Reports of Chinese seeding attacks on the supply chain. Five Eyes and other allies push back at Russia's GRU. NPPD to become Cybersecurity and Infrastructure Security Agency
Dave Bittner: [00:00:03] More on the possibility that China's People's Liberation Army engaged in seeding the supply chain with malicious chips. All Five Eyes denounce Russia's GRU for hacking. Russia responds unconvincingly. Adam Anderson from Element Security joins us to discuss the role of behavioral science in the fight against cybercrime. And the NPPD will become a new agency within the U.S. Department of Homeland Security and the lead civilian agency responsible for cybersecurity and critical infrastructure protection.
Dave Bittner: [00:00:40] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to recordedfuture.com/intel, and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:45] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, Oct. 5, 2018. Bloomberg's reporting on a Chinese seeding attack on motherboard supply chains is still developing. Bloomberg is standing by its story. Amazon and Apple, both cited in the reporting as having noticed the malicious chips and reported their presence quietly to U.S. authorities, flatly deny the story.
Dave Bittner: [00:02:13] The U.K.'s National Cyber Security Centre says it has no reason to doubt Amazon and Apple. Amazon says the only issues it found with Super Micro products were some application and firmware issues, relatively minor and swiftly fixed. Apple says that they have over the course of Bloomberg's investigation repeatedly and on the record given them information that refutes the central claim of the story. Apple thinks maybe Bloomberg is confusing this story with a single incident in which Apple found an accidentally infected driver on one Super Micro server they had in one of their labs.
Dave Bittner: [00:02:51] Bloomberg sourced its story to anonymous U.S. officials and industry figures. It's not identifying them, Bloomberg says, because of the sensitivity of material they discussed, but it is standing by the story. They report that the evidence points to an attempt to gain long-term access to sensitive government data and valuable intellectual property. Both Amazon and Apple categorically and unambiguously say that there's nothing to the Bloomberg story, and it's unusual for companies to issue that kind of denial casually. But Bloomberg's story is difficult to dismiss out of hand. They say that their sources include people within the companies who are denying the incident.
Dave Bittner: [00:03:32] However the story eventually settles, concerns about Chinese involvement in the supply chain are unlikely to be resolved quickly. Lenovo and ZTE, neither of which are mentioned in Bloomberg's report, have already seen their stock prices punished today as speculators clearly think the entire Chinese hardware industry is likely to suffer. The global supply chain is thoroughly international, and it will be difficult to unentangle, but it seems likely that many countries will try to bring more aspects of hardware manufacturing home.
Dave Bittner: [00:04:06] The exposure and denunciation of hacking by Russia's GRU that came this week from several Western nations is being regarded as a hard pushback at Russia's assertiveness in cyberspace and offers a good example of what imposing consequences can look like. It is, as Reuters put it, a coordinated effort to expose GRU hacking and misconduct generally. Some of the harshest language came from the United Kingdom, which characterizes Russia as a pariah state.
Dave Bittner: [00:04:35] The most immediate consequences were imposed by the Netherlands, which expelled five GRU officers under conditions that reflected no credit whatsoever on the Russian military intelligence competence and tradecraft. The most comprehensive response came in the U.S. indictment of seven GRU who are, to be sure, unlikely to appear in a U.S. court but will now have American teeth in their lives essentially forever.
Dave Bittner: [00:05:01] The three other Five Eyes joined the U.S. and U.K. in denouncing the Russian organization. Canada assessed with high confidence that the Montreal-based World Anti-Doping Agency was among the targets, and Australia and New Zealand offered their own condemnations. Australia chided that cyberspace wasn't the Wild West, which seems unfair to the actual Wild West, but we're far enough east that we'll let that one pass.
Dave Bittner: [00:05:27] The GRU techniques have been detailed in U.S. documents. They seem to have done quite a bit of brazen war-driving, physically parking in front of hotels and other locations where they expected their targets to be using poorly protected Wi-Fi access points - pretty brazen stuff. Indeed, it's the stuff that got several of them caught red-handed. The informational aspects of this conflict can't be lightly written off. Ridicule and embarrassment are among the consequences Western governments quite wittingly impose.
