India investigates the possibility of cybersabotage. Walls are opaque to defenders, too. Recommendations for cyber nonproliferation. SolarWinds updates (with an SEC appearance).
Dave Bittner: Indian authorities continue to investigate the possibility that Mumbai's power grid was hacked last October. Apple's walled garden security can inhibit detection of threats that managed to get inside. An Atlantic Council report recommends international action against access-as-a-service brokers to stall proliferation of cyber offensive tools. Ben Yelin has the story of legislators asking the military why they're so interested in apps serving Muslims. Our guest is John Grange from OpsCompass with insights on the top cloud security mistakes organizations make. And updates on the SolarWinds incident, including an SEC probe into who knew what when.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 2, 2021.
Dave Bittner: Indian authorities are investigating the possibility that October's electrical outages in Mumbai were deliberately induced cyberattacks - presumably attacks originating in China, The Wall Street Journal reports. An ambiguous form of confirmation appears in the India Times, which writes that Maharashtra Energy Minister Nitin Raut on Monday said that a New York Times report claiming that the massive power outage in Mumbai last year might have been due to a cyberattack from China was true.
Dave Bittner: So there was an outage, and it may have been due to a cyberattack, and that attack might have been mounted by China. Recorded Future's report on the RedEcho threat actor is interesting and suggestive, and it's worth repeating two of their findings - clearly, the ones that have energized the Maharashtra authorities - quote, "the targeting of Indian critical infrastructure offers limited economic espionage opportunities. However, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives," end quote.
Dave Bittner: Recorded Future's Insikt Group continues, quote, "pre-positioning on energy assets may support several potential outcomes, including geo-strategic signaling during heightened bilateral tensions, supporting influence operations or as a precursor to kinetic escalation," end quote. Chinese government representatives have denied any involvement in cyber operations against India's grid, saying that China disapproves of hacking in all its forms.
Dave Bittner: Technology Review reports that Apple's well-known, locked-down walled garden offers clear security advantages, but that once a threat actor gets in, those very walls serve to protect their malicious activity from detection and expulsion.
Dave Bittner: The walls are opaque, and security tools can't see through them any better than anything else. Apple acknowledges that there are trade-offs, and that no lockdown is perfect, but the company remains confident it's made the right trades.
Dave Bittner: An Atlantic Council report discusses one aspect of cyber proliferation - the growth of access-as-a-service brokers. These vendors offer vulnerability research and exploitation, malware payload development, technical command and control, operational management and training and support.
Dave Bittner: The report recommends international action, specifically by the US and its allies, to, first, understand and partner with like-minded governments, elevating the issue and enacting appropriate controls; next, shape by developing lists of troublesome vendors, standardizing risk assessment, incentivizing corporate ethics moves and controlling sales and assistance to states that deal with banned vendors; and finally, limit by widening the scope of vulnerability disclosure, restricting post-employment activities for former government cyber operators, taking legal action against access-as-a-service business and encouraging technical limits on malware payload jurisdiction.
Dave Bittner: The Atlantic Council's proposals don't amount to a call for a ban on corporate development as contractors of tools useful for cyber offensive operations. Rather, the council argues for an approach that would bring such companies' activities under the sort of regulation now exercised over traditional, conventional, kinetic weapons. Existing approaches to cyber nonproliferation, the study's authors argue, lack the granularity they would need to be effective, and the report's recommendations are intended to outline how such granularity might be developed.
Dave Bittner: Investigation into the SolarWinds incident continues, and, as Recorded Future points out, the name SolarWinds seems increasingly inadequate since nearly a third of the campaign's known victims were not SolarWinds customers and didn't use the company's Orion platform. So they think it might be time for a new name. They mention "Holiday Bear" as one possibility. Representative Peter Meijer, Republican from Michigan's 3rd District, suggested it during hearings on the incident - Bear because it's clearly a Russian group and Holiday because it kept everybody busy over the holidays.
Dave Bittner: The attack is known to have been a Russian operation, although the operator's precise place in Moscow's organization charts remains up for debate. It's also unclear how they got into SolarWinds in the first place. Interns and bad passwords seem unlikely to represent a sufficient explanation.
