Special Editions 1.31.17
Ep 12 | 1.31.17

2017 Cyber Security Forecast: A CyberWire Special Edition


Diana Kelley: [00:00:03] We're probably going to see an increase in the weaponized internet of things.

Dave Larson: [00:00:08] The good news is everyone is aware of the danger.

Christopher Pierson: [00:00:12] We're going to have to get more automated, but we also need folks that are better trained, better educated and, quite honestly, better equipped.

Dave Bittner: [00:00:21] What are you expecting in 2017 when it comes to cybersecurity? There are sure to be attacks like we saw last year - ransomware and botnets, IoT vulnerabilities we just didn't see coming. And what about all those unfilled jobs? Can automation help fill the gap? Is the boardroom finally going to give cyber the attention it deserves? And, oh, yeah, there was that presidential election in the U.S. How will President Trump affect cyber policy? We don't have all the answers, but we've gathered up some industry experts to share their thoughts on what 2017 might bring. And later in the show, we've got a roundtable with Sara Sorcher from the Christian Science Monitor's Passcode and our own editor of the CyberWire, John Petrik. Stay with us.

Dave Bittner: [00:01:06] Time to take a moment to thank our sponsor Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:02:04] We begin with threats and vulnerabilities. Christopher Pierson is chief security officer and general counsel for Viewpost.

Christopher Pierson: [00:02:12] I think that we're going to continue to see ransomware moving forward and business email compromise moving forward at the same speed that we're seeing now. I do think that we're going to see a lot more of activity here, though, in terms of destruction of data. Instead of ransom and, you know, requesting the data back for bitcoin payments, I think that we're going to see things really morph into a how do we get a hold of the cloud instances of X, Y and Z company or corporation. How do we go ahead and take over those instances, those environments?

Diana Kelley: [00:02:50] Unfortunately, more ransomware.

Dave Bittner: [00:02:52] Diana Kelley is an executive security advisor with IBM.

Diana Kelley: [00:02:55] More malware that's very sophisticated, that changes very rapidly and very quickly in an attempt to avoid detection. So we're probably going to see an increase in the weaponized internet of things - where we saw a little bit of that at the end of last year with the Mirai malware and taking over IoT devices that were using the default logins - usernames and passwords - and using them to create massive denial-of-service attacks. So I think that we're probably going to continue to see that kind of activity going forward in 2017. And, again, I hope that this is really going to encourage companies and encourage end users to go in and change those default usernames and passwords because, again, being - understanding the threat and understanding the attack vector and taking steps to be prepared is the best way for us to defend ourselves.

Dale Drew: [00:03:51] We've seen a significant explosion in bad guys embracing IoT in a malicious way.

Dave Bittner: [00:03:58] Dale Drew is chief security officer at Level 3 Communications. He's a regular contributor to the CyberWire.

Dale Drew: [00:04:04] Yeah, there are no security solutions for IoT. There is no endpoint protection. There's no intrusion detection. There is no nothing, and there's no standards. And so the bad guys have found that when they gain access to an IoT device, they have a much longer life on those devices before they are detected. Their bots are now capable of controlling millions of endpoints, as opposed to just thousands of endpoints. And that's all because of this sort of attraction to IoT. So we really think that the bad guys are going to be doing significant research in IoT exploits, and that's going to cause a significant amount of reaction from the community - especially in the IoT space - to react to all these security threats until we can get a lot more proactive.

Dave Larson: [00:04:48] The good news is everyone is aware of the danger.

Dave Bittner: [00:04:52] Dave Larson was chief operating officer and CTO at Corero Network Security when we spoke to him. He's since moved on to HP.

Dave Larson: [00:04:59] At the very first stage, I think you're going to see significant more attention paid to setting up devices without default passwords. The good news on the Dyn attack is that it took down Twitter and Okta and Reddit and made it onto the mainstream news for that entire day, which means even the average person is aware of it now and that passwords are probably something that you should have, you know, put some thought into.

Dave Larson: [00:05:25] So I think in one respect, the attack itself has probably diminished the future capacity and scale of these attacks because people are going to take proper practice and procedures to lock things down. This is a pretty vibrant community. The attacks are large enough and devastating enough now that people realize you can't just ignore them. It isn't just fear and uncertainty and doubt of the possibility of IoT-based attacks. They are real. In general, though, the internet community is very good about banding together and taking care of these kinds of issues. So I think, in general, we will be better off a year from now.