Dave Bittner: [00:05:58] The GRU is convincingly portrayed as a crew of vicious stumblebums. They would be hilarious, a Times of London op-ed says, if they weren't so sinister. And it's no accident, surely, that so much commentary has linked today's GRU to its even more sinister predecessors in Russian and Soviet history. Russian counterthrusts in this information battle include angry dismissal of the accusations. Angry and aggrieved, but also mocking. The Russian Foreign Ministry called the whole shebang a diabolical perfume cocktail emanating from someone's rich imagination.
Dave Bittner: [00:06:36] This response seems to be reaching the limits of its usefulness. Soviet propaganda usually had some legs no matter how preposterous it became, in part because of the ideological cult that underpinned the Communist regime. It's not clear that President Putin can count on similar reinforcements. There was a Communist International. It's not clear, that except perhaps in a few tax havens, that there's really an oligarchic international, and weariness with political classes may prove unlikely to sustain any implausible systematic messaging. And some of the information operations take the form of an elaborate and phony tu quoque.
Dave Bittner: [00:07:18] Moscow has made the fairly preposterous claim that the U.S. is running a secret bio-war facility in the country of Georgia. There's a certain symmetry with the well-founded British account of the Novichok attack, but this seems to be overreaching. There is a Georgian public health and veterinary research center in Tbilisi, established in 2013 and named in honor of former U.S. Senator Richard Lugar, who was instrumental in working to secure the very active bio-war program left behind when the Soviet Union broke up. Russia's Ministry of Defense hopes Georgia and the U.S. will come clean in an investigation. The Pentagon calls it all hogwash. An international investigation is unlikely.
Dave Bittner: [00:08:03] The Department of Homeland Security's National Protection and Programs Directorate will become the Cybersecurity and Infrastructure Security Agency. The U.S. Senate has unanimously passed Cybersecurity and Infrastructure Security Agency Act of 2017, a bill that cleared the House also unanimously late last year. This will make the newly named Cybersecurity and Infrastructure Security Agency the lead civilian agency for cybersecurity and critical infrastructure protection.
Dave Bittner: [00:08:33] And finally, Elon Musk is unhumbled by his encounter with the Security and Exchange Commission over his tweets that appeared to speculate about Tesla. He's been back on Twitter trolling the SEC as the Short-Seller Enrichment Commission.
Dave Bittner: [00:08:53] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box Insider Threat Library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult, even for the most technical users, to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:10:02] And I'm pleased to be joined once again by Malek Ben Salem. She's the senior R & D manager for security at Accenture Labs. She's also a New America Cybersecurity Fellow. Malek, welcome back. Over there at Accenture, you all recently published some information on pervasive cyber resilience. Take us through what's going on here.
Malek Ben Salem: [00:10:22] We did a survey with a number of C-Suite executives, and our goal was to identify how companies are securing the enterprise today, but how are they building cyber resilience in order to secure the future enterprise? As you know, companies are racing to adopt new IT-based business models in order to achieve higher growth. But they're not prepared for the new risks that come with those business models. And I'm thinking of the increased connectivity, the increased risk due to the automation of processes and the risks that come from the intelligence being used to derive automated decision-making through data.
Malek Ben Salem: [00:11:08] And as security professionals, we keep reiterating the message that companies ought to be cyber resilient, that they need to infuse security into everything they do today, but also into everything they do or they're preparing to do in the future. And so through that survey where we interviewed about 1,400 C-Suite executives, including CISOs, about how they prioritize security in their business initiatives, how their security plans address future business needs, what security capabilities they have, and the level of internal and external collaboration that they're working on as security.
Malek Ben Salem: [00:11:46] We found out that only 38 percent of companies bring CISO into all discussions at the beginning stage of considering new business opportunities. So there is a lot of room for improvement. If companies are serious about building cyber resilience - not just for today, but for the future - as they consider new business opportunities, they need to get CISOs involved into that discussion.
