The CyberWire Daily Podcast 10.10.19
Ep 946 | 10.10.19

Alleged DIA leaker. Europol cybergang study. Protecting the DIB. Chinese information operations.

Transcript

Dave Bittner: [00:00:03] A U.S. Defense Intelligence Agency analyst has been charged with leaking national defense information. Europol releases its 2019 Internet Organized Crime Threat Assessment. NSA Director Nakasone says the agency's Cybersecurity Directorate will first focus on protecting the Defense Industrial Base from intellectual property theft. CISA wants subpoena power over ISPs. And U.S. companies are criticized for caving to Beijing's demands. 

Dave Bittner: [00:00:36]  It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web by identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire, and we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:43]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:05]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 10, 2019. A U.S. Defense Intelligence Agency analyst has been charged with two counts of willful transmission of national defense information. The government alleges that Henry Frese gave two reporters highly classified material. The Washington Post says Mr. Frese was interested in advancing the reporters' careers. One reporter worked for CNBC, the other for MSNBC. 

Dave Bittner: [00:02:36]  The indictment doesn't name them, calling them simply Journalist 1 and Journalist 2, and while we'll follow that proper circumspection, their identities are being fairly widely reported. Journalist 1 is said to have been in a relationship of some sort with Mr. Frese and is said to have introduced him to Journalist 2, described as more senior. The head of counterintelligence for the FBI's Washington field office, Alan E. Kohler Jr., told The Washington Post that, quote, "Mr. Frese not only provided this information on his own, but the government believes he was taking direction from members of the media," end quote. Those members would have been Journalists 1 and 2. Some of their reporting cited sources with direct knowledge of U.S. intelligence reports and sources who have seen U.S. intelligence reports, which is one way of putting it. The government has said it didn't access the journalists' phones or other devices. How did the feds determine that Mr. Frese was allegedly up to no good? Special Agent Kohler explained to the Post, quote, "He was searching for and accessing information that he had no reason to access. He did not need to know the information in the intelligence reports," end quote. 

Dave Bittner: [00:03:50]  Two aspects of the case are attracting comment. First, it's being compared to the case of Reality Winner, also prosecuted for leaking classified material to journalists. Second, it's drawing observations about the use of honey traps, a longstanding technique in espionage but perhaps a characterization that's unfair in this incident involving working journalists. Still, maybe Miss Benatar had it right. Love is a battlefield. 

Dave Bittner: [00:04:17]  Europol's 2019 Internet Organized Crime Threat Assessment is out. Its conclusions are unsurprising but worth mentioning. Ransomware remains the biggest criminal problem, and organized crime continues to defraud e-commerce and financial organizations. While ransomware attacks have decreased in volume, they've increased in targeting and sophistication, leading to greater financial losses. This is largely due to the fact that attackers are increasingly targeting organizations rather than individuals. In addition to ransomware, the report highlights DDoS attacks with extortion as a motive. As gangs become more audacious and sophisticated, Europol wants to enhance its ability to investigate crimes touching the dark web and cryptocurrencies. 

Dave Bittner: [00:05:04]  U.S. NSA director Nakasone said yesterday that the first priority of NSA's new Cybersecurity Directorate will be to shore up the defenses of the defense industrial base, with particular attention paid to securing the companies in the DIB from intellectual property theft, MeriTalk reports. We hope to learn more about that mission today after we hear from cybersecurity director Anne Neuberger. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is also interested in securing businesses, and it's pursuing some expansive authorities to do so. CISA is interested in obtaining power to issue subpoenas that would enable it to inspect networks and systems that may have been compromised or that may have been subjected to cyberattack. The proposal, just revealed, is already drawing controversy. 

Dave Bittner: [00:05:55]  Ping Identity recently published research from their CISO Advisory Council titled Securing Customer Identity Data. Robb Reck is chief information security officer at Ping Identity. 

Robb Reck: [00:06:07]  Interestingly enough, I like to start it off with - there was two different surveys that we reference in the paper that give two really interesting data points. Number one, they say that 73% of consumers say that good experience is key to brand loyalty. They're not going to stick with you if your experience is bad. Number two, 70% of consumers - so 73 versus 70 - 70% say that they would be more likely to buy from retailers when they assure them that the data is secure. So those two things tell you you got to have a good experience and you want to make the data secure. Initially, you might ask - you might expect that those things are going to have really different outcomes - right? - good experience versus security. We don't necessarily think that that's going to be the case in all - all the time, though. So as we talk to these different companies - and interestingly, if you look at the paper, there - we have four different companies that we tell a little bit about their story - so BlueCross BlueShield of Tennessee, American Red Cross, Allegiant Air and PowerSchool. And what's interesting is when they talk about customers, it doesn't necessarily mean the same thing. You know, everyone I think - when you think of online customers, you're probably thinking about, like, a retailer or someone who sells knickknacks. 

