Vault 7, again, as Beijing names and shames. Schulte case goes to jury. Maersk to cut incident response jobs. The Cyberspace Solarium’s election security preview. Advice for intel collection.
Dave Bittner: [00:00:03] A Chinese security firm calls out the U.S. CIA for Vault 7 campaigns against civil aviation. Meanwhile, the jury's out in the Joshua Schulte Vault 7 case. Incident responders in the U.K. may be reentering the labor market. U.S. agencies issue a joint warning to adversaries about election interference and joint encouragement to citizens. The Cyberspace Solarium talks about elections. And the Justice Department offers advice on cyberthreat intelligence collection.
Dave Bittner: [00:00:38] And now a word from our sponsor ExtraHop - securing modern business with network detection and response. Cloud native is a buzzword, but it's also a direction. IDC predicts that 70% of enterprise applications will be developed cloud native by 2021. It's time for security teams to adopt the same agility and speed as their DevOps counterparts so they can secure multicloud deployments and enterprise IOT at scale. ExtraHop helps organizations like Home Depot and Wizards of the Coast detect threats inside their hybrid and cloud environments up to 95% faster and respond 60% more efficiently. Investigate an attack with ExtraHop in the full product demo of cloud-native network detection and response available online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators like your team's. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 3, 2020. Chinese security firm Qihoo 360 has outlined an 11-year campaign by the U.S. Central Intelligence Agency to compromise targets in China, particularly in the civil aviation sector. The report, apart from some suggestions that incursions into civil aviation extended beyond China, is mostly warmed-over Vault 7 material from WikiLeaks. The report makes much of the case of Joshua Schulte, currently standing trial in the U.S. on federal charges related to the Vault 7 leaks. Qihoo 360 has certainly published interesting and useful warnings of cyber risk in the past. But as Forbes points out, this report depends heavily on material published earlier with a heavy dose of speculation and not much in the way of detailed evidence for attribution, so it seems to be Beijing's riposte for Washington's recent naming and shaming of Chinese cyber operators.
Dave Bittner: [00:03:04] To return to the case of Mr. Schulte, The Washington Post reports that a jury in Manhattan is currently deliberating the verdict on his indictment for illegal gathering of national defense information, unauthorized computer access, theft of government property and making false statements. The defense's closing arguments portrayed Mr. Schulte as a patriot and a whistleblower whom an embarrassed agency made the fall guy as it scrambled to undo the damage the Vault 7 leaks had done it. The prosecution argued that the former CIA employee was angry and vindictive, a disgruntled employee who wanted to damage the agency, knew what he was doing and took steps to cover it up. The jury is out.
Dave Bittner: [00:03:47] The Register says Maersk is preparing to cut 150 jobs at its Maidenhead Command & Control Centre. This is the crew credited with helping Maersk ride out NotPetya in 2017. So if you're hiring in the U.K. and looking for people who know a thing or two about incident recovery, consider a visit to Maidenhead.
Dave Bittner: [00:04:07] The U.S. government issued a terse warning to foreign adversaries in advance of today's Super Tuesday presidential primaries. Quote, "Any effort to undermine our democratic processes will be met with sharp consequences," end quote. The secretary of state, attorney general, secretary of defense, acting secretary of homeland security and the acting director of national intelligence all signed the joint statement, as did the heads of the FBI, U.S. Cyber Command and NSA and CISA. They also stressed the citizen's role in rejecting disinformation. Know where and when to vote; know what the issues are; and know what identification will be required at the polls. And they commended state and local election authorities to voters as the best source of reliable information.
Dave Bittner: [00:04:54] That joint statement resonated this morning at the Cyberspace Solarium meeting we attended. The commissioners, especially Senator Angus King, independent of Maine, gave the government's warning and advice about election security a big thumbs-up. Senator King compared what was happening with respect to election interference to like cyber jiujitsu - a yin, soft-style attack where the opposition uses our strengths - like freedom of speech and democratic processes - against us. The Cyberspace Solarium is a presidential commission tasked with developing, in outline, a U.S. strategy for operations in cyberspace. Its historical model, name-checked in the commission's title, is the original Solarium President Eisenhower convened in 1953 to develop a U.S. strategy for the new and unfamiliar nuclear-armed world.