Simone Petrella: [00:05:59] 2017 - I think workforce development is finally getting the attention it deserves, although we still have a ways to go.

Dave Bittner: [00:06:07] That's Simone Petrella. She's chief cyber strategy officer at CyberVista, a training development and workforce initiative company.

Simone Petrella: [00:06:14] The current workforce - just as a - if you use as an example, you know, the CISSP, which is the biggest certification that's currently in demand in both government jobs as well as in a significant portion of the private sector, there are 65,000 jobs that are available that require a CISSP and, like, only a fraction more of actual CISSP holders globally. And so clearly, you know, those ostensibly all have jobs.

Simone Petrella: [00:06:42] And so you see that just the demand in requisitions and hiring is outpacing the graduates that are coming out of universities as well as other avenues where people are transitioning from, say, IT fields. And that probably, unfortunately, can't really catch up until we either develop academic or university programs that can fill those gaps, or we do start to more conservatively transition folks that maybe have an IT or ancillary background that could really be successful in cybersecurity.

Diana Kelley: [00:07:14] If you look at who are the cybersecurity experts right now, unfortunately only 10% of them are women, for example.

Dave Bittner: [00:07:23] That's Diana Kelley from IBM.

Diana Kelley: [00:07:25] So we're missing out - we've got a big shortfall on who's doing work in cybersecurity, but we're missing out on a whole bunch of potential workers just because we don't have a lot of women in the field. Also, looking at people from diverse backgrounds, I actually have an English degree from college. I didn't come out with a PhD in cybersecurity. I was self-taught. Now, granted, back in the '80s, there weren't a lot of cybersecurity degrees (laughter).

Dave Bittner: [00:07:53] Right.

Diana Kelley: [00:07:53] I don't think we even used the term. But there are still people that are coming out from very different areas that, when they get interested and start to learn in security, they can add so much, creating a much more and supporting a far more diverse workforce both from, you know, the gender of the people, but very much also from the background that they bring in because when you look at cybersecurity, it's a really broad discipline. So being able to bring people in from other disciplines, I think, can really help us to round out our knowledge base.

Christopher Pierson: [00:08:24] Is it quite possible that some of that can be mitigated through automation?

Dave Bittner: [00:08:28] Chris Pierson from Viewpost.

Christopher Pierson: [00:08:30] I think the answer is yes, absolutely yes. As our technologies have grown, I believe that once we have these tools in place, it's going to allow our individuals to focus on more of the high-risk items as opposed to chasing some of the needles in the haystack that they've been chasing, given the amount of - the number of alerts that they've had, as well as poor indications of are they truly risks or not and risks that need immediately dimensioning or not. We're going to have to get more automated. But we also need folks that are better-trained, better-educated, and quite honestly better-equipped to be able to handle the cybersecurity needs of our country.

Dale Drew: [00:09:13] We really think that machine learning and behavior analytics to be able to detect things that you've never seen before, in ways you've never seen it before, and then tying that knowledge directly into all of your existing security infrastructure is going to be the thing that is going to have a step function above anything else in protecting enterprise assets and critical infrastructure capability.

Dave Bittner: [00:09:40] That's Dale Drew from Level 3.

Dale Drew: [00:09:41] I cannot look forward enough to turning things like machine learning from a buzzword into a more practical product capability that is embedded in a vast majority of our security technology.

Dave Bittner: [00:09:55] Christopher Pierson thinks that not only will artificial intelligence be an important tool in the toolbox, it's going to be at the center of a lot of action from a purely business point of view too.

Christopher Pierson: [00:10:04] The playing field in 2015 and 2016 is quite littered with a lot of companies in this space that are startups that are trying to really hone out AI. And so I think that it's an overcrowded market. I think that it may be overfunded in some form or fashion. And so what you're going to see - and you saw a low - a lower amount of public exits in 2016. It's - the exits have definitely dropped. So I think you're going to see some smart shoppers over there. I think you're going to see some nice acquisitions and nice opportunities for acquisitions in 2017 of these types of companies.

