The CyberWire Daily Podcast 12.3.18
Ep 736 | 12.3.18

US Defense Department and UK’s MI6 aren’t buying Russian honey over cyber operations. Iranian influence operations. Marriott breach fallout. Court upholds Kaspersky ban. Ransom and sanctions.

Transcript

Dave Bittner: [0:00:03] Senior U.S. and U.K. officials have harsh words for Russian actions in cyberspace, even as President Putin undertakes a charm offensive at the G20 meetings. In fairness to the U.S. and U.K. officials, it's a pretty dour charm offensive. Iran ups its influence operations game. Legal investigations and legislative responses to the Marriott breach begin. A U.S. court upholds the government's ban on Kaspersky products. And paying ransom to cyber extortionists could violate U.S. sanctions.

Dave Bittner: [0:00:40] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report, "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:01:41] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 3, 2018. Russo-American relations, further strained by an escalation in Russia's hybrid war against Ukraine last week, have continued to deteriorate. Influence operations provide a familiar cause of contention. At the end of last week, U.S. Defense Secretary James Mattis said that Russia's attempts to influence U.S. elections show that President Putin is a slow learner.

Dave Bittner: [0:02:13] Reuters reported the secretary as saying, quote, "Putin tried again to muck around in our elections this last month, and we are seeing a continued effort along those lines. Mr. Putin is clearly a slow learner. He is not recognizing that what he's doing is actually creating an animosity against his people. What we are seeing Putin do with his ripping-up of international agreements, we're dealing with someone that we simply cannot trust," end quote.

Dave Bittner: [0:02:41] The U.S. isn’t alone. At the G20 meetings in Argentina, President Putin proffered a kind of olive branch or at least spoke with some unaccustomed honey on his tongue, praising Britain as an important partner. Britain, or at least MI6, was having none of it. As Bloomberg reports, MI6 director Alex Younger, in a rare public speech, named Russia as a major state sponsor of terrorism and cyberattacks. He counseled Russia not to take the U.K. lightly and that the British have no intention of abandoning their case against Russia for, among other things, the Salisbury nerve agent attacks.

Dave Bittner: [0:03:18] Younger added that while Britain did not seek escalation, neither would the U.K. remain supine in the face of Russian misbehavior. Asked in Argentina about this sort of reception by much of the world, President Putin said such accusations were a matter for the conscience of those presumably ill-willed or otherwise misguided people who say that Russia did such things. In the case of the United Kingdom, Mr. Putin said, quote, "I hope that someday - and I proceed from the assumption that this must happen as soon as possible - we can overcome the difficulty in our relations," end quote.

Dave Bittner: [0:03:54] Iran has for some time been a rising cyber power. Recent U.S. indictments have focused on cyberattacks and cybercrime narrowly construed. But there are interesting signs that the Islamic Republic is now conducting relatively sophisticated information operations. This fresh capability, as Reuters reports, is currently most clearly on display against targets in Arabic-speaking countries, but it's by no means confined to them.

Dave Bittner: [0:04:21] Some 70 countries worldwide have been targeted by Iranian websites hosting disinformation and propaganda. These operate as what Facebook would call inauthentic sites, sites whose true ownership is obscured through fronts, false flags and bogus identities. The four most heavily targeted countries are Yemen, Syria, Afghanistan and Pakistan, followed by the U.K., Egypt, Iran, the Palestinian territories, Turkey, the U.S., Indonesia, Iraq, Israel, Russia and Sudan.

Dave Bittner: [0:04:54] The line the sites take is directly supportive of Iranian policies and of Tehran's view of the world, but they represent themselves as independent voices carrying important news. Attribution of the sites to Iran is largely the work of researchers at security firms FireEye and ClearSky. Twitter, Facebook and Google have all been used to amplify Tehran's messaging, although these platforms have taken some steps to expunge such inauthentic accounts. About half of the sites use services provided by U.S. companies Cloudflare and OnlineNIC, which say they've looked into the matter and are confident they're not in violation of U.S. sanctions against Iran.

Dave Bittner: [0:05:37] Authorities are beginning their investigation of the major data breach Marriott disclosed last week. As is often the case, the state of New York is first out of the gate. According to the New York Law Journal, the state's attorney general on Friday announced that her office was opening a probe that would not only look into the circumstances of the breach but that would also determine whether Marriott's delay in disclosure constituted a violation of New York law.

Dave Bittner: [0:06:03] And if you're an affected guest wondering if there was anything you could have done to protect yourself, cyber company Rook Security says, essentially, no, there was nothing you could have done against this sort of breach. Security firm Carbon Black calls the attack an instance of island hopping, in which attackers pivot across distinct but interconnected parts of a corporate target. Attribution of the attack remains unclear. But many observers think the two proximate risks it raises are identity theft and espionage. The breach has added impetus to congressional movement toward national breach legislation for the U.S. as a whole.

