Dave Bittner: [00:00:03] Special counsel Mueller makes his first public statement about the results of his investigation into influence operations surrounding the 2016 U.S. presidential campaign. He says his first statement will also be his last. FireEye identifies Iranian-coordinated inauthenticity in U.S. 2018 midterm elections. And Twitter and Facebook take down the offending accounts. Notes on the BlueKeep exploit, more Pegasus infestations, Reality Winner revisited and updates on Baltimore ransomware.
Dave Bittner: [00:00:40] And now a word from our sponsor, Carbon Black. When it comes to cybersecurity in 2019, traditional antivirus simply doesn't cut it. Carbon Black aims to keep the world, including you, safe from cyberattacks. Protect your endpoints with next-generation antivirus and endpoint detection and response all in one cloud-delivered platform. Simplify your security stack with a lightweight solution. Predict, prevent, analyze and operate at scale. CyberWire listeners can get a 15-day free trial of CB Defense, their EDR cloud-based solution. Don't let attackers scare you into submission. Take the stand with a safe and simplified solution. See the difference by visiting carbonblack.com/cyberwire-podcast. Again, that's carbonblack.com/cyberwire-podcast. And we thank Carbon Black for sponsoring our show.
Dave Bittner: [00:01:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 29, 2019.
Dave Bittner: [00:01:47] In his first public statement since completing his investigation into alleged influence operations and conspiracy during the 2016 elections, special counsel Robert Mueller spoke to the media briefly this morning from the Justice Department. After discussing the scope of his investigation, he quickly reviewed the indictments of Russian actors who engaged in hacking campaign networks - mostly Democratic, although he didn't name parties - and used WikiLeaks to retail the results of their doxing. And he did call out WikiLeaks. He also reviewed the indictment of a private Russian organization, the Internet Research Agency of St. Petersburg, although he didn't name them, for using social media in an attempt to influence the election. The special counsel scrupulously stressed that everyone under indictment is entitled to the presumption of innocence.
Dave Bittner: [00:02:35] He described his report as having two parts. Volume One dealt with efforts emanating from Russia to influence the election. This portion of the investigation concluded that there were such efforts and that there was insufficient evidence to charge any U.S. persons with conspiracy. The second volume dealt with possible obstruction of the investigation. Here, Mueller stressed that the report made no determination of whether the president, in particular, committed the crime of obstruction. The Constitution, he explained, precludes charging a sitting president with a crime. Should a sitting president be suspected of a crime, the Constitution prescribes other remedies. Investigation of a sitting president is, of course, possible, he added. And such investigation can preserve evidence or result in charges being brought against others. But by regulation, the special counsel had no option to charge the president with a crime. Thus, the special counsel ruled out making any determination of whether the president might be charged with obstruction. In addition to Justice Department rules and constitutional considerations, Mueller cited a principle of fairness. It would be unfair for a report to accuse someone of a crime they cannot be formally charged with, and so have their opportunity to be heard in court.
Dave Bittner: [00:03:50] With that, special counsel declined to offer comment on other conclusions or hypotheticals about the president. Special counsel Mueller said he'd asked the attorney general to release only parts of the report, but Attorney General Barr preferred to make the entire report largely public, and Mueller took no issue with this. At the end of his brief statement, special counsel Mueller said he had no intention of speaking again, nor would he take any questions. Any testimony he might render to Congress would not go beyond the contents of the report. "The report is my testimony," as he put it, adding that "access to our underlying work product is being decided in the process that does not involve our office." The statement as a whole took less than 10 minutes.
Dave Bittner: [00:04:34] FireEye identified extensive coordinated information operations in support of Iranian interests during the U.S. midterm elections. Inauthentic accounts tended to express opposition to President Trump, but their ideological slant, in American terms, was opportunistic. Some of the lines pushed represented themselves as progressive, others as conservative, but their common goal was to advance Iranian policy. The tendency was, in general, anti-Republican, but again, it's important to bear in mind that this was opportunistic. The overall goal was to advance Iranian views. Both Twitter and Facebook, tipped off by FireEye, have removed the accounts in question.