Dave Bittner: What the threat actors were after is also up for debate. It's been suggested that it was direct espionage, theft of sensitive files and documents. There may have also been a counterintelligence dimension to Holiday Bear's activities. There you go, Representative Meijer. We've used your name. They appear to have paid attention to security firms - it was FireEye that noticed them, after all - and they may have wanted to learn how U.S. organizations detected and tracked Russian cyberactivity. And, of course, it could've been battlespace preparation - staging a persistent presence in networks where it could be used at some future point.
Dave Bittner: And finally, at least two of SolarWinds' largest investors have fallen into some legal water that if it's not yet hot is at least uncomfortably warm. The Washington Post reports that the U.S. Securities and Exchange Commission is investigating the possibility of insider trading. The Post says that private equity firms Silver Lake and Thoma Bravo led the sale of $315 million in SolarWinds shares days before the hack was revealed. The firms hadn't commented to the Post by the time the story ran, and SolarWinds itself says it's cooperating fully with the SEC.
Dave Bittner: John Grange is co-founder and CTO of OpsCompass, a provider of software-as-a-service cloud compliance and security products. He shares some of the top mistakes his team sees when it comes to cloud security.
John Grange: You know, we're far enough into the cloud adoption phase in enterprises and in most businesses that we're kind of at the place where it really depends on the maturity. Maturity matters a lot because you have some companies, even in traditional industries, large organizations that are incredibly cloud mature. You have other companies that might even be in the same industry, the same space, be really just getting started.
John Grange: So the way I like to think about kind of cloud security and the state of things today is kind of this spectrum of maturity and this hybrid nature where companies are still kind of struggling with how do they kind of have one foot in the data center and one foot in the cloud. And a lot of the mistakes they make kind of draw from that phenomenon.
Dave Bittner: The companies who are doing it right, who are successful at this - are there any commonalities that you see from them?
John Grange: You know, going to cloud is a difficult thing. And I think that as companies scale and grow and become more cloud mature, there's a little bit of a false sense of security that with all of their security controls and everything happening in the pipeline and the idea that it's going to end up going into the cloud perfect and it's just this, you know, everything-works scenario, that just really doesn't happen in real life. You know, companies buy other companies, new teams start firing up new projects. The clouds are always adding more services, so there's a desire within lots of organizations to try these things out, to innovate more quickly.
John Grange: So what I actually see are these cloud-mature organizations starting to overcorrect and starting to rely too much on really complex and advanced controls in the development stage of things. And they start to really ignore what's happening in the actual runtime environments and the cloud platforms themselves.
Dave Bittner: And how can they protect themselves against that? What sort of things can they put in place to keep them from going down that path?
John Grange: I think a lot of it is planning for error, planning for problems, planning for things changing. So what the really smart teams do after they've been beaten around a little bit, they start to have a more holistic approach to security, making sure that they have a robust ability to secure code and secure changes before they hit the cloud platform. That's a big deal. But also having that kind of deep visibility into what's really happening in your cloud, what's really out there ends up proving just invaluable.
John Grange: One of the things I always like to remind people is that, you know, you don't get - you're not going to get dinged on an audit, you're not going to accidentally spend too much money, you're not going to get breached in a place where - that's not even live in the cloud. It's something that doesn't exist. So you still really have to pay attention to what you have.
Dave Bittner: That's John Grange from OpsCompass.
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, it's always great to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: Article from Joseph Cox on Motherboard. This is Tech by VICE, and the title is "Lawmakers Demand Answers from Military on Muslim App Data." What's going on here, Ben?
Ben Yelin: So it seems like a lot of data, particularly from Muslim-related apps - so things like a Quran app called Muslim Pro, which has 98 million downloads. That's a lot of downloads. So a lot of the data from that - those apps have been sold to military contractors. When they're sold to military contractors, the, you know, United States government can get access to some of that data. So whether it's the Pentagon or its intelligence agencies, the U.S. government is getting hands on that data.
