The CyberWire Daily Podcast 8.6.20
Ep 1146 | 8.6.20

US Clean Network program outlines measures against Chinese operations. $10 million reward offered for info on election interference. Australia’s cyber strategy is out. Grand larceny and petty lulz.

Transcript

Dave Bittner: The U.S. announces five new lines of effort for the Clean Network program, and none of them are exactly mash notes for Beijing. The U.S. is also offering rewards of up to $10 million for information about foreign computer crimes aimed at interfering with U.S. elections. Australia's new cybersecurity strategy is out. Maze may have hit Canon. Rob Lee from Dragos addresses speculation of an ICS supply chain back door. Our guest is Theresa Lanowitz from AT&T Cybersecurity on 5G security threats to businesses. And a bail hearing is disrupted by Zoom-bombing.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 6, 2020. 

Dave Bittner: U.S. Secretary of State Pompeo has announced five new lines of effort under the U.S. Clean Network program. These include Clean Carrier, aimed at disconnecting untrustworthy carriers from U.S. telecommunications networks, Clean Store, which would remove untrusted applications from U.S. mobile app stores, Clean Apps, intended to prevent untrusted smartphone manufacturers from pre-installing trusted apps in their own app stores, Clean Cloud, which would keep U.S. personal data and intellectual property out of adversaries' cloud services, and Clean Cable, which would ensure that undersea cables aren't compromised by hostile intelligence services. 

Dave Bittner: All these measures are directed at China, and the secretary's published announcement is quite explicit in this respect. Quartz calls it a new Great Firewall, and then, mixing its metaphors, a digital Berlin Wall. Great Firewall, OK, maybe, but not a Berlin Wall since the literal Berlin Wall was designed to keep people in, not to keep people out. The Secretary of State has invited friendly nations to participate in these lines of effort. 

Dave Bittner: The U.S. State Department is also offering bounties of up to $10 million under its Rewards for Justice program for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities. The tone of the announcement suggests that Foggy Bottom is more interested in hackers than it is in influencers. The text says, quote, "persons engaged in certain malicious cyber operations targeting election or campaign infrastructure may be subject to prosecution under the Computer Fraud and Abuse Act, which criminalizes unauthorized computer intrusions and other forms of fraud related to computers. Among other offenses, the statute prohibits unauthorized accessing of computers to obtain information and transmit it to unauthorized recipients." So they've got their eye on doxxing more than they do on trolling, although one imagines that if you had a hot tip that someone was working for a troll farm in St. Petersburg or Shenzhen, they'd be willing to listen to you. 

Dave Bittner: The offer has particular resonance given Fancy Bear's exercise in publishing the contents of Democratic Party emails in 2016, and, more recently, the conclusion British authorities have reached that one of the Bears was rooting through cabinet email accounts during the U.K.'s last general election. 

Dave Bittner: Australia's new cybersecurity strategy is out. It represents a shift towards what others have called a whole-of-nation approach, with much initial emphasis placed not only on federal responsibilities and on what can be done by state and territorial governments, but also on the contributions the government hopes to encourage and enable for private organizations and individuals. Thus the document contains a great deal about information-sharing, resilience and recovery. 

Dave Bittner: There's also evidence that Australia is interested in moving toward an assertive posture in cyberspace, with an explicit reservation of a right of retaliation within the context of international norms. The document says, quote, "Australia will continue to encourage the international community to act responsibly online, including by complying with existing international law, domestic law and norms of responsible state behavior. The Australian Government will ensure that Australia is not seen as a soft target and will continue to publicly call out countries when it is in our interest to do so. The Australian government will match its public statements with action through a range of targeted and decisive responses against unacceptable intrusions or activity in line with Australia's statement of principles on cyber deterrence. We work to actively prevent cyberattacks, minimize damage and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation. Our actions are lawful and aligned with the values we seek to uphold and will therefore be proportionate, always contextual and collaborative," end quote. 

Dave Bittner: One interesting sidelight is the strategy's awareness of the ways in which the COVID-19 pandemic has sharpened awareness of just how the national life - social, economic and political - has come to depend on connection through cyberspace. 

Dave Bittner: The 5G rollout continues at a rapid pace, globally and here in the U.S. The upgrade provides opportunities for security enhancements, for sure, but there are security concerns as well. Theresa Lanowitz is head of evangelism and communication at AT&T Cybersecurity. 

Theresa Lanowitz: So 5G is real. You know, I think a few months ago people would say, well, 5G is on its way. But 5G is here, and it's real. And if you look at 5G, these 5G standards are dynamic, as all standards are. Those 5G standards address the known 4G vulnerabilities. And 5G networks are really being architected with more security than any previous generation of network. However, when you look at that, businesses still have to be able to prepare for security threats, whether those security threats are existing threats or new threats. And those businesses have to be able to adjust their cybersecurity policies and cybersecurity practices accordingly. 

