cloud computing.
To this point, cybersecurity is another "use case" for the cloud-based Software as a Service ("SaaS") models, which we've talked about here before, that generate rivers of recurring revenue once folks sign up for them.
How do you keep up with the constant new threats out there in cyberspace? You hire experts who know what they're doing and make sure your systems are updated constantly.
First, that requires the services of cloud-hosting vendors like Amazon (AMZN)'s Web Services, Microsoft's Azure, or Alphabet's Google Cloud Platform. And then, you need the protective software that will run on those platforms... That's the type of stuff Palo Alto and other software companies sell.
Back in July, when Bryan wrote about cybersecurity to his Venture Value subscribers, he talked about a tiny company that has been developing cloud-based software to meet these very real threats and increased demand. If you're a Venture Value subscriber, we urge you to check it out today if you happened to miss it.
Bryan believes this company is the best place to put money to work in the space today... And he says it presents the best risk-reward profile of any business in the current Venture Value model portfolio. In part, Bryan wrote...
Most cybersecurity breaches today are based on artificial intelligence ("AI"), which dekes the firewalls and slips undetected into a target's network. To effectively combat that, you need a defense that can analyze all traffic – incoming, outgoing, and internal – identify the suspicious communications, and stop the threat in real time.
It might seem like a no-brainer solution, but this is work that most cybersecurity companies aren't doing today... However, the small company that Bryan recommended to subscribers is – and even better, it's doing it via a SaaS model, which we love.
In fairness to Bryan's subscribers, we can't reveal the name of this company here in the Digest today, as much as we would like to. This is one of our most exclusive services.
But we bring up the example of this company today because it is a relatively unknown, yet incredibly innovative organization doing what all of us should – assuming that we've all already been hacked, or will be at some point.
That might sound startling, but it's probably the best approach in today's world. And it's the thesis that this tiny company started with when it began developing its newest software... It sought to limit the damage being done, even if you are hacked.
Bryan got the CEO of this company on the phone to explain the story. As he told Bryan...
Everything else really works to lock your network and keep bad guys from getting in. [But it] ignores what gets past them... The reality is... every network in the world is already infected today.
We started out... with the premise that you can't keep the bad guys out. You can't put another lock on the door... Firewalls aren't stopping cyber breaches, as the numbers prove daily. So we decided rather than try to stop them, we would neutralize them.
In other words... that means no modern-day snow days due to a bunch of bad actors. We know at least one school district that would want that today. And we're sure many more across America would agree.
Demand in this space is only going to increase...
For one, this is another boon for the big cloud vendors like Amazon, Microsoft, and Alphabet. These companies are continuing to virtually touch every part of our lives, both directly and indirectly...
And two, it means the innovative companies at the forefront of the cybersecurity industry – and in particular, those that sell their services via a recurring revenue subscription model like the one Bryan has identified – are well worth considering in any portfolio today.
New 52-week highs (as of 11/27/20): AbbVie (ABBV), ARK Fintech Innovation Fund (ARKF), Autohome (ATHM), BlackLine (BL), Siren Nasdaq NexGen Economy Fund (BLCN), Cognex (CGNX), Cresco Labs (CRLBF), Crispr Therapeutics (CRSP), Curaleaf (CURLF), ProShares Ultra MSCI Emerging Markets Fund (EET), iShares China Large-Cap Fund (FXI), Alphabet (GOOGL), Gravity (GRVY), GrowGeneration (GRWG), Green Thumb Industries (GTBIF), Innovative Industrial Properties (IIPR), Renaissance IPO Fund (IPO), Jushi (JUSHF), KraneShares Bosera MSCI China A Fund (KBA), MongoDB (MDB), Match Group (MTCH), Cloudflare (NET), Intellia Therapeutics (NTLA), Flutter Entertainment (PDYPY), Starbucks (SBUX), Southern Copper (SCCO), ProShares Ultra S&P 500 Fund (SSO), Trulieve Cannabis (TCNNF), The Trade Desk (TTD), ProShares Ultra Semiconductors Fund (USD), Vanguard S&P 500 Fund (VOO), ProShares Ultra FTSE China 50 Fund (XPP), Zebra Technologies (ZBRA), Zendesk (ZEN), and Zymeworks (ZYME).
In today's mailbag, we're sharing some feedback on Dan Ferris' Wednesday Digest about the "nanny state" and Thanksgiving. The topic sparked a lot of comments – both in support of Dan's message and opposed to it. As always, we welcome all your thoughts, comments, and observations at feedback@stansberryresearch.com.
"Let me simply add a huge AMEN!! I am truly concerned about the potential long term power grab and loss of individual freedom." – Paid-up subscriber Wes J.
"Thank you Dan Ferris! Some of us are becoming really disappointed and quite angry in our alleged leaders. Only way anything will change is if we band together, stand up and say go eat dunk, we will take no more of your anti-American ways of infringing on our rights! Enough is enough!!!" – Paid-up subscriber Daryl R.
"Dan, an interesting read for certain. Is it that those in control wish us to cower in the corner waiting to be rescued? Not on my watch! The wealthy have become more so for centuries by exploitation of the masses. As the Constitution states, 'We the people...' It is high time that our leadership be reminded that their role is to serve us, and not to manipulate us any longer. These leaders are absolutely not superior to the people who labor and provide for their families and this Great United States of America." – Paid-up subscriber Chris D.
"Dan, wow, that was brilliant and I could not agree more. Unfortunately, we are like the frog slowly and unknowingly being boiled to death – our constitutional freedom of personal choice and determination is being eroded daily by so-called elites on both sides mainly through fear but also by deceit. I hope our magnificently intelligent citizenry awake and respond soon." – Paid-up subscriber Dale S.
