The CyberWire Daily Podcast 5.24.21
Ep 1339 | 5.24.21

Ransomware warnings in Ireland, New Zealand, Germany, and the US. Belgium’s new cybersecurity strategy. A tipline to dime out cryptominers. Air India passenger data breach.

Transcript

Dave Bittner: Ransomware warnings in the U.S., Ireland, New Zealand and Germany. Health care organizations are said to be a particular risk. Belgium adopts a new cybersecurity strategy. China is not happy with freelance crypto miners. Air India sustains a third-party breach of passenger personal data. An FBI analyst is indicted for mishandling classified information. Rick Howard previews this week's "CSO Perspectives" podcast and kicks off Cybersecurity Canon Week with author Perry Carpenter. And happy birthday, U.S. Cyber Command.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 24, 2021. 

Dave Bittner: This week opens up much as last week ended - with a great deal of attention paid to the continuing problem of ransomware. The U.S. FBI has warned that the Conti ransomware is a current threat, especially to health care and emergency response organizations. The bureau counts more than 400 Conti attacks worldwide. Some 290 of those targets were based in the U.S., including law enforcement agencies, emergency health care networks and 911 dispatch centers. The Record points out that the timing of the alert is no accident, coming as it did shortly after the gang behind Conti, Wizard Spider, in some accounts a gang generally believed to operate from Russia, hit health care agencies in New Zealand and especially in Ireland. Some of these attacks have interfered with scheduling certain kinds of patient care. The highest-profile Conti incident currently in progress is Wizard Spider's ransomware attack on Ireland's HSE health care agency. It's been disruptive and protracted, with the HSE saying that the cyberattack on our IT systems has caused some disruptions to our service. Emergency services are being provided as necessary, although staff is reported to be unusually busy. Other, more routine procedures are also being offered but with some difficulties and delays. According to The Irish Times, Dublin is working to resolve HSE's problems and has ruled out paying the ransom. Minister for Public Expenditure Michael McGrath said that patients' personal information is in the hands of the criminals but that the government is resolved not to pay the ransom the hoods have demanded. Quote, "The state will not be paying a ransom, and we have been unequivocal about that since the very beginning. The release of personal data is a crime," end quote. The Conti gang has threatened to begin releasing sensitive data as early as today, the Irish Examiner reports, if their extortion demand isn't met.
The minister for further and higher education, Simon Harris, said, quote, "There's some evidence that it may already have happened in some instances, and that's been verified by the Gardai," end quote. One of the predictable effects of data exposure is an increase in fraud. And Minister Harris reminded all that the government, quote, "will never call asking for your bank details over the telephone or by email," end quote. Nonetheless, Gardai are preparing for what The Irish Times calls "an avalanche of fraud claims."

Dave Bittner: The Guardian reports that New Zealand's Waikato District Health Board, which was hit with ransomware last Tuesday, continues to struggle with its own recovery from what an official has characterized as the biggest cyberattack in the country's history. RNZ said that about 20% of elective procedures are being rescheduled and that the system is not expected to return to normal until next week. 

Dave Bittner: The head of Germany's IT security agency, BSI, independently warned that ransomware in general is a growing threat, and he, too, sees the health care sector as a particular risk, Heise writes. He pointed out that health care facilities have been hit before. 

Dave Bittner: Colonial Pipeline continues to investigate the DarkSide ransomware attack it sustained on May 7th. It's still not known publicly exactly what vulnerabilities, either human or technical, were exploited during the incident, CNN reports. But government and private sector organizations have been looking to shore up defenses that might prevent them from becoming the victims of similar attacks. An op-ed in The Hill argues that the attack should serve as a wake-up call for hardening our cyberdefenses, a conclusion few would dispute. It urges three areas deserving increased attention - intelligence and deterrence, post-attack recovery and resilience and more attention to security training. 

Dave Bittner: DarkSide may have benefited from security researchers' public airing of some flaws in DarkSide's own code. DarkSide, in any case, woofed that a security firm's release of a free decryption tool had simply helped the gang with its own quality control. MIT Technology Review urges security researchers to find ways of helping victims of cyberattack that don't wind up helping the attackers by flagging issues with malware. It's difficult to see an easy way of doing this. At some point, after all, the criminals will get wise to ways in which the effects of their attacks can be circumvented. But the challenge seems to be worth some thought. The recent record of the ransomware gangs - infrastructure, hospitals, emergency call centers - would seem to give the lie to the gangs' claims that they're sensitive to the social effects of their attacks. But any organization that the criminals think has the wherewithal to pay is a potential target. Shortly before it announced its dubious intention to shut down, for example, the DarkSide gang hit British insurer One Call, Computing reports.

