
CyberWire Daily at 10: The breaches we still talk about.
Maria Varmazis: Hi, Maria Varmazis here, and thanks for joining me today. We are celebrating the 10-year anniversary of the CyberWire here at N2K Networks. Last week, we kicked off with the origin story of the CyberWire Daily, and in today's N2K CyberWire Special Edition, we're taking a trip down memory lane regarding notable data breaches over the last 10 years, and for reflections on the ones that stand out and why, who better to ask than Dave Bittner, host of the CyberWire Daily. [ Music ] Dave Bittner, host of the CyberWire for the last 10 years. Dave, thank you for joining me today.
Dave Bittner: No, it's my pleasure. It's hard to believe that it's been 10 years so far and still going.
Maria Varmazis: Still going. So it is my distinct honor that I get to pick your brain today and ask you about data breaches specifically. Now, this is going to be a challenge, mainly because I think we were just saying I have the memory of a goldfish, personally, and I think if you asked me about data breaches, even just in the past three years, it all becomes a bit of a mush in my mind about sort of overarching themes and color, but we're going to try and go back to the very start of the CyberWire. We're going to try.
Dave Bittner: Well, yeah, I just want to -- yeah, let's warn our listeners that, you know, this is not an exercise in absolute accuracy when it comes to dates and numbers and all that sort of thing. It's more sort of tracking experience and trends and feelings for those of us who have been at this for a little while and acknowledging that there are people who are listening to this who have been at this a lot longer than either of us.
Maria Varmazis: That's true, yes.
Dave Bittner: So give us some grace and forgiveness at the outset, that if we blow some of the details, please accept our apologies.
Maria Varmazis: We're doing our best, everybody.
Dave Bittner: There you go.
Maria Varmazis: And truly --
Dave Bittner: As we've been doing for 10 years.
Maria Varmazis: And for 10 years. And truly also, Dave, for me, this is also about your specific perspective from the host chair of the CyberWire. So again, 10 years is a long time to be thinking through the memory banks, but anything that pops out to you as you look back, any personal color, anything like that, that's the kind of stuff I'm always fascinated by. So yeah, with that said, let's go [makes sound effect noise], Wayne's World, go back 10 years. Right now it's 2026 when we're recording this, but honestly, 2014 feels like a good place to start, even though it's -- okay, math, 12 years ago, with the Sony hack, because that just feels like a good starting point. So walk me through that one.
Dave Bittner: I think it was a milestone. I think it was -- I think the Sony hack was one that gained national attention. It was a -- it had a lot of geopolitical influence. There were elements of intelligence gathering. Sony, of course, hard to get a bigger, well recognized brand for a multinational organization.
Maria Varmazis: They make my TV.
Dave Bittner: Yeah, I mean, yeah, I mean, it's a brand that many of us have great affection for, you know, dating back to our first Walkman.
Maria Varmazis: Oh, gosh, yes. Yeah, yeah.
Dave Bittner: So I think it grabbed a lot of people's attention that a big major brand could get hit this way and sort of, I think, set the global stage for these large-scale breaches.
Maria Varmazis: Yeah, and there was that intrigue with the movie, wasn't there? Yeah, so there was this kind of made-for-the-headlines story. I think it added this layer.
Dave Bittner: Yeah, then the South Park guys were involved with it, and it was -- it had a little bit of everything, and when it comes to intrigue, something for everyone. So yeah, it really was kind of a starting point. And then I guess the one that really was on my radar when I switched careers and started being a cybersecurity professional was the OPM breach.
Maria Varmazis: Oh, yeah. Yeah.
Dave Bittner: And that had just happened when I joined the CyberWire.
Maria Varmazis: Oh, baptism by fire.
Dave Bittner: Yeah, well, and several of my co-workers had been personally affected by that because they had security clearances, and so the OPM breach, which was 2015, I believe.
Maria Varmazis: That's the Office of Personnel Management for the U.S. Federal Government.
Dave Bittner: That's right, that's right. And so this was a major breach of all kinds of information that they were in charge of keeping safe, including things about people's security clearances. So some of our nation's greatest secrets were revealed. It turns out our adversaries, who we think was China, was in there for a long time. So they got all of this information that was extremely valuable and extremely sensitive. Turns out it was because they had outdated equipment and outdated security protocols and, you know, it wasn't -- how do I say this? We contributed to that breach through retrospective negligence --
Maria Varmazis: Retrospective negligence.
Dave Bittner: As much as the Chinese did through their own -- retrospective negligence, right?
Maria Varmazis: I love that.
Dave Bittner: Yeah. I feel like that's how all of us GenXers grew up, right? With retrospective negligence.