Ben Yelin: So that has raised the ire of members of Congress because - you know, for a number of reasons. First and foremost, these basically are suspicionless searches. If there really is a focus on Muslim-oriented applications, then, you know, we're getting a collection of data that has not been subjected to any type of, you know - it's not a bulk pile of data in which you're collecting everything, and it's also not specific to an individual who's suspected of committing a crime or who's a suspected intelligence threat. It's in that in-between area where it can come off as discriminatory.
Ben Yelin: So as a result, a bunch of members of the House of Representatives, including AOC and the two Muslim members of Congress - or two of the Muslim members of Congress, Representatives Ilhan Omar and Rashida Tlaib, have written a letter to the secretary of defense and to our intelligence agencies to just kind of get an idea of what's happening. They want to know how widespread this collection is. And in each instance where this data has been collected by the military and the intelligence community, has there been any warrantless surveillance using this location data? So, you know, have any FISA applications been authorized as a result of this data collection? How many Muslim Americans have been impacted by this, et cetera?
Ben Yelin: You know, I think one of the key issues here is this is a potential First Amendment problem. If people of a particular religious group think that they are being surveilled or being singled out for potential surveillance because of the applications that they use, then they're going to be less likely to download those applications, you know, and that could have a chilling effect on the practice of their religion. So I think that adds to some of the danger here.
Dave Bittner: Is there a possible defense here? For example, and I'm just being hypothetical, if the defense agencies came back and they said, oh, yes, we're gathering this data from these Muslim apps, but we're also gathering data from Catholic apps and from Jewish apps and from, you know, a number of - in other words, yes, we're using targeted apps to investigate people of religions, but we're doing all religions.
Ben Yelin: Yeah, that's the sort of thing - this reminds me of when I was watching the confirmation hearing for the attorney general nominee Merrick Garland. He kept talking about looking for patterns in practice when you're trying to figure out whether something merits an investigation. So, you know, you look at things like, is it disproportionately targeting Muslim-based applications? You know, if the percentage of data being collected is disproportional to the number of applications that are targeted to Muslim audiences, that's when it would start to be a problem.
Ben Yelin: You know, if this was something where they were, you know, uniformly collecting location data from all different types of religious-based applications and there wasn't a specific focus on one religion, I think they'd be on firmer ground, and I don't think these lawmakers would have sent that letter. But it does not appear that that's the case, and that's why you're seeing this pushback.
Dave Bittner: How much of this is about religion? In other words, what if they were targeting apps that focused on gun owners, for example?
Ben Yelin: I think - so gun owners is an interesting hypothetical. Religion, I think, carries a particular importance because of its place in the First Amendment. So, you know, things like religion and political speech - any time that is targeted, especially when it's targeted, you know, in a way that secular applications are not targeted, that's going to raise the ire of not only members of Congress, but the judicial branch because, you know, that's one of our most sacred rights.
Ben Yelin: Gun owners, you know, if you believe that the Second Amendment grants an affirmative right for individuals to own firearms, potentially could have that same sort of problem. I think you'd have perhaps a similar outcry. You know, I think religion carries sort of an extra burden, but, you know, for people who believe strongly in the Second Amendment, perhaps gun ownership carries that special burden as well.
Dave Bittner: Interesting. So this letter has been sent. They're expecting an answer. And then what happens?
Ben Yelin: So, you know, I think they have a receptive audience within the Biden administration and within the Department of Defense. For that reason, I think it's possible these lawmakers and the agencies themselves can work on some sort of solution in a constructive manner. You know, but if not, you could see legislation enacted like that proposed by Senator Ron Wyden in the Senate, which would require the government more generally to obtain a warrant before it collects any location data.
Ben Yelin: And, you know, maybe one of the impetuses for enacting such a law would be a story like this, where, you know, you see this power used in a discriminatory fashion. And that could be what motivates lawmakers to enact more of a broader law requiring some sort of judicial approval before any government agency collects location data.
Dave Bittner: All right. Well, interesting, indeed. Again, the article is titled "Lawmakers Demand Answers from Military on Muslim App Data." It's over on the VICE website, written by Joseph Cox. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The cracklin's what's happenin'. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.