Dave Bittner: [00:10:46] Speaking of business, Diana Kelley thinks cybersecurity is poised to take its proper place at the boardroom level.

Diana Kelley: [00:10:52] It's got to evolve from just an awareness and continue to go past that, you know, that TLP, the traffic light protocol, where, oh, we're green. You know, we've got a little bit more awareness. We need to continue to build and drive that awareness into the board so that they really own the fact that the company is now - when we talk about risk, it's not just business risk. It is digital and cyber risk too, and they're all one and the same. They're just - they're so entwined that we really can't unhook them from most organizations. So the board understanding that, as they're making risk decisions, they've got to understand the cyber risks decisions.

Diana Kelley: [00:11:34] And the part on the CISO and the security team is to bring up information about what those risks are and, more than anything, to drive a risk-based strategy because there's still a little bit of this reaction as you - oh, today, it's ransomware. And tomorrow, it's going to be the IoT DDoS. We - it's really easy for us to become, you know, the magpies and the - oh, the bright, shiny object of whatever's in the news right now. But the security team bringing to the board this very well-thought-out risk assessment, understanding the strategy of where the company wants to go, that's going to help them to be - make those decisions and to be very proactive about how they build out their defenses. It's really understanding your company's desire to manage and make choices around business and digital cyber risk and then implementing them to a plant over the course of the years.

Dave Bittner: [00:12:34] You may have heard there's a new presidential administration in the U.S. What that means for cyber is yet to be determined, but there are some clues. Here's Chris Pierson.

Christopher Pierson: [00:12:42] We do have a - you know, some inkling of a decreased regulatory model as one administration push. I don't know how we're going to actually do that on cyber. We have recent executive memoranda regarding an all-stop on civilian positions. You know, what are we going to do with these cybersecurity positions that are out there? DHS certainly has the largest billet (ph) of them. But what are we going to do in terms of DOD, DHS, NSA and the other agencies that have open cybersecurity positions? These are now effectively at a stop under that presidential memoranda.

Christopher Pierson: [00:13:20] And finally, we have, at least during the campaign, some notion that president-like Trump - or President Trump now - was looking towards the DOD to play a larger role in cybersecurity. So if he stays true to some of those promises or some of the things that have been communicated there, we're going to see some unique movements that are a little bit different than what we've seen in the past. But remember, the critical infrastructure that is impacted by cybersecurity is still 85% owned by the private sector. And so there's going to have to be huge participation from the private sector in terms of anything to get pushed forward as it relates to cybersecurity We hope to - those of us in the cyber security community, privacy community, and in policy community likewise really hope to learn more in the next 90 days as to what directions we're taking as it relates to cyber.

Diana Kelley: [00:14:22] We do need to, as vendors and as users, start to, you know, have a hand in what we do to help protect ourselves. So if you're a vendor and you deploy a system that's shipped in an insecure state and it becomes an attack vector, then your name could be on the headlines. You're now the device that is used to be, you know, on a headline of a major attack through IoT - then, you know, that can hit your company's reputation. And reputation and brand awareness are something that we found, in one of our studies last year, is becoming increasingly important to organizations.

Dave Larson: [00:14:59] Because if we don't, then government will provide regulation.

Dave Bittner: [00:15:02] That's Dave Larson.

Dave Larson: [00:15:03] From a telecommunication and from an internet perspective, regulation is not always good. It is costly. It is well-meaning, but it does not always solve the problem. And if governments are forced to act because the community does not, we will end up with overlays of controls and compliance initiatives that are just going to make business harder to do. So - and I think people realize that. And I expect them to actually get out ahead of this so that the, you know, Congress and the various governments around the world don't actually have to get involved.

Diana Kelley: [00:15:39] I would say go back to your team and say, give me your full risk assessment for all the areas that we're covering - so everything that's related to cyber and to digital. And then really look over those very, very, very carefully. You know, have that team that reported up about the risk assessment and the risk strategy - you know, did they really get a comprehensive view? Were they looking at - did they have an inventory underneath of what they're looking at and reporting to you on? Because very often, it's so simple, right? What's the inventory?

