CyberWire Live - Q2 2021 Cybersecurity Analyst Call
There is so much cyber news that, once in a while, all cybersecurity leaders and network defenders should stop, take a deep breath and consider exactly which developments were the most important. Join Rick Howard, the CyberWire’s Chief Analyst, and our team of experts for an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you’re responsible for, and the daily lives of people all over the world.
Rick Howard: I think that's our cue. Hello everyone, welcome to the CyberWire's quarterly analyst call. My name is Rick Howard and I am the CyberWire's Chief Security Officer, Chief Analyst and Senior Fellow. I'm also the host of two CyberWire podcasts, CSO Perspectives on the pro side, the subscription side, and Word Notes on the ad-supported side. So, you know, please take the time to give those two a listen. But more importantly, I'm also the discussion leader here for the program. I am joined by my longtime friend and colleague, Dr. George Shea. She is currently the chief technologist for the Foundation for Defense of Democracies, and joining her is Ben Yelin, the Program Director of Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security, and he's also Dave Bittner's co-host on the CyberWire's Caveat podcast. George, Ben, welcome to the show and thanks for coming on. Just say hello.
Georgianna (George) Shea: Thank you for having us. Hi.
Benjamin (Ben) Yelin: Thanks Rick, good to be with everybody.
Rick Howard: This is our sixth show in the series, where we try to pick out the most interesting and impactful stories of the last 90 days and try to make sense of them, and this second quarter of the year has been jammed with all kinds of great stories. I wish we had time to cover them all. But here are some we considered but we're not talking about today: an update on the SolarWinds activities, I think that's still ongoing, we don't know enough to do anything definitive yet; President Biden's cybersecurity directive, we'll do some of that probably in the next show; supply chain attacks in general, they seem to be in the news; and finally, Chinese companies, Huawei in particular, and whether or not you should deploy those products into your organizational IT departments. But, George, let's start with you, okay, what's the topic you chose as being the most impactful for this past quarter?
Georgianna (George) Shea: Well, I wanted to approach it from an international perspective, and you can't look back at this past quarter and not see the Colonial Pipeline and scream "What's going on with Colonial Pipeline?" So from an international perspective, looking at it from a policy view, I'm doing ransomware as a service, and just in this past quarter, aside from the Colonial Pipeline, because I'm not talking about that, there were ransomware attacks on Australia, Germany, Italy, U.K., Japan and I think two in Germany. And they've also charged over $4 million to some of these other organizations, and since October, October to May, the ransomware-as-a-service organization has made over $90 million in Bitcoin alone. So I don't know what other currencies they're using, or whether they take checks, cash, credit card.
Benjamin (Ben) Yelin: I feel like we're in the wrong business. Okay, I feel like maybe we should moonlight somewhere.
Georgianna (George) Shea: Yes. Which is really the part that I wanted to get to, because it is a business, but it gets really blurred with the nation-state piece of things and the international policy and attribution. So I'm going to just start with ransomware as a service and what that means. So, the Colonial Pipeline attack, and I don't know about you guys, but I get really frustrated when I read different articles and the information isn't accurate. So when I saw the Colonial Pipeline, I saw that Dark Side committed this attack. And then I saw they used Dark Side ransomware. So is this Dark Side ransomware or is this Dark Side the group? And then I see that it's a Dark Side affiliate, and I'm like, well, these are all different things, and what does this really mean?
Georgianna (George) Shea: So, I'm going to try to explain what that means. So Dark Side is the ransomware, but then the group itself, depending on which security company is going through and doing the profiling on them, is known by a couple of different names. For example, FIN7, Carbon Spider, Gold Waterfall. So then when you read multiple articles and they talk about different names, you're like, wait, is this the same group or a different group? But I'm just going to refer to it as the Dark Side provider. So the Dark Side provider has the Dark Side ransomware, which is the weapon or the tool that's used. They have a website that they go to on the dark web and they recruit what I'll call customers, also known as affiliates, that can use the ransomware they developed for a part of the ransom.
Georgianna (George) Shea: So the customer provides the access point. So, the customer, the affiliate, we don't really know who they are or where they are associated, but a customer can go there and say, hey, I'd like to partner with you and use your ransomware, I have access to whatever you want all over the world, these different countries. They then figure out the attack together, they execute it and then they pull all the data out and go through the files. And I wanted to mention the insurance aspect of this because we'll get into this later. But they go through and they make sure that the actual victim can pay the ransom. So if you're poor and you're not going to be able to pay, you're not going to be a very lucrative target for them, but if you have cyber insurance or some other type of backing that they know they're going to get paid from, then you are a very advantageous target to them. So they are in your system before you know that you have been compromised, making sure that you are a lucrative target, and then they extricate your data, they put it on a website, a data leak site, and they are just located in Iran.
