The CyberWire Daily Podcast 3.20.19
Ep 804 | 3.20.19

Norsk Hydro recovers from LockerGoga infection. Cyber conflict, cyber deterrence, and an economic case for security. EU out of compliance with GDPR? Big Tech in court. Thoughts on courtship.

Transcript

Dave Bittner: [00:00:00:13] A quick reminder that in addition to the CyberWire Podcasts that you know and love, we also publish our CyberWire Daily News Brief. It has all the day's cyber security news and stories, more than we can fit in our daily podcast. It's free and you can check it out and sign up to have it delivered to your inbox every day when you visit our website, thecyberwire.com.

Dave Bittner: [00:00:30:18] The Norsk Hydro recovery continues with high marks for transparency; some notes on the challenges of deterrence in cyberspace from yesterday's CYBERSEC DC conference, along with context for US skepticism about Huawei hardware. Cookiebot says the EU is out of compliance with GDPR, its sites infested with data scraping ad tech; Google and Facebook get, if not a haircut, at least a trim in EU and US courts and some animadversions concerning digital courtship displays.

Dave Bittner: [00:01:09:07] It's time to tell you about our sponsor, Recorded Future, the real time threat intelligence company, whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:06:02] From the CyberWire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 20th, 2019.

Dave Bittner: [00:02:14:09] Norsk Hydro has made significant strides toward recovery from yesterday's LockerGoga infestation. The company said this morning that it had recovered many of its affected systems and is on its way towards restoring normal, stable operations. The disruptions had affected both business and production systems. Some speculation about nation-state or hacktivist involvement aside, the emerging consensus seems to be that this was low level, commodity criminal activity with far-reaching effects.

Dave Bittner: [00:02:44:18] We heard from CrowdStrike's vice president of intelligence, Adam Meyers, who wrote that LockerGoga was also behind the infection of the French engineering company Altran, in January of this year. Meyers wrote "While details of the Norsk Hydro incident are still developing, CrowdStrike intelligence has been able to identify a new sample of the LockerGoga ransomware that was uploaded to a public malware repository in two ZIP files from an IP address based in Oslo, Norway."

Dave Bittner: [00:03:15:08] Norsk Hydro is engaged in the electricity-hungry production of aluminum. CyberX VP of industrial security, Phil Neray, pointed out to us in an email that manufacturers like Norsk Hydro have some particular concerns about ransomware. He said "Downtime is measured in millions of dollars per day and companies producing metals or chemicals are at additional risk should production disruption cause safety and environmental incidents."

Dave Bittner: [00:03:43:19] Norsk Hydro itself is getting pretty high marks for the speed and transparency of its response to the incident. Dragos' CEO, Robert M Lee, has tweeted Norsk a thumbs-up for their transparency. He offers a simultaneous thumbs down - that's two thumbs, indicating way down - to those in the industry who would use the incident as FUD-fodder to flack their products.

Dave Bittner: [00:04:07:06] We were able to attend the inaugural meetings of CYBERSEC DC in Washington yesterday. Their focus was on the connection between economic development, particularly in the rapidly advancing tech sector, and cyber security, particularly as that linkage is evolving along NATO's eastern flank.

Dave Bittner: [00:04:25:12] Sponsored by the Center for European Policy Analysis (CEPA) and the Kościuszko Institute, the conference's announced goal was to advance the transatlantic quest for cyber trust.

Dave Bittner: [00:04:37:15] The discussion inevitably turned to the threat of hybrid war from Russia, something of which the 12 nations of the Three Seas group are uneasily aware. The Three Seas Initiative is a cooperative arrangement among the Central and Eastern European nations that stretch from the Baltic to the Black and Adriatic seas: Austria, Bulgaria, Croatia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Slovakia and Slovenia. With the exception of formerly neutral Austria, these states are all either former Warsaw Pact countries or former Soviet Republics and are therefore very much attuned to the risky ministrations of what several panelists called "our friends to the east."

Dave Bittner: [00:05:23:02] Several of the speakers pointed out that the challenge the Russian adversary poses is in operations that fall below the threshold of armed conflict. While NATO has made it clear that cyber attacks can trigger the collective defense the alliance's article five commits its members to, cyber operations are still too new for there to be a clear set of proportionate responses.

Dave Bittner: [00:05:45:14] The participants recommended full use of the NATO toolbox, including diplomatic and economic tools and they argued that imposition of costs need not, and probably should not, be symmetric. In other words, threatened retaliation for cyber attacks need not confine itself to cyber counter attacks.

