Dave Bittner: [00:00:03] Venezuela's government says the country's massive blackout is the work of sabotage by foreign actors - read, the Yanquis - who took down the grid with an electromagnetic attack. Documents leaked from Huawei indicate that the electronics giant did essential work for North Korea's infrastructure. Both Facebook and Equifax suffer major fines over privacy issues, but there's growing sentiment that the fines were on the low side. And coders, you're better off making loyalty programs than logic bombs.
Dave Bittner: [00:00:39] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast. But for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first. It's time to build your security the same way. ExtraHop's Reveal(x) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(x) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 23, 2019. Venezuela sustained another nationwide blackout yesterday, with the country's telecommunications and other basic services heavily affected. Over half of Venezuela's states were left substantially without power. The government is working to restore electrical service, but the grid remains, for the most part, down.
Dave Bittner: [00:02:19] Local blackouts have been commonplace in Venezuela for some time. And large-scale outages aren't unknown either. The last series of those took place in March. The Chavista government blamed those on a cyberattack, but this explanation convinced few, with only committed supporters of the regime or opportunistic foreign governments - notably Russia's - affecting to take it seriously. This time, CNN reports that the government blames an electromagnetic attack on a hydroelectric plant as the cause of the grid's failure. CNBC points out that the officials have neither specified what they mean by electromagnetic attack nor provided evidence of the foreign activity they blame for the disruption. The expression electromagnetic attack perhaps deserves some explanation. Caracas had blamed the March outages on cyberattacks. But presumably, this time it's different. There is a kind of side-channel attack that's called an electromagnetic attack, but that's a method of extracting information. And it's doubtful that the Venezuelan regime means that. They more likely intend to suggest that the outage was caused by an EMP attack by an electromagnetic pulse. The kind of EMP everyone thinks about, when they think about it at all, is nuclear EMP. That is an intense electromagnetic pulse produced by the detonation of a nuclear weapon. This is known to be able to interfere with and destroy electronic systems, with low-power solid-state components being particularly vulnerable. However, since an awful lot of people would have noticed even the high air burst of a nuclear device, we can probably rule that one out.
Dave Bittner: [00:03:56] Power surges in electrical transmission equipment can produce a damaging electronic pulse. So perhaps the government in Caracas is saying that it was that sort of outage. Opposition leaders, on the other hand, claim that the blackouts are due to neglect, corruption and mismanagement. Betting on form, we'd offer the Venezuelan Energy Ministry a shave with Ockham's Razor and suggest that the opposition in this case probably has it right. The story is developing, and the lights are still out. Before yesterday's blackout, by the way, Newsweek reported that Russia had announced plans to dispatch more specialized military to help secure Venezuela against American economic terror. Maybe they should bring some generators with them.
Dave Bittner: [00:04:41] The Washington Post has obtained and reported on internal company documents a former Huawei employee leaked to the paper. The material shows Huawei's work with a partner, the Chinese government-owned IT firm Panda International Information Technology, to establish and maintain North Korea's commercial Wi-Fi networks. A Huawei spokesman neither disavowed nor authenticated the documents, saying merely that the company was, quote, "fully committed to comply with all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations," end quote. Panda had no comment.
Dave Bittner: [00:05:20] The Democratic People's Republic of Korea is, of course, under very tight international economic sanctions for its nuclear and ballistic missile programs. The U.S. Commerce Department, which also had no comment, has been investigating Huawei for possible North Korean connections since 2016, but so far has not established that the Chinese company was in violation of sanctions. The documents indicate that Huawei and its partners supplied antennas, base stations and other equipment necessary to standing up North Korea's network. The U.S. Justice Department has already charged Huawei with crimes connected to evasion of sanctions against Iran. Should the latest revelations be substantiated, they would amount to more legal hot water for the Shenzhen company. TechCrunch points out the DPRK's network is only 3G. But Huawei's role in building it won't look good when countries think about the equipment they're willing to use to roll out 5G.
Dave Bittner: [00:06:17] Last year, the team at Ping Identity assembled a CISO advisory council made up of a dozen CISOs from various industries. One of the goals of the group has been to share their knowledge and experience with the rest of the industry through a series of white papers. Their latest effort covers the creation of an insider threat program. Robb Reck is CISO at Ping Identity.
