Unusual stock move shakes up cyber community
The Hill - 08/26/2016
An investment firm’s use of medical device security research has alarmed many within the cybersecurity and healthcare fields, and excited others.
Muddy Waters Capital announced on Thursday that it had sold stock in the medical technology firm St. Jude Medical based on vulnerabilities in MedSec’s cybersecurity. Cardiac devices make up nearly 50 percent of St. Jude’s business, and an interruption in their sales could drastically affect the company’s stock price.
After its sell-off, Muddy Waters Capital described the vulnerabilities on its website.
The report reads, in part: “We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house [the] exploits that help to enable these attacks.”
“I wouldn’t say it’s good,” said Northeastern University law professor Andrea Matwyshyn. “I would say it’s inevitable.”
The action by Muddy Waters was unusual.
Usually, security researchers at least try to act in the best interests of device manufacturers and notify a company in some way of a security flaw in its products. A few sell the bugs to governments who use them in espionage.
Matwyshyn noted that the Securities Exchange Commission has advocated for more transparency about security risks in products. For the past few years, Matwyshyn has held conversations with investors trying to incorporate cybersecurity into investment schemes.
“This did not come out of left field,” she said.
She said researchers have for years been rebuffed by companies when they try to notify them of security problems for free. If altruism does not work in getting vulnerabilities fixed, she said, it should not be a surprise that researchers turn to the free market.