|
|
NadyaBartol_2021S-_更好的网络安全始于诚实和可问责性_
|
| Today, I'm going to talk about a shameful topic. |
今天,我要谈一个难以启齿的话题。 |
| This has happened to many of us, and it's embarrassing , but if we don't talk about it, nothing will ever change. |
很多人都有这样令人尴尬的经历, 但如果我们放着它不谈, 我们将永远不能改变现状。 |
| It's about being hacked . |
这个经历就是被黑客入侵。 |
| Some of us have clicked on a phishing link and downloaded a computer virus. |
有些人点击了网络钓鱼链接 并因此下载了电脑病毒, |
|
shameful:adj.可耻的;不体面的;不道德的;猥亵的; embarrassing:adj.令人尴尬的; v.使尴尬; (embarrass的现在分词) hacked:v.砍;劈;猛踢;非法侵入(hack的过去分词和过去式) phishing:n.网络钓鱼;网络欺诈(以虚假的身份和形象随机骗取个人帐号和密码等);
|
| Some of us have had our identities stolen. |
还有些人的身份被盗取了。 |
| And those of us who are software developers might have written insecure code with security bugs in it without realizing it. |
那些软件开发工程师 有可能写了不安全的 有安全漏洞的代码, 却毫无意识。 |
| As a cybersecurity expert, |
作为一个网络安全专家, |
| I have worked with countless companies on improving their cybersecurity. |
我为无数公司工作过, 帮他们提升网络安全性。 |
|
identities:n.身份;本身;本体;特征;同一性;相同;(identity的复数) developers:n.开发商;发展者;[摄]显影剂(developer的复数); insecure:adj.不安全的;不稳定的;不牢靠的; bugs:n.缺陷;虫子;窃听器;(bug的复数)v.窃听;使烦恼;(bug的第三人称单数) cybersecurity:网络安全;网络空间安全; countless:adj.无数的;数不尽的; improving:v.改进;改善;(improve的现在分词)
|
| Cybersecurity experts like me have advised companies on good cybersecurity practices, monitoring tools and proper user behaviors. |
像我这样的网络安全专家 建议过公司 采取良好的网络安全实践, 监控工具, 以及正确的用户行为。 |
| But I actually see a much bigger problem that no tool can fix: the shame associated with the mistakes that we make. |
但我其实认识到了一个更大的, 没有工具能够解决的问题: 伴随犯错出现的羞耻感。 |
| We like to think of ourselves as competent and tech savvy , and when we make these mistakes that can have a really bad impact on us and our companies -- anything from a simple annoyance , to taking a lot of time to fix, to costing us and our employers a lot of money. |
我们喜欢将自己视为 有能力且精通技术的人, 但当我们犯错时, 这些错误不管是对个人还是公司 可能会有很糟糕的影响—— 其中包括一个简单的小麻烦 到需要很长时间去解决 且耗财耗力的大问题。 |
|
advised:adj.考虑过的; v.劝告; (advise的过去分词和过去式) associated:adj.有关联的; v.联想; (associate的过去分词和过去式) competent:adj.胜任的;有能力的;能干的;足够的; savvy:n.悟性;理解能力;懂行(的人);v.理解;懂;vi.理解;知道; impact:n.影响;效果;碰撞;冲击力;v.挤入,压紧;撞击;对…产生影响; annoyance:n.烦恼;可厌之事;打扰; employers:n.雇主;雇用者;(employer的复数)
|
| Despite billions of dollars that companies spend on cybersecurity, practitioners like me see the same problems over and over again . |
虽然公司在网络安全上 花了几十亿的美元, 像我这样的专业从业者 还是反复看到相同的问题。 |
| Let me give you some examples. |
让我给你几个例子。 |
| The 2015 hack of Ukrainian utilities that disconnected power for 225,000 customers and took months to restore back to full operations started with a phishing link. |
2015 年, 一次乌克兰公共设施被黑事件 导致 22.5 万客户的断电经历。 这场始于网络钓鱼链接的危机 花了数月才恢复全面运行。 |
|