Maria Varmazis: Drank from the hose, yeah.
Dave Bittner: Yeah, so as much as the Chinese certainly have great tradecraft, I think our government learned a lot from that breach as to what to do and not to do, so that one was another biggie back then.
Maria Varmazis: I don't want to get too into the weeds on OPM, although I probably will, so forgive me. But, yeah, I'm wondering about the nature of attribution, and I feel like with OPM, and maybe even the Sony hack, that things have started to change, and maybe this is way off base, but I'm just curious, your thoughts, especially looking back the last 10 years with all the many, many data breaches, have we gotten more -- I don't know. Has attributing who is responsible for a breach gotten more palatable or more certain? What's your take on attribution, is maybe where I should leave that one.
Dave Bittner: Well, I mean, yes, I think we've gotten better at knowing different groups' signatures, right? Their tradecraft, but they go around impersonating each other as well, so you can't be sure. There are people out there who say attribution doesn't matter. I don't -- I'm not sure I agree with that. I think it's good to know who's doing the things they're doing because it helps inform why they might be doing it and how they might be going about it. But I think we've got a pretty good idea these days when things -- where particular things come from, if it's espionage versus people looking for financial gain, just scammers and phishers and all that stuff. So yeah.
Maria Varmazis: Yeah, yeah. So after OPM, we can go through this chronologically, if you'd like, if there's another breach that sort of bubbles up in the intervening years, is there anything --
Dave Bittner: Well --
Maria Varmazis: Yeah.
Dave Bittner: I mean, what is it? I guess it was 2017 we had WannaCry and NotPetya, which really showed global disruption where shipping companies got affected and systems were actually shut down, and so, again, kind of an aha moment of what happens if somebody can either intentionally or accidentally hit the off switch on a global network or a global basis, how's that going to affect everybody? So yeah, that got a lot of people's attention. And then also 2017 we had Equifax.
Maria Varmazis: Still dealing with the fallout from that one. Tuesday, yeah.
Dave Bittner: Yeah, I'm sure all of us are still enjoying our two years of credit monitoring and --
Maria Varmazis: Yes. Enjoying. Definitely enjoying. Yeah, yeah.
Dave Bittner: And then, you know, 2020 we had SolarWinds, which I think revealed risks of supply chain compromise and trusted software ecosystems that that was really the one that put a big red star on supply chains and third-party providers.
Maria Varmazis: Yeah, yeah. And is that the one also where the CISO -- I mean, I know this is not the only one, but is that is that one of the ones where like the CISO was held responsible for what happened, or am I misremembering that one?
Dave Bittner: Yeah. No, the CISO was in jeopardy of legal criminal charges, and so at that time, if you were a CISO, you were like, "What?" Right?
Maria Varmazis: And he was eventually cleared, if I remember.
Dave Bittner: Yeah, that's my recollection as well, yeah.
Maria Varmazis: I mean, that seems like a huge paradigm shift to say now people are personally responsible for a massive organizational problem. I mean, that's --
Dave Bittner: Right, and to be potentially responsible criminally, especially when you put that against, I think -- I think we can agree that the trend in the U.S. is that when a company does something bad or irresponsible, generally they pay some sort of a fine. They do -- they admit no wrongdoing and nothing really bad happens to the executives. Maybe every now and then someone might get fired or demoted, but rarely, rarely do we see anyone sent to jail.
Maria Varmazis: Yeah, cost of doing business, right? I mean --
Dave Bittner: Right, right, right. And so that that hazard was there, that peril was there for CISOs I think caught a lot of people's attention, had them calling their Congress people and saying, "How do we reconcile this?" You know, "How do we protect ourselves? What kind of insurance do we need?" So there were all those sort of add-on effects to SolarWinds that, again, made everybody sort of sit up in their seats and say, "Hm, okay, this is the future."
Maria Varmazis: Yeah, and not always filling one with hope thinking about stuff, because I mean, quite a chilling effect in some regards, especially from SolarWinds, but I think some long-delayed conversations that had -- needed to happen did happen after that. And another one, looking for -- I'm skipping around a little bit, but I would love to get your thoughts on the 23andMe breach. That was another headline-grabbing one, but just because of what it involves I think that one really stuck out in my mind.
Dave Bittner: Yeah. It was an example of immutable information, right? You can change your credit card number. You can change your address. You can change your name. You can't change your DNA, and --
Maria Varmazis: Not easily.
