Amid widespread unrest, Sudan shutters its Internet. A new PRC influence campaign targets US elections. Software supply chain security. And cybercrime in wartime.
Dave Bittner: Hello, everyone. This is Dave Bittner, co-founder and host of CyberWire. Before we get started today, I have an exciting announcement. CyberWire is growing. We're thrilled to announce that CyberWire and CyberVista, an industry leader in data-driven cybersecurity training, are joining forces to form parent company N2K Networks, the world's first news-to-knowledge network. One of the insights we gained about our business since we launched back in 2016 is that you aren't just listening to CyberWire to keep up on the latest news. You're listening to learn. And over time, you've told us that we've become a critical part of your professional lives, a tool that helps you do your job better. That's news to knowledge. And we're excited to lean in on this idea and do more than ever before. So CyberWire and CyberVista are coming together to connect news to knowledge, one continuous spectrum of situational awareness and learning. The union creates powerful new opportunities for professionals to keep abreast of the latest developments in their industry, climb the knowledge curve quickly and stay ahead in a rapidly changing world.
Dave Bittner: As always, you can continue to count on us at CyberWire to deliver the world-class content you rely on. It's only getting better from here. And if you're new to CyberWire, welcome. Be sure to check out our other shows and partner content. We have more than 20 different shows on our network, and there's something here for everyone. You can find them all on our website, cyberwire.com/podcasts. Thank you for being a valued member of our CyberWire community. And now back to your regularly scheduled programming.
Dave Bittner: Sudan closes its internet as the country sees protests on the first anniversary of a coup. A Chinese influence campaign targets U.S. elections. A software supply chain security study and a look at vulnerability scanning tools; documenting cyber war crimes in Ukraine. CISA issues eight ICS Advisories. Andrea Little Limbago from Interos on the effects of water scarcity on data centers. And if you'll indulge us, we've got some pretty exciting CyberWire news.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 26, 2022.
Sudan closes its Internet.
Dave Bittner: On the first anniversary of the military coup that brought the current regime to power, Sudan has shut down most of the country's internet access, The Record reports. The measure, likely to be temporary, comes as civil unrest spreads through the country. According to Reuters, protesters number in the tens of thousands.
Chinese influence campaign targets US elections.
Dave Bittner: Mandiant this morning described what it characterizes as a pro-PRC influence campaign actively directed against the U.S. midterm elections. The themes of the campaign are familiar and unconvincing stuff. Mandiant calls it DRAGONBRIDGE. The researchers outlined three of the themes - first, claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor; next, aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S. midterm elections; and allegations that the U.S. was responsible for the Nord Stream gas pipeline explosions. Taken individually, it's sad stuff, but the opportunistic, scattershot quality of the narratives, coupled with new sophistication and impersonation, plagiarism and alteration of sources and the use of inauthentic persona to amplify messaging, suggests that the objective may be the more attainable one of confusion than the heretofore more common Chinese aim of persuasion.
Dave Bittner: Rezilion today released a report, the Vulnerability Scanner Benchmark, detailing inaccuracies they've found across popular commercial and open source scanning technologies. Rezilion found that in using six different popular vulnerability scanners, only 73% of relevant results were returned out of all vulnerabilities that should have been detected. Only 82% of the results were identified correctly and relevant. Across the examined 20 containers from Docker Hub, over 450 high- and critical-severity vulnerabilities were wrongly identified. On average, the scanners also missed more than 16 vulnerabilities per observed container. Rezilion recommends ensuring that the scanner you choose matches your needs and being aware of its capabilities and limits. They also advise that you don't blindly follow the scanner's results, as the report showed misidentification. Also recommended was utilizing a Software Bill of Materials to validate the results of the scanner and gain visibility.
Software supply chain security.
Dave Bittner: And in a distinct and independent but topically related study, BlackBerry has released the results of a survey focused on supply chain software security conducted by research firm Coleman Parkes. Surveyed were 1,500 IT decision-makers and cybersecurity professionals from North America, the United Kingdom and Australia. Eighty-one percent of those surveyed reported experiencing cyberattacks in the last 12 months, with 29% indicating that they had been compromised via operating systems. Fifty-nine percent of respondents identified lack of skilled talent as the primary barrier to regular software inventories, with limited visibility found to be the next greatest barrier. Sixty-eight percent of respondents also said that they would welcome a tool to inventory software libraries, as visibility of software potentially impacted by a vulnerability is difficult.
