Equifax decides to tell people it's been breached. Notes from the Intelligence and National Security Summit. WikiLeaks dumps missile guidance documents from Vault7. The ShadowBrokers are back, with a new offer.
Dave Bittner: [00:00:01:10] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:19] Equifax discloses a massive data breach it discovered on July 29th. Does that mean they're about a month delinquent? WikiLeaks' weekly Vault7 dump departs from past practice with respect to content. The ShadowBrokers are back, and offering a twice monthly twofer. And Intelligence Community leaders agree on at least three things: they need a better security clearance process, they need Section 702, and nowadays all intelligence involves cyber intelligence.
Dave Bittner: [00:00:46:06] Here's a quick note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science-fiction, and not even very plausible science fiction. But the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. They're here today, and E8's white paper, available at e8security.com/cyberwire can guide you through the big picture of these still-emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:41:18] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 8th, 2017.
Dave Bittner: [00:01:52:00] The big story in cybersecurity is yesterday's disclosure by Equifax, one of the big-three US credit bureaus, that it had sustained a data breach. And this breach is a big one: it affects 143 million individuals, mostly Americans, although data belonging to smaller numbers of citizens of some other countries, notably Canada and the United Kingdom, were also hit. It's known that the data was lost. Equifax disclosed that it had detected unauthorized access. So this isn't simply a case of, say, potential exposure of data inadvertently left out there on the Web. Someone came in and took it.
Dave Bittner: [00:02:29:14] Among the information lost are names, Social Security Account Numbers, dates of birth, and addresses. Large subsets of the affected individuals also lost credit card numbers, dispute documents, and driver's license numbers. You'd say that seems like about everything, but Equifax would differ. The company says in its statement that its core credit record databases were uncompromised. Those are records of things like late payments, bad debts, and so on. Most observers have found that cold comfort at best. The data lost are more than sufficient to commit all manner of fraud and identity theft.
Dave Bittner: [00:03:04:14] How the breach occurred remains publicly unknown, and Equifax has been close-mouthed about the details. But there's considerable speculation online that the hackers exploited a patchable but unpatched flaw in Equifax's website. The company says it noticed the breach on July 29th, and that it's called in a security company to help with remediation. They're also offering their identity protection and credit monitoring services free to affected individuals. Why affected individuals would sign up for such monitoring is unclear. Many journalists and security experts have looked into the proffered service and found it dodgy, hard-to-use, generally insecure, and probably an opportunity to be hit up for a paid renewal when the free offer expires.
Dave Bittner: [00:03:48:10] The company's response has struck most as tone-deaf. In most large-scale cyber incidents, there are varying degrees of sympathy for the victim and an acknowledgment of the victim's difficulties. Equifax is, as far as we can tell, getting none of this. The Twitter storm over the incident is massive and utterly unsympathetic. A great deal of this is Schadenfreude from those who have found themselves at some point in their lives caught up in the iron web of credit evaluation. A lot of it comes from security people who are aghast at the apparent degree of carelessness with personal data. And no one appears to think that a 49-day delay between discovery and disclosure is acceptable. It may be difficult for the credit-rating industry as a whole to continue in its present form.
Dave Bittner: [00:04:33:15] Equifax stock is down about 13% today, but there are a few things to point out. First, it's not necessarily the company's customers who are being hurt. It's the consumers those customers are paying Equifax to rate. Second, three senior Equifax executives sold significant blocks of their shares in the company between July 29th and yesterday. The company has said none of the three, they included the CFO, knew about the breach when they sold, and that anyway they didn't sell all the shares they owned.
Dave Bittner: [00:05:05:20] There will be as many if not more lessons to be learned from this episode as a case study in incident response as there will from the forensic post-mortem itself. Further exploitation may already be in progress. We've seen creditable but unconfirmed reports that an extortion threat has been made online to Equifax.
Dave Bittner: [00:05:26:24] The annual Intelligence and National Security Summit, sponsored jointly by INSA and AFCEA, concluded yesterday in Washington, DC. You'll find our continuing coverage of the Summit on our Website, thecyberwire.com. But here we'll mention three themes that came across very clearly to us at the conference.