Dave Bittner: Actually, right. I guess technically you can change your DNA. Anyone who's seen The Fly with Jeff Goldblum, that is theoretically possible. But the idea that that, I think, such deeply personal information that also affects not just you, but people you know, for example, your brother leaves DNA evidence at the scene of a crime, right? And you're the one who submitted your DNA to 23andMe and the police can now come looking for that DNA through your DNA. So I think a lot of people felt like they could be -- their information could be personally violated via a third party. So yeah, it was another one that I think recalibrated people's expectations when it came to privacy and reminded them that there are some things that simply can't be changed.
Maria Varmazis: Yeah, yeah. Not only is it scary, but I think it was also a precursor to a lot of the discussions we're having about AI now, and that is a whole other rabbit hole, but it feels like a spiritual ancestor, I don't know. Maybe I'm getting a little woo-woo on that one. Anyway, I'll move past that. I'm curious about your thoughts on threat actors and the kinds of threat actors that you've been seeing the last 10 years. Are they predominantly one type of group, or are we seeing more differentiation, or are things sort of converging in terms of who tends to be behind a lot of these major breaches that you've covered?
Dave Bittner: Yeah. I mean, I think it's two main groups, of course. You have the folks who are doing espionage on behalf of nation-states, and that's a tale as old as time, but then you've got the financially motivated threat actors. Again, a tale as old as time, just with updated tools, and that can be everything from gift card fraud to major ransomware campaigns. One of the things that I've noted along the way is that a few years ago, and I'm guessing probably about six years ago when ransomware was really starting to ascend and simultaneous to that was crypto mining, and the thought at the time was that crypto mining was going to outstrip ransomware because ransomware operators, they were going after small potatoes still. The idea was that crypto mining was almost a victimless crime and that I could infect your machine so it's doing mining while you're asleep and you won't even notice and it doesn't affect you --
Maria Varmazis: And it's free money.
Dave Bittner: It's free money. All it requires on the part of the bad guy is patience and maybe a little bit of cleverness, but it's non-confrontational. Chances are it could fly under the radar, and of course, the opposite happened. Crypto mining kind of fell off. There's still plenty of people doing it, but it wasn't the huge thing that people feared it would be, and then ransomware just took off when we had the eye-opening numbers when people started ransoming huge companies for millions of dollars. I don't think we expected to see that, and of course, that was -- we could say cryptocurrency was an accelerant for that process.
Maria Varmazis: Very politely, yeah, yes. Lighter fluid right on there. Yeah.
Dave Bittner: Yeah, a way to sling money around the globe in a way that's hard to track. That really made it a lot easier for the folks to do this sort of thing. So I found that noteworthy along the way, that it's a good reminder that sometimes don't -- sometimes things don't play out the way even the experts think that they're going to play out, and you never know the way the threat actors are going to behave. But to get back to your question, I think another thing we've seen over time is more blending of the threat actors where you'll see perhaps state actors, state-sponsored actors who are doing a little side work, who are out there getting some money, and the nation-states are willing to look the other way to allow them to supplement their incomes, their activities through theft or selling illicit things, all that sort of thing. So I think the lines have gotten fuzzier, and yeah, so that's definitely one of the trends we've seen.
Maria Varmazis: I'm curious, and I don't know how I would answer this question, but I'm curious if there are specific industries, verticals that you feel have really borne the brunt of the way that attacks have evolved, or I don't know, ones that you think of just really just gotten hit, taken it on the chin with a lot of these breaches.
Dave Bittner: Yeah, well, I think health care. I think there are a few things more despicable in the world than taking down a hospital, right? You know, we have laws of armed conflict that say you don't attack hospitals in times of war. Here we have ransomware operators going after hospitals and healthcare organizations because they know lives are on the line. They know that there will be a response and those folks have to get up and running as quickly as possible and are under all kinds of pressure, both obviously from their patients, but also regulatory pressure, so -- and, and, they are often underfunded, understaffed when it comes to security. So that's just a sort of a perfect storm for providing a potential victim on a platter for the bad guys to go after, and some of the stories are heartbreaking. I think we've only had like one documented death as a result of --
Maria Varmazis: That we know of.
Dave Bittner: That we know of that is direct. You certainly, I mean, any time an ambulance gets redirected or surgery has to be delayed, it's hard to measure those sorts of things, but again, intentionally going after a hospital. I remember there were times early on in ransomware where someone would inadvertently hit a hospital.
Maria Varmazis: Yes, that's right, yeah.
Dave Bittner: And then they'd say, "Oh, sorry, here's the decryption key, we did not mean" -- right? It was --
Maria Varmazis: I remember that, yeah.
Dave Bittner: Hard to imagine the honor among thieves, but it was different, and now it's just heartless. It's become so much of a game about money and greed and all that sort of thing. So that troubles me and breaks my heart when you see people out there in good faith trying to do their best in a medical care situation and having to fight against these unnecessary things.