Diana Kelley: [00:16:09] If you're testing your web applications - and you're really testing all of them, for example. So making sure that that team has reported up to you about where the risks are and what they're doing to, you know, prevent an attacker from getting in because, again, it sounds like, oh, well, of course, everybody does that. But they do it at this really high level, like - you said, you know, the TLP. It's like, oh. We're all green. We've got a couple of yellows, 60 yellows, everybody moves on. Really dig down and look underneath of what it is that they're rolling up into the reporting. That's a really important part.

Christopher Pierson: [00:16:45] As it relates to something that we can certainly do a much better job on in 2017 and is just clear as day - is we really have to tackle this problem of authentication. Who are you? What are your rights and privileges? Is that you that's logging on? Or is this a username and password that has been compromised in some type of malware attack or keyboard logging event, and it is not you?

Christopher Pierson: [00:17:09] We have to move, both in terms of consumers and in terms of businesses, towards a pure dual-factor state of things in 2017 so that we can stem the bank account takeovers. We can stem administrative privileges being used by - improperly by attackers. We have to be able to do something here in this area so that our time and attention can be turned to the true and real threats that could have real impact, as opposed to a lack of ability or an inability to keep control of our usernames and passwords. It may not be an end state of dual-factor authentication right now. It may be something that needs to progress further, but we have at least got to make that jump in a material way in 2017 to have any hopes of tackling cybersecurity.

Dave Bittner: [00:18:07] And I'm pleased to be joined by Sara Sorcher. She's the deputy editor at Passcode, part of The Christian Science Monitor. And also joining me is John Petrik, our editor here at the CyberWire. Welcome, everyone.

Sara Sorcher: [00:18:17] Great to be here.

John Petrik: [00:18:18] It's good to talk to you.

Dave Bittner: [00:18:19] Let's start with you, Sara. We've heard from our experts on what they're expecting in 2017. What's your outlook?

Sara Sorcher: [00:18:26] Well, as a reporter in Washington, I am tracking pretty closely the policies of the new Trump administration and what this means for security and privacy in federal governments and in terms of, you know, its relations with the tech industry and all that sort of fun stuff. So there are some early indications of where the administration is going to go. And, you know, his nominees are also weighing in on issues like encryption. So it promises to be a pretty interesting year on that front.

Dave Bittner: [00:19:01] Specifically, I think today, we're expecting an executive order from President Trump when it comes to cyber. What are we seeing in terms of policy? Are there breadcrumbs we can follow? Or are there more overt moves that - where we sense where things might go?

Sara Sorcher: [00:19:17] Yeah, definitely breadcrumbs stage, I think. I mean, you're right. There is an executive order that Trump is expected to sign today. And it's basically commissioning several different reviews of the government's cybersecurity capabilities on both the offensive side and the defensive side. And, you know, he has made cybersecurity a pretty big talking point during the campaign. And, you know, there are some indications of where he might go - some talk about even transferring some of the authority from the civilian Department of Homeland Security to the Pentagon. That's not in order. But that's something that I'm looking out for.

Sara Sorcher: [00:19:58] And, you know, he has tapped Rudy Giuliani, who is one of his - has been one of his close advisers, to be a cybersecurity adviser. And he is going to be convening experts who are working on cybersecurity solutions and business leaders across different industries that have been targeted by hackers, you know, from energy to transportation, trying to get everybody together to have this sort of brain trust discussing these issues and make recommendations back to the administration. So, you know, we're seeing some sort of motion on this front actually pretty early in this administration, which maybe is to be expected after a campaign that was so dominated by hacking news.

Sara Sorcher: [00:20:40] But we're also seeing some things that might be more controversial when you have the nominee for attorney general, Jeff Sessions, submitting testimony to the Hill that while he understands that encryption has a valuable and important purpose, that national security agencies and investigators must be able to overcome encryption under lawful authority. So I think that's promising to be a pretty big issue for security experts and the administration in the next couple of years.

Dave Bittner: [00:21:12] John Petrik, what are you seeing in terms of reactions to possible policy directions with this new administration?