Despite:prep.尽管,不管;n.轻视;憎恨;侮辱; practitioners:n.实践者;开业者;实习者(practitioner的复数); over and over again:adv.一再地;反复不断地; Ukrainian:adj.乌克兰的;乌克兰人的;n.乌克兰人;乌克兰语; utilities:n.公用事业;实用工具,[计]实用程序;公用程式;(utility的复数) disconnected:adj.分离的; v.切断(煤气、水或电的供应); (disconnect的过去式和过去分词) restore:v.恢复;修复;恢复(某种情况或感受);使复原;
|
| By the way , 225,000 customers is a lot more 225,000 people. |
顺便一提,22.5 万位客户 可远多于 22.5 万名个体。 |
| Customers can be anything from an apartment building to an industrial facility to a shopping mall . |
客户可以是任何形式—— 再到一个购物中心。 |
| The 2017 data breach of Equifax that exposed personally identifiable information of 140 million people and may ultimately cost Equifax something on the order of 1.4 billion dollars: |
2017 年 艾可飞(Equifax)的信息泄漏事件 暴露了 1.4 亿人的 个人身份信息, 最终可能导致 公司 14 亿美元的损失。 |
|
By the way:顺便说一下; industrial:adj.工业的,产业的; n.工业股票; facility:n.设施;设备;特别装置;特色;场所;天资; shopping mall:un.商业区林荫路; breach:n.违背;破坏;辜负;中断;v.违反;违背;在…上打开缺口; exposed:adj.无遮蔽的; v.暴露; (expose的过去分词和过去式) personally:adv.个人;亲自;本人;就本人而言; identifiable:adj.可辨认的;可认明的;可证明是同一的; ultimately:adv.最终;最后;归根结底;终究;
|
| that was caused by an exploitation of a well-known vulnerability in the company's customer consumer complaint portal . |
事件的起源是一个众所周知的 隐藏在客户投诉网站中的漏洞。 |
| Fundamentally , this is about technology and innovation . |
归根结底, 这一切与科技创新有关。 |
| Innovation is good; it makes our lives better. |
创新是好的, 能提升我们的生活水平。 |
| Most of the modern cars we drive today are fundamentally computers on wheels. |
今天,大多我们所驾驶的机动车 本质是车轮上的计算机。 |
|
exploitation:n.开发,开采;利用;广告推销; well-known:adj.著名的;众所周知的;清楚明白的; vulnerability:n.易损性;弱点; consumer:n.[经]消费者;[生,生态]消费者; complaint:n.抱怨;投诉;控告;不满; portal:n.大门,入口; Fundamentally:adv.从根本上;基础地;重要地 technology:n.技术;工艺;术语; innovation:n.创新,革新;新方法;
|
| They tell us where to go to avoid traffic, when to take them in for maintenance and then give us all kinds of modern-day conveniences . |
它们告诉我们免堵车路线, 什么时候车子需要保修, 给我们带来了很多现代化的便利。 |
| Many people use connected medical devices like pacemakers and glucose monitors with insulin pumps . |
很多人使用互联医疗设施, 例如起搏器 和带有胰岛素泵的血糖监控器。 |
| These devices make these people's lives better and sometimes even extend their lives. |
这些设备让用户的生活更美好, 有时甚至延长了他们的寿命。 |
|
maintenance:n.维护,维修;保持;生活费用; modern-day:adj.当代的;今日的; conveniences:n.方便性; devices:n.[机][计]设备;[机]装置;[电子]器件(device的复数); pacemakers:[基医]起搏器; glucose:n.葡萄糖;葡糖(等于dextrose); insulin:n.[生化][药]胰岛素; pumps:n.[机]泵; v.用泵送; extend:vt.延伸; vi.延伸;
|
| But anything that can be interconnected can be hacked when it's connected. |
但是,任何可互联的设备 在被连接时都有可能被黑。 |
| Did you know that the former US Vice President Dick Cheney kept his pacemaker disconnected from Wi-Fi before he received a heart transplant ? |
你知道吗?前美国副总统 迪克 · 切尼(Dick Cheney) 在做心脏移植手术前 切断了他的起搏器的网络连接。 |
| I will let you figure out why. |
我想让你自己品味其中缘由。 |
|
interconnected:adj.连通的;有联系的;v.互相连接(interconnect的过去式); Dick:n.阴茎,鸡巴;侦探;誓言; Wi-Fi:abbr.无线保真技术(wirelessfidelity);无线上网技术; transplant:v.移植;迁移;使移居;n.移植;移居者;
|
