The CyberWire Daily Podcast 2.14.22
Ep 1515 | 2.14.22

Hybrid war warnings over Russian designs on Ukraine. Senators ask about CIA bulk surveillance. No charges against reporter who inspected a website. Hacktivists or vigilantes?

Transcript

Dave Bittner: The U.S. and U.K. warn of the possibility of false-flag provocations as Russia keeps the pressure on Ukraine. NATO members and others issue warnings of the threat of Russian cyber-operations spilling over the Ukrainian border. Two U.S. Senators want an accounting from the CIA over an alleged bulk collection operation. No charges filed in the case of a reporter who viewed a website source. The 49ers were hacked. Daniel Prince from Lancaster University on improving security in agile health IoT development. Rick Howard targets supply chain issues with the Hash Table. And have a careful Valentine’s Day.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Monday, February 14, 2022. 

Dave Bittner: Presidents Biden and Putin spoke Saturday in negotiations aimed at reducing tensions over Ukraine, but without result, the Washington Post wrote. And U.S. sources subsequently said the risk of a Russian invasion remained high. 

Dave Bittner: The Wall Street Journal reports that Russian influence operations, ranging from disinformation to bomb threats, have continued unabated, and that many Ukrainians feel themselves already fully on the receiving end of a hybrid war. The Ukrainian armed forces have also warned that Russian deployments amount to encirclement, the Telegraph reports. An analysis in the New Atlanticist looks at Russian exercises in Belarus and assesses that an invasion of Ukraine would concentrate on air superiority, close air support, long-range fires, intelligence collection and combat sustainment. 

Dave Bittner: Citing concerns about security, the Organization for Security and Cooperation in Europe, OSCE, has told its members that a number of countries were withdrawing their staff from the OSCE cease-fire monitoring mission in Ukraine. The OSCE has for some time been a burr under the Kremlin's saddle, and the Russian Foreign Ministry was quick to denounce the announcement as a ploy intended to inflame tension in the region. The Washington Post quoted Foreign Ministry spokeswoman Maria Zakharova that various states were seeking to "manipulate" the monitoring mission through "filthy political games." 

Dave Bittner: Japan, Australia, New Zealand and the Netherlands have all asked their citizens to leave Ukraine, apparently as a reaction to the U.S. warning that a Russian invasion might come as early as this week. 

Dave Bittner: Some international airlines have suspended flights to Ukraine, and Kyiv has, according to the Guardian, allocated $592 million to pay for measures to secure Ukrainian airspace in the hope of encouraging the resumption of flights. 

Dave Bittner: The U.S. grew newly concerned about a Russian false-flag provocation designed to provide Moscow with a casus belli against Ukraine - bogus, but minimally plausible. The Washington Post says that the U.S. Intelligence Community's warning of that possibility prompted the U.S. to withdraw diplomatic personnel and urge Americans to leave Ukraine. The provocation is believed to be different from the one the U.S. warned against last week. Those earlier reports suggested that Russia was preparing a staged atrocity film showing fictitious Ukrainian outrages against ethnic Russians in the eastern part of the country. The GRU was identified as the operator of a website, donbasstragedy.info, that represented itself as a portal run by human rights advocates working in eastern Ukraine. The portal retailed atrocity stories in a disinformation campaign directed against Ukraine. 

Dave Bittner: Both the British and U.S. Governments hope that disclosure of intelligence with an unusual degree of public transparency will serve to dissuade Russia from renewing an invasion of Ukraine. The warnings have been explicit - the U.S. CIA is said to have assessed that Russian forces are prepared to move into Ukraine this Wednesday. 

Dave Bittner: A White House official said on background Saturday, quote, "Russia is finding itself on defense in the information space, given our own transparency about its intention," end quote. 

Dave Bittner: Shields up, or so the U.S. Cybersecurity and Infrastructure Security Agency put it in an advisory published Friday evening. Despite the Trekkie-themed framing of the alert, it's a serious advisory. CISA cites a Russian threat and says the warning represents a shift toward a proactive defensive policy. 

Dave Bittner: The agency explains the warning's motivation as follows, quote, "Notably, the Russian government has used cyber as a key component of their force projection over the last decade, including previously in Ukraine in the 2015 timeframe. The Russian government understands that disabling or destroying critical infrastructure - including power and communications - can augment pressure on a country’s government, military and population and accelerate their acceding to Russian objectives. While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine. Based on this situation, CISA has been working closely with our critical infrastructure partners over the past several months to ensure awareness of potential threats - part of a paradigm shift from being reactive to being proactive," end quote. 

