Russia does the info ops dance. An indictment of a Lazarus Groupie. FOIA shares too much. British Airways breaches. Silence makes some noise. Notes from the Billington Cybersecurity Summit.
Dave Bittner: [00:00:03] Russia says it had nothing - nothing - to do with the Salisbury nerve agent attacks, but no one really seems to be buying the denial. The U.S. indicts a North Korean hacker in matters pertaining to the Lazarus Group. British Airways sustains a data breach. The Silence gang makes some noise in the underworld. We've got notes from yesterday's Billington CyberSecurity Summit. And Twitter bans a grandstander for life.
Dave Bittner: [00:00:36] Now I'd like to share some words about our sponsor, FireEye. They're hosting their annual Cyber Defense Summit in Washington, D.C., from October 1 through October 4. The first two days are devoted to introductory, intermediate and advanced training. It's hands-on, small group and interactive, and it's going to be conducted by some of the best in the business, FireEye's experienced cybersecurity experts. Check out the list of courses at summit.fireeye.com. But, of course, there's more, and you won't want to miss that, either. The 64th U.S. Secretary of State Madeleine K. Albright will be there to deliver the guest keynote. Her topic - economy and security in the 21st century. And former Home Depot CEO Frank Blake will share what he learned from his company's 2014 data breach. Don't miss it. To learn more and to register, go to summit.fireeye.com. That's summit.fireeye.com. And we thank FireEye for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 7, 2018.
Dave Bittner: [00:01:52] Russian authorities responded to British accusations before the U.N. that the GRU carried out an attempted assassination in England by doubling down on increasingly implausible denial and counter-accusation. The Moscow Times reports that Ambassador Vasily Nebenzya said of the Skripal incident that, quote, "we take it very seriously, and we have been asking for cooperation from the U.K. authorities from day one," end quote. - as if the aggrieved party here is Russia and no one else.
Dave Bittner: [00:02:25] The information operation may be wearing thin, but it would probably be a mistake to regard the apparent recklessness of the GRU operation as evidence that Moscow's hoods are stumble bums. The brutal directness of the attack carries a message of its own. The U.K., and in all probability, its closest allies, are preparing to strike back in cyberspace. It's all lies, says Moscow. But the U.S., France, Germany and Canada, at least, are all in full official agreement that Putin done it.
Dave Bittner: [00:02:57] One clarification - Mr. Nebenzya did tell the press that, quote, "there is no GRU, by the way. I forgot to tell the U.K. ambassador. It was renamed to the Chief Directorate of the General Staff. It's no GRU anymore," end quote. The proper acronym would be GU, that is Chief Directorate as opposed to Chief Reconnaissance Directorate. People reporting on Russia know this, but most of them have preferred to hold onto the former letters, not only for familiarity but for the three-letter genre common to many intelligence services like SVR, FSB and so on. So pedantically noted, but we're going to keep saying GRU. The name change barely amounts to a rebranding. We'll continue to say we're going to Dunkin' Donuts even after they rename themselves Dunkin'. It's the same reliable product.
Dave Bittner: [00:03:53] Some observers think the GRU - yes, we'll say it again - is becoming an embarrassment for Russian President Putin. Disdainful accounts of the GRU officers’ carefree wanderings in front of British surveillance cameras by U.K. authorities have fed this line. Other observers aren't so sure and think it means instead that the GRU has become Mr. Putin's preferred tool for instilling shock and fear. The second alternative seems likelier.
Dave Bittner: [00:04:21] GRU operations have attracted international attention, while those of the KGB heirs SVR and FSB have been much less obtrusive. The GRU has certainly become the noisy one of the trio. Fancy Bear is often in the headlines, but Cozy Bear usually is not - and when Cozy is, it's usually by association with Fancy. The GRU's motto may be the greatness of the motherland in your glorious deeds, but oderint dum metuant - let them hate us as long as they fear us - might be better. And we'd be willing to bet that when Mr. Putin is among friends, he calls them GRU just like us.