Dave Bittner: The government of Belgium has adopted a new cybersecurity strategy that gives priority to six strategic areas - investing in secure network infrastructure, raising awareness of cybersecurity threats, protecting vital institutions, deterring cyberattacks, improving public, private and academic partnerships and articulating a clear international commitment to the issue, The Record reports.

Dave Bittner: The Financial Times says the Inner Mongolia Development and Reform Commission has created a hotline for reporting illegal crypto mining. The government objects to people stealing power to mine coin. Cryptocurrencies are also seen as potential competitors to the country's new digital yuan, which the government hopes to position as a digital reserve currency. 

Dave Bittner: The airline passenger data provider SITA at the beginning of March disclosed a data breach that's apparently continuing to make its effects felt in the air travel industry. Over the weekend, Air India warned that some 4 1/2 million passengers' data had been compromised. The data exposed includes names, some credit card details, dates of birth, contact information, passport information, ticket information and Star Alliance and Air India frequent flyer data. TechCrunch takes this as evidence that the initial SITA breach was deeper and more serious than realized at the time it was first disclosed.

Dave Bittner: An FBI analyst has been arrested and charged with mishandling classified material. Kendra Kingsbury, 48, of Dodge City, Kan., who had worked for the FBI's Kansas City division, was arrested last Tuesday and charged with two counts of willful retention of national defense information, material classified at the secret level that she's said to have removed from her office and taken home with her between 2004 and 2017. The Department of Justice said Friday, quote, "Kingsbury is alleged to have violated our nation's trust by stealing and retaining classified documents in her home for years," end quote. The government hasn't revealed a motive for the theft. And there's no mention of Ms. Kingsbury's having leaked the documents to anyone. The arrest came, the Justice Department says, in the course of an investigation into potential insider threats.

Dave Bittner: And finally, a belated happy birthday to U.S. Cyber Command, which marked the 11th anniversary of its formation on Friday. 

Dave Bittner: And joining me once again, as he often does on Mondays, is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So it is an exciting week. It is Cybersecurity Canon Week here at the CyberWire. And I know that is a week that is near and dear to your heart. 

Rick Howard: (Laughter). 

Dave Bittner: Can you explain what's going on here for us? 

Rick Howard: Well, yeah, Dave, you know, it may have slipped out on one of these weekly interviews that you and I do that I'm an avid reader of good cybersecurity books. You know, I may have mentioned it a couple of times. 

Dave Bittner: No, Rick, I don't know what you mean. You are a reader of cybersecurity books? Have we talked about this before, like - oh, I don't know - every other time you were on when you were still at Palo Alto Networks... 

Rick Howard: (Laughter). 

Dave Bittner: ...And before you joined the CyberWire? It seems to me like we talked about this a lot. 

Rick Howard: Yeah, maybe at every staff meeting. Yeah, I know I'm a little - I get it. 

(LAUGHTER) 

Rick Howard: I know it sounded a little like broken record, but - and I get the same reaction from my family. You know, when I tell them I'm reading some new cybersecurity book, you know, I get the eye roll or the glaze, right? 

Dave Bittner: OK, right. 

Rick Howard: But I started this project about seven years ago, and it's called the Cybersecurity Canon Project. It's kind of a Rock & Roll Hall of Fame for cybersecurity books. And the mission is to identify all the books that cybersecurity professionals should have read by now. And last week, the Cybersecurity Canon Committee announced the Hall of Fame winners for 2021. 

Dave Bittner: And here at the CyberWire, we have partnered with the Cybersecurity Canon Project in order to get the word out about these great books. So what does that mean? What are we doing for Cybersecurity Canon Week? 

Rick Howard: Yeah. So each day this week, your audience will hear my short interview in the daily podcast with one of the authors that has just been inducted into the Hall of Fame. We have five interviews in total, Monday through Friday. And then on the CyberWire Pro side, our subscribers will get access to the complete long-form interviews in a week or so in my "CSO Perspectives" podcast feed. 