Dave Bittner: Fifty-nine percent of those surveyed who had been notified of a software supply chain vulnerability or attack were operationally compromised, while 57% experienced data loss. Sixty-two percent of respondents value speed of communication as the most important aspect of communication with stakeholders when a vulnerability is discovered. The survey found that 68% of respondents are very confident that their suppliers and partners have adequate cybersecurity regulations and compliance practices. Seventy-four percent of those surveyed were in favor of greater governmental oversight of open-source software to secure against cyberthreats.
Documenting cyber war crimes.
Dave Bittner: Ukraine and others have been engaged for some time in documenting war crimes with a view to prosecution of those responsible. According to Bloomberg, Ukrainian authorities have also been documenting Russian cyberattacks, also with a view to prosecution of those responsible. These are perhaps best thought of as cybercrimes committed during wartime, especially given the still-fluid state of international norms concerning cyberwar. Victor Zhora, chief digital transformation officer of Ukraine's Special Communications and Information Protection Service, said his government was collecting evidence of malicious cyberactivity and sharing it with the International Criminal Court. Zhora said, our intention is to bring this to justice after the war, and perhaps this will be the first prosecution of the first global cyberwar and cybercrimes that were conducted with kinetic operations and war crimes in Ukraine.
CISA issues eight ICS Advisories.
Dave Bittner: Finally, yesterday, the U.S. Cybersecurity and Infrastructure Security Agency issued eight industrial control system advisories. See the details on CISA's site. And if you use the systems mentioned in dispatches, evaluate your implementations and patch as necessary.
Dave Bittner: After the break, Andrea Little Limbago from Interos on the effects of water scarcity and data centers. And I'm joined by Peter Kilpe and Simone Petrella with some exciting news about the CyberWire and CyberVista.
Dave Bittner: Hello, dear listeners, if you will indulge us for just a few moments. Today is a very special day on our journey here at the CyberWire. We are excited to announce a merger with CyberVista, a cyber learning and education company that I'm sure many of you know well, as well as the formation of a new parent company called N2K Networks. Joining us to explain how this came to pass and what it means for all of us are Peter Kilpe and Simone Petrella. Peter, Simone, welcome.
Peter Kilpe: Hey, Dave.
Simone Petrella: Hey.
Dave Bittner: Let me start with you, Peter. So can you take us through the journey here? This started with looking to do an A round of fundraising and led us in a little bit of a different direction, right?
Peter Kilpe: It did, yeah. Thanks, Dave. First of all, it's really exciting to be on this side of the microphone.
Dave Bittner: (Laughter).
Peter Kilpe: In six years of working for the CyberWire, I haven't had this chance to actually sit here with you and talk, so this is a lot of fun.
Dave Bittner: Yeah.
Peter Kilpe: I actually remember the day when you first came to my office, and you were looking at our newsletter and said, hey, Peter, this would make a great podcast.
Dave Bittner: Right.
Peter Kilpe: And here we are, 25 shows later, lots of newsletters, attracting some of the most influential people in cybersecurity. It's a really exciting time. The growth we've had over the years turned us into a profitable company. But we thought we had a lot more to offer, so we wanted to grow. We ended up starting that A round process, like you said, and one of the A-listers that we were looking at for this round was a company called Graham Holdings. They have been part of the journeys of many of the most iconic companies in audio, in media and in education. And we had a great conversation with them, and they were interested to invest in us, and they went back to their group to think about what they wanted to do. Came back to me and said, hey, we want to do this with you, but we have this other idea. And they ended up introducing me to Simone and sharing what her company did.
Peter Kilpe: I think what Graham saw was a path that we knew we were already on, which is news to knowledge. I think we started to realize early on as a company that people weren't just listening to the CyberWire for that situational awareness or to stay up on the news, but they were listening to learn. You know firsthand that people are coming to us all the time saying, oh, you helped me get that job, or, oh, you know, I - you know, I learned a lot about this new topic the other day, or I'm transitioning to cyber and you really helped me. Even some of the icons of our industry literally use us to help them do their jobs better, and they could see - Graham saw that we were on that path and introduced me to Simone, like I said, and we ended up having a really great, like, six-hour deep dive conversation...
Dave Bittner: (Laughter).
Peter Kilpe: ...And thought that this was going to work.