Dave Bittner: [00:05:42] The Solarium produced the New Look strategy of nuclear deterrence and recommended containment as the central U.S. goal during the Cold War. That is, patiently wait for the Soviet Union's problems to cause its decline and fall, and in the meantime, avoid a devastating global hot war. This morning's session in Washington, D.C., was an election-focused preview. We'll know later this month what the Cyberspace Solarium's recommendations proved to be. This morning's session wasn't a full report, but it offered a perspective on election security appropriate to Super Tuesday. Nina Jankowicz of the Wilson Center discussed Estonia's experiences with a comprehensive Russian cyber campaign in 2007. She described ways in which the U.S. might look to other countries' experiences with Russian cyber operations and draw lessons that could be applied to attempts to interfere in U.S. affairs.
Dave Bittner: [00:06:34] CISA director Christopher Krebs came to the session from a briefing about last night's tornadoes in Nashville. He thought it worth pointing out that there were significant commonalities between cyberattacks and natural disasters. Election officials have contingency plans in place for disasters. The job of election officials is to prepare for every possible scenario, and they do it well, he thought, as the Nashville disaster shows. The tornadoes should also remind us that those officials' focus is much broader than cybersecurity and that CISA functions as an assistant to help augment their capabilities in cybersecurity.
Dave Bittner: [00:07:11] Our own chief analyst, Rick Howard, was in attendance, and he files this report.
Rick Howard: [00:07:15] There's good news and bad news from the Cyberspace Solarium's election preview. First, the good news - the feds and the states have made huge investments in election security with over 300 million invested since 2016, and election infrastructure has improved across the board. Both the NSA and DHS are working closely together this time around, as opposed to the 2016 elections. And, according to Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency at DHS, the nation is the most prepared we have ever been for the upcoming 2020 elections. He said that 90% of all state election systems have paper audit trails, including all of the swing states. And finally in the private sector, Facebook is taking down over a million fake accounts daily. All that is very positive.
Rick Howard: [00:08:03] The bad news is that we still have a lot of work to do. And as we like to say around here in the inner sanctum of the CyberWire, this news is less than fully successful. Because of the states' constitutional responsibility for conducting elections, it's difficult for the feds to mandate any improvement. Eight states have moved to all-digital systems, and they need to come up with a paper audit trail of some kind in time for the 2020 elections. Our focus has been on voting systems, but the political campaigns themselves don't get much help and aren't that interested in what they're offered. They use every dollar they have to get their candidate elected. Cybersecurity is not just the second priority. It is the last priority.
Rick Howard: [00:08:44] Panel members were clear that it wouldn't take much for outside influencers to cause distrust in the election process, especially if they focus on the swing states and maybe on as few as 10 counties in those states. The Election Assistance Commission seems broken, also. Established through the America Vote Act of 2002, the commission has no cyber expertise, lots of unfilled positions and little authority. Congress passed a law prohibiting foreigners from supporting elections back in 1971 before there was an internet, so that law needs to be updated to abolish a loophole that allows them to buy ads on social media platforms today.
Rick Howard: [00:09:21] And finally, hacking is not the same thing as influence operations, and we have been able to do very little to limit the impact of these kinds of operations in our election process. The Solarium's official recommendations report comes out next week, and I can hardly wait to read them.
Dave Bittner: [00:09:37] That's the CyberWire's chief analyst, Rick Howard.
Dave Bittner: [00:09:41] The U.S. Department of Justice has published advice about how to collect intelligence in cyberspace and stay on the right side of U.S. federal law. The department notes that, quote, "When properly conducted, such activities can improve organizations' cybersecurity readiness and help prepare them to respond to cybersecurity threats effectively and lawfully," unquote. They boil their advice down to two overarching themes; don't become a perpetrator, and don't become a victim. Typically, passively gathering information is perfectly legal.
Dave Bittner: [00:10:11] But avoid, they say, accessing any online forum without authorization or surreptitiously intercepting communications on such a forum. Don't assume someone else's identity without their consent. Using a fake online identity, by itself, isn't usually a violation of federal criminal law, but when your fake identity is someone else's real identity, that becomes a problem. You'll find the whole thing on the Justice Department's website. That's justice.gov. Look for "Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources." It just rolls off the tongue.