Dave Bittner: [0:06:43] The U.S. Court of Appeals for the D.C. circuit ruled Friday that the government's ban on Kaspersky products can stand. It's not, after all, an unconstitutional bill of attainder. The U.S. government's decision to keep Kaspersky products out of its networks will therefore stand.

Dave Bittner: [0:07:01] Finally, Bleeping Computer points out that ransomware victims now have another self-interested reason not to pay ransom. Under current U.S. law and regulation, if such payments go to the wrong place, ransomware victims could find themselves in violation of U.S. sanctions. Two possible illicit destinations for such payments would be Iran and North Korea.

Dave Bittner: [0:07:29] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's ObserveIT.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [0:08:38] And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to touch today on cybersecurity and how that can affect growth, innovation and productivity. What can you share with us today?

Daniel Prince: [0:08:54] So this has been a bit of a passion subject for me for a long time. And, you know, it's the classic question - how can you measure return on investment in cybersecurity when, you know, you don't know whether something's going to happen, and you're not sure whether you're going to protect against those losses because you never know when you're going to be attacked? I've got to the point now I think that's the wrong way of thinking about cybersecurity and that return on investment.

Daniel Prince: [0:09:21] So the - some of the stuff that we're doing here, particularly working with businesses, is to flip the question around on its head. How do you actually build a business growth strategy with cybersecurity at its core? And I - we've been working with a number of other universities in the greater Manchester area in the U.K., so University of Manchester, University of Salford and Manchester Metropolitan area - University. And we've got a project that we're going to be supporting a large number of businesses to actually take them through a structured process that puts cybersecurity at the heart of their business growth strategy.

Daniel Prince: [0:09:55] So this is a different question. This isn't how you use cybersecurity to prevent against losses. This is how to use cybersecurity to grow your business. And we firmly believe that cybersecurity doesn't just have to be related to protection against losses. We can actually use this and help you get market advantage. And we're certainly starting to see a lot of evidence in the market that if you can differentiate yourself inside that market because you are more secure than your competitor, you're starting to lead with something with a client base that enables you to get bigger, get more sales and so on and become more productive.

Daniel Prince: [0:10:29] The other thing that is key for me is that cybersecurity is - has always been an incredibly innovative space. We're always having to innovate. We're having to innovate against the attackers that are coming in. We're having to innovate to new defensive strategies. And the - one of the things for me is to take that innovative approach of cybersecurity professionals and thinking about how we can start to apply that natural innovative capability to sort of digital businesses and how can we drive those forward so that we have that really great combination of highly productive digital business, but also it's secure for their - the customers.

Daniel Prince: [0:11:07] During the last space, one of the other things is I often liken cybersecurity to health and safety. And when I talk about this - so people kind of get a little bit upset with me because they don't like health and safety. But actually, health and safety is there within your organization to ensure that people don't get injured, don't go off sick. They're - you're there - the health and safety is there to help them to be a productive worker, and they're not taking unnecessary risks that could potentially damage themselves or their equipment or the people they're working with. So in that way, cybersecurity is also related to the productivity. It's there to help your employees really work more effectively, take less risks that will potentially damage the company and the equipment that they use.

Dave Bittner: [0:11:55] Now, I'm curious, you know from a business point of view, I mean, is this a situation where, you know, some of the folks from the cybersecurity side of the campus need to walk over to the folks in the business school and have a sit-down with them and say, you know, you need to integrate our stuff deeper into your business classes?

Daniel Prince: [0:12:16] Yeah, definitely. I think this is one of the vital things. And I think it's really important that the folks in the management schools start to look at how cybersecurity can be this mechanism for growth, innovation and productivity, not just a mechanism to manage risk or defend against losses. But certainly, some of the conversations that we're having here at Lancaster University, I've been working with a behavioral economist for quite a while now looking at some of these questions, thinking about how we can have these organizational structures but really support productivity and growth but deliver a secure and safe working environment for the employees and for the customers.

Daniel Prince: [0:12:54] It's true now that, you know, every business is digital, so we can't - you know, cybersecurity can't just be a separate thing. And it can't just be a thing that we use to protect against losses. We have to internalize that within our business strategies to really drive forward business growth, certainly within a sort of modern climate where companies are really pushing to find that competitive edge. And, you know, this - cybersecurity can give you that competitive edge.

Dave Bittner: [0:13:22] No, it's really interesting. As always, Daniel Prince, thanks for joining us.

Dave Bittner: [0:13:31] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [0:13:59] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [0:14:28] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.