Dave Bittner: Well, let me get your perspective, Simone. You are there minding your own business, running CyberVista, a very successful company in its own right. You were not out and about shopping for merger opportunities, so how did this present itself to you?
Simone Petrella: Yeah, that's very true, and I want to echo my thanks, Dave. This is just such an exciting time to be part of this transition and this evolution of both of our companies and into N2K Networks. Yeah, I would say we're there minding our own business and running a cybersecurity training and education company. But one thing that we had always talked about in CyberVista's history was the challenge of bridging the gap between what do you do when you work with a company to train a workforce, upskill them into the role? And once they've kind of gotten those initial skills, a lot of the learning by definition is often on the job. It's through absorbing the current events and the threat landscape and staying up to date on what's happening on a constantly rotating basis. And so we've always been the purveyors and the providers of that evergreen, underlying knowledge.
Simone Petrella: And even in our own history, we have toyed around with trying to provide that kind of newsletter-like content as an after component of our training, and we learned the lesson very early on - that's an incredibly difficult thing to maintain. You can't both build high-quality content and delivery for training and then also be a news provider or an information intelligence provider at the same time. And so Graham Holdings, as our parent company from the get-go and a huge advocate for what we were doing in the space, they understood that from the very beginning. And I think, to echo Peter's point, having a background in education companies and having a background in media, I think they saw the power of what that combination could be.
Simone Petrella: And, you know, I'm sitting there minding my own business, and I get the call. You might want to talk to this Peter guy. Might go nowhere. It might be absolutely nothing, but it's at least worth an introduction. And let's see where it goes. And so I think that was kind of the beginning of, you know, what was this very long journey, including a six-hour meeting to kick it off.
Dave Bittner: Yeah. It's - just for our listeners, I mean, it's been months in the making behind the scenes and lots of interesting discussions and planning meetings and all that sort of thing. Peter, for our listeners, I'm sure some of them are thinking, what does this mean to me? How is this going to affect my relationship with the CyberWire? Is everything going to run as usual or are things going to change? What can they expect?
Peter Kilpe: Great question. I think the listeners and people who are users of the CyberWire today and CyberVista are going to get a whole lot more of what they're used to. This opportunity gives us the ability to invest in the CyberWire, to grow it, to invest in the learning tools and technologies that Simone's team is building. Good way to look at it is - Simone, as she takes the reins at the CyberWire, she's going to be going deep into cyber. She has an incredible background. She knows this industry not only from a workforce perspective but from an intelligence perspective, from a technical perspective. She's going to go deep, and we're going to make the CyberWire stronger than it ever has been before. That - the CyberWire brand will always be there. But we're also going to go long, and that's going to be my job, helping invest in the tools and technologies that will help take us into new markets, into new places and deliver the kinds of content that we're going to need for the future.
Dave Bittner: Simone, what are you excited about? What are you looking forward to?
Simone Petrella: I am so excited to get to think about, creatively, ways that we can invest in technology and our products in a way that augment each other. And we've had so many conversations over the last few months around once we hit the ground running, what can we do when we think about providing just in time knowledge with education? How do you start to combine audio elements with video and hands on? So I think there is an entire spectrum of modalities that we can really get creative with and innovate on that will really change the way people consume content at least today in the cybersecurity industry. I think we can bring it up to par with the way people are consuming and learning in a lot of other areas today.
Dave Bittner: All right. Well, interesting times to come, lots of exciting things around here. And thank you both for coming in and sharing your perspectives. Peter Kilpe and Simone Petrella, thanks so much for joining us.
Dave Bittner: And I'm pleased to welcome back to the show Andrea Little Limbago. She is senior vice president for research and analysis at Interos. Andrea, it is always great to welcome you back. I want to touch today - interesting element that affects policy, which is the scarcity of water. I mean, we're seeing with climate change, rivers are drying up, weather is all over the map, and turns out data centers need water.
Andrea Little Limbago: Yeah. You know, shocking - actually shocking to probably no one that works within the data center community at all.
Dave Bittner: (Laughter).