Dave Bittner: [00:05:45:23] First, the US Intelligence Community and its stakeholders find themselves in general agreement that a new approach to talent management is necessary, that what Marine Corps Major General Groen, of the Joint Staff's J2, called an "industrial age" approach to the workforce is no longer adequate to current realities. And it's likely to grow even less adequate over time. People with essential expertise, both linguists and cybersecurity professionals were repeatedly singled out for mention, need to have career paths designed that will challenge, develop, and retain them.
Dave Bittner: [00:06:21:01] And there was as close to complete and universal agreement as we've ever seen that one aspect of the legacy approach to talent management, the security clearance process, is irretrievably broken. How it could be fixed remains unclear, but fixed it must be, senior Intelligence Community leaders agreed. They advocated in a general way two lines of reform that might be pursued: moving away from the current practice of regular re-examinations in favor of some form of continuous evaluation, and moving toward a serious risk management approach to personnel security.
Dave Bittner: [00:06:55:02] Second, the US intelligence executives who spoke were unanimous in their support of Section 702 reauthorization. This section of the Foreign Intelligence Surveillance Act authorizes the Intelligence Community to target the communications of non-US persons located outside the United States for foreign intelligence purposes. They thought that without Section 702 authority, their ability to accomplish their mission would, given current global communication realities, essentially vanish. All were at pains to stress the multiple layers of oversight designed to shield US citizens' privacy from 702 surveillance. Representative Schiff and Senator Warner, ranking members respectively of the House and Senate Intelligence Committees, both said in their remarks that they thought Congressional reauthorization of Section 702 was likely.
Dave Bittner: [00:07:46:03] And the third point was obvious on reflection, although it could easily have been lost by the routine way in which it was treated. All intelligence is now, effectively, cyber intelligence. None of the traditional intelligence disciplines, not even IMINT - imagery intelligence, mostly photos taken from aircraft or satellites - or HUMINT - human intelligence, the traditional spycraft of recruiting and running agents, among other practices - are conducted entirely outside of cyberspace any longer.
Dave Bittner: [00:08:16:05] As usual, WikiLeaks offered another dump from Vault7 yesterday. It involved no cyber tools, but rather a missile control system. Two things are worth remarking on the dump. First, the classification level of the leaks appears to be dropping. No juicy, highly-compartmented stuff here. And second, WikiLeaks had adopted a kind of Tribune-of-the-people stance with its earlier dumps: see how we take your side against the overweening surveillance of the Deep State, and so on. But that fig leaf seems to have dropped, at least this time. A combat system is tough to cover with a fig leaf of civil libertarian concern.
Dave Bittner: [00:08:54:02] And the ShadowBrokers are back, too. Have you missed them as much as we have? This time it's with an announcement: they now plan to move from one exploit dump per month to two of them.The twofer offer gamely maintains the Brokers' pose of selling stuff to make some coin at the Equation Group's expense. They're in it for the money, don't you see? As they say, "If you be paying, the ShadowBrokers be playing!" Don't be playing, kids. Or paying, either. Just say, "No."
Dave Bittner: [00:09:28:24] And now a message from our sponsor, ThreatConnect, that we're sure you'll find interesting. Security analysts make decisions every day that can save, impede, or even wreck an entire organization. If they're going to win against the fast-moving, shifting threats in the wild, they need to be able to inform their analysis with threat intelligence, and use it to orchestrate their security controls. ThreatConnect's Andy Pendergast and the Enterprise Strategy Group's Jon Oltsik, are two experts who will help you get your team ready to do just that. And they'll share their insight in a free webinar on September 14th. You can register at threatconnect.com/webinar. They'll explain how you can organize and inform your teams to put them inside the opposition's decision cycle for good. Go to threatconnect.com/webinar and reserve your place. Remember, that's 1:00 PM Eastern Time on September 14th, and we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:10:28:02] Joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. Emily, we've seen some stories lately coming out of the UK, where, after some terrorist attacks, some of the politicians there have been saying perhaps we need to dial back encryption. And this has lead to people saying, "No, that'll just drive people underground onto the dark web."
Emily Wilson: [00:10:48:16] Yeah. I think there are two interesting points on that, one of them is that it comes around, time and again, every time something pops up, you know, a terrorist attack, for example, where technology of some kind was involved, which is basically anything at this point. People were communicating about their plans. It's really easy for people to say, "Oh, we should end encryption." In the same way, people pop up and say, "Oh," you know, "We should have back doors, but only for law enforcement." It is overly simplistic in a way that I struggle to articulate clearly, because I get so frustrated, because it is entirely unreasonable to say that we need to end encryption because that would solve our problems. Sure. Okay. Great.
