FSB got NSA with an assist (witting or unwitting) from Kaspersky? Germany calls off mass surveillance investigation. Reality Winner stays in jail.
Dave Bittner: [00:00:00:24] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:13:13] More on what happened with NSA material at, allegedly, Russian hands. Kaspersky security software is alleged to have been exploited for intelligence service reconnaissance of a contractor's machine. Germany cancels a post-Snowden surveillance investigation. A conversation with Timothy H. Edgar about his book "Beyond Snowden: Privacy, Mass Surveillance And The Struggle To Reform The NSA." And Reality Winner will not be released on bail.
Dave Bittner: [00:00:45:12] A brief note about our sponsor E8 Security. We've all heard a lot about Artificial Intelligence and Machine Learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science fiction, and not even very plausible science fiction. But the Artificial Intelligence and Machine Learning E8 is talking about aren't science fiction at all, and they're here today. E8's white paper, available at e8security.com/cyberwire, can guide you through the big picture of these still emerging, but already proven technologies. We all need to turn data into understanding and information into meaning. AI and Machine Learning can help you do that. See what they can do for you at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:41:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, October 6th, 2017.
Dave Bittner: [00:01:51:16] On Thursday, the Wall Street Journal reported that Russian hackers obtained highly sensitive material from the US National Security Agency. The material is said to be related to both network attack and network defense. It was obtained from a machine belonging to a contractor on which the sensitive information had been placed. It's not known who the contractor was, or for which company he or she worked.
Dave Bittner: [00:02:15:13] As we saw yesterday, the story as it's known so far indicates that the contractor's machine had Kaspersky security products installed. Kaspersky software has the reputation of conducting very thorough scans of the machines it protects. The company touts this as a feature, not a bug, something that enables its products to provide better protection against novel threats. Eugene Kaspersky put it this way in a recent blog, "We aggressively protect our users and we’re proud of it."
Dave Bittner: [00:02:43:23] The breach is said to have occurred in 2015, but wasn't discovered until spring of 2016. NSA veterans say off the record that they're not surprised by the latest incident, and some researchers are beginning, tentatively, to "connect the dots," perhaps seeing early signs of an explanation of the ShadowBrokers leaks, which began a few weeks after NSA discovered the compromise. Late last year, the Washington Post reported that there was another, unknown leaker - a third man, after Snowden the first and Martin the alleged second - and the Post has indicated that this latest revelation is that third man.
Dave Bittner: [00:03:19:08] Kaspersky has been under a cloud within the US Government for the better part of the year. The cloud appeared this spring with FBI discussions about the possible risks the Russian software maker posed. And it boiled up into a storm when the Department of Homeland Security issued Binding Operational Directive 17-01 on the 13th of September. That directive, as DHS described it in their announcement, "calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days. To develop detailed plans to remove and discontinue present and future use of the products in the next 60 days. And at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems."
Dave Bittner: [00:04:08:10] Kaspersky and the company's defenders have asked for evidence. And the Kaspersky line has been that the company is an innocent victim caught in the ongoing diplomatic crossfire between Washington and Moscow. But even such open-source grounds have seemed to the Government, and to many observers, sufficient grounds for prudent suspicion. The latest development suggests there are indeed other, very specific grounds for suspicion of Kaspersky Lab and its products.
Dave Bittner: [00:04:34:22] Kaspersky researchers, coincidentally or not, delivered a major paper on the difficulties of attribution this week. It focused on the way false flag operations are carried out by intelligence services.
Dave Bittner: [00:04:47:21] Russian semi-official media see the outcry against Kaspersky as a case of Western security services carrying water for Kaspersky's non-Russian competitors. Ars Technica wrote today that whatever the outcome of the investigation may be, "the accusations almost certainly mean the end of Kaspersky as we know it."
Dave Bittner: [00:05:07:21] Kaspersky has long maintained its innocence of nefarious cooperation with the Russians, and Eugene Kaspersky blogged his outrage at the US Congress having canceled his opportunity to clear his company's name by testifying on Capitol Hill. That cancellation came before these latest revelations. It's possible Kaspersky products may have been subverted without the company's knowledge, and some of the initial reactions to this latest story seem to credit that explanation. As we've noted, Kaspersky products do scan aggressively as part of the protection they're designed to provide. In this latest NSA case, that protection may have been exploited as, in effect, reconnaissance for the Russian FSB, showing them where the good stuff was to be found.
Dave Bittner: [00:05:50:02] German authorities have dropped their post-Snowden investigation of alleged GCHQ and NSA surveillance of German targets, including Chancellor Merkel's phone. We've also noticed an uptick in German security firms touting their "made in Germany" credentials, with not a few of them pointedly adding, "unlike Kaspersky."