Dave Bittner: [00:07:12]  Right. 

Robb Reck: [00:07:12]  But for a health care organization, that's different. For a volunteer - you know, American Red Cross, it's going to be your volunteers that are your customers, or maybe it's volunteers plus it's also the people who you're helping. If you're an airline, you know, it's people who are traveling. PowerSchool - it's either - it's teachers and students and all of these have really different use cases. The thing that kind of ties them all together for us is - what we've realized during this process is the use cases are different, but all of them are where the value for your organization resides. This is what your organization exists to do, to serve these customers. And we were so excited to see that this is a way for the CISO - that the CISO can go from that back-office support functionality to the front lines of offering the highest-value stuff. It's kind of a strategy - right? - to say, well, we're going to do authentication, but we're not going to just do the highest level of authentication for everything, where we make - you know, do biometrics and make you give us a blood sample. 

Dave Bittner: [00:08:07]  (Laughter). 

Robb Reck: [00:08:08]  But we want to say, you know, if you're - you know, let's talk about medical, right? If it's someone requesting highly sensitive medical information, we probably do need a high level of assurance that might include multifactor authentication. But if what they're looking for is, like, a listing of medical providers in their area, we could probably have a lower level of requirement there, right? 

Dave Bittner: [00:08:25]  Yeah. I mean, it's an interesting thing. As I think about my own experience, I think in a way we're conditioned to have so many of these online interactions be in some way frustrating or come up short, that when that doesn't happen, when we have something happen seamlessly without any speed bumps, you walk away with a feeling of delight, like, wow, that was - that actually worked. 

Robb Reck: [00:08:50]  The fact that you just said that - I love that you said that because this is a place where security teams, who are so often, you know, the bad guy in the back corner, have a chance now to actually go impact your business in a positive way, right? Let's go into the - imagine being the CISO who walks into the COO's office or the CEO's office and says, hey, I've got a way that we can delight our customers, and we can also make it more secure along the way, right? That's a really powerful conversation that can get us a seat at the table we might not otherwise have had. 

Dave Bittner: [00:09:20]  And so what is the change here? What's different in the way that you're recommending approaching these sort of security elements that you can dial it in that way? 

Robb Reck: [00:09:31]  Well, so really what the change is - we actually have five steps to kind of starting your program here. And it starts off, you know, like any other thing - it's really knowing your current state. I say that in - you know, as we talk to our council members and as we talk to other folks in the industry, it's just really common that folks don't actually know where customer data is, or they don't know - they're not the ones who own it. They - it's got a really - security has to step in and say, I want to understand the current state. That's step one, and it might sound simple, but it's not as easy as it sounds. Step two is really assigning ownership for that data. I guarantee you right now, in an organization that hasn't already gone through this maturation process, there's different pools of data that are stored - that are owned by different groups. Whether that's marketing, IT, your web development team, maybe product - those different groups have different purposes for it. And you really want to assign a central ownership to this data so that you can actually apply some standards to it and actually do things in a consistent manner. 

Robb Reck: [00:10:30]  Once you have that central ownership, we go to step three, which is let's simplify, right? Let's not have this data in 12 different places. It makes it a whole lot easier for bad guys to get something that's accidentally not secured. Let's find a central place to put it, and whoever owns it - there's not a right or wrong answer here. Marketing can own it. Product development can own it. Security or IT can own it. But it should be in one place, and they should understand what data they have there. And this is, of course, critical to complying with things like GDPR and CCPA as they're coming down the pipe. And then once you have a central owner, you have a central place to store it, then you want to define your process for the future. How do we avoid this issue where, in order for the business to go fast, they create brand-new, you know, kind of one-off solutions that are building us new tech debt? So the process has to include all the right stakeholders. Don't forget about, you know, the fact that sales wants to go fast - marketing, new product development. The CEO is going to have a stake in saying, let's do a new fast thing. Let's create a process that enables the speed you want, but that can be flexible within that central repository that you have. So everything's there, and everything's manageable, right? 

Robb Reck: [00:11:37]  And then the last element - you know, now we have a process, and then we say, OK, well, how do we get smarter with - as we're securing individuals out here? Smarter around the authentication we already talked about, where we're applying multifactor to those high-risk transactions, not to everything else, and smarter to identifying what does risky behavior look like in our organization? In a medical place, it might look like someone submitting, you know, fraudulent claims. In a school environment, it might look like someone going and changing grades inappropriately. What does fraud look like in your organization? And use that central repository and the learning that you can put on top of that to help identify that high-value fraud or that high-value inappropriate activity that you could see on that customer data. 