Dave Bittner: [00:11:32:14] I think some people are making the case to not end it, but maybe just weaken it. Is there a difference? Is that a distinction without a difference?
Emily Wilson: [00:11:39:03] I think it's a distinction without a difference. I think you say we'll weaken it, I think you say we will only use it for these purposes. You say everything is going to be above board, and that's fine. And I think that is an unrealistic situation, and I think, I think anyone who believes that could work probably hasn't thought it through all the way. If you make it easier for some people to be able to access encrypted messaging, then you are just giving everyone else a good foothold to push through further.
Dave Bittner: [00:12:07:19] Do you think there's anything to this notion, that it'll drive people to the dark web?
Emily Wilson: [00:12:11:12] I wouldn't be surprised. I think people are always going to be looking for a way to communicate or interact securely or privately, and I think, you know, there's a whole separate discussion about the difference between security and privacy. But the more time that passes, the more people have in expectation of being able to conduct their business without being interfered with, perfectly legitimate business, whether this is messaging, or browsing, or what have you. And I think people are going to start looking for what previously were thought to be more extreme measures, and I don't think the dark web has to be an extreme thing, you know. If you use Tor Browser, it doesn't make you a, it doesn't make you a criminal. It doesn't mean you're doing anything wrong, it just means you want to be able to browse anonymously. I think people are going to increasingly find that appealing.
Dave Bittner: [00:12:59:22] Emily Wilson, thanks for joining us.
Dave Bittner: [00:13:05:23] Now, a word about our sponsor, the upcoming Cyber Security Conference for Executives. The Johns Hopkins University Information Security Institute and Compass Cyber Security will host the event on Tuesday, September 19th in Baltimore, Maryland, on the Johns Hopkins Homewood campus. The theme this year is emerging global cyber threats, and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at thecyberwire.com/jhucompass. Learn more about the current and emerging cyber security threats to organizations, and how executives can better protect their enterprise's data. Speakers include cyber lawyer Howard Feldman, IOT Engineering Expert Dr. Kevin Kornegay, and Healthcare Data Security Thought Leader, Robert Wood. You can find out more at thecyberwire.com/juhcompass. And we thank the Cyber Security Conference for Executives for sponsoring our show.
Dave Bittner: [00:14:11:07] My guest today is Alexander Klimburg. He's the author of the book, The Darkening Web: the War for Cyberspace. Mr. Klimburg is a program director at the Hague Center for Strategic Studies, a non-resident senior fellow at the Atlantic Council, and an associate and former fellow at the Belfer Center of the Harvard Kennedy School.
Dave Bittner: [00:14:30:20] In our conversation, I asked him about the notion of a cyber Pearl Harbor, or a cyber 9/11.
Alexander Klimburg: [00:14:37:03] Those terms have become totem poles for those who subscribe all catastrophic scenarios, catastrophe scenarios, only those who have invested interest in gaining something from them financially. In other words, everyone who talks about cyber 911, cyber Pearl Harbor, are selling cyber products. That, unfortunately, of course, a lot of that is true. A lot of people have been getting a lot of money from selling products, and have been gaining a lot from what we call InfoSec world, "Fear, uncertainty, doubt."
Alexander Klimburg: [00:15:08:07] At the same time, it doesn't mean that the scare stories aren't true as well. And this has been the problem for me, I think, that we as a community, so the hacker community, InfoSec community, which I am part of, I think does not address sufficiently. It's a certain amount of honesty when we talk about what really can go wrong. In the close groups that I'm part of, we all know that it's completely possible. But a lot of people who are a part of these working groups won't say so publicly, because they don't want to be accused of fear-mongering. And I find that's really a problem.
Alexander Klimburg: [00:15:41:19] The problem is is that a lot of people who work in InfoSec, and especially who are engineers, don't feel that it's their job to communicate certain fundamental truths to the wider public, such as, "There is no such thing as complete security." Right? Everybody who works in InfoSec knows that. And sometimes, they find that it's not their job to communicate such a simple truth and therefore, since they can't communicate that truth, they're not going to communicate the wider truth with, "Well, yes, of course it's possible to take down the entire United States, and plunge us either back into the 1920s or the Iron Age, depending on exactly how gloomy your scenario is." It's absolutely possible.