Georgianna (George) Shea: They take your information and then they let you know, hey, we've compromised you and we're locking up your stuff, and unless you pay we're going to go through and expose all of this information that we already stole and we have on our data leak site located in Iran. So I mentioned Iran because I'm going to get to the attribution piece of this, and there are a couple of different rules that this ransomware-as-a-service organization requires of their customers. They have to speak Russian, they're not allowed to attack targets in Russia or Russia-affiliated countries, they're not allowed to attack schools or nonprofits, governments or charity organizations. And then, I find this to be a little, I guess, ironic: they actually give some of their ransom earnings, I don't know, can I say earnings?
Rick Howard: Sure why not. [LAUGHS]
Georgianna (George) Shea: They take some of those ransom earnings and then they donate them to charity.
Rick Howard: That's so nice.
Georgianna (George) Shea: Yeah, they give their money to charity and they don't allow attacks on different charities. So after the big Colonial Pipeline hack, which I'm not talking about, they did get a lot of attention. It wasn't the only hack, like I mentioned, it was a lot of different companies, a lot of money. They were then banned from that forum where they were going through and recruiting people, and one of their affiliates had come forward and said, hey, they didn't give me my cut. They kind of ran away, hid, took things down, they were bringing too much attention to themselves, and so some of their partners, affiliates, were not getting paid. So I don't know if there is a dark web court of justice that will allow them to get their share of their theft, I don't know how that works. But that's how ransomware as a service works. It's a business.
Rick Howard: Well, let's put the poll question up for this particular topic so that the audience can weigh in here, and I'm so glad that you brought this up, George, because, you know, it wasn't that long ago, five years ago, that the business model for ransomware groups was that they didn't go after corporations, they went after the grandmas and grandpas of the world. You know, they would come in, compromise grandma's computer, encrypt her hard drive, right? And then send her a note saying, hey, if you want your pictures of your grandkids and your cats back, pay us $100 in Bitcoin. What's amazing about that is that they developed this business-backing process to handle customer service like that. They were so good that they could walk grandma through a Bitcoin transaction, and I can't even do a Bitcoin transaction, it's so complicated. And then what happens in 2017? We get WannaCry from the North Koreans, we get NotPetya from the Russians, and the criminals say, hey, the corporations look like they could be a big target, and they pivot to this big payday, and instead of getting $100 from grandma, they can get millions of dollars from big corporations.
Benjamin (Ben) Yelin: Even the cyber criminals have gone corporate, it's just so sad. So bad.
Rick Howard: They sold out, totally sold out.
Georgianna (George) Shea: It's big game hunting. They moved from the point of sale when COVID hit, because people aren't going out, and now they're doing this big game hunting.
Rick Howard: So it looks like 64% of the audience say they do tabletop exercises for ransomware. That's good. Just general-purpose cyber exercises are a good idea anyway, because I guarantee you, you are going to find broken processes in your organization that those tabletops reveal. So George, has there been a change in the way we think about ransomware, or what are the next steps for network defenders out there?
Georgianna (George) Shea: Well, for network defenders, I like to back it up to engineers really, like network engineers and the way they develop their systems, and really taking in requirements that look at the performance of the system and ensure that it would be resilient through a ransomware attack. Looking at encryption at rest, encryption of data in motion, encryption and distributed storage of information, so you don't have a single target that's going to be the victim. And then your choke points, so if it gets compromised everything is out. I mean, there's technology available now, you can go through and take your data, you can shard it out, you can hash it, you can encrypt it, you can ensure that, let's just say you are a victim of ransomware, you can just bring up another system, log back in and reconstitute your data from the distributed mesh type of system you might have, versus the all-our-eggs-in-one-basket development process that goes on right now.
Rick Howard: Yeah, these are typically not the sexy part of network defender operations. It's encryption and key management, and even backup systems, to make sure that not only can you do the backups but you actually practice restoring. I've been doing this a long time and made the mistake on a couple of different occasions where we had good backups, but we never practiced restoring and realized, oh good, we don't have our data anymore. And those are typical things that network defenders need to think about, as you know.