Dave Bittner: [00:06:04:22] The other challenge the conference took up was the different, more long term threat that China poses as it continues to advance its position in the global technology market place. In this respect, Robert L Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy at the US Department of State, had some observations that placed in context the well-known American reservations about participation by companies like Huawei in 5G networks. These are worth mentioning as they're often glossed over in discussions of the controversies around Huawei.

Dave Bittner: [00:06:38:20] Strayer observed that vendors from countries that subject their companies to extrajudicial processes are fundamentally untrustworthy and should be viewed with particular suspicion with respect to participation in 5G networks. Such extrajudicial processes would include non-appealable demands to contribute to state surveillance and espionage activities. The much-expanded attack surface 5G will present makes accepting this risk a high-stakes proposition, and Strayer argued that no source code review will be sufficient to reveal all the problems equipment from such companies may bring with it.

Dave Bittner: [00:07:16:15] He offered two other economic reasons to be wary of Chinese companies and specifically of Huawei: its engineering seems not to be up to par, and while the equipment might be cheaper up-front, it's likely to be costlier over its life cycle. Strayer therefore found it surprising that Europe flirted more with Huawei than with European champions like Ericsson or Nokia. And he also argued that the financial terms under which Chinese equipment is being offered are unrealistic and ultimately inadequate to sustaining a competitive market.

Dave Bittner: [00:07:49:23] An observation we heard from folks on the ground at this year's RSA conference was that much of the marketing hype surrounding AI and machine learning had died down significantly. Landon Lewis is CEO of security firm Pondurance and he joins us to share his thoughts on our relationship with AI.

Landon Lewis: [00:08:08:06] If we can look back at behavioral analytics as a concept of identifying suspicious behaviors and then marrying both humans and technology to attempt to uncover that, in the past there were enough technologies and not enough people and now there's a capability of enhanced or advanced behavioral analytics that have come to the market. I look at AI, or any technology or tool, as more of an extension of hands providing a way to create more efficient processes for eliminating some of the risks that the market's facing.

Dave Bittner: [00:08:50:20] Walk me through your thoughts on the appropriate place for AI in an organization. Where does it sit in the stack of tools available?

Landon Lewis: [00:09:03:13] Typically anywhere where it's easy to understand good data and bad data. What I mean by that is that we're at the end of this market, what was termed as next generation end points or the EDR space, and there were some early adopters in that space of leveraging what they're calling AI. Essentially they are able to run binaries that they know are bad. That means going out to VirusTotal and downloading everything that has a bad score. If we download everything with a bad score and then download things with a good score, we can separate good from bad. Then we can build a model around bad, and a model around good. It's then all about the gray area between that makes it a differentiator. It is more complex than this simplified model of what you would try to do on a network, or what you may try to do with log data that a machine generates.

Landon Lewis: [00:10:08:21] In any significant quantity of data where you could separate good from bad, the closer you are to building something that is more AI, machine learning driven that can help a stock analyst or an individual engineer.

Dave Bittner: [00:10:25:17] What about intuition? I have heard people describe how they will look at data or a report and think that something just doesn't feel right about it and they feel they should spend more time with it. Is that an area where AI comes up short or can AI sometimes surprise us?

Landon Lewis: [00:10:47:16] I believe if you have the models trained appropriately, we are moving in a future direction where some type of event could basically have suspicious indicators that the models could provide tips to your analyst, as an extension of the hand saying, this is suspicious and here is why. I think it behooves us to start explaining to an analyst how the model was built and translate it back to something that an analyst understands.

Dave Bittner: [00:11:24:18] So the AI can flag something and list the reasons why it requires a second look by the analyst?

Landon Lewis: [00:11:31:23] That's one of the most difficult pieces. For analysts to understand why something is flagged as suspicious activity, they have to go back to understanding who built the model and what type of events it was looking at. You therefore have to have an analyst with the skill level that can almost move backwards and not be a data scientist to really understand why the model may be flagging it.

Landon Lewis: [00:12:01:22] I think AI is something that's typically going to help us. I believe describing it as a silver bullet is somewhat dangerous and I believe that humans are still required to train the models that make AI more useful. I do believe in the long run, it's going to help us extend the hands of our staff.

Dave Bittner: [00:12:20:20] That's Landon Lewis from Pondurance.

Dave Bittner: [00:12:25:00] Physician, heal thyself. Security firm Cookiebot has looked into EU official government services sites and determined that a surprisingly large fraction of them leak personal information of EU citizens to various third parties in ways that contravene the EU's GDPR regime. ZDNet calls it an infestation of third party ad tech scripts.

Dave Bittner: [00:12:47:20] The EU has fined Google's parent Alphabet €1.49 billion (approximately $1.7 billion) for anti-competitive restriction of other companies' ads. This is the last of three formal EU anti-trust actions against the company. It's by no means a business killer, since Alphabet has deep pockets, but it's a large judgment. Some US politicians have already pointed out that maybe more aggressive anti-trust action - like a break-up - should be in the cards, but so far that is preliminary posturing.

