The CyberWire Daily Podcast 10.30.20
Ep 1205 | 10.30.20

Ransomware epidemic during the pandemic. Cyber insurance and state actors. Cyberstalking. Don’t exaggerate election meddling. Reflections on National Cybersecurity Awareness Month.


Dave Bittner: Ransomware becomes endemic in the health care sector. Cyber metaphors - we read a good one this morning. Does your cyber insurance indemnify you against state-sponsored attacks? More guilty pleas in the ex-eBayers cyberstalking case. U.S. Cyber Command and others advise everyone not to see foreign election meddling where it isn't. David Dufour looks at the spookiest malware of 2020. Our guest is Travis LeBlanc from Cooley on the European Court invalidating the EU-U.S. Privacy Shield. And what do we make of National Cybersecurity Awareness Month as it recedes into our collective rearview mirror?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 30, 2020. 

Dave Bittner: This week's warnings about hospitals and ransomware continue to move organizations to higher levels of alert and to be borne out in reported attacks. 

Dave Bittner: U.S. public and private organizations - CISA, the FBI and the Department of Health and Human Services on the federal side and FireEye's Mandiant unit on the private side - have warned that organizations in the health care and public health sector are under an increasing threat from ransomware. The strains deployed are usually Conti and especially Ryuk. The perpetrators are Russophone gangsters, not spies.  

Dave Bittner: These particular gangsters get even worse press than such goniffs usually attract - "brazen," Ars Technica calls them. Others say despicable, conscienceless, loathsome. You get the picture. It's clear why they've attracted so much deserved odium. Attacks on the availability of health care are hateful in the best of times, and with the COVID-19 pandemic, these aren't the best of times.  

Dave Bittner: It's equally clear why the hoods are interested in hospitals. Data availability and privacy are at a premium, and the health care sector is under unusual pressure to knuckle under extortion. They can't always shrug off a successful attack when patient safety and privacy are at stake. 

Dave Bittner: Security Affairs says the hospitals in New York and Vermont have been the latest Ryuk victims. Both the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network have disclosed that they've sustained and are recovering from ransomware attacks. They're not alone. WIRED puts the number of ransomware attacks against hospitals in the dozens, and the Wall Street Journal quotes Charles Carmakal, chief technology officer at FireEye's Mandiant cybersecurity firm, as saying, quote, "most threat actors - they're explicitly not looking to hit hospitals. This group in particular has explicitly stated that they're going to hit hospitals, and they've proven it." He adds, "this is the most significant cyberthreat that I've seen in the United States in my career," end quote. 

Dave Bittner: While U.S. hospitals have been notably affected by cybercrime, it's not solely a U.S. problem. The Montreal Gazette reports that various targets in Quebec have been hit, including non-health care targets in the transportation and law enforcement sectors. Montreal's Jewish General Hospital has been hit with a cyberattack the hospital's administrator says wasn't ransomware, but his conclusion was based on the fact that no extortion demand had yet been received. 

Dave Bittner: We've heard a lot of metaphors about cybersecurity over the years. There's the Cyber Pearl Harbor and the related Cyber 9/11. There's the herd immunity metaphor for control of computer viruses. There's Cyber Moonshot, beloved of industrial research and development. 

Dave Bittner: But here's one that strikes us as not bad and worth thinking about. Cloudflare's COO Michelle Zatlyn offers an interesting metaphor as she looks at the future of cybersecurity. It's moving toward a "water treatment model," she told Business Insider's inaugural tech executive roundtable. 

Dave Bittner: It would be mixing the metaphor to point out that this seems especially true given the widespread move to the cloud, but she does seem to be on to something. 

Dave Bittner: The Harvard Business Review reminds business leaders that cyber insurance policies may have war clauses that exclude coverage for state-sponsored attacks. Since companies and private organizations are often the victims of state-sponsored hacking, they would do well to examine their policies for appropriate coverage. 

Dave Bittner: It's long been said that only people who legally wear badges and carry guns - that is, law enforcement and the military - are really interested in attribution. This piece reminds us that others, notably underwriters, can be closely interested in attribution as well. 

Dave Bittner: Two more former eBayers took guilty pleas yesterday in a Massachusetts cyberstalking case. A former senior manager of special operations for eBay's global security team and the former manager of eBay's Global Intelligence Center pleaded guilty to conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. This brings the total of guilty pleas to five. Two other former eBayers in the eCommerceBytes newsletter harassment case have yet to plead. 

Dave Bittner: Is there a downside to seeing too much foreign interference in these upcoming U.S. elections you may have heard about? Yes, various experts tell The Washington Post. The recent failed attempt by Iran to impersonate the Proud Boys in an evident attempt to discredit the campaign of President Trump by communicating threats to Democrat and other voters was an example of how tactics that seemed to have been effective in 2016 have fallen flat in 2020. 

Dave Bittner: U.S. Cyber Command's election security lead, Brigadier General Joe Hartman (ph), told the Post, quote, "my biggest concern is that we give a foreign adversary more credit than they're actually due," end quote. He thinks that social media platforms in particular have grown more adept at recognizing, exposing and taking down coordinated inauthenticity. General Hartman said, quote, "their platforms have been exposed. Social media companies have taken down their personas. In most cases, their personas have gained very little traction," end quote. 

