The CyberWire Daily Podcast 1.25.21
Ep 1255 | 1.25.21

The FSB warns Russian businesses to up their security game - the Americans are coming. SonicWall's investigation of a possible cyberattack. DIA and commercial data brokers. OPC issues. Robota.

Transcript

Dave Bittner: Russia's FSB warns businesses to be on the lookout for American cyberattacks after the White House says it's reserving its right to respond to the Solorigate cyberespionage campaign. SonicWall investigates an apparent compromise of its systems. A senator asks the U.S. DNI for an explanation of DIA purchases of geolocation data from commercial vendors. OPC issues are described. Andrea Little Limbago from Interos on the naughty list of restricted or sanctioned companies. Rick Howard previews his first principles analysis of Microsoft Azure. And happy birthday to the word robot, now 100 years young.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 25, 2021. 

Dave Bittner: Russia's FSB has issued an alert on the threat of targeted computer attacks, warning businesses of increased likelihood of U.S. attack. Quote, "In the face of constant accusations against the Russian Federation by representatives of the United States and their allies of [Russian] involvement in organizing computer attacks, as well as threats from their side [of] retaliatory attacks on the Russian Federation's critical information infrastructure, we recommend taking the following measures to improve the security of information resources," end quote. 

Dave Bittner: ZDNet characterizes the FSB alert as a signaling response to remarks by the new U.S. administration last Wednesday. Referring to Solorigate, a representative said, we reserve the right to respond at a time and manner of our choosing to any cyberattack. U.S. officials have attributed the cyberespionage campaign to Russia, which has denied responsibility. The FSB's alert amounts to an anodyne but sound list of 15 cyber hygiene best practices. And who could object to that? 

Dave Bittner: Lawfare has published a piece on the risks Solorigate poses to control systems and specifically the SolarWinds Orion platforms supply chain compromise. The authors are concerned to remind people that the issues the Orion compromise opened up could very easily spread to control system networks, whether in the industrial Internet of Things or in such networks as are used to control building HVAC systems. 

Dave Bittner: Late Friday evening, SonicWall disclosed that it had been the victim of, quote, "a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products," end quote. The company initially believed that NetExtender VPN had been compromised, but has revised its assessment to conclude that this product is safe. A possible zero-day in the SMA 100 Series remains under investigation. 

Dave Bittner: To summarize the state of their product security, according to the company, the SonicWall firewalls, the NetExtender VPN client, the SMA 1000 Series and SonicWave Access Points are all unaffected by the vulnerability. The SMA 100 Series, as we noted, is still under investigation. But SonicWall is offering guidance on mitigations users can apply against the possibility that there's a problem. 

Dave Bittner: The U.S. Defense Intelligence Agency responded to an inquiry from Senator Wyden, Democrat of Oregon, acknowledging that the DIA provides funding to another agency that purchases commercially available geolocation metadata aggregated from smartphones. The memo went on to explain that, quote, "DIA purchases location data generated by phones located outside the United States and inside the United States. DIA's data provider does not supply separate streams of U.S. and foreign location data. And DIA processes the location data as it arrives to identify U.S. location data points, which it segregates in a separate database. DIA personnel can only query this database of U.S. location data when authorized by the chief of staff and DIA's Office of General Counsel. Permission to query DIA's database of commercially acquired U.S. device location data has been granted five times in the past 2 1/2 years," end quote. 

Dave Bittner: Senator Wyden has asked Director of National Intelligence Haines for an explanation. The New York Times characterizes this form of collection as a loophole in existing U.S. law that some legislators, Senator Wyden among them, hope to correct with more specific, comprehensive privacy legislation. 

Dave Bittner: Claroty today released a summary of flaws in the Open Platform Communications network protocol. They've been working on identifying the vulnerabilities and disclosing them to affected vendors since last year and are now beginning a public review of what they've learned. Three major vendors have already addressed the issues, and Claroty recommends that users update their systems to the latest versions. The three vendors are Softing Industrial Automation GmbH, Kepware PTC and Matrikon Honeywell. All have provided fixes for OPC issues. 

