Unusual stock move shakes up cyber community


An investment firm’s use of medical device security research has alarmed many within the cybersecurity and healthcare fields, and excited others. 

Muddy Waters Capital announced on Thursday that it had sold stock in the medical technology firm St. Jude Medical based on vulnerabilities in St. Jude's devices identified by the security research firm MedSec. Cardiac devices make up nearly 50 percent of St. Jude's business, and an interruption in their sales could drastically affect the company's stock price.

After its sell-off, Muddy Waters Capital described the vulnerabilities on its website. 

The report reads, in part: “We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house [the] exploits that help to enable these attacks.”

According to the report, Muddy Waters bet against St. Jude when its stock was at $81.88.

By 9:45 a.m. on Friday, it had dropped to $76.07.

Beyond the immediate hit, Muddy Waters anticipates a prolonged recall process. There could also be fines and lawsuits.

St. Jude was in the process of being acquired by Abbott Labs in a $25 billion deal that valued the company at around $85 a share. 

On Friday, many within the security community were still trying to grasp the impact of Muddy Waters' move.

Some called it “naked greed” at safety’s expense, something that went against the community's norms.

Others saw it as a way to “do good by doing bad,” as Duo Security’s Chief Officer Dug Song tweeted, a way to encourage better security in companies fearing their bottom line.

“I wouldn’t say it’s good,” said Northeastern University law professor Andrea Matwyshyn. “I would say it’s inevitable.”

The action by Muddy Waters was unusual.

Usually, security researchers at least try to act in the best interests of device manufacturers and notify a company in some way of a security flaw in its products. A few sell the bugs to governments who use them in espionage.

Matwyshyn noted that the Securities and Exchange Commission has advocated for more transparency about security risks in products. For the past few years, Matwyshyn has held conversations with investors trying to incorporate cybersecurity into investment schemes.

“This did not come out of left field,” she said. 

She said researchers have for years been rebuffed by companies when they try to notify them of security problems for free. If altruism does not work in getting vulnerabilities fixed, she said, it should not be a surprise that researchers turn to the free market. 

Andy Sellars, director of the new cyber law clinic created by Boston University and MIT, said that Muddy Waters' model "was incredibly short-sighted."

The right for researchers to investigate medical devices, cars and other critically important technologies for security problems is not a given. Until last year, research into the security of connected devices was in many cases thwarted by copyright law, but it’s now legal under a temporary exemption that might not be renewed.

“It’s staggering to me a company like MedSec would do this. It will only increase the calls that companies like MedSec need to be regulated,” he said. 

Joshua Corman, the director of cyber statecraft at the Atlantic Council and co-founder of the security advocacy group I Am The Cavalry, said the legality of the research is not the only tenuous relationship at stake when a firm like MedSec takes this kind of action.

Though groups like I Am The Cavalry have not solved the problem of companies willfully ignoring security, they have made inroads. Medical technology manufacturers, including Philips and Johnson & Johnson, now invite researchers to disclose vulnerabilities for repair. Corman said those inroads exist largely because they have eased the adversarial relationship between researchers and companies.

“Finger-pointing never worked; empathy did,” he said. 

Corman said he feared Muddy Waters might decimate the delicate working relationship between the security experts and device-makers. 

More than anything, Corman said he was concerned about what most people believe is the fundamental issue in medical devices: patient safety.

“Thousands of people have these devices inside their chest cavities. Releasing information on how to hack them without even trying to contact St. Jude puts all of them at risk,” he said.