Dave Bittner: [00:05:04] The U.S. indicted a North Korean hacker yesterday in conjunction with Lazarus Group attacks on Sony and the Bangladesh Bank and also in connection with WannaCry. Park Jin Hyok worked for Chosun Expo Joint Venture, a reconnaissance General Bureau front with offices in both North Korea and China. This marks the first indictment of a named North Korean for state-sponsored hacking offences. Now agents of each of the familiar four - Russia, China, Iran and North Korea - are under U.S. indictment. It's unlikely that any of them, of course, will appear in a U.S. court, but the indictments are part of the naming and shaming process. Of these regimes, at least three of them seem pretty shameless. On occasion, Beijing looks a little red-faced.
Dave Bittner: [00:05:52] There are other red faces elsewhere for reasons having to do with carelessness over data. Foya.gov, an information site administered by the U.S. Environmental Protection Agency, inadvertently exposed enquirers' personal information. This issue was a self-inflicted misconfiguration, not a hack.
Dave Bittner: [00:06:13] British Airways has reported a data breach - 380,000 sets of payment details were obtained by criminals who hacked into the airline's data.
Dave Bittner: [00:06:24] Group-IB is tracking an underworld development. The small, two-person but scrappy gang called Silence is giving the Cobalt group a run for its ill-gotten money in the ATM jackpotting field.
Dave Bittner: [00:06:38] The 9th Annual Billington CyberSecurity Summit was held yesterday in Washington, well-attended by roughly a thousand registered participants. The theme was partnership and partnership's place in strengthening cyberdefenses. A number of senior U.S. federal IT and cybersecurity executives presented overviews of their agency's priorities. There was a general consensus that cybersecurity increasingly pervades everything their enterprises do, but that everyone needs to do more security by design. That legacy systems remain a field of vulnerabilities and that their modernization and replacement represents an opportunity to improve security, and that the government competes for cyber talent at a disadvantage and must look for creative ways of attracting people into federal service.
Dave Bittner: [00:07:25] There's a more nuanced approach to cyber deterrence emerging in both British and American official thinking. It must become, several speakers said, more graduated and proportionate than the mutual-assured destruction of the Cold War's nuclear deterrence regime. Mark Sayers, deputy director for national security strategy at the U.K. Cabinet Office, pointed out that there are a great many different actors with many different motivations, and they operate against an expansive attack surface, so cyber requires agility and nuance. Consensus among the speakers was that retaliation must be calibrated to the threat. Lawfare remains very much a part of that complex deterrent. A number of speakers expressed satisfaction at the U.S. indictment of a North Korean Lazarus groupie.
Dave Bittner: [00:08:15] Senior representatives of the intelligence community wanted everyone to understand very clearly that they were fully committed to securing the upcoming U.S. elections. General Nakasone was particularly direct. He closed his keynote by saying, there is no higher priority for U.S. Cyber Command and NSA than the security of the midterm elections.
Dave Bittner: [008:36] And recent proposals that companies be permitted or even encouraged to hack back at their tormentors in cyberspace - nobody on either side of the Atlantic seemed to like that idea very much. So if you're among those who've yearned for privateering in cyberspace, you may have to wait a bit for your letter of marque and reprisal. But if those privateers eventually do sail, we're betting they'll home port in Baltimore, just as they did in 1812.
Dave Bittner: [00:09:04] And finally, Infowars' Alex Jones, best known for his repellent theory that the parents of children murdered at Sandy Hook Elementary School were faking it for political reasons, was last seen vigorously tugging on Superman's cape as he vamped for the camera in the background during testimony by Twitter's CEO, Jack Dorsey, before the Senate Wednesday. Mr. Jones got his wish yesterday. Twitter just banned him for life.
Dave Bittner: [00:09:36] I'd like to take a moment to tell you about an exciting CyberWire event. It's the 5th Annual Women in Cyber Security Reception. It takes place October 18 at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region, and women at varying points in their careers. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event - it's just about creating connections.