Dave Bittner: The advisory goes on to offer familiar advice that any organization might apply to reduce the likelihood of a damaging cyber intrusion - taking steps to quickly detect a potential intrusion, ensuring that the organization is prepared to respond if an intrusion occurs, and to maximize the organization's resilience to a destructive cyber incident. CISA closes by urging organizations to study the detailed prescriptions specific to Russian cyber-operations that the agency issued last month. 

Dave Bittner: Estonian authorities say their country has been on the receiving end of Russian cyberattacks, but only at roughly the normal rate. The crisis over Ukraine seems not to have produced an increase in the Russian cyber OPTEMPO against Estonia. 

Dave Bittner: The Wall Street Journal and others report that U.S. Senators Ron Wyden, Democrat of Oregon, and Martin Heinrich, Democrat of New Mexico, both members of the Senate Intelligence Committee, have asked the CIA to declassify and release information on a bulk collection program that may have extended to some domestic surveillance. It’s not clear from the Senators’ heavily redacted letter what the scope of the surveillance would have been, including whether U.S. citizens were directly targeted or were the inadvertent by-catch of collection against foreign targets. 

Dave Bittner: The news, Fortune observes, is likely to have an unwelcome effect on U.S. tech companies operating in Europe, as it’s likely to arouse suspicion of GDPR violations. 

Dave Bittner: A St. Louis Post-Dispatch reporter who found personal information exposed on a website operated by the Missouri Department of Elementary and Secondary Education will not, after all, be prosecuted for a computer crime. The Cole County prosecutor, to whom the case was referred at the insistence of Missouri Governor Parson, has declined to file charges. 

Dave Bittner: To review, the reporter’s offense, in the eyes of Governor Parson, was to have viewed the page source on the Department of Elementary and Secondary Education site, where he saw personal information about teachers coded into the HTML. He disclosed, responsibly, what he’d found to the department, which initially intended to thank him - until, that is, the governor heard of it and decided that the journalist must have hacked the site. Because the reporter looked at the code, the governor apparently took this to mean that the reporter had illicitly broken the site's encryption as opposed to, say, hitting Control-U while he looked at the page. The governor directed that the case be referred to the Cole County prosecutor. 

Dave Bittner: The FBI advised the state that as far as it could tell, no one had broken any laws, and the prosecutor’s minimalist statements about the whole affair suggest a more realistic understanding of the internet than apparently prevails in the governor’s office. Still, some think that loosely worded Missouri computer crime statutes may bear part of the blame. CISA Director Easterly tweeted approval of the Cole County prosecutor's decision. She says it makes responsible disclosure easier. 

Dave Bittner: You don’t have to make the Super Bowl to be a target for cyber criminals, and playing in Silicon Valley doesn’t confer any immunity, either. BleepingComputer reports that the San Francisco 49ers were affected by a ransomware attack Saturday. It’s unclear how successful the attack was, but the 49ers are working on remediation. The BlackByte ransomware crew has claimed responsibility. 

Dave Bittner: It’s Valentine’s Day. Did you notice? The scammers have. The U.S. Federal Trade Commission says that romance scams in general hit record highs in 2021. We would add that you can expect them to continue. Unlike some of you - you know who you are - the scammers haven’t waited until the last minute to make their annual observance toward matters of the heart. They’re up-and-at-em, not waiting until the eleventh hour to buy flowers, candy, stuffed animals or whatever the criminal equivalents of those things are. So be appropriately on your guard for e-commerce fraud, advance fee scams and artful catphishing. 

Dave Bittner: And it is always my pleasure to welcome back to the show, the CyberWire's own chief security officer and chief analyst Rick Howard. Rick, welcome back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So not surprising to anyone in our audience - first of all, you and I are both men. And... 

Rick Howard: (Laughter) I'm glad you noticed that. Yeah. 

Dave Bittner: Yeah. Well, and more importantly than that, neither one of us are what could be accurately described as young men. 

Rick Howard: That's very true. Yeah. 

Dave Bittner: And so with both of those categories linked together, that means that I think it's fair to say that both of us are hesitant to admit when we were wrong. 

Rick Howard: Oh, yes. 

Dave Bittner: (Laughter). 

Rick Howard: It's really hard for me to do (laughter). 

Dave Bittner: That's right. But in this case - in this case, last time you and I spoke, you actually spoke in error and you wanted to set it right today. So what exactly did you screw up on last week's show? 

Rick Howard: Oh, yes, indeed. Well, we were talking about supply chain attacks, if you remember. And... 

Dave Bittner: Yeah. 

Rick Howard: ...I made the point that even though we've had some high profile attacks recently, like SolarWinds, Accellion, and Log4j, that these kinds of attack vectors have been around for years. And I mentioned that the bad guys who attacked Home Depot in 2014 used this third-party digital supply chain technique. And that's where I screwed up, OK? Right there. 