Dave Bittner: [00:06:12:00] Turning to some other breach news, Forbes reports that, in addition to its problem with inadvertently exposed data, Deloitte also had some employees successfully catphished by Iranian operators using a bogus Facebook page. The Iranian catphishing seems to be unconnected with the data exposure.
Dave Bittner: [00:06:29:15] And finally, that other accused NSA leaker, Reality Winner, is going to remain in jail as she awaits trial. U.S. Magistrate Judge Brian K. Epps said, in his ruling denying her bail, "By her own words and actions, Winner has painted a disturbing self-portrait of an American with years of National Service and access to classified information who hates the United States and desires to damage national security on the same scale as Julian Assange and Edward Snowden."
Dave Bittner: [00:07:03:16] Now I'd like to tell you about a new infographic from our sponsor Delta Risk. Delta Risk is a National Cybersecurity Awareness Month Champion. As we kick off NCSAM, they put together a handy 31 day cybersecurity calendar full of tips to help the public protect themselves and their communities online. Throughout the month of October, Delta Risk will post additional infographics and blogs that address weekly NCSAM themes, to educate and spread awareness around important cybersecurity topics. You can view the infographic by visiting deltarisk.com/31days-infographic. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And again, that link for the infographic is deltarisk.com/31days-infographic. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:08:08:23] And joining me once again is Professor Awais Rashid. He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Welcome back. We wanted to talk today about cybersecurity issues in supply chains.
Awais Rashid: [00:08:22:19] Thank you for having me back. The key thing that I wanted to raise was that we often think of cybersecurity in the context of an organization that we want to protect, but many threats actually arise from the supply chain itself. For example, think of an organization with critical national infrastructure. It will have many complex supply chains with a number of other parties providing software and hardware components and third-party services; there will be distributors involved, there will be transporters involved, engineers and third-party staff coming on site. And all that creates a much more complex environment than we normally think of as cybersecurity within the confines of a single organization. The challenge comes in that we normally focus our efforts on protecting the network and the infrastructure and the information of the organization in question, which is of course very important. But not enough attention is often paid to the threats that arise from the supply chain. And we have seen various examples where threats arising in the supply chain then actually end up impacting the organization under consideration.
Awais Rashid: [00:09:40:13] How do we deal with this kind of issue? I think the key thing has to be to think of the supply chain as a socio-technical ecosystem that includes technologies, but a multitude of organizations as well. And all the cybersecurity practices of the various actors within the supply chain then have an impact on the overall security and resilience of the whole supply chain itself.
Dave Bittner: [00:10:06:15] And in terms of an organization budgeting for these sorts of things, I guess it's really a matter of having to look outside of your own organization and make sure that you have the resources to be able to properly vet everyone in your supply chain, yes?
Awais Rashid: [00:10:21:09] Yes, I think it's a resourcing question, but also it's a risk thinking question. So, at a strategic level, when decisions are being made about particular organizations coming in as part of the supply chain to your organization, you have to ask the question, not only just what kind of security certification or compliances do they have. For example, things like ISO 27001. But what are their actual security practices, and would those security practices have an impact on your organization? So let's take Stuxnet as an example of this. We've actually been looking at this in collaboration with a company in the UK called Latitude, and we've been looking at how the supply chain issues arise in critical infrastructure. And if you look at Stuxnet as an example, the worm spread through potentially infected USBs or machines being carried into the nuclear power plant by third-party engineers. That's the kind of threat that arises, and the kind of practices of organizations in the supply chain have an impact on what happens to you.
Dave Bittner: [00:11:26:08] Interesting stuff to look out for. Awais Rashid, thanks for joining us.
Dave Bittner: [00:11:33:01] I'd like to take a break and tell you about an exciting CyberWire event happening in a few weeks. The Fourth Annual Women In Cybersecurity Reception. It's taking place October 17th at the Columbus Center on the beautiful waterfront in downtown Baltimore. The Women In Cybersecurity Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region, and women at varying points in their career spectrum. The Reception also provides a forum for women seeking cybersecurity careers, to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event, it's just about creating connections.
Dave Bittner: [00:12:17:15] This year, we're pleased again to be partnering with the great people over at the Cybersecurity Association of Maryland, CAMY. We're grateful to our sponsors CenturyLink, Cylance, Exelon, E8, IBM, LookingGlass Cyber, Booz Allen Hamilton, ClearedJobs.Net and CyberSecJobs, CyberPoint International, Defense Point Security, Delta Risk and Creatrix.