Andrea Little Limbago: But for people who may not have been paying as much attention and absolutely know that the impact of water scarcity and climate change on the human toll obviously is the utmost importance. But when looking at, you know, broader implications as well, one that average people really don't think about all that much - and I think many companies don't think about as much - is the impact of water scarcity on their data centers and exactly where their data centers are located. And I think that, you know, over the last several months, this issue has started to rise in prominence because we're starting to see an actual real-world impact. So it's moved from, you know, hypothetical to a reality where if you look at the London heat wave, both Google and Oracle had to shut down their data centers during the - you know, the unprecedented heat wave that went on there. And then just over, you know, towards the end of summer, early fall, we're seeing, you know, that with California's heat wave, Twitter had to shut down their data center in California.
Andrea Little Limbago: And so we're seeing the real-world consequences of the climate change and the heat waves causing these shutdowns. And what that then, you know, leads to - the natural progression on that is, well, to keep them up and running, to keep them cool, it requires hundreds of thousands of gallons, if not millions of gallons, depending on the size of the data center, to keep those data centers cool. And if they're in areas that are in - you know, have significant water scarcity, that's going to increasingly be a problem. And if they're in areas that are increasingly prone to these kind of heat waves and have water scarcity, that's - you know, that's just a perfect storm for really causing enormous disruptions across the global economy. And that - you know, data centers across the globe really are the - you know, the backbone of the digital economy. And so it's one of those things isn't just going to, you know, impact, you know, a company here and there. It's going to increasingly impact a broader range of companies across the globe.
Dave Bittner: And so what are the considerations here as organizations decide where to put their data centers? I mean, are they thinking we should put our new data centers somewhere where it's cold?
Andrea Little Limbago: I think those are the conversations that I think are - that are starting to happen now. And perhaps more of the forward-looking organizations have already been thinking about this a little bit. But, you know, what we can see - we just did an analysis just overlaying where data centers were in areas that are really at extreme risk of water scarcity over the, you know, next decade or so. Now, at least 15% are, you know, high to moderate risk right now across the globe. And that's a pretty substantial amount in extremely, you know, risky areas. And, you know, as companies start thinking about the impact of climate change, really, what they're - for the most part, they look at where the supply chain is, are there major companies in those areas that might be hit by, you know, hurricanes or forest fires or, you know, flooding.
Andrea Little Limbago: One areas that may not be getting as much reflection are, where are their data centers, and are their data centers going to be especially prone to these kind of activities? And so that's the kind of consideration that leadership across, you know, government and private sector need to really start thinking about, is where is their data? Where is it being stored? You know, the data centers, cloud infrastructure provide so much, you know, technological innovation. At the same time, it also can be a vulnerability if it's in these areas that are at really, you know, extreme risk. They just need to really start thinking about this as part of their broader strategy for their global footprint.
Dave Bittner: And how much of this comes down to, you know, unexpected change? I mean, in other words, if I'm building a data center in Dubai, I know it's going to be hot and I've built it to handle that from the outset. But it seems to me like some of what's going on here - like you say, in England, you know, they weren't expecting - you have unprecedented heat waves, and so they weren't engineered for this. The data centers weren't built to take this kind of heat.
Andrea Little Limbago: Right, and, you know, we're still seeing data centers popping up in Arizona, for instance, and - you know, relatively new ones. And - which makes me think that it still isn't as much of a consideration. It's - you know, it becomes areas where - you know, similar to everything I tell you. Are there good tax breaks? Are the - you know, is the government providing, you know, the labor and resources and, you know, whatever other kind of carrots to help incentivize a company to go there?
Dave Bittner: Maybe if you have solar and wind power, then that offsets the need for it to be cooler.
Andrea Little Limbago: Right, and that would be nice, but I - at least, I haven't seen much of that kind of discussion going on. It still really is, you know, getting into the - still moving to some areas that really are not looking like they'll be great providers of water in the foreseeable future. So they're - you know, I think it's - the risk calculus is still looking very short term versus, you know, medium to long term. And what we're seeing, though - I think this year has been unfortunately indicative of it - is that, you know, do these changes that we thought were farther down the road are starting to come now, and so what is considered far term is really becoming, you know, near and medium term, but that's...
Dave Bittner: Yeah.
Andrea Little Limbago: ...But are still treated as far away. So we haven't seen much like that. I will say, there are companies that are starting to acknowledge this challenge and are starting to look for innovative ways to cool data centers. And ideally, those kind of innovations can then transfer to dealing with water scarcity in a broader sense across the globe. There are some, you know, new research innovations starting to - you know, start to emerge to address this problem.
Dave Bittner: All right. Well, interesting stuff. Andrea Little Limbago, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.