Dave Bittner: And people are marking the hundredth anniversary, the centennial, of the word robot, coined by Karel Capek in his play "R.U.R." The initials in the play's title stand for Rosumovi Univerzalni Roboti. "R.U.R." also works in the direct English translation often appended as a subtitle, "Rossum's Universal Robots." 

Dave Bittner: Capek's story is about a factory that produces artificial humans, for which he coined the word robot from the Czech robota, which connotes a drudge, a forced worker, like a serf. Rossum's robots aren't mechanical. They're fabricated from biological material, so they're closer to "Blade Runner's" replicants than to Robby the Robot. But robots they were, and they're very algorithmical in their manner. 

Dave Bittner: Capek's word has found its way into most modern languages. So this week, we take a break from the internet and find a copy of "R.U.R.," read it and spare a thought for Mr. Capek. We won't give you any spoilers, but - what the heck - it's robots. So you know, it doesn't end entirely happily, although at the end of it, all the robots themselves seem to be doing as OK as any robot can. 

Dave Bittner: And when you're through with "R.U.R." - don't worry - it's short - find a copy of Capek's "War With Newts" and see how someone in the 1930s saw with blinding clarity how memes, in a sense understood, but in the bigger picture, completely uncomprehended, take root and spread. We won't give you any spoilers - but, oh, what the heck - it's all about committing to an identity. British readers will especially like the newt who picks up his worldview from Fleet Street. 

Dave Bittner: And I am pleased to be joined once again by the CyberWire's chief analyst and chief security officer Rick Howard. Rick, always great to have you back. 

Rick Howard: Thank you, sir. 

Dave Bittner: So this week, you are launching an eight-episode series. And you're examining your first principle ideas, but you're doing it within the framework of the big three cloud provider services, which is Microsoft, Amazon and Google. Bring us up to speed here. What are you getting at here? 

Rick Howard: Well, the cloud revolution really got its start back in 2006 when Amazon rolled out AWS. Microsoft followed suit with a competing service in 2010 with Azure. And then Google came to the game with Google Cloud Platform, or GCP, in 2012. And by the way, I can never remember what GCP stands for, so I have to say it, you know, every single time. 

(LAUGHTER) 

Rick Howard: So - and there are other players in the market. Like, Oracle and IBM come to mind. But the big three that most security executives talk about are Amazon, Microsoft and Google. 

Dave Bittner: (Unintelligible) - you say Amazon started in 2006. I cannot believe - it just - it doesn't seem like it's been that long. 

Rick Howard: Tell me about it. We're just too old, my friend. You know? 

(LAUGHTER) 

Rick Howard: So what I've noticed, though, is that our entire security community has been running at full speed, heads down now for years, thinking, you know, tactically about the technical widgets required to get these new environments running and then flipping switches and turning dials on those widgets to provide some sort of security. So I figured it was time to take a beat and consider the strategic picture. How do you think about cloud deployments through a first principle lens? How do you implement these four keystone strategies that I've been going on and on about in each of these environments? And then more importantly, how do you orchestrate those strategies not only in hybrid cloud environments, but also in SaaS applications, mobile devices and data centers back at headquarters as a single system of systems? 

Dave Bittner: What do we need to know going into this? Is there any prep work that listeners should do before bingeing the series? 

Rick Howard: (Laughter) No, no prep work - no homework for you, Dave, all right - but maybe a couple things just to keep in mind. All right, then? The first thing is that all cloud offerings provide some kind of networking infrastructure designed for their customers' automation workloads, and these come in the form of infrastructure and platform subscriptions. 

Rick Howard: And then the second thing is that all cloud providers offer Software as a Service, or SaaS, products to help you manage your workloads in those environments. Sometimes they provide them as part of the infrastructure service, and sometimes, you know, you have to pay extra for them. I bring this up because it might be useful to consider IaaS stuff and PaaS and SaaS subscriptions as individual products that are managed by different product management teams within the larger company. Depending how old they are, you could consider some of them to even be startup products. I mean, in other words, some of them are more mature than others. 