Dave Bittner: [00:10:22] We're grateful to our sponsors. We mentioned some of them yesterday. Here's a few more. Our art sponsor is ZeroFOX. Our silver sponsors include Delta Risk, SecureStrux, CyberSecJobs, Symantec, Lewis, Talos and Revolutionary Security. Our women-owned spotlight sponsor is Edwards Performance Systems and Shared Assessments. Our nonprofit supporters are Code Like A Girl and DreamPort. If your company is interested in supporting this important event, we still have a limited number of sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this is an invitation-only event. We do this as a way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you, and we hope to see you there.
Dave Bittner: [00:11:38] And joining me once again is Dr. Charles Clancy. He's the executive director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. Saw some news recently about the state of Virginia - in their annual budget, they included $25 million for a Virginia Tech-led Commonwealth Cyber Initiative that you all at Virginia Tech are going to be a key part of. Can you sort of walk us through this? What's the - what does the state of Virginia see that they think this is a good place to invest their money?
Charles Clancy: [00:12:11] Well, there's two major things that the Commonwealth is looking to accomplish with this investment. First is the workforce gap. I know we've talked about this on prior shows in the past. There is a total of 43,000 open jobs in the Washington, D.C., metro region in cybersecurity. And the Commonwealth is looking for how they can make some targeted investments in university programs that will shrink that gap by increasing the pipeline of students coming out of universities. And it's not just coming out of four-year degrees or coming out of master's programs.
Charles Clancy: [00:12:45] It's really a whole pipeline, so looking at K-12, how those students go into either community college or four-year degrees and from there, post-baccalaureate training, master's programs, advanced degrees and professional certifications, which are obviously critical to the workforce in this area. So figuring out how to map that pipeline, identify the hot spots and the bottlenecks to really make sure that we're producing as many people as possible is sort of the first objective of the overall initiative.
Charles Clancy: [00:13:13] The second objective is around innovation. So if you look at the Washington, D.C., cyber economy, it's heavily driven by government services contracts, for the most part. We're not selling software licenses in this region. We're selling man-hours of labor on government contracts. And that provides for a stable economy, but it doesn't provide an economy with a lot of upside potential and a commercial scale. So the idea is that if we can amp up the university research that's happening in cyber, we can connect that with a growing venture capital ecosystem and really try and foster and support and nurture the startup ecosystem and bring some of the larger tech companies from the West Coast in to augment the defense contractor base that we already have. Then we can begin to start to push this economy more towards commercial products, certainly continuing to support the government ecosystem that's critical to the region.
Dave Bittner: [00:14:12] So $25 million certainly sounds like a sizable sum of money. How do you spread that around? How do you calibrate where it goes to get the best effect for the taxpayers' dollars?
Charles Clancy: [00:14:26] Well, we're looking at a couple of targeted investments with those resources. And the goal really is to invest in programs that will be able to sustain themselves long term. Keep in mind, this is only one-time money. And once it's spent, it's spent. So the goal is to use it to stand up new degree programs that will ultimately be self-sustaining with tuition revenue and stand up new research programs, which will ultimately be viable based on grants and contracts that those teams are able to win. So it's really about sort of focused investments in certain areas that will build these self-sustaining programs.
Dave Bittner: [00:15:02] Dr. Charles Clancy, thanks for joining us.
Dave Bittner: [00:15:09] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out the report "Security: Using AI For Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:16:07] My guest today is Rich Baich. He's a graduate of the United States Naval Academy and the Naval War College. Following his service, he was a principal at Deloitte, where he led their global cyberthreat and vulnerability management practice. Today, he's the chief information security officer at Wells Fargo, where he manages a security organization with over 2,000 staff, securing and enabling Wells Fargo's enterprise.
Rich Baich: [00:16:33] Responsibility here at Wells Fargo includes kind of the overall strategy and execution of our information security program. And that's kind of looked at in different facets and capabilities. So that would include things such as access management, technology engineering - or I should say information security engineering, network security, cryptologic services, distributed engineering, policies, security awareness, governance, risk assessments, third-party information security and what we call cyberdefense, which would be things such as our traditional security operations center, which we call our Cyber Threat Fusion Center, our red teams, our operational security cyberthreat intelligence and then, of course, all the governance that goes into running a program.