Alexander Klimburg: [00:16:16:13] But they, at the same time, also fear that anybody who comes up, they is a wide approximation, but it's been a common point of departure that many InfoSec professionals would prefer not to talk about these fear scenarios, because they thought that it always would only advance the interests of those who have a security product to sell, an organization to build, or something similar. So, that's the first part. The first part is that, yes, I do think a lot of these things are a lot more possible than have been described by other technologists in public. I think it is absolutely possible for an advanced cyber power to conflict debilitating damage on the United States, absolutely. And I also think that it's much more likely to occur than nuclear war. But it still means very unlikely to occur, right? Someone has to keep these things in context.
Alexander Klimburg: [00:17:04:20] When I talk about a full-out cybergeddon, you know, an all-out cyber war, I think it's quite unlikely. But the repercussions are still pretty dramatic, and I think it's important, technically, that we are aware of what the repercussions could be.
Alexander Klimburg: [00:17:18:22] The second point we raised, the capability issue. Now, I think sometimes people get this wrong as well, is that there's a nice idea out that we've been floating since the 1990s that the individual can take down a state. It's not really true. It was more true beforehand, and now it's really hardly true anymore, simply because one way to see it is an individual can perhaps disrupt the power supply in a localized area, and maybe a couple of individuals, or a terrorist network, might even manage to shut down the power grid, let's say, in one of the three US power distribution grid territories. Right? But only for a little bit, and it wouldn't be for-- probably only for a little bit, and probably only in a reversible way, so it wouldn't be permanent damage.
Alexander Klimburg: [00:18:04:09] But what a fully-funded, tier-six capability actor, Russia, China, the UK, Israel, what those actors could do is a whole different level of damage. And that, I think, a non-state actor group would have, would have to be very focused to accomplish that level of intelligence, skills, and penetration to be able to cause that level of damage. So, when we talk about the fact that yes, a lot of different countries are not just going to play in this space, it's important to say that many people can play in this space, yes. Some of these can also be non-state actors, and some of these can be even individuals. But where we used to be 20 years ago, 30 years ago, and thinking that one person can really shut down a country, I don't think that's the case, if it ever was. I also think that we can basically say that the top-rated cyber powers are mostly states.
Alexander Klimburg: [00:18:57:21] So, I think it's fundamentally just important to keep in mind, is that there are top-level security and cyber actors out there, and they will use less-empowered actors, cyber crime in particular, to accomplish their mission. But there's a big difference between, like, what the US can do, what Russia can do, and what China can do. And by the way, it's in that order.
Dave Bittner: [00:19:16:19] You make the point in the book that those of us who are in the cyber security business need to do a better job making our case to the general public.
Alexander Klimburg: [00:19:25:03] Number one is just that we need to work on our messaging better. We need to effectively explain how big the threat is, and the threat is not only of the lights going out. There will be a massive cyber war of some sort that will destroy the critical infrastructure. Although that thing is possible, we need to make sure that people understand that it's possible, so that we can avoid it by accidents occurring between states.
Alexander Klimburg: [00:19:49:10] It's also important that we understand that there's a scenario where the lights never go out, that we enter this panopticon-type situation of total controlled information domain. The internet that we know today will be fundamentally weakened by the influence of states, by trying to control the internet, which is consistent, ongoing, has been going on since the '90s and only increasing in scope. And if states, all states, manage to get a controlling interest of how the internet is conceived, then we've surrendered effectively the entire information domain to the control of governments. There's no room for free speech in a world like that. And in that case, also, I don't see how democracy could even survive.
Alexander Klimburg: [00:20:28:15] So, for everyone who has a professional interest in cyberspace, they really have to be a bit more aware of what the larger picture is, of what we work on today, and how this information domain really plays an important role in our day-to-day lives, not only in how we earn our livelihoods, but also how our children will actually live.
Dave Bittner: [00:20:46:11] That's Alexander Klimburg. The book is The Darkening Web: the War for Cyberspace.
Dave Bittner: [00:20:56:13] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out cylance.com.
Dave Bittner: [00:21:09:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend. Thanks for listening.