Dave Bittner: [00:10:49] It's fair to say the role of CISO has become more stressful in the past few years with greater responsibilities and more accountability to the board of directors, not to mention an ever-increasing menagerie of security tools and services to keep track of. Security firm Nominet recently published new research on CISO stress, and their own Stuart Reed joins us with their findings.
Stuart Reed: [00:11:11] Well, this is our second annual report from Nominet, and what we wanted to do is really look at well-being issues from a cybersecurity standpoint, really looking at the humanistic aspects of cybersecurity, which to many people is typically considered really a digital problem. But certainly, there's a lot of human aspects that go into a mature cybersecurity policy. And we wanted to really focus in on some of those professionals, particularly from a CISO perspective, and understand how that may impact them, their lifestyles and their working lives.
Stuart Reed: [00:11:51] One of the things that was fairly consistent, I suppose, with the report that we carried out last year is that 9 out of 10 of those CISOs that we spoke to have experienced some level of stress. I think what's really changed this year quite significantly, actually, is the impact of that stress. So, for example, we spoke to the CISOs in our report last year, and about 27, 28% of them felt that their workplace stress was having an impact on their mental health. This year, when we were asking a similar question, that number is nearly half of everyone we spoke to, so that's roughly in at 48% now. So there really is a number of influences and impacts that perhaps have come in over the last 12 or so months. And so, you know, in this context, it's understandable that CISOs are feeling a lot of pressure.
Dave Bittner: [00:12:43] Yeah. It's an interesting insight because I can imagine some people saying, well, you know, this is a high-level role. You're probably well compensated. Of course, there's going to be stress with this job. That's the effect of any C-level position. So, you know, what are you complaining about? You - this is what you signed up for.
Stuart Reed: [00:13:04] Yeah. And I think that that is one of the reasons that Nominet conducted this research is really to help shine a light and to ask those thought-provoking questions and to perhaps challenge some of those things as well. I think what we've seen here from our CISO report, though, is that of the CISOs that we spoke to, the average tenure of a CISO appears to be just over two years. And so when you consider the need to understand the legacy infrastructures, the decisions that have been made by the previous incumbent of that role - you then got to build a new strategy; you then got to implement it; you then got to test it and evolve it over time - it's a pretty tall order for a new CISO coming into a role for them to leave in just over two years. And I think when you compare and contrast that, clearly people, particularly from a tech perspective, are perhaps more transient in their roles anyway.
Dave Bittner: [00:13:56] Well, what are the take-homes from the report? What sort of advice would you have for organizations who want to do a better job with this?
Stuart Reed: [00:14:04] Well, I think there's a couple of aspects here. So I think the first one is that there still needs to be this notion of a - more of a collective responsibility as far as cybersecurity is concerned. It does still seem that there is a bit more of a solid approach that the CISO is purely responsible for everything that they're doing from a cyber perspective, and the spotlight is on them. And I think that really what we need to work towards is a notion of that collective responsibility or a culture of shared responsibility as far as good cybersecurity or cybersecurity hygiene is concerned.
Stuart Reed: [00:14:39] I think, also, as far as stress is concerned, it's worth noting that, you know, CISOs are where we focused our report, and, clearly, there is a huge amount of evidence from that report that CISOs are feeling particularly stressed. But it is also worth noting that, you know, employees more generally may be feeling the impacts of stress. And I think that it's important for employers to recognize some of the telltale signs of their employees perhaps feeling a little bit stressed. There's an opportunity for employers to look at what more perhaps they could do from an employment perspective that maybe they're not doing already.
Dave Bittner: [00:15:23] That's Stuart Reed from Nominet.
Dave Bittner: [00:15:26] Finally, we've long regretted the lack of good animal names for U.S. threat actors. It's a matter of national pride. But some Chinese sources are calling the group behind the alleged CIA Vault 7 material Rattlesnake. And it occurs to us that here in the land of the pit viper, Rattlesnake isn't bad. Other pit viper names you might use include Copperhead, Diamondback, Sidewinder and Cottonmouth. Feel free to modify them with appropriate adjectives - Sweetheart Cottonmouth, Clever Diamondback, Outstanding Copperhead, Bodacious Sidewinder. You're welcome. But don't tread on them.
Dave Bittner: [00:16:09] And now a word from our sponsor, ObserveIT - a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:17:02] And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, great to have you back.