Robb Reck: [00:06:38] So this is meant to really be a high-level guidance to say, what do you need to think about when you're creating an insider threat program? We've broken it into four steps. Number one - think about what team you're going to pull together. While, you know, I'm probably writing this for security practitioners, security is not the only stakeholder and maybe not even the most important stakeholder. We want to make sure we have HR. They're definitely a really important stakeholder. Legal's going to be a part of this, and depending on your company, product is a part of this, maybe sales. It really depends on who is it that's concerned about insiders and what they may do. The second step of creating the program is - what are the risks that you need to address for your company? You know some obvious ones - right? - theft of intellectual property, customer data that may get stolen. Based on what you do, you want to think about sabotage of your organizational systems. You know, are there national security concerns? If you're running a water plant, you know, maybe those are both pretty relevant. The third step that we looked at was identifying the critical controls that you need to watch - once again, you know, some things that are pretty much generally across the board you want to look at. Every company wants to look at their sales folks, their finance folks, their executive team, probably some IT system administrators.
Robb Reck: [00:07:45] Some other areas that maybe aren't so obvious - third parties. While you're going to probably have some kind of a vendor risk management or a third-party risk management program, those people do have access to your systems, and they probably should be scoped in for your insider threat management as well. Customer service agents - so in a lot of companies, you're going to have your most entry-level people having direct access to your customer information and some sensitive systems where they could do you some harm - stealing customer information, leaking it or just making bad choices with how they talk to customers. And a third area that you might not think about so much is developers. Like IT - they could put backdoors into systems to maintain persistence in your organization. The fourth point and the last point here in terms of how to create a program is think about where you put control points in your process. So this is going to be process and technology both.
Robb Reck: [00:08:35] We broke it down similar to how we do other security into pre-employment before your insiders are brought on board, which is really going to be much more HR-focused. Now, a lot of companies are going to have a vetting process where you do a background check, maybe drug testing. But you might want to consider varying the diligence of your vetting based on that role. Maybe for these high-sensitivity roles, you want to have significantly more investigation into them. And then, you know, technology does play a key role here in monitoring while they're on board. You know, strong authentication and least-privileged authorization in your environments - an employee who is going to go rogue can do a whole lot more harm if you have everything open to all your employees.
Dave Bittner: [00:09:11] Yeah. It's really interesting to me. I mean, one of the things that strikes me in what you're sharing here is both the breadth that is covered by the term insider threat - just how many different things are under that umbrella - and also just how dynamic it is; that it is a constantly changing thing within an organization.
Robb Reck: [00:09:31] Yeah, it is changing, and I think it's going to continue changing. You actually just kind of led me into one of my big takeaways. When I was thinking, what am I going to share with Dave and the CyberWire listeners about this? - I had two key takeaways, and the second one was that this program isn't stagnant. You know, what was good enough today is not going to be good enough tomorrow, and it's not just because of technology changing, but, really, the business landscape and, really, the international landscape keeps changing as well. The other big takeaway I had as I've been thinking about this and how I want to update my own is really finding the partners internally that are going to best support your program is critical. A security-only insider threat program really isn't providing a lot of value to your business, but if you understand - what are your business' objectives? Where are the areas that we have some risk? - and you can bring in those leaders - get the leader of product development to talk about how much it would matter to them if a competitor had their code. Well, that conversation starts to be interesting - right? - and that starts to really take security from a back-office function into a front-of-office, value-adding business unit.
Dave Bittner: [00:10:35] It really creates sort of a virtuous circle there, where you were actively demonstrating the value of your own side of the house.
Robb Reck: [00:10:43] Yeah, and to the people whose opinion matters - right? - people in your organization who actually drive revenue, who drive productivity and, of course, manage risk across the board.
Dave Bittner: [00:10:51] That's Robb Reck from Ping Identity. You can find the white paper on creating an insider threat program on their website.
Dave Bittner: [00:10:59] There have been complaints in WIRED and other places that Equifax got off lightly, but things look different, perhaps, if one puts the settlement into a European, as opposed to an American, context. Observing from the U.K., the verdict sees the settlement as a very heavy one. At 21% of Equifax's revenue, it amounts to five times the maximum penalty that would have been allowed under the European Union's GDPR. The Washington Post reports that for all of its record-setting, the Federal Trade Commission wanted the fine to be higher and that there are members of Congress who agree. There's said to be rising sentiment in favor of increasing penalties for privacy missteps.