Dave Bittner: [00:12:18] No, I can certainly understand that impulse, that we want to get out there. We want to start doing business. We want to beat the competition, be first to market and all those sorts of things. But you're saying that that might not be a successful long-term strategy.
Malek Ben Salem: [00:12:35] Absolutely. I think companies ought to be thinking about all the implications of new business initiatives. And we actually dug deeper into what this means for companies. And we asked the survey respondents about individual technologies that they're thinking of adopting in the future and how much they think they're already protected for those types of technologies.
Malek Ben Salem: [00:13:04] So we asked about things like robotics, virtual work environments, obviously IoT, cloud services. We found out that there was an acknowledgement that for certain technologies, these organizations didn't feel as protected or adequately protected. And that appeared clearly, for instance, for virtual work environment, where 42 percent of the respondents said that they don't think they're protected.
Malek Ben Salem: [00:13:35] On the other hand, they thought that for the adoption of IoT and IoT devices, they think they're much more protected. What's interesting also, to me, is that for AI technologies, that was one of the technologies where the survey respondents felt very confident that they're protected, which is - which I found very interesting and, you know, which I think is a blind spot to them, particularly as we start - as a security research community - start being more involved into the issues of AI security and how machine learning models need to be protected.
Malek Ben Salem: [00:14:18] This is a very nascent field that's being looked at by the research community. So I think they're - for AI in particular, there is an overconfidence that this technology, you know, is protected versus what we think of as a research community that this AI technology actually is creating a new attack surface for companies.
Dave Bittner: [00:14:43] Malek Ben Salem, thanks for joining us.
Dave Bittner: [00:14:49] A few words from our sponsor Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operation center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with a threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:15:54] My guest today is Adam Anderson. He's scholar in residence at Clemson University's Center for Corporate Learning and founder of Element Security Group. Our conversation focuses on his efforts to integrate behavioral science into the fight against cybercrime.
Adam Anderson: [00:16:09] I've gotten very frustrated with the arms race of we develop new security measures and they develop ways to get by it. And I constantly felt like I was losing no matter what I did or product I installed. And it wasn't until I really started addressing behavioral science, talking to people about what good cyber hygiene is, how to act correctly, that I felt that I was actually having an impact. And that really showed inside of small and mid-sized businesses.
Adam Anderson: [00:16:39] I feel like the enterprise typically does a fantastic job building a cyber fortress and keeping the gates shut. But with supply chains and trusting vendors, I find that the small business is really the big security risk that I'm most interested in. And for those guys, you move the needle with behavioral science, not with spending a lot of money on technology.
Dave Bittner: [00:17:04] Yeah. I mean, it strikes me that folks - like you say, the small-business people are the least prepared, certainly budget-wise, to build that moat around their business. Why do you find that behavioral science gives them the best bang for the buck?
Adam Anderson: [00:17:20] Well, because they have messed up beliefs. There's not a CSO in the Fortune 500 that's not going to have a voice with the executive management staff. They're going to be able to say, cybercrime's important, and everyone nods their head and says yes. But for a small business owner, they have three core beliefs that screws everything up. They think they're not important, and no one's looking for them. They think they have nothing anyone would want. And they think, hey, there's nothing I can do to stop you guys anyway. So that leaves (ph) a victim mentality on the table that they put their head in the sands, and they just don't act.
Dave Bittner: [00:17:54] So let's walk through those, I mean, one by one. What are the ways to combat those beliefs?
Adam Anderson: [00:17:59] The thing is, is their correct beliefs are just old beliefs. A small business owner is going to think, I don't have intellectual property or a whole lot of data that a hacker is going to want to steal and then sell on the black market. And so my message to them is like, hey, you're absolutely right. But you know what you have? You've got money. And they're going to screw with you until they get you to actually pay them something.
