What are the adversaries’ goals in election interference? A case study in the ransomware-as-a-service market. Untangling TikTok, as the clock ticks toward September 15th.
Dave Bittner: The U.S. Office of the Director of National Intelligence has released an appreciation of the goals of election interference among three principal U.S. adversaries - Russia, China and Iran. Anomali offers a look at the ransomware-as-a-service market with its research on Smaug. The CyberWire's Rick Howard continues his exploration of incident response. Andrea Little Limbago from Interos on cyber regionalism. And the tangles that need to be untangled in the TikTok affair, with a deadline looming less than a month from now.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 10, 2020.
Dave Bittner: The U.S. Office of the Director of National Intelligence on Friday released a statement on election interference. NCSC director William Evanina says that Russia, China and Iran are all interested in various forms of interference. Briefly, China dislikes President Trump, whom it regards as unpredictable, and wants him out so that he can't, in Beijing's view, continue to damage Chinese interests. Iran also dislikes the incumbent and sees the prospect of his reelection as likely to mean increased pressure on the Islamic Republic, and pressure that would be designed to bring about regime change in Tehran. Iran also has a more general interest in undermining U.S. institutions, the statement says. Russia has been busy denigrating former Vice President Biden, whom Moscow sees as dangerously connected with Ukraine, and with the Obama administration's disapproval of Russia's armed slow-motion reengorgement of that country. He's also seen as part of an anti-Russian establishment. So China and Iran trend blue, Russia red. The returns from Pyongyang aren't in yet.
Dave Bittner: Cybersecurity and Infrastructure Security Agency director Christopher Krebs commented on the ODNI statement, praising the intelligence community for its contributions to transparency, declassifying and sharing intelligence in ways CISA thinks likely to contribute to election security.
Dave Bittner: Director Krebs said, quote, "we have long said Russia and other nation-states are targeting our elections. We knew this to be true in 2016. We know it's true today. And we know they will continue to attempt to interfere. While motives may vary, one thing is consistent. They are attempting to interfere in our democratic process," end quote.
Dave Bittner: Security firm Anomali this morning published its analysis of Smaug ransomware, recently hawked in criminal-to-criminal markets as a ransomware-as-a-service offering. Simple and lacking some of its competitors' functionality, Smaug offers a clean user interface, tech support and a respectable range of ransomware services, from encryption to payment to decryption. Customers are forbidden from infecting targets in the Commonwealth of Independent States - CIS, the former USSR - but that can be accounted for by its hosting on a forum that prohibits operations against the CIS. The exclusion isn't decisive evidence of CIS origin.
Dave Bittner: Wherever Smaug came from, it probably didn't emerge from the English-speaking world. The threat actor's original posts were in non-native English - legitimately broken English, not the phony, facetious lingo of, for example, Shadow Brokerese - and the proprietors advertised at the time for an English-speaking developer. The English in the dashboard and the ransom note is much better. So halting English, and so probably not from an anglophone country, although recent expertise with secondary education in - oh, let's just pick any country at random - the U.S. gives one a little bit of pause.
Dave Bittner: Smaug seems to be a market failure. Its proprietors have been led to offer it at a discount during a trial period. And in mid-May, the forum that had hosted the offering froze the threat actor's activities for evidently failing to deposit $8,000 in escrow. The research is interesting for the insight it provides into the workings of the cyber underworld.
Dave Bittner: According to NPR, TikTok is considering litigation against the U.S. government in the hope of overturning last week's executive order that would kick the social platform out of the U.S. entirely. A suit could be filed in the U.S. District Court for the Southern District of California as early as tomorrow. And NPR speculates that the grounds of TikTok's challenge would be that the president's findings of fact are thin, that the order violated due process and that moreover he lacks the authority to do what he did.
Dave Bittner: Such a suit seems unlikely to succeed on any of these grounds, and TikTok can't count on much political support. The executive order is directed against TikTok as a threat to users' data and as an actual or potential tool of Chinese intelligence. Bipartisan suspicion of Chinese data collection is now so deep that it would be difficult for TikTok to maintain plausibly that it wouldn't share user data with Beijing's intelligence and security services, especially when Chinese law seems to require that companies based there do so on demand. In any case, the U.S. Senate last Thursday unanimously voted to ban TikTok from all government-issued devices.
