The CyberWire Daily Podcast 2.22.19
Ep 786 | 2.22.19

Influence operations in Ukraine’s elections. Australian hacks look more like China’s work. Huawei and the 5G future. Objectionable content in comments. DrainerNot. No more soldier-selfies in Russia.

Transcript

Dave Bittner: [00:00:03] Kiev alleges complex, large-scale Russian influence operations in Ukraine's presidential election. Australian investigators are said to be closer to concluding that recent hacking attempts were the work of Chinese intelligence services. There's also plenty of ordinary crime to go around. Huawei continues its charm and affordability offensive. User comments drive advertisers away from YouTube. Linda Burger is here to tell us about the NSA's Technology Transfer Program. DrainerBot sucks power from phones. And Russia outlaws soldier selfies.

Dave Bittner: [00:00:43] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Are log-in credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day. But without complete visibility inside your network, your investigation could take hours or even weeks. And that's assuming you were able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of the complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Look for ExtraHop at RSA or be the Blue Team in the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:43] The CyberWire podcast is made possible in part by RSA Conference, taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at RSAConference.com/CyberWire19.

Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 22, 2019. Kiev's SBU security service has charged Russia with organizing a large influence campaign to secure election of its preferred candidate in Ukraine's upcoming presidential election. Which candidate Moscow favors isn't specified, but the methods used cover everything from state-of-the-art information operations and troll farming to the kind of ground-game bribery and get-out-the-vote hustle an early 20th century Chicago ward heeler would immediately recognize - passing out holiday turkeys in the 10th ward, that sort of thing - plus inauthentic online persona, hacking and so on.

Dave Bittner: [00:02:51] The Sydney Morning Herald reports that investigators are closer to singling out Chinese intelligence services as responsible for attempts to gain access to Australian parliamentary and political party systems. The attempts are thought to be consistent with Beijing's long-term goal of gaining insight into the Five Eyes' intelligence products and operations. A preliminary attribution by the cyber company Resecurity, discussed yesterday in the Wall Street Journal, cited Iran's Mabna Institute as the likeliest suspect in the incident.

Dave Bittner: [00:03:23] The Mabna Institute has been indicted by the U.S. for cyberattacks against American enterprises. And Resecurity thinks the activities reported and observed around Australian targets seem to follow techniques Mabna has used in the past. Thus, the hints pointing to China would amount to a false flag operation. But this seems unlikely. The evidence publicly cited is circumstantial and ambiguous at best, including documents retrieved from a cloud server that may or may not have been used by the hackers.

Dave Bittner: [00:03:54] Sources close to the investigation dismiss suggestions of Iranian involvement as far-fetched. They can't yet speak on the record, but the anonymice in this case seem pretty certain that the attacks are traceable back to Beijing. The investigation continues, and signs still point to China. Canada's Communications Security Establishment has said it's working with its Australian counterparts to investigate the incident. The episode has increased tensions between China and Australia.

Dave Bittner: [00:04:25] A wave of other attacks disclosed in Australia seem more straightforwardly criminal in their motivation. Ransomware has afflicted a number of targets over the past few months, including the Melbourne Heart Group, which is a cardiac care practice, the large corporate superannuation fund TelstraSuper, and the Roman Catholic Archdiocese of Melbourne. These are being read as the work of organized criminal gangs.

Dave Bittner: [00:04:49] The attack on Toyota's Australian operations is a more mixed case. Employees were locked out of the systems for several days. Media coverage in Australia has tended to bracket this incident with the attempts against Parliament and political parties. But that may amount to little more than a circumstantial association of ideas. But that case remains a more open one.

Dave Bittner: [00:05:11] To return to security concerns about Chinese operations, U.S. Secretary of State Pompeo has cautioned allies that the presence of Huawei in their infrastructure would make the U.S. wary of sharing intelligence with them. Huawei isn't out of the woods yet. And the Americans would still love to talk to the company's CFO, currently detained in Canada.

Dave Bittner: [00:05:31] But the tide seems now to have begun running against U.S. efforts to convince other countries to exclude Huawei from their 5G networks. Huawei's lower cost, general reliability and good-enough devices may be too attractive for the telecom sector to forego. It's not classically disruptive technology since it's not displacing an entire family of technology the way, for example, digital imaging replaced film. It's rather a case of offering commodity equipment at competitive prices.

Dave Bittner: [00:06:02] European telecommunications operators have generally opposed a ban on Huawei. So have carriers that serve rural U.S. markets. They, too, like cheap, reliable and good-enough gear. Britain's National Cyber Security Centre's dance with Huawei continues. On the one hand, the company is regarded as presenting a risk to U.K. networks. But on the other hand, it believes that risk may be manageable. In any case, NCSC hasn't reached a public decision yet. Its full report on telecom security is due out in March. In the meantime, NCSC boss Martin tells British telcos to up their security game.