Dave Bittner: [00:13:21:13] Facebook has settled a lawsuit by agreeing to change its advertising platform to reduce the possibility of discrimination in housing and employment. This particularly affects use of such user demographics as race, age and gender.

Dave Bittner: [00:13:36:09] The number and volume of DDoS attacks dropped significantly after the FBI took down 15 DDoS-for-hire sites in December. Researchers from NexusGuard found that in the fourth quarter of 2018, the number of DDoS attacks sank by 11 per cent and the average size of these attacks fell by 85 per cent. So, bravo FBI, but everybody else? Don't get cocky, kids.

Dave Bittner: [00:14:03:13] And finally, those who have followed the National Enquirer's coverage of Amazon chief Bezos's online courtship display - the one Mr Bezos gamely addressed in his "No thank you, Mr Pecker" blog post - may have wondered where Mr Pecker's Enquirer obtained the texts that constituted this particular expression of ardor. Speculation had run toward Saudi Arabia, the White House, hackers, everywhere, but it appears that the entire transaction may have been much more prosaic than that. The peacock may have spread his metaphorical tail feathers to inspire reciprocal feelings in the peahen, but reports in the New York Post's Page Six say that the Enquirer paid the peahen's brother - that would be the peacock's boyfriend-in-law - some 200,000 to send them the goods.

Dave Bittner: [00:14:52:13] Pro tip: during courtship, send flowers, big cookies. Sure, they're traditional but they're almost always appreciated.

Dave Bittner: [00:15:02:13] These kids today.

Dave Bittner: [00:15:08:01] And now a word from our sponsor, LookingGlass Cyber Solutions: when it comes to digital business risk, you don't want a general admission perspective. Get a backstage pass for the LookingGlass Digital Business Risk Roadshow this spring to learn the industry's latest on effective third party risk management tactics to protect your employees, customers and brand, taking a proactive security posture to combat today's sophisticated threat actors, and a cyber criminal mastermind's insights on manipulating your organization's cyber strengths and weaknesses. Come and see LookingGlass in a city near you. The tour includes Atlanta, Charlotte, Chicago, San Francisco, New York City, DC and Houston. They hope to see you at the show.

Dave Bittner: [00:15:52:00] To learn more about the roadshow and register, visit their web site, lookingglasscyber.com.

Dave Bittner: [00:16:00:18] And we thank LookingGlass for sponsoring our show.

Dave Bittner: [00:16:12:09] And joining me once again is Dr Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, welcome back. I saw a recent article about a new GPS satellite that was successfully launched, touted as the first GPS III satellite. What makes GPS III special?

Dr Charles Clancy: [00:16:37:01] GPS technology is 40 years old at this point. The military has been planning satellites since the late 1970s and launching since the 1980s and has been incrementally improving the technology as they have launched more and more satellites. GPS Block III has been in planning now for over a decade and we have just now finally seen the first satellite launch. Some of the features of GPS III include a higher signal strength. The actual signal that's transmitted by the GPS satellite is stronger, meaning that the goal of trying to get more indoor coverage for GPS can be met.

Dr Charles Clancy: [00:17:22:14] Another feature is that they are transmitting a companion signal that is a guide to help you to find the GPS satellites. If you used a Garmin GPS 15 years ago, you may recall that it could take a couple of minutes to lock on to the GPS satellites, now we have a sister GPS technology where essentially your cell phone is using cell tower data to figure out where it is and then it uses GPS to refine that location. It's a fundamentally different system. But there is a companion signal that is going to be part of the GPS Block III that makes it much faster to acquire the GPS signal.

Dr Charles Clancy: [00:18:00:02] There is also a new localization signal called L5 that is part of the transmitted signal. This is a higher bandwidth signal that will give finer grain ability to localize yourself. The idea is that once GPS Block III is fully deployed, you will be able to get more indoor localization on the order of one meter in accuracy.

Dave Bittner: [00:18:28:07] Are we still in a situation where really precise GPS is being limited to the military?

Dr Charles Clancy: [00:18:35:05] No. Back in the 1990s that feature was activated in the GPS constellation as commercial use began to grow and there was the civilian GPS versus military GPS. But in the early 2000s, the White House approved opening up that military level of accuracy to everyone. There really isn't a difference in the level of precision that the military sees versus the civilian GPS receivers.

Dave Bittner: [00:19:01:18] Well thanks for filling us in, as always. Dr Charles Clancy, thanks for joining us.

Dave Bittner: [00:19:13:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:25:15] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.