| In a digitally interconnected world, cyber risks are literally everywhere. |
在一个数字互联世界里, 网络危险真的无处不在。 |
| For years, my colleagues and I have been talking about this elusive notion of cybersecurity culture. |
多年来,我和我的同事们 都在谈论 一个难以捉摸的概念—— 网络安全文化。 |
| Cybersecurity culture is when everybody in the organization believes that cybersecurity is their job, knows what to do and what not to do and does the right thing. |
网络安全文化 是指当组织的每个人 都视网络安全为己任, 知道该做什么和不该做什么 并且做正确的事。 |
|
digitally:adv.数位; literally:adv.按字面:字面上:确实地: colleagues:n.同事;同行(colleague的复数); elusive:adj.难懂的;易忘的;逃避的;难捉摸的; notion:n.观念;信念;理解; organization:n.组织;机构;体制;团体;
|
| Unfortunately , I can't tell you which companies do this well, because by doing so, I would put a juicy target on their backs for ambitious attackers . |
虽然我不能告诉你 哪些公司在这方面做得很好, 因为这么做 会吸引那些雄心勃勃的黑客们, 从而给那些公司招来麻烦。 |
| But what I can do is make cybersecurity less mysterious , bring it out into the open and talk about it. |
但是我能做的 是使网络安全变得不那么神秘: 把它带到公众面前,并公开谈论它。 |
| There should be no mystery or secrecy within an organization. |
一个组织里不应该有秘密。 |
|
Unfortunately:adv.不幸地; ambitious:adj.野心勃勃的;有雄心的;热望的;炫耀的; attackers:n.攻击者;进攻者; mysterious:adj.神秘的;不可思议的;难解的; secrecy:n.保密;秘密;隐蔽;
|
| When something is invisible and it's working, we don't know that it's there until it's not there. |
当一个隐形的东西正在产生影响, 在它消失之前, 我们不会知道它的存在。 |
| Kind of like toilet paper . |
这有点像厕纸。 |
| When the COVID-19 pandemic began, what has been there all of a sudden became super important because we couldn't find it anywhere. |
当新冠大流行病开始时, 平凡的厕纸 因为我们无法随处可见它的存在 突然变得很重要。 |
| Cybersecurity is just like that: when it's working, we don't know, and we don't care. |
网络安全也是如此: 当它正常运作时, 我们不知道也不关心; |
|
invisible:adj.看不见的;n.看不见的人或物; toilet paper:卫生纸,厕纸; pandemic:adj.(疾病等)全国流行的;普遍的;n.流行性疾病; all of a sudden:突然地,出乎意料地;
|
| But when it's not working, it can be really, really bad. |
但当它出现故障时, 事情可以变得非常,非常糟糕。 |
| Toilet paper is pretty straightforward . |
厕纸的例子相对直接易懂。 |
| Cybersecurity is mysterious and complex . |
网络安全神秘且复杂。 |
| And I actually think it starts with the notion of psychological safety. |
我其实觉得 网络安全始于心理安全感的概念。 |
| This notion was popularized by an organizational behavior scientist, |
这一概念 是由一位组织行为学家普及开的, |
|
straightforward:adj.简单的;坦率的;明确的;径直的;adv.直截了当地;坦率地; complex:adj.复杂的;合成的;n.复合体;综合设施; psychological:adj.心理的;心理学的;精神上的; popularized:vt.普及;使通俗化;vi.通俗化; organizational:adj.组织的;编制的;
|
| Amy Edmondson. |
她叫艾美 · 埃德蒙森。 |
| Amy studied behavior of medical teams in high-stakes situations like hospitals, where mistakes could be fatal . |
艾美研究了医疗团队在 高危险环境(例如医院)中的行为。 在这一环境下,错误可以是致命的。 |
| And she found out that nurses were not comfortable bringing up suggestions to the doctors because of the fear of questioning authority . |
她发现护士不愿意 对医生提出建议 因为他们害怕质疑权威。 |