Dave Bittner: Oh (laughter). OK. 

Rick Howard: It wasn't Home Depot in 2014. It was Target in 2013. And my only excuse is that I can't remember my children's names most days of the week, so, you know, cut me some slack. And as one of my favorite comics, Craig Ferguson, on his late night talk show used to say, I look forward to your letters. 

(LAUGHTER) 

Dave Bittner: Well, you know, the thing is, Rick, lucky for us, cybersecurity professionals, particularly the ones who, again, are in that category like you and I - older men - are not at all pedantic. They don't... 

Rick Howard: No. No, not at all. 

Dave Bittner: They're not sticklers, not sticklers for any of those details. So I think... 

Rick Howard: No, they're not... 

Dave Bittner: ...You're probably in the clear. Yeah. Yeah. 

Rick Howard: They're not important. Why should we worry about little details like that? OK, so... 

Dave Bittner: (Laughter) That's right. All right. Well, getting to this week's "CSO Perspectives" show, I understand you have a new expert that you've invited to the CyberWire Hash Table. Who's the new guest? 

Rick Howard: Well, you know her, Dave. In fact, you talked to her last week on the daily podcast. It's Amanda Fennell, the CIO and CSO of a company called Relativity. And she hosts the "Security Sandbox" podcast, the latest addition to the CyberWire's collection of security podcasts. And when I heard she was joining our family, I immediately contacted her to be on our bench of security experts that help us understand this kind of changing landscape. And she didn't hesitate. By the way, she's awesome, all right? 

Dave Bittner: Yeah. Yeah. 

Rick Howard: She's very smart and highly articulate about how to explain all this stuff. And so for this show, I asked her to walk us through how her company, Relativity, handled the Log4j crisis over the holiday break this past year. 

Dave Bittner: All right. Well, look forward to that. That is part of "CSO Perspectives" on CyberWire Pro. You can find that on our website. Rick Howard, thanks for joining us. 

Dave Bittner: And I'm pleased to be joined once again by Daniel Prince. He is a senior lecturer in security and protection science at Lancaster University. Daniel, it is always great to welcome you back to the show. You and I have spoken previously about health IoT security issues, and I know something that is on your mind is making sure that the folks who are developing these things understand the folks that they're up against, some of those threat actors. What exactly are you working on here? 

Daniel Prince: Yeah. So our research project here at Lancaster, which is funded under the national IoT center for security and privacy, PETRAS, in the U.K., we're looking at this idea of how do we help developers understand the threat actors and the ways that they operate so that they can really try to start to enhance the security of their products using agile development methodologies? So we're specifically focusing on agile development approaches for health IoT. 

Dave Bittner: And so can you give us some examples of how that plays out? 

Daniel Prince: So one of the key things that we're looking at here is allowing the companies that are doing the development to understand these actors and really getting a good sense of how they might attack their products and what they might want to seek to achieve. I mean, one of the classic things that I talk about when I'm teaching is that computers don't attack computers. It's individuals performing some action via computers. And so it's about these groups and these attackers and how they might be seeking to undermine the security and the safety, therefore, of their products. 

Daniel Prince: And so by getting them to think - the developers to think about how the threat actors might be targeting their devices and building scenarios and helping them to understand the different types of approaches, we can also help them to understand the potential exposures and the risks that they've got potentially coming down the line so that they can start to put countermeasures in much earlier. And there's some information out there, some research out there that kind of says the earlier you fix these security problems, the less it's going to cost you long term. And it's kind of almost, you know, an exponential growth in the cost from, you know, initial product idea to out in the wild in terms of the costs associated with fixing security issues. And so by taking this back early in the development cycle and fitting our approaches within weekly sprints and so on and getting - or two weekly sprints - and getting people to think about this has the effect that there's a continual improvement. 

Daniel Prince: But also, one of the other things that we're hoping to see is, because you're covering the security aspects every two weeks and you're thinking about it in a structured way, it remains at the forefront. Unlike other concepts around security, where you may, you know, do a security audit every six months or every three months at most, you don't have to worry about it, you know, until, you know, 12 weeks down the line. The fact you're having to consider the security aspects and who might be after you every couple of weeks, alongside the kind of the cool features that you want to develop, really helps to embed that as part of the security culture. So it's this constant improvement and working towards, you know, a secure, minimal, viable product within agile, but also the constant raising of awareness of security issues. We're hoping to see an overall improvement in security. 

Dave Bittner: All right. Well, Daniel Prince, thanks for joining us. 

Dave Bittner: And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.