Dave Bittner: And finally, National Cybersecurity Awareness Month is winding down this weekend in the United States. Did it have any effect? ESG's Jon Oltsik has an op-ed in CSO in which he laments the limited reach of the observance. He sees it as having traction mostly in universities and inside the Beltway and wishes for more public service programs to get people generally to pay attention. His recommendations surely place him on the side of the angels. Among other things, he calls for a visible public service campaign, like the Forest Service's Smokey the Bear, more kindergarten-through-12th-grade education in cyber and greater cybersecurity career awareness. 

Dave Bittner: We don't know much about this Smokey the Bear - sounds like he might work for Moscow - but maybe there's just too much competition for mindshare among the observances. We consulted our Public Awareness Desk, and they inform us that October has also been the month during which we've been asked to observe Eye Injury Prevention Month, Healthy Lung Month, Home Eye Safety Month, Filipino American History Month, Italian American Heritage and Culture Month, Polish American Heritage Month and National Pizza Month. 

Dave Bittner: The individual days are too many to enumerate here, but one of them just this week was Plush Animal Lovers' Day, celebrated this past Wednesday. 

Dave Bittner: So let's be realistic, friends. We are as into infosec as anyone, but how can cyber compete with pizza and Beanie Babies? 

Dave Bittner: My guest today is Travis LeBlanc from law firm Cooley LLC (ph). He's a member of Cooley's litigation department leadership team and vice chair of the firm's Cyber, Data and Privacy practice. He had the honor of being selected by the U.S. Department of Commerce and the European Commission as an arbitrator for the EU-U.S. Privacy Shield framework in 2017 and was unanimously confirmed by the U.S. Senate to the Privacy and Civil Liberties Oversight Board in 2019. 

Dave Bittner: We reached out to Travis LeBlanc for his insights on the European Court's recent invalidation of the EU-U.S. Privacy Shield. 


Travis LeBlanc: There was, prior to 2015 or so, a bilateral agreement between the United States and Europe that permitted the transfer of personal data about Europeans across the Atlantic to the United States. 

Travis LeBlanc: Safe Harbor was the framework that the United States had negotiated with Europe for a determination of adequacy. In 2015 or so, there was a decision out of the European Court of Justice, Schrems, now known as Schrems I. The case was brought by Max Schrems, who's an Austrian privacy activist. It was brought against Facebook and was challenging Facebook's transfer of data about Europeans to the United States and argued, largely in part, that the Safe Harbor framework was not an adequate protection under European law because the national security programs and activities of the United States government would require Facebook and any other company in the United States to permit access - to either permit it or to not have the ability to prevent access to - access by the United States government to the personal data of Europeans. 

Travis LeBlanc: In 2015, the ECJ says that the protections, due to the national security activities of the United States government, were not adequate. Many of these activities had been exposed by Edward Snowden, and that is what became the basis of the lawsuit and much of the decision. 

Travis LeBlanc: Shortly after that decision came down, the United States and the European Commission went back to the table to negotiate a new agreement that would permit the transfer of personal data about Europeans to the United States. That new agreement was called Privacy Shield. 

Dave Bittner: And so what are the main sticking points here? What's keeping us from coming up with something that everyone can agree on? 

Travis LeBlanc: Well, you know, by and large, the main sticking points are not the activities of the, you know, 5,000-plus companies that relied upon Privacy Shield. By and large, the concerns of the European Commission - I mean of the European Court of Justice are that there isn't a, you know, due process right for Europeans to challenge the exercise of the national security authorities of the United States government that there isn't a way to - that some of the authorities exceed the privacy right - the privacy rights as they see it of Europeans in particular. It really does go to national security. 

Travis LeBlanc: And the challenge after Safe Harbor was that the Privacy Shield framework did not come into existence along with substantial modifications to the intelligence authorities of the United States government. And so part of the negotiation will certainly be around, you know, what additional assurances the U.S. government can give as to the, you know, transparency and the limits of the authorities of the United States intelligence community. But I do suspect that without changes to those authorities, meaning changes by law, it's going to be quite difficult to get the ECJ on board. 

Dave Bittner: Yeah. It's interesting. Well, I mean, getting back to the Privacy Shield issue, how do you suspect this is going to play out? What do you see as some of the possible resolutions here? 

Travis LeBlanc: The Europeans and the Americans are already negotiating. We know that they've been quite transparent about the existence of the negotiations. We've seen an effort by the U.S. Department of Commerce to try and keep the Privacy Shield framework, at least nominally, in existence. For example, the Department of Commerce has announced that it's going to continue to process applications to join Privacy Shield. I personally am perplexed by that decision because, you know, the European Court of Justice and the data protection authorities over in Europe have made quite clear that they don't view the Privacy Shield as a valid framework. And so it's not clear to me why the Department of Commerce would want to keep that in play. But my best guess is that in the negotiations, the United States would seek to use the Privacy Shield framework as essentially a model for - or a basis for whatever comes next. 