John Petrik: [00:21:19] I think we're going to see more continuity than discontinuity, actually. And you, being an optimistic guy, are probably looking toward a surge in restraints on surveillance, an increase in privacy, an increase in internet security, things like that. So you probably think that we are really living in 1789, which is when Congress passed the Bill of Rights, especially our favorite amendment, the Third Amendment, which says no soldier shall in time of peace be quartered in any house without the consent of the owner, nor in time of war but in a manner to be prescribed by law. So right. You know, there's a guarantee of privacy there because, of course, one way in which you're conducting surveillance in the 18th century was you quartered soldiers in people's houses, so they could keep an eye on things. But I don't think so. I don't think we're living in 1789. I think it's really 1791.

Dave Bittner: [00:22:09] All right.

John Petrik: [00:22:10] And that's the year Jeremy Bentham began to push his idea of the panopticon. And Bentham, of course, was a utilitarian philosopher and a political economist who was devoted to all sorts of reform causes. And one of his causes was prison reform. And he thought prison should be designed in such a way as to be circular, have a tower in the middle where the guards could watch all the prisoners at any given time. And they could either keep the prisoners under continual surveillance, or, more importantly, the prisoners would never know whether they were being watched or not. So that's the panopticon. And, of course, Bentham's idea was never fully implemented to his satisfaction. But we see elements of the panopticon, I think, in cyberspace.

John Petrik: [00:22:51] And while a lot of people are afraid, for example, that the NSA's got this terrific appetite for their personal information, I think those fears are, in many ways, overblown. And I think whatever appetite you see at Fort Meade for personal data is positively picky and dainty compared to the way marketers crave your information. So the sites follow you. They know your interests, and they know your predilections. They know who you are, what you're like, what you're up to. And do you know when you're being surveyed? Not really. But the safe assumption is probably always. So, you know, somewhere in utilitarian heaven, I think Mr. Bentham is smiling.

Dave Bittner: [00:23:27] But I think there's an important distinction there. I mean, obviously, the marketers are gathering up information about us. But the marketers don't have guns. And the feds do. And isn't that a - in terms of, you know - if we're talking about the Constitution and the Bill of Rights, isn't that an important distinction?

John Petrik: [00:23:44] Yeah. Sure, it is. Of course, it's an important distinction. But I don't think that we're going to see any major changes in surveillance policy in 2017. I do think we're going to see a considerable increase in what marketers and corporations know about us and what they do with it.

Dave Bittner: [00:24:01] Sara, you know, getting back to what we're talking about with this executive order that we're expecting today in terms - with regard to cybersecurity, I think a lot of people are sort of holding their breath because, with some of the previous executive orders, we've seen untraditional ways of handling things, to say the least. Do you think that's a fair assessment?

Sara Sorcher: [00:24:21] Yeah. I think it is. I think that you've seen a very busy eight days - nine days? I was sort of losing track of time with all of the, you know, different executive orders that are being signed and just - I think the pace is really dizzying to a lot of people in media these days just to try to keep up. And I think when you look at some of these issues, I agree that, actually, there could be a lot of continuity on the security and privacy front from the Obama administration and the Trump administration, even though the rhetoric about it is really different. You know, you saw during the campaign, as a candidate, Trump was talking, you know, a lot about the need to go harder on terrorists. And, you know, he called for a boycott of Apple, you know, when they did not help the investigators get into the San Bernardino shooter's phone. So, you know, he's taken a really tough stance.

Sara Sorcher: [00:25:15] But, you know, you could end up seeing in the end a more moderate policy on cybersecurity. But I think that the public perception of it could be different at this time of uncertainty. And the public view of surveillance tools that they might have said, meh, I don't really pay so much attention to this under Obama, either - whether that's for political reasons or because it just wasn't so, you know, such - paired with such loud talk about it then maybe they might feel differently during the Trump administration. So you're already seeing some pockets of this swirling. I mean, even with the immigration executive order this weekend where you have a ban on travel from seven majority-Muslim countries and on refugees, you're seeing, you know, other things paired with that, too, where the Trump administration is reportedly discussing the possibility of asking all foreign visitors to give up their cellphone contacts, social media data, browsing history or risk being denied entry to the country.

Sara Sorcher: [00:26:16] So you're already seeing some talk, at least, of going further and, you know, intertwining even deeper with people's data, whether they know that they're giving it up, you know, to a point that John made earlier or whether they - maybe they don't know. And, you know, what the motives are of the administration will be a big question because you still might have the same surveillance capabilities as you did before and the same - you know, the same tools that you were you - the Obama administration was able to you before. I think that people will be paying a lot closer attention to how that actually plays out, you know, what you can do with lawyers and what you can do with who you're targeting and why. I think all of those things are going to be really scrutinized in the coming years.