Dave Bittner: Can you give us some examples? 

Rick Howard: Yeah, so Google launched Cloud Identity in - as a SaaS product in 2018. Microsoft launched Azure Active Directory in 2019. And these products might be fantastic, but they're only 3 years old. You know, how mature can they be? And just because they have a big brand name over them doesn't mean that they are completely ready for prime time, and that's especially true for security products. Amazon released their AWS Network Firewall in 2020. You can't expect that product to have the same feature set and maturity that the traditional firewall vendors like Check Point, Cisco, Palo Alto Networks and Fortinet have in theirs. 

Dave Bittner: So this week you are kicking things off, and you're going to be examining Microsoft Azure. 

Rick Howard: That's right. We'll do Microsoft first, then Amazon, then Google, and then we'll wrap everything up with how the big security platforms play in those environments. 

Dave Bittner: All right, we're looking forward to it. It is "CSO Perspectives." It is part of CyberWire Pro. You can find that on our website, thecyberwire.com. Rick Howard, thanks for joining us. 

Rick Howard: Thanks, Dave. 

Dave Bittner: And I'm pleased to be joined once again by Andrea Little Limbago. She is the VP of research and analysis at Interos. Andrea, it's always great to have you back. I want to talk today about this notion of - sort of tech-naughty lists, that there are certain companies that have found themselves sanctioned throughout the world and the impact of that. I wanted to get your take on what's going on here. 

Andrea Little Limbago: Yeah. No, and actually, I love the term naughty list. I first heard it from Megan Brown, so I'm going to give her credit for when I first heard it. But, really, it encompasses the range of restricted entity lists that companies are finding themselves on that basically means that they have limited ability to trade and export with the United States. Or, you know, there are EU versions. There's, you know, the U.N. sanctions - but, really, in the U.S. The U.S. has been hitting just a rapid pace of adding on to this list. And there are a couple of different areas to touch upon. One would be the Commerce's restricted entity list. And that has basically skyrocketed over the last two years for adding Chinese companies. And since 2019, they added 142 companies to that list from China. And while the majority were Huawei - and I think that's the one that everyone - you know, garners everyone's attention. 

Dave Bittner: Right. 

Andrea Little Limbago: So it's Huawei and Huawei affiliates. And most of those are for, you know, various kinds of security concerns. You know, it extends well beyond that. They're - you know, actually, and then 2019 it was 142. 2020, so far, there have been 106 additional ones added. So, you know, over the last two years, you get over 200 Chinese companies added to this restricted list. And it ranges from some of the security designations, such as Huawei, but also extends into - for their role in surveillance and repression of the Uighurs in China... 

Dave Bittner: Right. 

Andrea Little Limbago: ...To also - to WMD - you know, for trying to circumvent some of the WMD restrictions. So it's for a broad range of reasons. And that's just Commerce's restricted entity list. And so, you know, again, it's sort of the who's-who in the zoo in the U.S. with some of these lists because there's more than one list. So it's very hard for companies to maintain - you know, stay on top of this for compliance. This year alone, there was a time this summer when it was almost every two weeks, Commerce was adding a couple dozen more companies to this list. So it was a pretty rapid pace. So that's hard to stay on top of. But then on top of that, you know, if you're working with the federal government, there's now Section 889 of the National Defense Authorization Act that basically says that five companies and their affiliates - that's Hytera, Hikvision, Huawei again, ZTE and Dahua - their products cannot be within the ecosystem of federal contractors or working with the government. 

Andrea Little Limbago: And why that is - you know, it sounds like only five companies, but it's actually much more than that because it's five companies and their subsidiaries and affiliates. And so - and that - so I did, you know, spent a couple of weeks looking into that and came up with over 900 different... 

Dave Bittner: Wow. 

