Tom Yardic took a rare and bold step for a cybersecurity engineer.
He directly alerted the CEO and trustees at his organization that there were hundreds of thousands of unpatched security vulnerabilities across the organization due to "a long-standing cultural indifference to computer and network security."
According to LinkedIn, Yardic still works for Blue Cross and Blue Shield of Minnesota, which insures some 2.8 million people and has revenue north of $6 billion.
Cybersecurity whistleblower: 'failure to patch'
Now, he's revealed as a cybersecurity whistleblower by the Minneapolis Star Tribune which broke this story:
"Internal documents show that Minnesota Blue Cross allowed 200,000 vulnerabilities classified as 'critical' or 'severe' to linger for years on its computer systems, despite stark warnings to executives. Software patches were available to fix most of the weak points.
At Minnesota Blue Cross, documents obtained by the Star Tribune show that cybersecurity engineer Tom Yardic met with executives as early as August 2018 to raise alarm that important patches weren't getting done. On Sept. 16 Yardic e-mailed the board of trustees in what the e-mail describes as a last-ditch effort to push for change.
'I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides,' Yardic wrote to the trustees and CEO Dr. Craig Samitt. Although the seriousness of the situation had been acknowledged in meetings going back over a year, Yardic wrote, 'what has not happened is a serious attempt to remedy the situation.'
Scans of the Minnesota Blue Cross network show the number of software vulnerabilities classified as critical or severe peaked at around 200,000 inside roughly 2,000 important computers called servers, according to records obtained by the Star Tribune and confirmed by the insurer. At least 89,000 of those vulnerabilities were more than three years old as of the end of last year, and some 24,000 dated to 2010 or earlier."
CISO responds to whistleblower within organization
Amy Eklund, Chief Information Security Officer at Blue Cross and Blue Shield of Minnesota, did not dispute the vulnerability numbers revealed in the documents. But she told the Star Tribune:
"Through ongoing focus, collaborative efforts and opportunity afforded by migration and upgrade projects, our managed volume continues to decrease and should be considerably reduced by the end of the year."
Organization gets ahead of whistleblower story
Just days before the cybersecurity whistleblower news broke, Blue Cross and Blue Shield of Minnesota got ahead of the story by publishing a blog story with its CISO.
The focus of the article? You can trust us with your data because of our dedication to excellent cybersecurity. Here are a few snippets:
Q: As one of your members, can you tell me, is my information safe with Blue Cross?
Yes. Protecting personal and sensitive data is core to who we are as a company. Every day, millions of members trust us with safeguarding the private and protected information we use to ensure they have access to high quality health care.
Q: So a strong cyber security posture is part of the company culture at Blue Cross?
Absolutely. While the folks on my team are focused 100 percent on security, we believe every Blue Cross associate is a member of the cyber security team. All of us have a role in reinforcing the defenses that protect our member data.
Blue Cross takes that responsibility very seriously. We have been and will continue to be highly vigilant with our security measures.
Interestingly, the subject of patching also came up in the Q&A:
Q: I've heard a lot about the importance of "patching" in cyber security. What exactly is that?
A "patch" is simply shorthand for a targeted software update. The security updates that you download for the apps on your smartphone? Those are patches and they fix what are called vulnerabilities or "software bugs."
We apply patches to fix literally millions of vulnerabilities every year. It's a fundamental aspect of cyber security control and part of our ongoing system maintenance.
There is a lot more in the Q&A with CISO Amy Eklund. But the interview concludes like this:
Q: Is there anything else you want people to know about cybersecurity at Blue Cross?
Our members place their trust in us to protect their most sensitive data. We don't take that for granted. I would want them to know that we are committed every single day to doing just that.
Cybersecurity engineer Tom Yardic clearly has a different view of the security culture at the organization, which he called indifferent.
"It will take a sustained push from the top to permanently change this culture," he wrote.
Security patching: did we learn anything from Equifax?
The patching situation revealed at BCBS of Minnesota seems hard to fathom, especially since security teams around the world watched in horror after the Equifax mega-breach. That data breach was caused by a failure to patch.
We interviewed Graeme Payne in 2019 after he spoke at a SecureWorld cybersecurity conference. Equifax fired him after the company's data breach since his team had ownership of the unpatched vulnerability.
Payne told us what the situation was like:
"The chief executive, or the former chief executive, of Equifax testified in Congress about the root cause of the breach. And he said there were two issues: there was a human error and a technological error.
The technological error was that the vulnerability scanner did not detect the existence of an unpatched version of Apache Struts. The human error was, obviously, the patch wasn't installed. And the reason they indicated that was the case is because the information didn't get to the people responsible. And they said it was because I had failed to forward an email to the appropriate people to ensure that they actually patched the system."
He says the email went to more than 400 people within Equifax, but it never got to the right person.
"I think that speaks to some of the challenges around patch management and making sure that you've got robust processes to get information to all the key people that need it."
Security patches: a failed paradigm?
Cybersecurity author and thought leader Bruce Schneier told us he believes that patching as a security tool is a failed paradigm.
Companies struggle to get it right, and what's worse, we're shifting to a world of connected devices that don't have security teams to develop a fix.
"Patching is kind of reaching the end of its useful life. It works, really, because the things we're patching are expensive and maintained by tech companies. They’re laptops, they are computers, they are phones. And that whole patching ecosystem is predicated on there being engineers at Apple and Microsoft and Google who can write these patches and push them down.
You start moving to low-cost embedded systems like DVRs and home routers and appliances, and there are no engineers to write patches. There's no mechanism to get the patches to the systems. So that, that's going to fail pretty badly."
Here Bruce Schneier's take on the state of cybersecurity in The SecureWorld Sessions podcast:
Getting the basics right is a mantra we hear repeatedly on our SecureWorld web conferences. But if the Blue Cross whistleblower is right, not everyone has gotten that message.
Read More in the Minneapolis Star Tribune: Minnesota Blue Cross scrambles to boost cyberdefenses