Dave Bittner: [00:05:14] Politico observes that the Iranian activity indicates that other governments are cribbing from Russia's information ops playbook. Exposing that playbook can be dangerous, as the Times explains in a profile of troll-hunting Finnish journalist Jessikka Aro, who's drawn death threats for her work.
Dave Bittner: [00:05:32] The Cyber Risk Services team at Deloitte partnered with the Financial Services - Information Sharing and Analysis Center - that's the FS-ISAC - to survey members on how they handle budgeting and risk management for cyber vulnerabilities. They recently published their report titled "Pursuing Cybersecurity Maturity at Financial Institutions." Julie Bernard is an advisory principal in Cyber Risk Services at Deloitte. And joining her is John Carlson, chief of staff at the FS-ISAC.
Julie Bernard: [00:06:02] Financial planners look at efficiency ratios and leverage ratios as they evaluate companies. Is there an equivalent in the cyber marketplace for measuring the effectiveness or efficiency of a cyber program?
Dave Bittner: [00:06:17] Yeah, there's a lot of data in the report. One of the things I want to focus on in the time we have today is you go through what you describe as cybersecurity maturity levels. Can you walk us through what they are and how you came up with the different categories?
Julie Bernard: [00:06:31] We did not come up with the categories. We have borrowed them from the NIST Cybersecurity Framework. So whereas in my history serving firms and doing maturity scores, we often use, like, a CMMI Level 1 through 5, in this case, we borrowed from our friends at NIST. They have a more one-to-four-type relationship, and so they use partial, informed, repetitive and adaptive as their descriptors of maturity level.
Dave Bittner: [00:07:03] And let's focus in on the highest level there, which I suppose is adaptive. What are the aspects of an organization that falls into that category, John?
John Carlson: [00:07:12] Well, I mean, adaptive in the sense that our members are constantly monitoring what the threat environment is looking like through the sharing of volunteered information, by disseminating information that we receive from U.S. government, partners and other companies that do threat intelligence work. So they're constantly looking at that information and making adjustments to their information security programs to respond to the changing threats. So it's that ability to constantly adapt the cybersecurity program to deal with the evolving threat. And that also means leveraging best practices both in terms of governance, in terms of intelligence and information sharing, and then resiliency in the form of exercises and developing crisis response playbooks that will ultimately help the firms that they work for improve their security and protect their customers.
Dave Bittner: [00:08:12] Now, Julie, one of the things the report digs into are the defining characteristics of advanced cybersecurity programs. These are the organizations that are, you know, running at a high level. What are the characteristics that set these companies apart?
Julie Bernard: [00:08:26] Well, to reinforce what John just said, it's the adaptive nature of that. Most often, they have C-suite visibility, whether the CISO actually reports to the CEO or CIO, chief operating officers, chief risk officers and the (unintelligible) financial services clients, usually there is a straight line to one and a dotted line, potentially, to one or more of those types of roles. So that helps because it gets them visibility at an executive level.
Julie Bernard: [00:08:56] There is also a higher level of board interest and board involvement, reporting to the board on a fairly regular cadence on both their strategy, as John mentioned, what the current threat and risks are that are impacting them and the environment, and a little bit on their program status. And almost half, 48% of the respondents, said that cyber is on the board agenda at these companies at least once a quarter.
John Carlson: [00:09:20] Cybersecurity is a team sport. And that's why it's so important to have a strong tone set at the very top of the organization. As Julie noted, it's on the agenda for most of the board meetings. It's a top priority for the CEOs, as well as the chief risk officers, in addition to the chief information security officers, which we work with most closely.