Andrea Little Limbago: But because it's, you know, worded in such a way, you know, I can guarantee you that I don't have them all. And then at the same time, you know, does it - what does it include? And so I included some of the Huawei affiliates, for instance, that were on the Commerce list that are some open labs. And, you know, whether a company's actually dealing with an open lab or not - you know, probably not. But it still is on there, both on Commerce and it would fall under 889. So that's sort of a double whammy for that. And then on top of that, there's a couple of - there's OFAC sanctions. But then, also, the Pentagon has its own list of companies associated with the - with China's PLA. So this list, though, doesn't have any compliance requirements. But it's one of the things - like, I look at it almost as an early indicator and warning for what the other lists might add on. And so in June, they added 20 Chinese companies that are linked to the PLA. Some overlap with these other lists I've talked about; some do not. And they added 11 more in August. And so we'll see what happens with that. And it's something to definitely keep an eye on and to be aware of right now for compliance. 

Dave Bittner: If you're - I'm thinking of, you know, a big company like Apple, who obviously, you know, does - a... 

Andrea Little Limbago: Yep. 

Dave Bittner: ...vast majority of their manufacturing happens in China. I mean, is there some back-and-forth here? Is there - is Apple working with our government agencies, presumably, and lobbying and saying, hey, you know, we kind of - you know, you all love your iPhones, right? - so here's a list of companies who maybe back off of? 

Andrea Little Limbago: Yeah. So they're for sure - writ large, the private sector is pushing back not only because of the disruptions it causes to their own supply chains, which are already going through a lot of disruptions, but also due to just the hard nature of actually complying. And, you know - and a good example for this is that for ZTE and Huawei to - for the small carriers just to basically rip out ZTE or Huawei from their systems, they estimate it would cost $1.8 billion for these small carriers. So there's a cost component, too. So there's the supply chain disruption component. There's the, you know, just having a hard time figuring out how to comply. And then if you do need to comply, it's going to cost a lot of money. 

Dave Bittner: Right. It's kind of an unfunded mandate, right? 

Andrea Little Limbago: Yes. And that's where, you know, again, some of the pushback is as far as both clarifying what that list would look like. And I'm finishing up a paper with Lori Gordon on this for National Security Institute on - you know, one of the recommendations is that to have this one-stop shop so people can - or companies' leaders can know what companies are on these lists and what they need to do to comply. And so we really do need a one-stop shop for that. 

Andrea Little Limbago: But then on top of that, you know, if we're moving in this direction, the government does need to step in and provide that support as needed. And you know, you can argue that some of these really big companies may not need it, but for a lot of smaller carriers, they absolutely do. And even for the federal government, you know, you've got the big defense contractors. But then there are so many different smaller defense contractors that support them that likely will need that help or they may go under given these costs. And so - and then - actually, even on top of that, as far as a different concern, China has their - introduced their own unreliable list now in response. So we know the... 

Dave Bittner: (Laughter) Of course they have. 

Andrea Little Limbago: Yep. Exactly - which, you know, not shocking, right? That's... 

Dave Bittner: Yeah, yeah. 

Andrea Little Limbago: I mean, we know what - there's a trade war going on. It's a tit-for-tat environment. So if the U.S. starts doing this, they create their own unreliable list. They announced that in May. And just last month, they basically expanded on it to explain what - you know, how they'd go about implementing it. And most people think that by the end of this year, some company may get on it. And like you said, you know, Apple would be - you know, can you imagine if they put Apple on their list? 

Dave Bittner: Right, right. 

Andrea Little Limbago: I don't - I personally - I mean, that would really up the ante quite a bit in the relations, so we'll see. 

Dave Bittner: Yeah. It's hard to imagine. And yet, I - you know, the past - I don't know - six months, year or so, the unimaginable has been happening every day. So (laughter)... 

Andrea Little Limbago: Exactly. No, that's exactly - and so for me, like, nothing's out of the question at this point. 

(LAUGHTER) 

Dave Bittner: Right, right. All right. Well, Andrea Little Limbago, thanks so much for joining us. 

Andrea Little Limbago: All right. Thank you. 

Dave Bittner: Hey, everybody - Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs. And that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit thecyberwire.com/sponsorship to learn more and connect with us. That's thecyberwire.com/sponsorship. Thanks. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.