Travis LeBlanc: I think the challenges that we really face right now, at least on the American side, what we have to do is give the Europeans the comfort that there is sufficient transparency and oversight of the intelligence community in the United States that they do not have to be concerned, you know, about the NSA, for example, breaking into Facebook. That's going to be a challenge. The United States did a lot in the negotiations around Privacy Shield to try to assuage Europe of these concerns. And so I think the challenge we're going to face is identifying who in the intelligence community in the United States is going to go to the table with the Europeans and whether we will need to make any changes to the authorities of the ombudsperson, the authorities of the Privacy and Civil Liberties Oversight Board. 

Travis LeBlanc: So there's a lot on the table. And it is apparent that the Department of Commerce alone won't be able to make all the assurances that are necessary, but that the intelligence community, or at least some component of it, will have to be at the table as well as it was in the negotiations after Safe Harbor and that put in place Privacy Shield. 

Dave Bittner: That's Travis LeBlanc from Cooley. You can hear our full interview over on the "Caveat" podcast, and it's also available in our Interview Selects as part of CyberWire Pro. 

Dave Bittner: And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering at Webroot. David, always great to have you back. You know, we are not far off from Halloween, and tied into that, you sent over a list of some spooky trends that you've been tracking. What sort of things are on your radar right now? 

David Dufour: David, as always, great being here. And, you know, the marketing folks, the PR folks, they wanted me to say spookiest, but to me, a lot of this is terrifying. 

Dave Bittner: (Laughter) OK. 

David Dufour: So to be clear, you know, we're talking about cyber threats. And, you know, we continue to see a huge uptick in threats around COVID phishing attacks, attacks that are around stimulus checks and people trying to steal your bank account information. So I think that's all top of mind. People are aware of that. But we do need to stay on top of the fact that those are coming at us - even though we may know it, it's happening. So just stay aware of that. But, you know, that's kind of the general spooky. But we got some real fun ones here, David, if you're going to let me run in with this. 

Dave Bittner: Yeah. Let's go. 

David Dufour: So, to me, the most terrifying statistic I can throw out there is five years ago, six years ago, we'd see a ransomware attack. And it was your Aunt Judy whose computer got locked up. And they wanted $200 to unlock, you know, her selfies, right? I mean, you can remember those days, right, David? 

Dave Bittner: Yeah. Yeah. 

David Dufour: Well, now we're seeing the average ransomware payment north of $175,000. They're no longer going for Aunt Judy's computer anymore. The real terror here is municipalities, universities, medical facilities. This has really turned into big, big business. And they don't care about your Aunt Judy's computer anymore. They really care about these mid-sized institutions that can afford to pay $200,000 because it's cheaper than trying to restore all their computers. 

Dave Bittner: Yeah. Well, take us through some of the threats that you're tracking here. 

David Dufour: So some of the biggest ones we're seeing now - Emotet. That's a botnet. It's - we're seeing continuous growth. They're super-effective through emails and things like that. You know, you're not going to get an email that says, I'm Emotet, click here to be infected. It'd be nice. I would probably - that would work on me because I would want to see what happens. 

Dave Bittner: Right. 

David Dufour: But most people are not going to pay attention to that. But that - we're seeing an uptick there. I always pronounce this one wrong, so you're going to have to bear with me. Ryuk is also... 

Dave Bittner: I say Ryuk, but who knows? 

David Dufour: Well, you're probably right. We're going to go with you because this is your show. 

Dave Bittner: OK. 

David Dufour: You know, it's growing as well. It's a fairly new one. But we're seeing it grow in the ability to infect machines as a ransomware threat, lock those computers down. Phobos is always a great one. And the big thing about Phobos that is actually scary with people working from home is it takes advantage of RDP vulnerabilities, RDP being what a lot of people use to remote into their offices and do work on machines in an office. So obviously, people are working from home more. If you're using that functionality, I mean, RDP is always being attacked because there are always exploits being found in it. You've always got to make sure you're being patched. So huge uptick there. And, you know, mobile threat Joker's out there. It's kind of, you know, just trying to steal information. And it's - we've got to throw a mobile app in there once in a while. I got to admit, though, the mobile providers do a pretty good job, Google with Android and Apple with iOS, protecting mobile devices. But we do see from time to time something pop up. 

Dave Bittner: Do you suspect we're going to see a continued shift in that direction, or is it - the opportunities are so rich on the desktop machines that there's no reason to go away from them? 

David Dufour: Well, I think just like the ransomware example, if somebody can figure out a type of threat on a mobile device that makes them a couple hundred bucks now but they can foresee a future where they have a greater ROI - and I don't mean to be funny. I mean, this isn't the kids hacking anymore. This is big business the cybercriminals are in. And so the problem with a mobile attack is, what's your long-term ability to make money? And so, yes, I think the possibility exists, and we shouldn't ignore it. I still think, though, that there's so much money to be made in ransomware and attacking small to medium-sized businesses and getting real money out of them, that that's going to be the focus for the foreseeable future. 

Dave Bittner: All right. Well, David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. That's the best-tasting pickle I ever heard. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out "Research Saturday" and my conversation with Jon DiMaggio from Symantec. We're speaking about APT41 indictments. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.