Ben Yelin: [00:17:11] Good to be with you, Dave.
Dave Bittner: [00:17:12] We have spoken over on "Caveat" about the big telecommunications companies - your Verizons, your T-Mobiles, your Sprints, your AT&Ts - getting in a bit of hot water selling location data. Turns out that they've attracted the attention of the FCC.
Ben Yelin: [00:17:28] Yeah. So the latest development is that the FCC has sent an official legal notice to the major telecommunications companies - AT&T, Sprint, T-Mobile and Verizon - warning them that they're going to have to pay hundreds of millions of dollars in fines. These are what are called notices of liability. So this, in and of itself, doesn't compel the companies to hand over a fine. It sort of starts the process. And these companies have the option of appealing and almost certainly will. At issue is the fact that these telecommunications companies, by the nature of collecting business records, can very neatly track where we go because wherever we are, our cellphone naturally pings the closest cellphone tower. These companies can track our location.
Dave Bittner: [00:18:11] Right.
Ben Yelin: [00:18:12] And these telecommunications companies have been selling that information to third parties. Of course, you know, as we've talked about in our podcast and on this podcast, that information's extremely valuable, extremely useful. If you know that I'm in a certain neighborhood every Wednesday afternoon, then I'll start seeing advertisements for a cafe in that neighborhood.
Dave Bittner: [00:18:32] Right. Right.
Ben Yelin: [00:18:33] So obviously, this...
Dave Bittner: [00:18:34] Or perhaps if I went to a health clinic or some religious organization or something - yeah.
Ben Yelin: [00:18:38] Yes. You can imagine it being, you know, even more personal.
Dave Bittner: [00:18:42] Right.
Ben Yelin: [00:18:43] The tech companies seem to have promised the Federal Communications Commission that they would cease this practice, but an investigation spearheaded by the head of the FCC and Senator Ron Wyden, who is a prominent civil libertarian in the Senate, seems to have indicated that they were still engaging in this practice. And as a result, they've been sued. So separate from the potential fines at issue here, they're facing a lawsuit for selling this data. So, you know, my guess is, if there's enough evidence out there that these companies were warned to cease this practice and they were not, then they would be facing pretty hefty fines from the FCC. The FCC has pretty broad enforcement authority.
Dave Bittner: [00:19:25] Yeah. That was what I was going to ask you, is, how does this play out with the FCC? Can the - does the FCC have the ability to just say, you know, give us this amount of money, and it's this amount of money, and then what happens next? Does it eventually end up in front of a judge?
Ben Yelin: [00:19:40] It could. It depends on the circumstances. So just like, you know, any sort of administrative procedure, an enforcement action coming from a federal agency - it is subject to judicial review. Courts are generally very deferential to the agencies themselves. You know, and you can see that because the FCC issues hundreds of fines for subjects ranging from indecent material to, you know, stuff like this - violating consumer privacy. So while it certainly would be eligible for judicial review, I don't see any reason based on the evidence we have now that we would see judicial review in this case.
Dave Bittner: [00:20:17] And for folks who are concerned about civil liberties, this is probably good news.
Ben Yelin: [00:20:23] Absolutely. You know, one of the ways we hold companies accountable for bad behavior is through regulatory action. And if the fines that are levied are enough to disincentivize this type of behavior, then it's going to be very valuable for consumers who are concerned about privacy. So we know this is going to be a very large fine, somewhere in the realm of hundreds of millions of dollars. And, you know, hopefully, that will be enough to disincentivize the behavior on the behalf of these telecommunications companies. If, you know, the fines levied against them are more than the potential profit they'd get from selling this location data, then they'll have an incentive to stop selling the location data.
Dave Bittner: [00:21:04] Right. Right.
Ben Yelin: [00:21:05] So, you know, I think that's what the FCC is doing. And the FCC has been criticized over the past several years from members of Congress and from the general public of not being tough enough on these telecommunications providers when it comes to personal data. So this is a major step in the right direction in that regard.
Dave Bittner: [00:21:25] All right. Well, Ben Yelin, thanks for joining us.
Ben Yelin: [00:21:27] Thank you.
Dave Bittner: [00:21:33] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the thecyberwire.com. And don't forget; you can get the daily briefing as an Alexa flash briefing, too.
Dave Bittner: [00:21:42] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:21:54] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.