Dave Bittner: [00:06:40] Huawei itself continues its pricey charm offensive, promising to invest billions in security and associated confidence-building measures. The company will probably face its toughest sledding in the U.S. and Australia where strong signs of renewed Chinese espionage have put security officials on their guard. An Op-Ed in Forbes notes that 5G security touches control systems as well as IT devices. In fact, its biggest impact may be precisely on the internet of things. Should 5G technologies be widely open to hostile manipulation, the damage to be feared might well prove to be as kinetic as it is informational.

Dave Bittner: [00:07:21] This week saw renewed calls for online platforms, especially social networks, to do more to control harmful content. The parliamentary report on fake news took Facebook harshly to task in the U.K. And Facebook and other big tech firms are getting letters from members of the U.S. Congress this week as well. Congress is asking about children's safety and public health - always a reliable entering wedge for regulation. One hitherto largely overlooked form of content, user comments, drew close attention this week from advertisers.

Dave Bittner: [00:07:53] Some large companies, including AT&T, Nestle and Hasbro, are considering pulling their advertising from YouTube unless the Google-owned platform can guarantee that their ads wouldn't appear alongside objectionable content. This is a far taller order than one might think. Even filtering adult content is harder than it seems. But moderating comments for signs of objectionable use is tougher, still.

Dave Bittner: [00:08:18] There are increasing signs that people are making bad use of perfectly innocent videos of children to offer lewd commentary and suggestions for going to particular points in the videos. Again, the videos themselves are usually innocent in intent and generally innocent in content, too, by any rational interpretation. But comment sections don't excel at rational interpretation. The devil here is in the details, and the details are in the comments.

Dave Bittner: [00:08:45] If your phone seems to be losing its charge much faster than it ought to, Oracle may have a diagnosis. Its researchers have discovered an ad-fraud scheme they're calling DrainerBot that sucks prodigious amounts of both power and data.

Dave Bittner: [00:09:01] Finally, we mentioned earlier this week the results of a NATO exercise in which troops were socially engineered by red teams egging them on into doing stuff they shouldn't via social media. Russia had a similar but different concern - operational security lapses enabled by social media. If people aren't supposed to know you're in the Donetsk, then you shouldn't take a selfie in front of a welcome to the Donetsk sign and post it to Instagram where mama and babushka can enjoy it. The rest of the world will see it, too.

Dave Bittner: [00:09:32] Similarly, if your government has assured the world your forces aren't using cluster munitions in Syria, that thumbs-up shot of you loading such munitions into an Su-25's hardpoints is probably unhelpful to the cause. So now there's a law in Russia designed to make it a crime to do this kind of thing. How well that will work on a group of soldiers who are, after all, essentially teenagers remains to be seen. Tell it to the Marines. It can be hard enough to keep Terminal Lance from charging his Samsung phone by connecting it to SIPRNet.

Dave Bittner: [00:10:09] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? Akamai's edge security defends your business, your customers and your users from threats by deploying defense measures closer to the point of attack and as far away from your people, applications or infrastructure as possible. Security at the edge is dynamic and adaptive. With the world's only intelligent edge platform, you can surround and protect your users wherever they are - at the core, in the cloud or on the edge and everywhere in between. If you're going to RSA this year, visit Akamai in the North Hall, booth 6153, to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai, intelligence security starts at the edge. Learn more at Akamai - that's akamai.com/security. That's akamai.com/security, and we thank Akamai for sponsoring our show.

Dave Bittner: [00:11:18] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, great to have you back. An article from Ars Technica - this is written by Cyrus Farivar who has been a guest on our show before. The title here is "Man sues feds after being detained for refusing to unlock his phone at airport." What prompted this? What's going on here?

Ben Yelin: [00:11:41] So this is an individual who was flying outbound from Los Angeles International Airport to Saudi Arabia, was actually going on his hajj - is the Muslim religious pilgrimage. This occurred at the beginning of 2017, and this individual Haisam - I'm probably pronouncing this incorrectly, but Elsharkawi was pulled out of a security line by Customs and Border Patrol agents. They started to question him about where he was going, what he was doing. And he became very frustrated by that line of questioning and said, do I need a lawyer to answer these questions?

Ben Yelin: [00:12:20] Now, that led the Customs and Border Patrol agents to become more suspicious. And they decided that, simply by asking that question, it justified additional searches. So they searched his stuff and came across his cellular phone, which the individual refused to unlock, refused to share. Eventually, under pressure from Customs and Border Patrol agents, he did unlock his phone simply to sort of get out of what was a difficult situation. So he sued them on constitutional grounds, on violating his First, Fourth and Fifth Amendment rights.