Maria Varmazis: It's the last thing they need. Yeah, I was actually in the hospital when the hospital I was in was part of a situation like that and I remember it was not great. Yeah, I had just given birth to my daughter, so it was kind of --
Dave Bittner: Oh, yeah, kind of a big deal.
Maria Varmazis: Kind of a big deal. Yeah, and all the -- their entire computer system was down, and I remember I was thinking, I was in there thinking, this is my day job and here I am living it. Yeah, it was great. It was not great.
Dave Bittner: Listen, we're pretty sure we know which of these babies is yours, but the system's down right now, so we're just going to let you sort of breeze through the maternity ward and you can snuggle with any of these kids that you want to.
Maria Varmazis: They were all very cute. I'm pretty sure the one I came home with is mine. Yeah, I'm pretty confident about that.
Dave Bittner: Until the barcode scanners come back up, we're really not sure.
Maria Varmazis: Yeah. Dave, the question, I feel like you just kind of landed somewhere that I really want to dig into before we conclude, which was a really woo-woo question about your feelings. I mean, you're a host. I mean, your job is to think about these things, right? And you're talking to people all the time and you're reflecting, and I really want to get a sense of when you reflect on the last 10 years specifically about breaches and their trajectories and the kind of stories that you've seen, I mean, I'm curious about your feelings on where we're headed. Is there hope? Are you feeling more positive than you used to? Like, is it complicated? I want to get your thoughts.
Dave Bittner: I would say, you know, when you go through the stages of grief and land at acceptance, I'm kind of there. I mean, we've heard it for all the time I've been at this. People have been saying it's not a matter of if, it's a matter of when, and I think at the outset, I was a little more resistant to that notion, but I think it's true. One of the analogies I like with cybersecurity is comparing it to public health, and in public health, you can do everything right. You can wash your hands, you can do all the right things, and every now and then you're going to get a cold, and every now and then you're going to get something more serious, even if you do everything right, and I think cybersecurity is similar in that way. You can -- you don't want to be the low-hanging fruit. You want to make it as hard as possible, but I think the idea that anyone is fully protected, as we've seen by the most protected organizations in the world, including governments, getting their information popped, nobody's immune. It can happen to anybody. You and I talk about on the Hacking Humans podcast that on an individual level, you don't get violated because you're stupid. You get violated because you're human. And I think that's what it is. So I try to remind myself to maintain my empathy and my sympathy for the folks that this happens to. The last thing in the world -- and I do not like that some people in our industry have a sense of smug superiority when it comes to these sorts of things. I have no time or patience for that because I don't think it's helpful. So look, I think people are out there fighting the good fight, they're doing it in good faith, and we all have to function within the world that we're in, and that world is constantly changing. You look at the shifts and just the political winds and the leaders and the nations and all those sorts of things.
People often ask me, when they hear we do a daily podcast, they're like, "Well, how do you come up with enough stuff to talk about every day?" I go, "Hah," right?
Maria Varmazis: Not really a problem.
Dave Bittner: The challenge is narrowing it down to the top 10 things to talk about every day because this never stops. So on the one hand, there's that, and sometimes it can be a lot. It can get you down. You can feel like -- you know, I'll joke sometimes that "Hi, I'm Dave Bittner, and here's today's bad news." But on the other hand, you see the people who are out there doing the good work, who are innovating, who are, as I said, in good faith, trying to make this world a little bit safer, trying to help each other learn more, contribute to the community, and all of those things I find uplifting and they do give me hope, and that's how I keep going every day, knowing that we're in this together, we're trying to fight the good fight, and we're making progress. So it's not as fast as I think any of us would hope that it is, but it's a fight worth fighting. So I'm glad to play a very small part in helping to try to keep people up to date and informed when it comes to all this stuff. And I think the other thing that has made my journey even more meaningful is just that I've had the privilege of taking part in that journey with so many amazing people, people like you, my coworkers, our coworkers. I've learned so much. Particularly when I was just getting up to speed and I really didn't know a lot, people were so kind and so patient, and they supported me and they made sure I had all the information I needed while I was ingesting this fire hose of information to try to become knowledgeable about cybersecurity. And looking back over 10 years or so, I feel like I'm in a good place now of -- with knowledge and background and history and all that sort of thing, but still, every day, it's all the people around us who make it possible for people like me, people like you, the hosts who are the public-facing people, to get out there and share that information. It would be impossible for us to do it without the team that we have behind us. 
So I have endless appreciation and gratitude for all the folks who make that possible as well. [ Music ]
Maria Varmazis: Thank you for joining us today. See you back here next time. [ Music ]