Dave Bittner: Microsoft's possible TikTok acquisition would be technically challenging, Reuters reports. TikTok shares a significant amount of code and resources with its ByteDance corporation sister Douyin, a social platform available only in China. Carving TikTok out from its dependence on such shared resources is likely to be not impossible, but surely difficult. Doing so without damaging what observers think is TikTok's distinctive advantage, its recommendation engine that meretriciously keeps users coming back for more, is part of that challenge, although the engine itself is believed to be unique to TikTok and not shared with other platforms. Another challenge the mooted acquisition faces is that it requires a geographical disentanglement as well. Microsoft is said to be considering acquiring not TikTok as a whole, but only its operations in four of the Five Eyes - the U.S., Canada, New Zealand and Australia.
Dave Bittner: There apparently are, or have been, other suitors for TikTok. The Wall Street Journal says that Twitter has been in talks with the ByteDance-owned social platform. The House of Dorsey is viewed as a dark horse competitor. It doesn't have Microsoft's cash, for one thing, and so any acquisition would have to be highly leveraged. On the other hand, of course, Twitter's already in the social business game, so it's got that going for it.
Dave Bittner: CNBC thinks Netflix should look at TikTok because the movie and television service's big competitive threats aren't so much direct competitors like Disney+, but rather what Netflix calls substitution threats. That is, other ways of spending your time receiving amusement, which apparently come down to gaming, watching other people game and looking at stuff on your phone. So, kids, if you're so taken by the Fortnite Charleston, at least put the controller down, get up off the couch and do some dancing on your own.
Dave Bittner: And it is my pleasure to welcome Rick Howard back to the show. Rick Howard is, of course, the CyberWire's chief analyst and also our chief security officer. And he is the host of the "CSO Perspectives" podcast, which you can find over on CyberWire Pro. And this week, Rick, you are continuing your exploration of incident response. Share with us where you're headed today.
Rick Howard: That's right, Dave. And we spent the last two episodes talking about that. And, you know, in a nod to the old adage you can't teach an old dog new tricks - yeah - I may be the exception to the rule because I think I may have learned something new this week. Now...
Dave Bittner: OK.
Rick Howard: OK. It's a shocker, I know.
Dave Bittner: (Laughter).
Rick Howard: I think I know everything. So when I invited some of the CyberWire's pool of experts to sit around the Hash Table with me this week and we discussed incident response, I expected that we would be talking about some of the technical things that the infosec team had to consider during a crisis. But what every Hash Table expert jumped to immediately was, how do you plan and execute the escalation process? How do you get everybody into the groove about what's going on? Because, you know, Dave, at a certain point, you are no longer investigating a potential breach but managing a company crisis due to a real, honest-to-goodness compromise that may materially impact your organization.
Dave Bittner: Yeah.
Rick Howard: So when that happens, you get all kinds of people coming in to help - and I'm using, you know, air quotes around the help part here...
Dave Bittner: (Laughter).
Rick Howard: ...Like, you know, the CIO and the IT team and the lawyers and the risk people and the business continuity people and the business unit general managers. And the question is how do you keep that bag of often differing viewpoints all moving in the same direction in times of high stress and no time to think about it? And, you know, I worked on this problem for many years. And it turns out, like most things in cybersecurity, there is a framework for this. So have you ever heard of the DACI model before?
Dave Bittner: I don't think so.
Rick Howard: So it's a decision-making framework. OK. It was developed by the Intuit company. They improved an earlier version of it called the RACI model. That's RACI with an R. The DACI acronym spells out what it does. So D, as in the driver, this is the person who organizes the potential decisions. A - that's the approver. This is the one making the decisions. C is the contributors. These are the people doing all the legwork to figure out what we need to do. And I is the informed, the people that will be impacted by whatever decisions we make. And it turns out this is something you can use for all kinds of big projects, but especially incident response.
Rick Howard: And one of the experts at the Hash Table this week is Steve Winterfeld. He is an old Army buddy of mine and is currently the advisory CISO for Akamai. But he is a huge advocate of the DACI-RACI model.