Georgianna (George) Shea: I would say one other thing for the network defenders, so I talked about engineering, but the network defenders really need to understand the response plan for this. So the ransomware cyber tabletop question that came up is really geared at how do you respond to this and who do you inform, because it's no longer just your stakeholders. For ransomware you need to contact CISA, letting them know, contact the FBI, letting them know, contact the Office of Foreign Assets Control, because maybe you're paying ransomware to a country that we have sanctions against and now you're breaking the law. You also need to contact the Department of Treasury, and then who do you talk to first, and what is the order of operations, and do you pay or not pay? So aside from how are we going to go through and protect and detect from the defenders, then, okay, what are we doing on the response side, other than bringing our systems back up or trying to, about notifying the right individuals?
Rick Howard: Well, that's a question that I'd like to give to you, Ben, because, you know, the U.S. government's talking about more offensive operations to take down these networks of criminals. Do you see that happening anytime soon? There's hack backs, I guess, but there may be some other things we could do. What's going on there?
Benjamin (Ben) Yelin: Yeah, I mean, that's why the government, with good reason I think, has been reluctant to engage in hack backs. I think that's going to start to change, especially as some of our foreign adversaries are more involved and as some of these ransomware incidents are high profile and when they affect critical infrastructure, like we saw with Colonial Pipeline. I think that might change the political calculation. I mean, there are obviously inherent risks in whatever offensive measures our government takes. Certainly organizations who have been affected by ransomware attacks understand these risks, which is why many of them have decided to pay the ransom. I'd like to see our government take a more offensive posture to help prevent these attacks from taking place. It's certainly not something that would go without substantial risk to the rest of us.
Georgianna (George) Shea: Can I jump in there real quick?
Rick Howard: Yeah, go, George.
Georgianna (George) Shea: It really scares me because I don't really ever see anything on solid attribution. We read the articles and we hear Russia is behind Dark Side and I question, why? Why is Russia behind Dark Side? I'm not saying that they're not but if we're saying that it's Russian because you're required to speak Russian to use the ransomware or maybe there's Cyrillic characters in the code or maybe it's Chinese because there are Chinese characters in the code. Does that really mean that it belongs to that country? I don't think so. And when you apply the art of deception to any type of cyber campaign, you really want substantial proof that this is the country that it's coming from. With cyber attacks it's so easy to go through and emulate some other type of activity - I could be Iran, making it look like I'm Russia, attacking the United States or Italy or Germany or anywhere else and then I can just sit back and watch Russia and the United States fight this out.
Georgianna (George) Shea: So before we get into hack backs, I would like to see, you know, real, solid technical attribution, I guess definitions. Because right now the way the U.S. does it under DNI, we look at the tradecraft and ask, is this a pattern that we're familiar with? Who did it before? Who did we think did it before? What kind of tools are they using? Is there code there that kind of gives us clues? For example, Cyrillic characters, Chinese characters. Is there some kind of conflict going on between the two parties? Well, there's conflict going on between everyone all the time anyway. There's a fourth component, it slipped my mind what it is, but they are all pretty superficial to me. So I know that there is an intelligence community and maybe they are doing SIGINT, maybe they are doing HUMINT, but we don't get that on the civilian side to say, oh, I firmly believe this is who it is because I was told that they have collected SIGINT and they've admitted to it. We don't even get that, we just get Russia, and I think, why? I'm not saying they didn't, I would just like a little more attribution.
Rick Howard: Well, you brought that up at the beginning. Go ahead, Ben, go ahead.
Benjamin (Ben) Yelin: No, I mean, I'm just going to say attribution is critically important because we could be starting an international incident or damaging our own foreign relations through misattribution. And, you know, certainly if you work at the State Department that's not something you want to deal with, if Russia, Iran or China is falsely accused because there just happens to be Chinese code in the malware. So I think that's a really important point.
Rick Howard: You brought this up at the beginning, George, and it's one of my pet peeves about how the industry names things, so we get so confused about stuff. There are names of adversary groups, there are names of campaigns that they run, and then there are names of tools that they use within those campaigns, and they all can't be the same name or else we're going to be totally screwed up. And just because we named Dark Side, Dark Side, as an adversary group, it doesn't necessarily mean that the Russian government is behind it. And that's okay, because they have two different purposes, attribution for adversary campaigns, and so for people like us, we can say, well, Dark Side did these 20 things along the intrusion kill chain, let me put prevention controls in place for those things. It doesn't matter what country ran it.
Rick Howard: The government needs to figure out if it's Russia, China, Japan or Iran, and let them use their assets to do that. So I totally support what you just said.