Theresa Lanowitz: So if you think about what 5G is going to allow with its ultra-low latency and high bandwidth, it's going to say, all right, IoT is going to be real. So we're going to have that expanded attack surface because we're going to have all of those IoT devices now connected to the network. But that expanded attack surface means there are going to be opportunities for new threats to emerge, as well as for the proliferation of those existing threats that we may not necessarily have gone back and patched. So, ultimately, what has to happen with cybersecurity and 5G is security needs to be dynamic, and it needs to be automated in order to really accommodate the scope and the potential speeds of those 5G networks. 

Dave Bittner: You know, there are a handful of the large mobile service providers who are going to be implementing this, who are making the investments on this infrastructure. And, certainly, you know, AT&T is one of them, is one of the largest. How do you recommend that organizations reach out to educate themselves, to find out how they can best leverage this new infrastructure that's going to be part of our day-to-day lives? 

Theresa Lanowitz: You know, there is a wealth of information out there about what 5G is. But you also have to look at it and say, how is 5G going to work with my existing security practices, or do I have to modify my existing security practices? So it comes down to, from the data inside of our research that we did, 25% of participants believe that their current security policies will be effective under 5G. So that's a fairly low number. Fifty-three percent think that they're going to have to make some adjustments. So they're saying, you know, we're in pretty good shape, but we're going to have to go back and make some adjustments to adapt to 5G. And 22% said they expected their security policies will need to be completely rethought. And so I think, as organizations continue with their rollout of 5G, they have to really make sure that their cybersecurity team is involved with what is happening with the rollout of 5G. 

Dave Bittner: That's Theresa Lanowitz from AT&T Cybersecurity. 

Dave Bittner: BleepingComputer reports that Canon, the Tokyo-based multinational imaging and optics firm, has been hit with Maze ransomware, and a number of its internal services appear to have suffered disruption. 

Dave Bittner: The Maze gang contacted BleepingComputer and claimed responsibility. They also claim to have obtained 10 terabytes of company data, which they intend to release if they're not paid the ransom they've demanded. 

Dave Bittner: Claims by criminal gangs should always be received with an appropriate degree of skepticism, but in this case Maze may indeed have what they claim. Canon says it's investigating. 

Dave Bittner: And, finally, in what seems an almost inevitable development, yesterday's bail hearing for accused Twitter hacker Graham Ivan Clark before the Hillsborough County, Fla., court was held remotely by Zoom. Master Clark was seeking a reduction in his $725,000 bail. You'll never guess what happened - really. Come on; try. What do you think happened? You know you want to guess. OK, we'll tell you. The Tampa Bay Times says that the court session was Zoom-bombed by cyber funsters who displayed adult content on everybody's screens until the judge could step in and suspend the proceedings. The story has attracted international attention, with the Telegraph, a British paper, taking specific notice that the content came from Pornhub. Apparently a lot of reporters were on the Zoom call, and far too many of them sniffed that they found the adult content relatively tame. We don't know whether that says more about the Zoom-bombing or about what reporters do in their off-hours. You decide. But it seems to suggest that they're seasoned critics of the genre. What happened with bail? Don't know. That part of the story somehow got lost in the Zoom-bombing sauce. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to talk to you. I saw some interesting stuff coming by about some speculation in the ICS community that there might be some vulnerabilities, and I believe it was in transformers. And, boy, the media really ran with this story. And you jumped in and sort of said to folks, hey, not so fast. You know, don't - let's not get carried away here. Can you give us a little bit of the background as to what was going on? 

Robert Lee: Yeah. So there is a lot of things converging and accidentally getting conflated. And so it's understandable where people would be confused with the story. But there are separate threads that if you haven't been drenched in the community of ICS and following that, again, it's understandable. So I don't want to make anybody feel bad. But yes, things are getting conflated. 

Robert Lee: So you have an executive order that came out from the White House talking about the criticality of getting control of our supply chain as it relates to our critical national infrastructure, starting with the bulk electric system. So electric power providers - and just understanding what's there and what's the risk. Part of that risk is adversarial. But part of that risk is also just delivery of the supply chain of if we, you know, lost a transformer due to any given physical event. If you have to wait six months on one to get delivered from China, adversarial or not, that's a supply chain risk. So there's that. That category - essentially what the EO was talking about was, hey, we need to take a look at this, and we need to understand what's going on. And we need to encourage U.S.-made parts going into our critical national infrastructure. It makes sense. Every - you know, many reasonable countries are doing this exact same thing. The U.K. is doing the exact same thing with the NCSC in different ways, but they're doing the same intent. 