Dave Bittner: [00:12:19]  That's Robb Reck from Ping Identity. We're discussing their CISO Advisory Council's new research on securing customer identity. 

Dave Bittner: [00:12:28]  Some of the concerns about the supply chain center on fears of the sort of attack Airbus and some of its subcontractors recently sustained. But there are other concerns, too, about the software supply chain, especially the prospect of buggy open-source code finding its way into larger projects. A study of code snippets available on Stack Overflow confirms that quality control is a small but real problem. But apparently, developers tend to think the propagation of such vulnerabilities is an acceptable cost when balanced against the benefits of fast coding and project completion. 

Dave Bittner: [00:13:05]  And finally, China is enjoying some public success suppressing expressions of support for Hong Kong protesters in Western corporate circles. Apple has removed a police-tracking app used by protesters, Quartz reports. And a bipartisan group of U.S. senators and representatives thinks that the NBA has joined Team Beijing. CyberScoop says NSA Director Nakasone yesterday accused China of weaponizing information with respect to the Hong Kong protests. And it certainly seems to be the case that the Chinese government is succeeding in getting some of its trading partners to carry water for them. Those who think information operations are necessarily subtle or deniable will find a clear counterexample in the pressure currently being exerted by Beijing. 

Dave Bittner: [00:13:56]  And now a word from our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:14:51]  And joining me once again is Robert M. Lee. He's the founder and CEO at Dragos. Robert, welcome back. I saw you'd made some comments on Twitter recently about regulations in the electrical sector and the difference between regulations and incentives. Take us through what you were getting at here. 

Robert M. Lee: [00:15:08]  Regulations can set a good base for what we expect to be done either programmatically or performance-based on what actions and minimum standards we want companies to comply with. And across the U.S. electric grid, they've been doing that for over a decade now with the NERC-CIP regulations. And they do set a strong base standard of what we want to see, like two-form authentication or communications under a control center. The problem, though, is that regulations only can apply to a past state that we're interested in. In other words, it's not good at predicting where we need to be. It's not good about allowing innovation. It's saying, hey, here's what we have perceived to be a good base previously. Let's work towards that. And this is ultimately a good thing, but we must understand that regulations can't regulate out the human adversary. They can't - regulations themselves can't protect us. They can just apply to a base level of defensibility and, you know, opportunities for defenders. And in that way, I think that some industries could still do with some regulation. I'm not a huge regulation fan, but there are decentralized industries where that might make sense. But in certain industries where it's much more centralized and a community-driven - and maybe even that we've already had regulations, we open it up for incentives instead. 

Robert M. Lee: [00:16:23]  In the case of the U.S. electric sector, you know, I testified in front of the Senate that we needed to take a pause for a while. New regulations in the power sector come out every two to four years, and that creates an extreme pressure on the companies to keep up with regulations instead of focusing on new, innovative ways to do security. And it would be beneficial to take a three- to four-year period where we stop coming out with new regulations, allow the companies to do anything for security that they deem appropriate for their companies and then have those lessons learned and extract out best practices from that instead of just trying to focus on regulation. 

Dave Bittner: [00:17:00]  I'm thinking of the political incentives here that - if I'm a politician, it's easier for me to get hit by saying, well, why didn't you regulate these people? Why did you just let them run free and do whatever they wanted to do? 

Robert M. Lee: [00:17:11]  That's actually exactly why this still happens. And I've talked to just about everybody in this discussion in terms of, like, sides of the conversation from the government to regulators to asset owners. And that's entirely what it comes down to, usually. But we know that the regulations have been good, but nobody wants to be the person that suggests less regulations. The power company doesn't want to say, hey, you know what? We've kind of exhausted this - 'cause then they don't look willing to move the needle. The government doesn't want to say, yeah, let's take a - you know, a break on this because if a cyberattack happens, they look like a weak, you know, administration on - or a weak party on taking action for security. The regulator doesn't want to not do regulations because those regulators are generally political appointees, and they're only there for three to four years. So the idea of not doing anything for three to four years looks very bad on them and their party, and this was their opportunity to get involved and try to influence change. 

Robert M. Lee: [00:18:06]  It's a tricky subject because, quite frankly, everybody is incentivized to do regulations whether or not they do anything for anybody. I think they have been beneficial, to be honest. Our power grid today is much better off than what it was a decade ago. But there is a time to say, OK, folks, let's work towards programmatic regulation, or let's work towards incentivizing through tax credits or, you know, programs from the government to find new best practices and innovation and security that's going to be cool and exciting and helpful instead of checkbox. 

Dave Bittner: [00:18:46]  Interesting stuff. Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:18:53]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:06]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.