| Amy helped improve medical teams to make nurses more comfortable bringing up suggestions to the doctors for patient treatment without the fear of being scolded or demeaned . |
通过让护士们更愿意 向医生提出病人的治疗建议, 而不屈服于被训斥或轻视的恐惧, 借此,艾美帮助医疗团队 提升团队行为表现。 |
|
high-stakes:adj.高风险; fatal:adj.致命的;灾难性的;毁灭性的;导致失败的; authority:n.权威;权力;当局; improve:v.改进;改善; patient:adj.有耐心的,能容忍的;n.病人;患者; treatment:n.治疗;疗法;对待;处理;讨论; scolded:v.训斥,责骂(孩子);(scold的过去分词和过去式) demeaned:v.降低身份;失去尊重;贬低;(demean的过去分词和过去式)
|
| For that to happen, doctors needed to listen and be receptive -- without judging. |
为了这一改变的发生,医生需要 学会聆听且善于接受意见—— 而不是批判。 |
| Psychological safety is when everybody is comfortable speaking up and pointing things out. |
心理安全感指的就是 每个人都愿意发表自己的看法 并指出问题。 |
| I want cybersecurity to be the same. |
我希望网络安全也是如此。 |
| And I want cybersecurity practitioners to be comfortable bringing suggestions up to senior executives or software developers, without being dismissed as those people who continue to talk about horrors and errors, and say no. |
而且我希望网络安全从业人员 也能对高管或软件开发者 勇于提出建议, 而不是被忽视为一群一直谈起可怕事件与错误 并且只会说“不”的人。 |
|
receptive:adj.善于接受的;能容纳的; senior:adj.大;级别(或地位)高的;成人的;高级水平的;n.上级;上司;较…年长的人; executives:n.经理,主管领导,管理人员;领导层;行政部门(executive的复数) dismissed:v.不予考虑;摒弃;去除,消除;解雇;(dismiss的过去分词和过去式) horrors:n.震惊;恐惧;厌恶;;令人厌恶的性质;(horror的复数)
|
| Not doing so is really hard for the individuals who are responsible for the creation of digital products because fundamentally, it's about their pride and joy in their creations . |
对那些数字产品的研发负责人来说, 不勇于提议的后果很严重。 其根本原因是这些人 对自己创作成果的自豪和喜悦。 |
| I once tried talking to a senior software development executive about the need to do better security. |
我曾经试着告诉一个 软件开发高级管理人员 他们需要提升安全性能。 |
| You know what he said? |
你猜他怎么说? |
| '"Are you telling me we're developing insecure code?" |
“你是在告诉我 我们的代码不安全吗?” |
|
individuals:n.[经]个人;[生物]个体(individual的复数); responsible:adj.负责的,可靠的;有责任的; creations:n.创作;创造物(creation的复数形式);
|
| In other words, what he heard was, "Your baby is ugly ." |
换句话说,他听到的是 “你的孩子不好看”。 |
| What if instead of focusing on what not to do, we focused on what to do? |
如果相反,我们不强调“不做什么”, 而是关注“做什么”呢? |
| Like, how do we develop better software and protect our customer information at the same time ? |
例如,我们怎样开发更好的软件 并同时保护我们的用户信息? |
|
ugly:adj.丑陋的;邪恶的;令人厌恶的; What if:如果…怎么办? at the same time:同时;另一方面;与此同时;
|
| Or how do we make sure that our organization is able to operate in crisis , under attack or in an emergency ? |
或者如何确保 在面临危机、攻击或紧急情况下 我们的组织能够正常运作? |
| And what if we reward good things that people do in cybersecurity in some way and encourage them to do so, like reporting security incidents, reporting potential phishing emails, or finding and fixing software security bugs in the software that they develop? |
如果我们通过某种方式奖励 在网络安全方面人们做得不错的地方 并鼓励他们这么做, 例如汇报安全事件, 报告潜在的网络钓鱼邮件, 或是识别并修复 他们研发软件中的安全漏洞, 事情又会怎么样? |
|