Dave Bittner: [00:17:39] Now it's a lot going on there, as you describe it. What is your strategy for keeping an eye on all of that? What's your management style?
Rich Baich: [00:17:50] Yeah, so from a management style standpoint, we're really focused on risk management. At the end of the day, when I think about how we make decisions in where we invest and how we define good, the best analogy I can think of is the decisions either you make as a personal investor, like a portfolio management, or something like credit risk, when a financial institution grants somebody credit, they are granting credit with the possibility and a risk that an entity may not, you know, pay it back. But you come up with guidelines and data points that allow you to accept that risk.
Rich Baich: [00:18:37] So when we look at what we're doing here, we're trying to make sure that we understand the risk and allow to make good decisions on that risk. You could keep buying more, you could keep doing things differently, but the risk will probably always remain because we're connected to the, you know, to the internet.
Dave Bittner: [00:19:01] Right. And so for the people who are working for you, what are your expectations in terms of the way that they communicate things to you, the way they describe their needs, set their budgets and their priorities, things like that?
Rich Baich: [00:19:15] Great question. So my expectation of my leadership team is to run their organizations like a business. And what I mean by a business is I want them to feel ownership and accountability of the capability portfolio that they establish and to understand that the capabilities that they are funding, what risks are they trying to address. And I encourage them to - when they're thinking about it - to use, you know, kind of a formula to help drive their decision.
Rich Baich: [00:19:52] And that formula is risk equals vulnerabilities. There are always vulnerabilities, and by the way, not just technical vulnerabilities, human vulnerabilities. You and I might fall victim to a phishing email. There are vulnerabilities associated with where you decide to put your data center. If it's in the path of the hurricane, you know, you incur some risk. So vulnerabilities times the threat, the threat changes pending what's going on geopolitically, what's going on with vendors, what's going on with customers, the threat changes, which means the risks change, times the asset value. We want to obviously understand and protect our highest value assets, you know, maybe more so than a lower classified asset.
Rich Baich: [00:20:37] And then the most important thing, which, really, I think drives the decision process of where you invest your money and the actions that you take is what's called the probability of occurrence. And what that means is, is that particular risk, that particular security issue, that vulnerability, that exploit, is it being capitalized out anywhere else? Because there's a lot of theory associated to information security risks about what you can do, and then there's the actual reality of somebody - for lack of better terms - weaponizing something. So when that becomes kind of weaponized, the risk goes to what I would call the actionable level of risk.
Rich Baich: [00:21:24] You have to make it a priority because if another entity has fallen victim as a result of a particular action or exploit, it's just a matter of time before they potentially turn and focus it on your organization. So that should help them with their priorities. My goal is to know about it, get it and use it. The most important thing is a lot of people like to know about things, but they may not get it. Or they may know about it and get it and not use it. And then some people may use it but not the right people get to use it.
Rich Baich: [00:22:04] At the end of the day, if that information can help us get awareness, whether that be proactive, preemptive, situational, to the right decision maker in the organization, the right risk manager - because everybody should be a risk manager when you're making decisions - if the information - if we can get the information to the right person and help them make the best risk-based decision that they can, we've done the best that we can do. But that, ultimately, is the real value of threat intelligence. It's how does it get baked back into the decision process and where.
Rich Baich: [00:22:46] And what's nice about intelligence these days - at least what we're able to do - is it's across many disciplines. You may help the fraud teams make better decisions. You may help the ANL team make better decisions. You might help the social networking team make better decisions, physical security make decisions and, of course, your traditional information security teams. So, you know, ultimately, it's how you use that information that's most important.
Dave Bittner: [00:23:17] That's Rich Baich. He's the chief information security officer at Wells Fargo. We'll have an extended version of this interview over on our Patreon page. That's patreon.com/thecyberwire. Our Patreon supporters will get access to it first. And then in a few days, it'll be available to everyone.
Dave Bittner: [00:23:39] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:24:06] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.