(SOUNDBITE OF PODCAST, "CSO PERSPECTIVES")
Steve Winterfeld: I think one of the best tools out there to map out those roles in responsibility is a RACI. And a RACI, if you haven't seen one, is a spreadsheet that talks about, on the left, who is going to be doing it and, on the top, what is going to be done. Reverse those if you want. And then you're going to talk about, you know, is this person for this task responsible, accountable, consulted or informed?
Steve Winterfeld: When I build my RACI, only one person could be responsible, multiple people can be accountable, consulted or informed. And then, you know, you broke that out to different stakeholders for, you know, legal and public relations and, you know, leadership and all of these. And then - and, you know, deciding if there is a breach and deciding to go public and making the public announcement. So that's just a way to organize everything. So in one graphic, you can tell who's supposed to do what.
Rick Howard: All right, so there you have it.
Dave Bittner: Yeah.
Rick Howard: I've been trying to manage the escalation process my entire career and didn't know that a framework even existed. So there you go - even an old dog can learn new things.
Dave Bittner: Well, congratulations. Going to be a nice, little scratch behind the ears there for you, Rick. But how - does a framework like this also help keep people in their lanes? Because I can imagine in an emotional situation like this - like you said, you put air quotes around help. And I think part of this has to be the discipline for people to contribute in the ways that they are trained and their areas of expertise, despite having the impulse to want to help out with everything.
Rick Howard: Yeah, and it does, right? And it helps out in a number of different ways. During the crisis, you don't have to be remembering, you know, what you said you were going to do two years ago or the last time you thought about it. It's a simple spreadsheet. So you can just see who's responsible for everything. It's also really good for exercises, right? When you practice this, I guarantee you that what you thought was going to happen is not going to happen during the exercise. So you bring that in, the DACI chart in, and say, oh, we thought it was going to be this; now it's going to be this other thing. So it's a way to keep it fresh and on everybody's mind. So yeah, I wish I would've had it, like, 10 years ago. My life would have been easier.
Dave Bittner: Right. Fair enough. Well, it's "CSO Perspectives." It's part of CyberWire Pro. You can check it out on our website - thecyberwire.com. Rick Howard, always a pleasure.
Rick Howard: Thank you, sir.
Dave Bittner: And joining me once again is Andrea Little Limbago. She is the vice president of research and analysis at Interos. Andrea, it's always great to have you back. I wanted to touch today on this pattern we're seeing when it comes to regionalism and sort of contrast that against the - you and I have talked about this notion of the splinternet, of nations sort of breaking away from the global internet and putting a virtual wall around themselves. Where are we finding ourselves these days when it comes to those two elements?
Andrea Little Limbago: Yeah, and thanks for having me. It's always fun to chat with you. So we're seeing the divisions continue to grow, is - would be the simplest way to put it. And it really is - you know, the splinternet for a while was something that - you know, it was almost one of things that you - you know, we - thought about with something, a future component. But, you know, what's really going on - I mean, it's really already here. And whether you think about, you know, how certain websites look or what you have access to depending on where you sit is only, you know, one component of it.
Andrea Little Limbago: But it's really - where we're seeing it going is even more so into well beyond what data you have access to and what you can explore and to, you know, what the tech stacks are going to be built on. And that's where I think sort of the bigger changes are we're starting to see, is that you're seeing both on the fracturing of the internet but also fracturing of the software stacks and the hardware that's being - that will be driving these technologies from different countries. And so it's even - you know, from a splinternet - I feel like is evolving into more of a - two different techno spheres that kind of, you know, encapsulates the broader divisions that are going on on the technology front, but also encapsulating the internet divisions.
Andrea Little Limbago: And so it really is very much so along geopolitical lines, and, you know, it's something we've talked about in the past, you know, with the rise of digital authoritarianism. And so the use of - you know, by the various authoritarian leaders to leverage the internet for internet control and leveraging the technology for that, albeit from a surveillance state to disinformation to, perhaps, enabling some sorts of backdoors through various kinds of technologies. There's really a broad range of tools that the digital authoritarians are using, and so that continues. And that's, you know, largely driven by the Chinese model, the Russian model. And that's permeating through to different countries across each of the regions across the globe.