crisis:n.危机;危险期;决定性时刻;adj.危机的;用于处理危机的; emergency:n.紧急情况;突发事件;非常时刻;adj.紧急的;备用的; reward:n.[劳经]报酬;报答;酬谢;v.[劳经]奖励;奖赏; potential:n.潜能;可能性;[电]电势;adj.潜在的;可能的;势的;
|
| And what if we tied these good security actions to performance evaluations to make it really matter? |
如果我们将这些优秀的安全行为 与绩效评估联系起来 使网络安全成为一个值得认真对待的问题 又会发生什么? |
| I would love for us to communicate these good cybersecurity things and encourage them in some sort of company-wide communications like newsletters , blogs , websites, microsites -- whatever we use to communicate to our organization. |
我非常愿意大家交流 这些好的网络安全事例 并在公司范围的交流中 鼓励网络安全规范, 例如简报、博客、网站, 和微网站—— 任何我们用来和内部组织交流的平台。 |
|
performance:n.性能;表现;业绩;表演; evaluations:n.[审计]评估(evaluation的复数); company-wide:adj.全公司的;公司性的;企业水平的; newsletters:n.时事通讯(newsletter的复数); blogs:n.网志;博客;v.写网志;写博客;(blog的第三人称单数和复数)
|
| What if a company announced a competition for who finds the most security bugs and fixes them in a two-week development sprint and then announces the winner of the competition for the quarter at a large company virtual town hall , |
或许公司可以举办一场比赛, 比拼谁找到的安全漏洞最多 并能在两周的开发冲刺中修复它们, 之后在一个巨大的公司虚拟大厅 宣布这一季度比赛的冠军。 |
| and then rewards these people, these winners, with something meaningful , like a week's vacation or a bonus. |
随后公司可以用一些有意义的东西 奖励这些获奖者, 像是一个星期的休假或奖金。 |
| Others will see the celebration and recognition , and they'll want to do the same. |
其他人对这样的表扬和认可 有目共睹, 因此也会跃跃欲试,想赢得比赛。 |
|
competition:n.竞争;比赛,竞赛; sprint:vi.冲刺,全速跑;n.冲刺;短跑;vt.全速奔跑; virtual:adj.[计]虚拟的;实质上的,事实上的(但未在名义上或正式获承认); town hall:n.镇公所;市政厅;(英国)市镇集会所; rewards:n.[劳经]奖励; v.[劳经]奖赏; meaningful:adj.严肃的;重要的;重大的;意味深长的; recognition:n.识别;认识;承认;认可;
|
| In the energy industry, there is a really strong culture of safety. |
在能源行业, 有一种很强的安全文化。 |
| People care about this culture, are proud of it, and there is a collective reinforcement of this culture to make sure that nobody gets hurt. |
人们很关心这种文化, 并为此感到骄傲。 这种安全文化存在集体强化 来保障没有人受伤。 |
| One of the ways they exhibit and keep this safety conscious culture going is by counting and visibly displaying days since the last safety incident. |
人们展现并维持这种安全意识文化的 其中一种方式 就是计算并可视化 距离上次安全事故已经过去了多少天。 |
| And then everybody works really hard not to have that count go back to zero because that means that somebody did get hurt. |
于是,每个人都非常努力地 避免这个数字归零, 因为归零意味着有人受伤了。 |
|
collective:adj.集体的;共同的;集合的;集体主义的;n.集团;集合体;集合名词; reinforcement:n.加固;增援;援军;加强; exhibit:v.展览;表现;展出;n.陈列品;(在法庭上出示的)物证; conscious:adj.意识到的;故意的;神志清醒的; visibly:adv.明显地;显然;看得见地; displaying:v.陈列;展出;展示;显露(display的现在分词)
|
| Cybersecurity is the same as safety. |
网络安全和人身安全一样。 |
| What if we all agree to keep that count of days since the last cybersecurity incident going on forever and then work really hard not to have it reset to zero? |
如果我们齐心协力 将自上次网络安全事件后 过去的日子 一直计算下去 并努力不让其归零, |