Dave Bittner: [00:12:39:14] If your company is interested in supporting this important event, we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place, to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this is invitation only. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request an invitation at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you.
Dave Bittner: [00:13:25:09] My guest today is Timothy H. Edgar. He's the Academic Director at Brown University's Executive Cybersecurity Program, and author of the book, "Beyond Snowden: Privacy, Mass Surveillance And The Struggle To Reform The NSA." Mr. Edgar was a civil rights lawyer with the ACLU, and then a civil liberties protection officer for the Director of National Intelligence under Presidents Bush and Obama.
Timothy H. Edgar: [00:13:49:00] To say it was a culture shock would be a bit of an understatement. When I went into the government, it was at the end of the George W. Bush administration, really the middle of the second term, and at that time there was enormous tension between the National Security establishment and the privacy and civil liberties community. There was always some tension, but this was really a time when the government was seen as overreaching in its surveillance programs and its counter-terrorism programs. But there was an opportunity there to make a difference by going to a new office, a privacy office, inside the head of the intelligence community. That's the Director of National Intelligence. And so I kind of took a big gulp and decided to make that leap and go inside.
Timothy H. Edgar: [00:14:38:05] And I still remember some of the shocked expressions on some people's faces when they asked me where I had worked and, you know, they were expecting to hear, "Oh, I was at the FBI." Or, "I was at the CIA." Or, "I was at the NSA," which is what most of my colleagues would have said. I said, "Well, I was at the ACLU and we were actually fighting you guys on a number of these programs and now I'm here to see how they work in detail and see if I can suggest any kinds of safeguards or improvements in these NSA surveillance programs, and other collection programs, to protect privacy better."
Dave Bittner: [00:15:12:19] There's a point you make in the book about the overall professionalism of people inside the NSA. That they take their work very seriously and they take the rule of law very seriously. I think that's a part of the story that not many people hear much about.
Timothy H. Edgar: [00:15:28:00] I think that's right. And one reason I wrote the book is to provide people with a glimpse inside both camps, and to understand that it's possible to have very dedicated intelligence professionals doing their job, and largely adhering to the law, and still have a massive problem when it comes to privacy and mass surveillance. And it's because of the law being out of date. And because of the pressure that's put on an intelligence community to always get all the data that policymakers want to stop every terrorist attack, to get every valuable piece of intelligence from overseas. And you put people in that position and this is somewhat inevitable. And one of the things I give a lot of credit to Edward Snowden for in the book, and he's not a popular figure among my former colleagues in the intelligence community, but I give him a lot of credit for opening up that conversation, so that we can actually reform some of these programs. And we have in the past four years adopted major reforms as a result of the Snowden revelations. I don't think they go far enough, but we have had an opportunity to talk about privacy rights for foreigners. We've never done that before.
Timothy H. Edgar: [00:16:49:09] To talk about a much more transparent way of dealing with documents like opinions from the Foreign Intelligence Surveillance Court, we've released a lot of those. And we've reformed some of our domestic bulk collection programs. Congress had a debate about that in 2015. Transparency really helps to square that circle, so that the dedicated intelligence professionals that are working for the NSA and these other agencies, can do their job under the law, but those laws can actually protect our privacy better than they do now.
Dave Bittner: [00:17:23:21] What do you hope people take away from the book?
Timothy H. Edgar: [00:17:26:15] Well, I hope they understand that although we have built these massive mass surveillance programs, we are not stuck with either throwing up our hands and accepting that loss of privacy, or just dismantling them all and deciding that that's the price of a free society. That we can have a system of surveillance that protects privacy. But that in order to do that, we really need to seriously overhaul the way in which we do oversight of these intelligence programs, the checks and balances we have for them, the laws that apply to them. And we did this before back in the 1970s, but now it's 2017 and we need to do it again, and we need to do it in a way that reflects our mass surveillance age, our digital age and especially our global age, and that's going to need doing a lot of things a little bit differently.
Timothy H. Edgar: [00:18:25:14] So I've laid out a specific set of recommendations for reform. But I think beyond that specific changes we can make, the main point is a hopeful one. The main message is a message that says we actually can reform these surveillance programs, in order to make them more protective of privacy. We've done it in the past. We have started to do it, because of the Snowden revelations, but we've got a lot more work to do.
Dave Bittner: [00:18:49:00] That's author Timothy H. Edgar. The book is "Beyond Snowden: Privacy, Mass Surveillance And The Struggle To Reform The NSA."
Dave Bittner: [00:19:02:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of Artificial Intelligence, check out cylance.com.
Dave Bittner: [00:19:15:00] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend. Thanks for listening.