Dave Bittner: [00:27:02] Switching gears to some of the other things that we're certainly going to have to face in the coming year when it comes to cybersecurity issues, everyone agrees that we're probably going to see more ransomware, more IoT attacks. John, on the threats and vulnerabilities landscape, what other kinds of things do we need to have on our radar?

John Petrik: [00:27:21] I think one of the more interesting developments that we saw over the past year and that is certainly going to continue into this one is something the experts you spoke to earlier talked about. And that is the rise of nation-state activity in cyberspace and cyber conflict. There's a very interesting talk that a senior adviser to President Putin gave back in the spring of 2016. A man named Andrey Krutskikh told Info Forum 2016 - we were living in 1948 and that 1949 was about to arrive. And those years are interesting because 1949 is the year the Soviets tested their first nuclear weapon. And in Krutskikh's - and I don't think he's unusual in Russia in thinking this.

John Petrik: [00:28:03] That's the year when the Americans had to take the Russians seriously. They couldn't ignore them anymore. They couldn't just write them off. And Krutskikh was talking specifically about cyberspace. He says pretty soon, the Americans are going to have to take us seriously. And indeed, we do have to take them seriously because we saw how involved they were in attempting to influence the American elections. So I think we're going to see this year a rise in a kind of cyber cold war. And we're going to see a lot of things going on in that cold war that we saw going in the first Cold War. A lot of things we now call information operations or influence operations - well, they're really not that different from Cold War staples like propaganda, disinformation, use of front organizations and employment of agents of influence. So I think we're going to see much more of that on the threat front in 2017.

Dave Bittner: [00:28:52] I want to switch gears and talk some about workforce issues. Obviously, we have this ongoing shortage of qualified people in cybersecurity Sara, we heard people in the piece previously talk about how, perhaps, automation could play a part in helping to ease some of that stress with the shortage of qualified workers. Any thoughts on how we help to close that workforce gap?

Sara Sorcher: [00:29:17] Yeah. I think that automation could definitely play a role and the, you know - simplifying - whether you're just simplifying the technology so that people can learn it faster, make it more intuitive. I did a piece a little while ago about a DARPA program that the Pentagon research arm, the Defense Advanced Research Projects Agency - and how they're trying to make things as futuristic as an app store for cyber operations where cyberattacks are depicted in, you know, maybe something like a fire or something visual that people can intuitively understand.

Sara Sorcher: [00:29:52] So I think automation and visualization, whether it's in, you know, the private sector or in government effort, I think those can really play a big role in getting more people trained up to take these jobs. Yeah, I mean, you see some big progress on that in the last year when you're looking at, also, in the automation front when you're looking at the Cyber Grand Challenge that DARPA ran at Black Hat. I was there. It was pretty crazy. You have a Super Bowl-style machine-on-machine hacking event. And, you know, the more that machines themselves can, you know, patch - find and patch these flaws. And humans can shift into different roles that they're more equipped to play in directing, you know, those operations or doing analysis in more targeted ways and not just, you know, patching things, you know, that, essentially, a computer could do.

Sara Sorcher: [00:30:43] So I think it'll be really interesting to see what happens on that front. And in D.C., policy also play a role in that, too, because, you know, federal agencies are still looking for people to fill their open jobs. We may have some - we use report at Passcode about how there are still some, I think, 1,100 cybersecurity jobs that are unfilled in the government. And, you know, there's also a blanket civilian hiring freeze that's been put in place in the last couple of days, which might potentially hurt the efforts to - that are already trying to fill talent gaps. So, I mean, we'll have to see how some of these things play out both in the, you know, private sector and in the government.

Dave Bittner: [00:31:26] John, I want to switch and talk about critical infrastructure, something we only touched on in the previous segment. You know, we have this ongoing concern - usually, people talk about power grids. And, of course, we've joked about how, you know, squirrels are a greater threat to a power grid so far than cyberattacks.

John Petrik: [00:31:45] And snakes - don't forget the snakes.