Robert Lee: However, people then started twisting that EO and conflating it with other things. So first and foremost, a number of media sites jumped on and said, yeah, this is about China. No, it's not about China. Sure, there have been things with China before, and there are questions about Huawei and ZTE and similar, but it's not about them. Well, it's about Russia and Kaspersky. No, there's been comments about Kaspersky and so forth. That's not what this is about. It's about everyone. It's not any given country. Sure, there might be more concern from the adversarial side about things with, you know, China, Russia, Iran, et cetera, but the EO isn't about one topic. There's a lot of things that have gone into it. 

Robert Lee: But what you're referring to explicitly that really got things carried away is a gentleman in our community, Joe Weiss, who's a very well-respected ICS security person who's been around this community a very, very long time, he made a very sensational claim that the EO was tied to the seizure of a transformer coming from China, that the Department of Energy seizes this transformer because of an event at - and he named the utility, Western Area Power Administration. He named WAPA and said WAPA found hardware backdoors in a Chinese transformer. DOE seized it. EO came out to have a reaction to this, and the hardware backdoors would allow China to remotely cause a destructive event on our key infrastructure like an Aurora event. And just in, like, that two sentences, you have, like, 15 years of lots of topics getting inflated.

Dave Bittner: (Laughter) OK. 

Robert Lee: And what I want to say here - and I want to remove it from Joe. Joe's a really good person who is well-known in this community and has been in this community for a long time, and he cares about things that a lot of the community aren't focusing on right now. I'm not so sure they're the right things. Like, I'm not weighing it one way or the other. But he's focused on things like sensor security, which isn't the conversation most of us are prioritizing or having, myself included. And so I wanted to look at it as unbiasedly as possible because I like Joe. And so I knew a lot of things were getting inflated. But the question is are - is that OK? Is the conflating of the topics OK? Is it getting to the right place? Let's just - you know, we're going to make investments in defense in the right ways anyway. Let's analyze this. 

Robert Lee: So Jeff and Tim Conway and I over at SANS, the SANS ICS team, we took a look at it. We contacted everyone we could in the community. We're very familiar with what you can do from an Aurora effect, which is actually a physics challenge. It's not a vulnerability in electric infrastructure; it's just a discussion of physics and electric power. We looked at that type of transformer and that type of equipment and what you could and couldn't do with it. I called around to the White House and DOE and executives everywhere, like, hey, what's going on - and got drenched in what really the EO is about and similar. And where we came out is very simple. 

Robert Lee: The - there's kind of multiple threads here. Thread No. 1 is that U.S. government has gone to electric power companies before and said, please don't use X product or X thing, and we're going to tell you this in a classified manner. But then those utilities can't do anything about it because it's classified. And even if it's not classified, they can't not include those vendors in a bidding process because they're public utilities usually, or they're at least beholden in some way to the Public Utilities Commission and they have to be able to show best price and similar. So what the request basically was that I think fed a real strong component of the EO was if you as a U.S. government think we shouldn't be doing something and you don't want us to do it, you have to give us something to be able to say no because we aren't able to right now. And so there's a thread of that. 

Robert Lee: There's another thread which is non-adversarial of, wow, we're losing control of our supply chain in a huge way, and that poses a national security risk even without anybody being malicious. We should bring back certain manufacturing jobs in the United States. We should bring back certain production of equipment that we need for national security purposes across bulk infrastructure. Let's look at that very critically. 

Robert Lee: Then there's another thread of we are worried about adversaries getting into these environments, especially through remote access. How are we going to deal with that? Then there's this seizure of the transformer that did take place but before it got to the utility. And we have no idea why. I have some guesses, but there's nothing to say that it was related - anything related to hardware backdoors. And there's nobody that's come forward with any insight, information or anything or know why any - you know, know why Joe would have any insight into it anyways. However, the claim being put forward doesn't match what you can technically do on that equipment and match what you technically can do in that environment. 

Robert Lee: So where we came to in the end was publishing this report - I think here in the next week or two - basically saying, in our analysis, if you want to go invest in security, here's the areas to focus on, which happened to do with, like, network security monitoring, segmentation, incident response plan - things we've talked about for a long time. But the claim that this hardware backdoor thing exists, we find no evidence for it, and there's been no evidence provided. So the burden of proof is on the person claiming it. What we further found is it's not tied to the EO at all and have pretty senior-level government conversations going on to validate, yeah, that has nothing to do with this. And there's just a general supply chain discussion going on anyway. So we kind of just unthreaded, you know, this sort of this ball that had gotten formed. And at the end of the day, without any offense to any of the people involved because they're good people, I think this was a lot to do about nothing. 

Dave Bittner: Yeah, yeah. All right, well, thank you for providing some clarity for us. Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.