John Carlson: [00:09:43] But it's also about kind of embedding security into the culture, into the business lines, so that firms take advantage of the protections that are necessary given that cyber is really everywhere in the business these days. So that aspect of it's a team sport, you've got to have leadership at the top, you've got to have strong implementation that goes deep into the business lines. And it's not just something that a security officer is imposing standards and requirements. It's something that's built into the DNA of the company.
Dave Bittner: [00:10:15] That's John Carlson from the FS-ISAC. He was joined by Julie Bernard from Deloitte. The report is titled "Pursuing Cybersecurity Maturity at Financial Institutions." You can find it over on the Deloitte website.
Dave Bittner: [00:10:29] Errata Security thinks that roughly a million machines are susceptible to exploitation of the BlueKeep Remote Desktop Protocol vulnerability. Trend Micro has looked at the risk BlueKeep poses and concludes that while it may seem easy to trigger, actually achieving code execution on a target would be incredibly challenging. A more realistic danger, they think, is inducing DHCP server service crashes, a denial-of-service condition that could enable attacks via a rogue DHCP server.
Dave Bittner: [00:11:00] Forbes reports that other Saudi dissidents were infected with Pegasus spyware before the apparently Pegasus-connected, perhaps enabled, murder of Jamal Khashoggi. One of those affected is a Saudi dissident. The other is a well-known comedian, by YouTube standards, who's long devoted himself to lampooning the kingdom of Saudi Arabia. Both targets reside in London, which lends an unpleasant international complication to the matter from the Saudi government's point of view.
Dave Bittner: [00:11:29] An essay in The National Interest argues that Abu Bakr al-Baghdadi, sometimes self-proclaimed leader of the now territory-less caliphate, is reorganizing ISIS. The terror group would now survive as a virtual community with local franchises operating murderously on the ground. The Easter massacres in Sri Lanka would serve as a template for further inspiration.
Dave Bittner: [00:11:54] Huawei alleges that U.S. sanctions amount to an unconstitutional bill of attainder. The company claims that Section 889 of the National Defense Authorization Act 2019 is the offending legislation. A bill of attainder, forbidden by Article I, Section 9, paragraph 3 of the U.S. Constitution, is legislation that imposes an extrajudicial criminal penalty on an individual or group. Huawei says that the National Defense Authorization Act, by barring U.S. federal agencies from using the company's products, amounts to exactly that. Kaspersky Lab took a similar line in court against its own ban. They weren't successful, and most observers think it unlikely that it will work for Huawei either. But Huawei's real audience is probably the media and not the federal bench.
Dave Bittner: [00:12:42] Reality Winner, the former U.S. Air Force member and post-service NSA contractor, is currently serving five years and three months under the Espionage Act for taking a classified report and sending it to a news outlet, in this case, the Intercept. Her mother understandably thinks Reality is a patriot being held unfairly and hopes to see her pardoned by the president. Some of President Trump's tweets have in the past suggested he might be open to such a pardon despite the strong and intemperate language Ms. Winner used about him in her various social media accounts - pre-arrest, that is.
Dave Bittner: [00:13:20] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:14:30] Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
Dave Bittner: [00:14:38] I wanted to touch base about what's been going on in the city of Baltimore with their ransomware situation. There's been a lot of attention - The New York Times, The Washington Post and security pros on Twitter and other places have weighed in on this notion that some of the tools that perhaps had enabled this attack on Baltimore came from NSA.
Ben Yelin: [00:14:58] Yeah. So we're in Week Three of the ransomware attack here in Baltimore City. It's certainly had tangible effects. I haven't gotten a water bill, which might be a blessing for the moment, but I'm sure I'm going to be...
Ben Yelin: [00:15:11] ...Owing back pay...
Dave Bittner: [00:15:13] Right.
Ben Yelin: [00:15:13] ...In the month it comes. But it's had far more serious effects in terms of people being unable to record real estate deals. You've heard about - there are these health databases that notify the public about bad batches of recreational drugs. That's been down. So it has life-and-death consequences.