Dave Bittner: [00:11:38] ZDNet reports that David Tinley, a Pennsylvania man who had, for some years, provided IT services to Siemens' Pittsburgh-area offices, took a guilty plea to charges that he put logic bombs inside spreadsheets he worked on for his customer. The software would crash after a certain date, at which point Siemens would call him in to fix the problem. Mr. Tinley would do so, collect his fee and await further business. The scam was discovered, according to Law360, when Mr. Tinley had to provide Siemens techs with admin passwords to his software so they could fix an urgent problem that cropped up while he was on vacation. Evidently, he hoped his logic bombs would pass unnoticed, but they were spotted and reported. He'll be sentenced later this year and could face 10 years in prison and a fine of $250,000 on the federal charges. He may not draw the maximum, but observers think some jail time is in the cards. May we suggest there are better ways of getting repeat business? Loyalty programs are much more customer-friendly than logic bombs.
Dave Bittner: [00:12:49] And now a message from our sponsor ObserveIT.
Unidentified Person: [00:12:54] Great party, huh?
Dave Bittner: [00:12:55] Yeah, yeah. Great party. Could you excuse me for just a moment? Hey, you. What are you doing? Oh, no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss.
Unidentified Person: [00:13:15] Did someone say trouble? I bet I can help.
Dave Bittner: [00:13:17] Who are you?
Unidentified Person: [00:13:18] To catch insider threats, you need complete visibility into risky user activity. Here. I'll show you how ObserveIT works.
Dave Bittner: [00:13:26] Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this.
Unidentified Person: [00:13:35] Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it.
Dave Bittner: [00:13:41] But wait. What's your name? Oh, well. Thanks, ObserveIT, and whoever she is.
Dave Bittner: [00:13:49] ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire.
Dave Bittner: [00:14:08] And joining me once again is Malek Ben Salem. She's the senior R&D manager for security at Accenture Labs. Malek, it's great to have you back. You recently attended a conference, and you brought back some interesting points of discussion. What do you have to share today?
Malek Ben Salem: [00:14:22] I was at the Rights Conference in Tunis last week, and this is the largest digital rights conference globally. One of the interesting conversations that happened throughout the conference is actually around the future of the internet. Are we going to continue to see a free internet? You know, when the internet started, it started as a platform for open and free speech, and that was a big argument - for it to be free with, you know, very little governance. But now as we see, you know, disinformation campaigns, content that is hateful, some of the voices are raising the question whether - how can we govern that internet - whether we need to continue to have an open internet or whether we need more governance in place. So a lot of interesting questions were raised around the future of the internet.
Malek Ben Salem: [00:15:20] We know that recently, for instance, the European Union - actually, in March, they approved a copyright directive, which is known as Article 13 and was renumbered as Article 17. But it required technology companies to impose upload filters to scan user-provided content and remove material that was viewed as unlawful, and it clearly said companies that fail to delete copyrighted protected works and other subject matter shall be liable for unauthorized acts of communication. There is movement towards having more regulation and more oversight of the content that is being shared. We've seen the same thing happen with Australia in the aftermath of the Christchurch massacre, where they also had a law that now required online platform providers to review content to make sure that there is no hateful speech, no hateful videos. The U.S. has not had any regulations, but, you know, we've seen the Congress also discuss that. We've seen several public hearings discussing the need for more oversight, for content moderation by social networking companies. Really, that raises a question about the future of the internet. How is it going to evolve? Are we going to see more of a decentralized form of governance of the internet? Is that good or not? You know, obviously, the centralized approach has its own advantages, but the question is, you know, whether that will continue to be the model in the future.
Dave Bittner: [00:16:58] I've heard folks refer to it as splinternet - you know, this notion of things like the Great Firewall of China and Russia, you know, putting a ring around their own internet access as well and certainly other nations doing that as well. It's interesting to see how this great experiment the internet is - to see how it continues to evolve.
Malek Ben Salem: [00:17:21] Absolutely. And with China, for instance, the 2017 regulation that required that all data pertaining to Chinese citizens, Chinese firms, has to stay within mainland China - obviously, that's one thing. The other thing is the infrastructure that China has, right? So as we move into 5G networks, that infrastructure will be coming from China, so what would that mean also to the internet itself - to the de facto, I guess, governance of the internet?
Dave Bittner: [00:17:50] What an interesting challenge because, obviously, it's an international thing, but so many nations have their own interests to look out for.
Malek Ben Salem: [00:17:58] Absolutely.
Dave Bittner: [00:17:59] Yeah.
Malek Ben Salem: [00:17:59] It will be interesting to watch.
Dave Bittner: [00:18:01] For sure. Malek Ben Salem, thanks for joining us.
Malek Ben Salem: [00:18:04] Thank you, Dave.
Dave Bittner: [00:18:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:22] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: [00:18:37] And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:18:51] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.