Andrea Little Limbago: And for a while, there wasn't much of a democratic model until lately. On the one hand, as far as where privacy is concerned, Europe's GDPR was basically the main global counterweight as far as how to protect data. But that's starting to emerge. And so the example that I'm keeping an eye on and want to - that I think might be indicative of emerging democratic collaboration would be the pact the U.K. pushed forward about a month ago, I think, on, you know, creating a 5G pact to help strengthen the trust within supply chains - the technology supply chains, or the digital supply chains, if you will - and ensuring that the technologies building into those digital supply chains are from trusted countries. And so, you know, the focus for that is to reach out to, you know, coordinate with 10 democratic countries and, one, release reliance on various Chinese technologies that may be untrusted, but then also to build up their own domestic capabilities as well.
Andrea Little Limbago: And on days that I'm hopeful in this area, a lot of it focuses on that kind of collaboration that we're starting to see across democracies in trying to create more of a trusted environment to at least, you know, head toward some of those aspirations of what the internet was supposed to be as far as free-flowing information but still having - you know, maintaining some security within it.
Andrea Little Limbago: And so we'll see what happens with that, but I think it's also a nice counterweight to, you know, the rising economic nationalism that we see and, you know, concerns about, you know, every country going off on their own, which is not the best way to, you know, handle all the global challenges that we have right now.
Andrea Little Limbago: So I think we will hopefully, you know, continue to see some more collaboration in that area, and I think that will be an interesting trend to keep an eye on and could have a very large impact to counter some of the more negative trends that we're seeing going on in cybersecurity.
Dave Bittner: I mean, is it fair to describe it almost as like a recoil, a reaction of - I feel like, in some ways, things were rolling along and, in a way, the democracies sort of took their eye off the ball for a little while as so many of the benefits, things we got used to with the connectivity of the internet and global commerce and all those sorts of things and the exchange of information. And then it's sort of been, like I say - a recoil is the image I have in my mind. Is that a fair description?
Andrea Little Limbago: Yeah, I think it is. And I think it's also that, you know, whether it's a recoil or whether - I mean, I like the analogy of even taking the eye off the ball. I mean, really, for quite some time, it was just assumed that the internet would provide - you know, only had, you know, good ends and means going along with it.
Andrea Little Limbago: And if you think about - especially if you think about the Arab Spring now, you know, almost a decade ago...
Dave Bittner: Right.
Andrea Little Limbago: Or in some cases, you know, people looked at the Arab Spring and saw, look what social media can do. You know, it can give voice to people who didn't have a voice before. And there certainly was an element of that, and those are the aspirations on which the internet was built, but it ignored the fact that, oh, you know, these tools are also available to those who don't have good intentions and can also be used for suppression and through disinformation and actually to crush those same voices. And so that dual-use nature of the internet, I think, was just ignored.
Andrea Little Limbago: And so, you know, in some regards, you can say maybe the 2016 U.S. election was some level of a wake-up call for democracies. But, you know, even then, Russia and other countries have been interfering in elections for, you know, years before that and continue to do so. So democracies, I think, really are just starting to see how much their dependence on both technologies from other countries, but also on some of the - the fact that they hadn't built in some of these guardrails, you know, that's where the norms and the policies come to place. But they kind of just forgot about building some of those.
Andrea Little Limbago: And at the time, for a while, you know, especially if you think about norms and cyber norms and the proper rules of the road for behavior in that, you know, there were plenty of efforts that went through the U.N. over the last decade. And they basically fell apart due to these divisions that, you know, I was talking about as far as Russia and China and, say, Cuba on one hand and then democracies on the other. And I think that was one of - looking at those norms discussions are almost a precursor to where we see things going now. And the difference is, it's not just, you know, a discussion at the U.N. It's actually - we're seeing it play out through the technologies that we have and through the data that we have access to, and just how governments are handling themselves.
Dave Bittner: Yeah, it really is fascinating to watch. It's interesting times, for sure. Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: All right. Thank you.
Dave Bittner: If you will forgive me a bit of bragging on behalf of our CyberWire team, I am pleased to share that over the weekend, we passed 30 million total downloads for our main CyberWire podcast feed. You all have been downloading episodes at a rate of over a million per month for the past nine months, and all of us here are honored that so many of you all over the world find our work valuable and choose to join us every day. So a heartfelt thanks.
Dave Bittner: For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.