Ben Yelin: [00:15:31] And because of this New York Times article that came out over the weekend, we found out that the tool used by the hackers - and we still don't know who these hackers are, whether they are rogue foreign actors, whether they represent a nation-state. But now, apparently, we know that the tool they used is something called EternalBlue, and it was originally developed by the National Security Agency several years ago.
Dave Bittner: [00:15:58] Right.
Ben Yelin: [00:15:59] The NSA, as we know, has both offensive and defensive purposes. They are charged with protecting the cybersecurity of our entire country, including states and localities. And as part of their work, their job is to identify flaws in the most commonly used systems and networks. They had discovered a flaw in Microsoft's system several years ago, and they developed this tool to potentially expose that flaw.
Ben Yelin: [00:16:29] In the intervening period, two things have happened. One, Microsoft very quickly came up with a patch to that vulnerability.
Dave Bittner: [00:16:36] Right.
Ben Yelin: [00:16:37] So all of its updates include that patch. So theoretically, if states and localities had been updating their systems, that patch would've been in place. But most dangerously, the information in regards to this EternalBlue tool was released online in 2017 by a group called The Shadow Brokers.
Dave Bittner: [00:16:59] Right.
Ben Yelin: [00:16:59] And two years later, we still don't know who this group is, whether...
Dave Bittner: [00:17:02] Yeah.
Ben Yelin: [00:17:03] ...They are rogue actors, whether they represent a nation-state. There's been this sort of discussion as to whether the NSA can be blamed for both developing this dangerous hacking tool and, you know, having it leak publicly on the internet to be used for some of the world's worst cyber actors.
Ben Yelin: [00:17:21] I certainly think it's a legitimate debate, although I understand the NSA's role in doing what they can to identify vulnerabilities in our system for the purpose of protecting them against bad actors and knowing that these types of NSA leaks or their own security vulnerabilities are going to happen. We saw it with Edward Snowden, a low-level contractor, in 2013, and we saw it with The Shadow Brokers.
Ben Yelin: [00:17:50] Just because the NSA was unable to protect that information, there is something that states and localities could have done, which is to institute all updated security patches. And I think that needs to be the lesson going forward. Microsoft reacted quickly as soon as this vulnerability was identified. They came up with a security patch. And for whatever reason, cities and states across the country have been slow to update their networks. And that's opened the door for bad actors to find these vulnerabilities and cripple our networks.
Dave Bittner: [00:18:25] It's interesting. I mean, a couple of things come to mind. First of all, my understanding of this attack on Baltimore is that while it made use of EternalBlue, that was primarily - it allowed the ransomware to spread - to move laterally within the network. It wasn't the way that they got in, which is interesting. It was, you know, an additional functionality that they were able to use there.
Dave Bittner: [00:18:50] I have to say, and I suppose that part of this is just a local affection for the city, but, boy, my heart goes out to Baltimore on one side because it's a city that has had a lot of trouble lately. It's sort of kicking them when they're down. But on the other hand, as you say, it's been two years. And since the basic functionality - it was something as serious as EternalBlue when there's patches available, at some point, you have to scratch your head and wonder, why couldn't the city have been more up to date or just kept on top of this?
Ben Yelin: [00:19:26] Absolutely. And, you know, I think our first instinct really should be sympathy. Baltimore has been through a lot, particularly since 2015. We are a city that is strapped for resources, and it's always easier after the fact to say that you should spend time and resources updating Windows software on every single device at City Hall. I get that. And, you know, I think we have to come at a place of understanding. But this is really just a lesson going forward. And institutional knowledge to institute these patches - this is just a lesson learned as we go forward.
Dave Bittner: [00:20:02] Tough. An expensive lesson, for sure.
Ben Yelin: [00:20:04] Absolutely.
Dave Bittner: [00:20:05] Ben Yelin, thanks for joining us.
Ben Yelin: [00:20:07] Thank you.
Dave Bittner: [00:20:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.