Adam Anderson: [00:18:23] So the mind shift that happens on those three beliefs, at least the first two, is to say, you know, you do have what you want. And if you have low self-esteem, good news - you're just what the cyber criminal's looking for. So at the end of the day, the first two are all about changing the mindset from I've got intellectual property or I've got trade secrets that people want versus I've got cash flow and money, and I can buy bitcoins and send them.
Dave Bittner: [00:18:51] Do you suppose some of this is sort of paralysis? You mentioned, you know, thinking that there's nothing they can do about it. And it strikes me that maybe they don't have to build that fortress around their business. It's kind of that old joke about, you know, I don't have to outrun the bear, I just have to outrun you.
Adam Anderson: [00:19:10] (Laughter).
Dave Bittner: [00:19:10] You know...
Adam Anderson: [00:19:10] Exactly right.
Dave Bittner: [00:19:11] If the business down the street is less secure than I am, they're going to be easier pickings.
Adam Anderson: [00:19:17] Yeah. I use an analogy with them with fly fishing, where the hacker walks up into a mountain stream, has got a fly fishing rod. And to me, that's witchcraft technology. I've never been able to get that to work. And they are hunting fish individually. And when they catch one fish, all the other fish are safe.
Adam Anderson: [00:19:32] But I tell them things have changed. It's not a guy in a stream anymore. It's a guy on a trawler. It's a lower-skilled person pulling a giant net behind a boat and catching all of the fish. So the I-can-outrun-the-bear thing, that doesn't work. You need a new skill set, how to avoid nets and then escape them or recover after you've been in them.
Dave Bittner: [00:19:52] How do we go about getting this message to sink in without just, you know, spewing FUD at these people?
Adam Anderson: [00:20:01] Right. So FUD will only take them so far. And I tell folks that, especially small business owners, if you're buying based on fear, then you're buying the illusion of security. And if you're buying based on compliance, you're basically securing someone else. And if you don't think of this as just another business process, like sales or marketing, you're going to suffer analysis paralysis.
Adam Anderson: [00:20:22] So when I can pull them away from thinking about the technology and say, look at business processes, understand which ones are important and then find a smart cyber security person to apply the correct security controls to keep your processes running, that they are very excited about because they understand business process. And I say, don't worry. You don't have to understand the technology. You just have to tell the cyber expert what you need to protect.
Dave Bittner: [00:20:51] So that mindset - I mean, what it sounds like you're describing is not unlike - you know, a lot of small businesses will hire an outside accountant to take care of their accounting because they don't want to hire a full-time person. They'll hire an outside attorney. They don't have the funds to have someone on staff all the time. Cyber security should be given the same approach.
Adam Anderson: [00:21:11] Yeah. I tell folks there's four key things a small business needs - a banker, insurance agent, a CPA and a lawyer. And I believe the future for small business is also going to be a fractional chief security officer, where you're going to approach that person. They're going to help you build a business continuity plan. They're going to keep it updated. They'll help you build your disaster recovery plan. And then they're going to manage the vendors for you. So very much like you said, we're going to add a fifth key role that every small business is going to have in the future.
Adam Anderson: [00:21:43] The message I give to folks is I say, look. Spend somebody else's money. Be Yoda, not Luke. Go to the marketing person who makes all of the technology purchases at this point and has the CFO's ear and say, you know that new mobile initiative you're trying to do and make all of our stores' point of sales - are mobile and all that? You know, there's some cyber security stuff that if we don't take care of, your project might stop. But hey, it's not my call. I'm here just to tell you what's going on. But maybe we should go ahead and ask for another million dollars to fund this project to make sure you don't have a failure in two years.
Dave Bittner: [00:22:21] (Laughter).
Adam Anderson: [00:22:22] So the idea here is the CIO, CSO needs to partner with the other C suites and align the cyber security initiatives up with the stuff that the other C suites are doing because when you CXOs come in and talk to the CFO and they're on the same page, it's really hard for the CFO to say no.
Dave Bittner: [00:22:42] Our thanks to Adam Anderson from Element Security Group for joining us. You can learn more about what he's up to at elementsecuritygroup.com.
Dave Bittner: [00:22:55] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:23:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.