Ben Yelin: [00:12:59] And this gets at, really, a broader problem, which are these border searches. So we've talked about on this podcast before - there is an exception to the Fourth Amendment as it relates to the searches of digital devices at the border. Because this goes beyond the traditional law enforcement justification - i.e. we're trying to catch a criminal in the commission of a crime - courts have held that the government is justified in conducting these searches, even if they don't have a warrant, basically because we need to protect our national security, the integrity of our borders. What's interesting about this case is that most of the previous cases involve people who are entering the United States.

Dave Bittner: [00:13:43] Right.

Ben Yelin: [00:13:44] This involved an individual who was traveling abroad.

Dave Bittner: [00:13:48] So this is a U.S. citizen, right?

Ben Yelin: [00:13:50] This is a U.S. citizen who's traveling abroad, who's actually leaving the country. And that's why I don't think the special needs justification is applicable here. The reason we have the special need is because we want to know who's coming into our country and whether they're going to do us harm. That's the stated justification for having a border search exception to the Fourth Amendment, but that - it seemingly would not apply when the individual is a U.S. citizen that's actually leaving the country. If they wanted to inspect his device when he came back, even as a U.S. citizen, I think you could justify that under the border search exception, but you certainly couldn't justify it when he's taking an outbound flight.

Ben Yelin: [00:14:32] And one of the reasons I think this issue has become more prevalent is we're starting to learn about the extent to which the Department of Homeland Security is engaged in data mining based on their border searches. The Office of the Inspector General at the Department of Homeland Security released a report recently, and they said that though customs officials are required to expunge data that they don't need to use in national security or criminal investigations, that data is very frequently not expunged. And as a result, Department of Homeland Security has and maintains a database of digital information collected as a part of routine border searches.

Ben Yelin: [00:15:16] And, you know, I think this is something that rubs a lot of people the wrong way because there is this Fourth Amendment exception that means that there are a lot of border searches. According to Customs and Border Patrol, more than 29,000 travelers in 2017 who came across our borders, whether they're U.S. citizens or non-U.S. persons, had their devices searched. And the fact that we are going against DHS protocol and retaining this information, I think, presents a major civil liberties threat. And I think that's the threat that this individual in the Los Angeles case is trying to get at with his lawsuit.

Dave Bittner: [00:15:56] All right. Well, Ben Yelin, as always, thanks for enlightening us on the details of these sorts of things. Thanks for joining us.

Ben Yelin: [00:16:04] Thank you very much.

Dave Bittner: [00:16:09] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:17:08] My guest today is Linda Burger. She's director of the technology transfer program at the NSA, the National Security Agency. Her team is tasked with creating partnerships between government and the private sector to license government patents and enable the use of scientific breakthroughs and technical advances to boost economic growth. Linda Burger joined us at our studios in Maryland.

Linda Burger: [00:17:31] Technology transfer is a government-wide initiative to return dividends to the American taxpayer for the research and development investment that the government makes annually. At the NSA tech transfer program, we have four main ways that we engage in technology transfer for the agency, and big part of it is building partnerships. And we do that with industry, academia, other government agencies.

Linda Burger: [00:17:57] And the first one I'll talk about is something that started at NSA that we do on our own - TTSAs, or technology transfer sharing agreements - and that's when we share, at no charge, with other government agencies technologies or capabilities that were developed at NSA for mission use that can be used broadly across the government. Taxpayers already funded them. We want to make sure that the government has best-in-breed capabilities, and so we share those readily with other government organizations. So again, that's tech transfer sharing agreements.

Linda Burger: [00:18:25] Patent license agreements are what we highlight when we're out talking to the public because we want to have businesses to work with to commercialize technologies, to move them from the lab to the market space. Patent license agreements are where the federal government has patented technology and ownership in that technology. And we license it to companies so that they can commercialize it because the government is not in the business of commercializing technologies. We need commercial partners to do that.

Linda Burger: [00:18:51] So that's patent license agreements, or PLAs. Another one that's a very agile powerful tool for the federal government is CRADAs, and those are Cooperative Research and Development Agreements. Those are so much fun. There's an army attorney in tech transfer who says you can build a battleship with a CRADA.

Dave Bittner: [00:19:11] (Laughter).