| And then certain things are a no-no, and we need to clearly communicate to our organizations what they are in an easily digestible and maybe even fun way, like gamification or simulations , to make sure that people can remember this. |
同时,有些事情是绝对不允许的, 我们需要用一种简单易懂的方式, 甚至是有趣的方式, 例如通过游戏或模拟, 在组织内 明确告知哪些事是被禁止的 以确保人们将其铭记于心。 |
|
reset:vi.重置;清零;重新组合;n.重新设定;重新组合;重排版; organizations:n.组织,构造,有机体(organization的复数);组织机构; digestible:adj.易消化的;可摘要的; gamification:n.游戏化; simulations:n.[计]模拟(simulation的复数);[计]仿真;
|
| And if somebody does something they're not supposed to do, they should face some sort of consequences . |
如果有人做了不该做的事, 他们应该面对某种后果。 |
| So, for example, if an employee buys equipment on Amazon or eBay or uses personal Dropbox for their company business, then they should face some sort of consequences. |
举个例子来说,如果一个员工 用亚马逊或 eBay 购买了设备, 或用个人云存储服务账号 处理了公司业务, 他们就应该面对惩罚。 |
|
supposed:adj.误信的;所谓的;v.认为;假设;设想;(suppose的过去分词和过去式) consequences:n.后果,结果;影响(consequence的复数); Amazon:亚马逊;古希腊女战士;
|
| And when this happens, executives should get the same treatment as regular employees, because if they don't, then people won't believe that it's real and will go back to their old behaviors. |
同时,经理也应像普通员工一样 受到同样的处置, 因为如果不这么做, 人们不会认真对待这件事 并且会重拾恶习。 |
| It's OK to talk about mistakes, but just like a teenager who violates the rules tells us about it, we appreciate that they told us about it, but there should still be some sort of consequences. |
谈论错误是可以接受的, 但就像违反规则的青少年 对此坦白一样, 我们应该感谢他们的诚实, 但他们依然应该面对后果, 为自己的行为负责。 |
| Cybersecurity is a journey . |
网络安全是一段旅程。 |
| It's not a destination, and we need to keep working on it. |
它不是一个目的地, 所以我们要持续为之奋斗。 |
| I would love for us to celebrate cybersecurity people like the heroes that they are. |
我希望我们能够赞颂 英雄般的网络安全从业人员。 |
|
violates:违反;亵渎;侵犯; appreciate:v.欣赏;感激;感谢;理解; journey:n.旅行;行程;vi.旅行;
|
| If we think about it, they are firefighters , emergency room doctors and nurses, law enforcement , risk executives and business strategists all in the same persona. |
如果我们仔细想想, 他们其实集消防员、 急诊医生和护士、 执法人员,风险主管, 和商业战略家 于一身。 |
| And they help us protect our modern life that we like so much. |
他们帮我们保护着 我们如此喜爱的现代生活。 |
| They protect our identities, our inventions, our intellectual property , our electric grid , medical devices, connected cars and myriad other things. |
他们保护我们的身份、 发明、知识产权、 电网、医疗设施、 联网车辆,和很多其它东西。 |
|
firefighters:n.消防队员;(firefighter的复数) emergency room:n.急诊室; enforcement:n.执行,实施;强制; strategists:n.战略家;军事家; intellectual property:知识产权; electric:n.供电;adj.电的;用电的;电动的;发电的; grid:n.网格;格子,栅格;输电网; myriad:adj.无数的;种种的;n.无数,极大数量;无数的人或物;
|
| And I'd like to be on that team. |
我很愿意做这个队伍的一员。 |
| So let's agree that this thing is with us to stay, let's create a safe environment to learn from our mistakes, and let's commit to making things better. |
所以,让我们一致同意: 网络安全与我们同在。 让我们创造一个 可以从错误中吸取教训的安全环境, 并共同致力于创造更好的世界。 |
| Thank you. |
谢谢。 |
|
commit:v.犯(罪等);干(坏事等);[法]提(审);判处;
|