Dave Bittner: All right. Sounds good. Well, speaking of "CSO Perspectives," what is in store for us this week on that show? 

Rick Howard: Well, you know, Dave, we plan these seasons weeks in advance. And a perfect example of even a broken watch is right two times a day, right? 

(LAUGHTER) 

Rick Howard: We're talking about how to secure the supply chain at the same time that the story of the Colonial Pipeline ransomware attacks here in the States are still unfolding. We have Ann Johnson from Microsoft and Ted Wagner from SAP coming to the Hash Table to provide some insights on how they think we should tackle these issues. 

Dave Bittner: All right. Well, that's an all-star cast for sure. What about on the ad-supported side? What's going on there? 

Rick Howard: So this week's episode is when I finally figured out what the podcast is really about. You know, the previous episodes were good, but it was me all over the map on a wide range of topics. But on this episode, we started talking about cybersecurity first principles. And it's the idea that our community has been sliding along for almost 30 years, incrementally improving our defensive posture but never stopping to consider if we have been going in the right direction in the first place. And so in this episode, we try to make the case for what is the ultimate goal for any cybersecurity program. And I'm going to bet you will be surprised by the answer. 

Dave Bittner: All right. Well, we will have to check that out. Please do so. You can go to our website, thecyberwire.com. Look for "CSO Perspectives" and see what it's all about. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: All this week, my CyberWire colleague Rick Howard is sharing interviews with authors of his favorite cybersecurity books, each one an entry in the Cybersecurity Canon. Here's Rick Howard to explain. 

Rick Howard: It's Cybersecurity Canon Week here at the CyberWire. And unofficially, all of the CyberWire staff members are referring to this week as Shark Week for cybersecurity books because the Cybersecurity Canon Project has announced the author selectees for the Hall of Fame awards in 2021. And I'm interviewing all the winning authors. Each day this week, you'll get a taste of the winning author interviews here in this daily podcast segment. But you can listen to the entire long-form interviews as special episodes in my "CSO Perspectives" podcast, only available to the CyberWire Pro subscribers. Today's interview is with Perry Carpenter, the author of "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors." I started out by asking Perry about his reaction to being included in this stellar collection of must-read cybersecurity books.

Perry Carpenter: Man, this is not something that I expected when I wrote the book. I kind of wrote words and threw them out into the wind, hoping that they would be accepted by the community. I've been super humbled by the fact that it's not only been accepted by the community. It's been embraced. And I hear stories every day about the impact that this book is having on people's lives and their programs. So I want to thank Rick, thank Ben and Ron for the nomination and the induction into this. And certainly, man, I want to thank the entire crew of folks that I work with at KnowBe4 that supported me on this project as I was giving a lot of my time and energy. So thank you so much. I am super humbled by this, and I hope that I am able to continue to contribute in meaningful ways going forward. 

Rick Howard: Perry has a theme running through the book that he calls the knowledge, intention and behavior gap. 

Perry Carpenter: The first one of those is, just because I'm aware doesn't mean that I care. The second one is, if we try to work against human nature, we will fail. That's what most of our policies in the security field try to do. They try to build some kind of practice and say that we have to do things. And they don't take human nature into account. Ultimately, we just end up frustrated as security leaders because our people aren't doing the things that we've printed on the page, and we don't understand why. And that leads us to number three, which is that what our employees do is way more important than what they know. And I'll say it as bluntly as I can. What somebody has known has never stopped a breach. It's the behavior in the moment, regardless of what somebody knows. 

Rick Howard: The book is called "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors." The author is Perry Carpenter, and he is the newest addition to the Cybersecurity Canon Hall of Fame. And if you're interested in the collection of Cybersecurity Canon Hall of Fame books, plus all the candidate books and even the best novels with a cybersecurity theme, check out the Cybersecurity Canon website sponsored by Ohio State University at icdt.osu.edu/cybercanon - all one word - and with one N for canon of literature, not two N's from machines that blow things up. And if that's too hard, go to your preferred search engine and type cybersecurity canon and Ohio State University. And congratulations to Perry Carpenter for his induction into the Cybersecurity Canon Hall of Fame.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called SECURITY HAH! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.