"Good for you Dan. I'm behind you 100%. I'm 68 years old and I don't need anyone, especially the government, telling me how to take care of myself. Happy Thanksgiving to you and yours." – Paid-up subscriber J.L.R.
"Dan you're the man. I agree 100%, keep up the good work. Happy Thanksgiving and Merry Christmas." – Paid-up subscriber Bill L.
"Unfortunately some people are so scared of this virus that they think the power grabs are good. We now have some pushback against King Newsom out here. Good editorial in the Long Beach Tribune. This is just a cold virus. A bad one but still just a cold virus. A mask will not stop it. And hiding in my house is not the way I want to live. Live free or die." – Paid-up subscriber William R.
"Dan, I always love reading your Digests. Regarding the nanny state, many current state restrictions are indeed draconian. Here in Northern Colorado restaurants can't have indoor eaters, but retail stores can be at 50% capacity. There's no consistency in that measure. Many restaurants are openly defying the rules under threat of losing their license. But it's worth noting that there is always a line somewhere that separates both sides of an issue, and it is never an easy one to spot.
"If AIDS were an airborne virus when it first hit, it could have killed a significant amount of the world population. Under that possibility, the same draconian measures would not be enough. While COVID is a 2% mortality rate, there needs to be a line somewhere between freedom and public safety. I think states are trying to figure that out. I liken COVID to a fire drill... let's find out what works and what doesn't now, because someday a really bad virus may come along, and we'd better be ready." – Paid-up subscriber Darren N.
"Mr. Ferris: First I agree with your analysis regarding Fed policy. I admit I've benefitted from the asset inflation, but I worry not only about asset deflation but what effect the Fed policy has had over the years to those without assets – a large and unfortunately growing segment of our population who, as you suggest, are the sacrificial lambs for the asset rich. The endgame to all of this will not be pretty. This may not happen in my lifetime (I'm 70), but I fear for my children and grandchildren's future.
"As to your freedom to have as many guests as you wish for the holidays and ignore public health guidelines, what about by doing so you impair my freedom to be safe while we get over this pandemic in about another six months? Are you that impatient to risk lives of others in the name of your freedom? Apparently so. To exercise your freedom what is a fair cost – another 100,000, 200,000, 500,000 dead?" – Paid-up subscriber Allan O.
"I have to disagree with Dan Ferris' rant about what governors are doing to infringe on our personal freedoms. For what it's worth, I am a Republican. But I also believe in science and a duty to keep our fellow citizens safe during the worst public health crisis in 100 years. If you want to protect your fellow citizens, if you want to keep front line hospital workers from being overwhelmed, if you want to protect hospitals from overflowing with COVID-19 patients, then it is a small sacrifice this Thanksgiving day to celebrate with just your own family in your own house. Remember the words of John F. Kennedy: 'Ask not what your country can do for you. Ask what you can do for your country.'" – Paid-up subscriber Jeff Y.
"You do not have a God-given right to kill other people by any method, including Covid. A quarter of a million deaths don't look like much compared to the population of the USA, but it is still a lot of people. True you can get away with it because the people you kill will be your grandparents and others like them, or some young person who hasn't had a chance to taste life, i.e. someone whose illness cannot be traced to you with certainty, in court.
"Most people get Covid from a family member now. So the encouragement to wear masks when you have guests is an attempt to reduce the transmission of Covid between families. It's not a petty grab for power. It's an attempt to stop an epidemic that kills people.
"I'd be happy to answer questions, if I can. But I won't argue with you." – Paid-up subscriber Jerry S.
"People just won't do the right thing – physically distance, wear masks and wash their hands often. What are government officials supposed to do in order to try to slow down the virus? Absolutely nothing or worse than nothing like the governor of South Dakota who does everything to make the virus spread as much as possible in her state.
"Dan finishes with 'I'm getting together with friends and family – as many as I want, even if it's more than 10. And I'm also making a special point to sing, shout, drink, eat, and be merry. It's my right. And it's yours as well, if you so choose.'
"Just because you can doesn't mean you should. Even the CDC advises against getting together in person for the holiday. I would love to have a regular holiday too, but I care about my family and friends and would hate for any of them to get sick or die. I have a friend who is a very healthy 40 year old that slipped up recently and was at a house party with a dozen people and 8 of them got Covid. He had to go to the ER, and one other person is still in the hospital." – Paid-up subscriber Brian O.
"I'm disappointed that Dan, in his rant about the nanny state (which I don't necessarily disagree with), never once mentioned the massive number of dead, or the thousands of doctors and nurses who put their own health on the line as they struggle to keep their patients alive..." – Paid-up subscriber Rich G.
"Dan, perhaps the Digest should stick to financial advice. I usually support libertarian philosophy, and I suspect you do so too, yet I disagree with your call for civil disobedience on two counts. First, I am surprised that you think that the Constitution is above common sense. Secondly, I don't think increasing the spread of COVID is worth the extra joy you may derive from shouting at a large Thanksgiving party. No one likes restrictions, but I place a limit on my personal freedom, by trying not to harm others. If you think restrictions don't help, look at countries such as South Korea, where the culture places responsibility to others above personal gain. As a result, mask compliance is virtually 100%, hospitals are not overrun, and the Corona death rate is 150 times lower than in the US." – Paid-up subscriber Isaac O.
All the best,
Corey McLaughlin
Baltimore, Maryland
November 30, 2020