Dave Bittner: [00:31:46] And snakes - right - don't forget the snakes. But, you know, what - as we head into this new year, do we expect to see any significant developments with that in terms of either protecting it or, perhaps, some attacks?

John Petrik: [00:32:02] Well, people are certainly worried about that and with good cause because there have been two attacks on power grids. They were both in Ukraine and a year apart in December of 2015 and December of 2016. So that's something people have to be worried about. And when people talk about an attack on critical infrastructure, they always talk about a digital Pearl Harbor. You know, we're going to be surprised. We're going to be hit by this devastating attack. So again, a lot of people think it's 1941. We're about to see the attack materialize over Battleship Row, with Battleship Row for the modern age probably being the power grid.

John Petrik: [00:32:37] I think there's some words of caution that are in order for that. I think, in many ways, we're in - we're not in 1941. We're in 1964, when the U.S. Navy thought, for a couple of hours, that it had come under attack in the South China Sea by North Korean torpedo boats. And this hit a government that was willing to believe it. And we had the Tonkin Gulf resolution. And President Johnson was authorized by Congress to go into Vietnam in a big way. And the rest, of course, is unfortunate history. So it's possible that we have more to worry about - digital Tonkin Gulf incident - than we do a digital Pearl Harbor. I'll give you two recent examples that point that out.

John Petrik: [00:33:16] You remember EyePyramid? It was the spyware that was discovered mostly in systems belonging to the Italian government, to Italian leaders in the financial sector and in the Vatican. And it just looked like a state-directed espionage effort when it was first detected. It was collecting information. That's what it was doing. It turns out that, in fact, it was probably the work of an Italian brother and sister in their 30s and 40s who were interested in collecting information, so they could use it for illicit trading and speculation. So it looked like a state operation but, in fact, turned out probably not to be that at all. And Trend Micro has just been pointing that out this week that if you want to look for a case study in the dangers of hasty attribution, look at EyePyramid.

John Petrik: [00:34:03] One more interesting one, in some ways for us because it hits closer to home is the Mirai botnet, the big IoT botnet that, in October, conducted a distributed denial-of-service attack against Dyn that took down the internet for a great period - a great - for a great piece of North America, just a distributed denial-of-service with a bunch of dumb IoT bots sending all of this traffic. So shortly after that, I was down in D.C. at CyCon, which is a pretty serious conference that was sponsored by the U.S. Army Cyber Institute and its NATO counterpart. And the talk of the people there was that, you know, Mirai - it's got to be state-controlled. Almost certainly, it's Russian. And it's probably a dress rehearsal or a proof of concept for exactly the kind of digital Pearl Harbor takedown of the power grid that everybody's worried about.

John Petrik: [00:34:52] So time marches on, and what happens? This month, Brian Krebs, who's not only a solid investigative journalist, but he's also kind of the patient zero from Mirai attacks since he came under a DDoS from Mirai himself - Krebs looks into it. And he traces it. And I think pretty plausibly, he thinks that the responsible person was probably an undergraduate at a U.S. university who was interested in all things - in gaining competitive advantage in the "Minecraft" support industry. So if you believe Krebs - and I find him pretty convincing - don't look at Moscow. You know, look somewhere in the general direction of New Brunswick instead - not to finger any particular American university, but there you go.

Dave Bittner: [00:35:33] Well, I think we can all agree it's going to be an interesting year. And we'll all do our best to help keep everyone informed on the latest news and events that are going on. So thanks to both of you for joining us.

Sara Sorcher: [00:35:45] Thanks so much for having me.

John Petrik: [00:35:45] Thank you. It's been a pleasure.

Dave Bittner: [00:35:49] And that's our CyberWire look at 2017. Thanks to Christopher Pierson, Diana Kelley, Dave Larson, Simone Petrella, Dale Drew and Sara Sorcher for joining us.

Dave Bittner: [00:35:59] We're excited to be featuring original music in this Special Edition podcast from local artist Ben Hobby. If you like what you hear, you can check out more of his stuff on Twitter, where he is @benhobby.

Dave Bittner: [00:36:10] Thanks to our Special Edition sponsor Cylance. To find out how they can help protect you, visit cylance.com.

Dave Bittner: [00:36:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. And our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.