Linda Burger: [00:19:11] That it's really about broad research and development partnerships between the government and one or more nonfederal groups or entities, and we are solving hard problems together. So it's not an acquisition contract where we're funding you to go find a solution to something. But we need to solve whatever that hard problem is together, and both parties are coming together shoulder to shoulder, and we're applying. We might be applying facilities. We may have a certain kind of facility - we, the government. And the company might be putting in their subject matter expertise, or we might - and we might be adding subject matter expertise, and we work to advance science and solve problems together in CRADAs.

Linda Burger: [00:19:50] For the government, it's always about things we care about from a mission perspective, and for the companies, they get, you know, insight into the government space and what our unique challenges are when they partner with us in that way. The other type of agreement that I want to mention are EPAs, or Education Partnership Agreements, and those are where the government can engage with academic institutions, K to 12 and beyond, colleges, universities, such that we can help develop the workforce, big picture, that we need to hire at some future point in time.

Dave Bittner: [00:20:19] Now, give me an idea of what the ranges of organizations that you're looking to engage with here. Is it everybody from startups to big organizations?

Linda Burger: [00:20:29] Absolutely. We will work with companies that haven't even started yet, but they're thinking about starting up, and we'll become part of that group that helps them launch and come into life around NSA technology, if that's where they are. We will work with mid-sized companies. We'll work with large international corporations. We do have a preference, per tech transfer legislation, to work with small companies. Manufacturing of any device that's licensed from a federal lab has to be substantially manufactured in the U.S. So there are some limitations per the law. However, we will work with anyone. We will structure deals to try to get TS with any company that we're across the table from.

Dave Bittner: [00:21:07] Do you find that - I'm thinking particularly for smaller companies, I would imagine that there could be a bit of an intimidation factor, that people might hesitate to reach out, but that shouldn't be the case.

Linda Burger: [00:21:18] I appreciate your saying that, and I appreciate you're giving us the opportunity to be here today to share information about technology transfer and how it doesn't have to be scary. The idea that a company needs to be able to have advanced research to differentiate their product in the marketplace, they can either do it themselves, or they can license it from any federal lab.

Linda Burger: [00:21:37] From us, specifically, we try to be very approachable on our website, which is nsa.gov/techtransfer. We have a portfolio online with over 100 technologies available for licensing. That, again, is at the same website. You find what you want. You talk to us about it. We'll negotiate terms. You have to put in a business plan. That's, again, by law. To license any federal technology, you have to submit a technology development plan. We have a partner through the DOD that can help you do that for free. It's our - Pentagon-funded through TechLink. I'd like to believe we try to make it as easy as possible for our partners to get TS.

Dave Bittner: [00:22:14] Could you give us an idea of sort of the scope of the patents that are available, the types of things that you have in your portfolio?

Linda Burger: [00:22:22] Sure. So we have four categories in the portfolio based on what people ask us for - cyber, number one, right? And that's our largest portfolio percentage in the portfolio - Internet of Things, mobility and data science. So these are the four main categories that we've separated our technologies into. We have a network routing protocols. We have a technology in flexible integrated circuit manufacture. So, you know, think smart clothing, things like that. You know, that could be an application space for this.

Dave Bittner: [00:22:54] Oh, I see.

Linda Burger: [00:22:55] So we have a technology that we're highlighting this year on removable - on the detection of removable devices like SIM cards or SD chips. Think about on your - you know, your digital camera, you've got those chips that come in and out on your phone.

Dave Bittner: [00:23:10] Right.

Linda Burger: [00:23:10] You've got a SIM card that uniquely identifies your phone. We have a technology that will identify if they've been removed in an unauthorized fashion, and when, and in coordination with what other activities. So all four digital forensics activities, so you can tell what happened when on your device. And it even works for virtual SIM cards. That's one of our hot technologies this year that we're looking to license. So it's just a number of areas. And one more thing that I want to make sure that we touch on that we haven't talked about yet is, you don't need a clearance to license a technology from us. So there's always the chicken and egg of, you know, contracting with - you know, with the IC, with the intelligence community.

Linda Burger: [00:23:46] Well, you know, you do not need to be in this system of award management, the federal acquisition database. You don't have to be registered there. You don't have to have selected your NACE codes. That's not a thing for us, right? So this is not acquisition activity. It's technology transfer activity. So it's normal business-to-business negotiations. Now, yes, we have the statutory things we have to get through, but you don't need the clearance to come talk to us. It's OK. We have an 800 number. We have a - that are at the website and on our materials. You know, there's an email alias, come - you know, the techtransfer@nsa.gov. That you can contact us, and we'll start engaging, and, you know, we're trying to be as accessible as possible.

Dave Bittner: [00:24:26] That's Linda Burger. She's the director of the technology transfer program at the National Security Agency.

Dave Bittner: [00:24:37] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:24:48] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.