Georgianna (George) Shea: I'm going to jump in with another comment. That was another reason why I picked this ransomware as a service, because of the affiliates associated with it. So if we had absolute attribution that said Dark Side is Russian, they are still using affiliates to get into the system, and maybe the affiliate is a U.S. citizen. So then what kind of retribution is that? How does that work when the attacker is the United States and Russia against the United States or another country? Or maybe it's a private organization and the affiliate is a government. So it's a really muddy world of how do you deal with this, with the nation state and the privateers, and the fact that now you can put them together, because you can just start up your own business on the dark web and anyone can join.
Georgianna (George) Shea: But I also wanted to mention the insurance aspect. I mentioned that earlier, looking for insurance. And I found it interesting, earlier this month the GAO put out a report on cyber insurance, and the cost of cyber insurance is based on the sector that you're in. So if you're in a very risky sector you pay more, but it didn't say anything about how well that organization within that sector implements cybersecurity practices. So, if I'm a company in a risky sector I'm just like, oh, I'll transfer my risk to the insurance company. Maybe another organization says no, we're going to invest in cybersecurity, we're going to put a lot of money there. Now the insured, but not cyber-secure, protected organization then becomes a platform for attackers to launch attacks against other countries. So, getting back to the hack back, now the U.S. is hacking all these other countries and we're the bad guys. But we're not, we're a victim.
Georgianna (George) Shea: So it's a very confusing thing to kind of work out, especially on the policy side.
Rick Howard: So clearly, this is a deep, deep, topic, we could probably spend the next five hours talking about that but we're going to have to cut it off there. Good stuff George, great topic, so thanks for bringing that to the table. Ben, let's move over to your topic, what do you have for us today?
Benjamin (Ben) Yelin: Sure, so I hate to run a re-run here, but six months ago I talked with all of you who are on our quarterly call about the upcoming case at that point, Van Buren v. United States, which was a case that was going to determine the scope of the Computer Fraud and Abuse Act, our anti-hacking statute that goes back to the 1980s. And sure enough, just a few weeks ago we finally got a decision in Van Buren v. United States at the Supreme Court. It's such a wide-ranging and important decision that has such broad applicability in our everyday lives that I think it's worth revisiting to see how the Supreme Court actually came out on the issue. So, just a very brief background on the case. This guy Van Buren was a law enforcement officer in Georgia. An undercover officer tried to pay him $5,000 to search somebody's license plate in a database.
Benjamin (Ben) Yelin: Now, Mr. Van Buren was authorized to be in this database, to search this database, but was not authorized to randomly stalk people as he had been asked to do by this other undercover agent. So he committed the crime and he was prosecuted, arrested and was convicted under the Computer Fraud and Abuse Act. The Computer Fraud and Abuse Act has two separate elements to it. One is prohibiting unauthorized access, so that's relatively standard, it's a pure anti-hacking statute, you shouldn't be on a computer, a device or a network that you don't have the authority to be in. It has this more nebulous provision about exceeding authorized access, and that was the nature of the dispute in this case.
Benjamin (Ben) Yelin: So the question was, did Van Buren exceed his authorized access when he used this database, which he was authorized to use, for nefarious purposes? To just stalk somebody and not for a normal, legal law enforcement matter. What Van Buren was arguing is that the statute should be construed very narrowly, that it should only apply when you're exceeding your authorized access by being in a part of a network, a part of a system or a part of a computer where you're not authorized to be. So, let's say there's a locked folder on your device that is only available to an administrator. You would be exceeding your authorized access if you were to open that folder using a passcode or by somehow finding your way into that folder, violating your company's policy.
Benjamin (Ben) Yelin: Van Buren didn't want the statute to apply more generally to situations where you are authorized to use a system but you are doing so for the wrong purpose. What the government was arguing is that we need to have a broader definition. That the CFAA should cover those scenarios where, yes, you might be authorized to use this database for a limited purpose, to conduct a law enforcement investigation, but it should be a crime, a federal crime, to use it for something you're not authorized to do. Such as, you know, go search after people to fulfill your personal obsession you might have about them. So the Supreme Court decided with Van Buren. It was a 6-3 decision, authored by the newest justice on the Supreme Court, Justice Amy Coney Barrett. I will spare you all the minute details on the decision, because it largely was a textualist decision that depended on how the court defined the word "so," which is funny, that we have these major legal and policy questions being decided by the interpretation of a two-letter word.
Benjamin (Ben) Yelin: But there was this big question about whether that particular "so" referred to the unauthorized access in the previous part of the statute or whether it could stand alone, as a standalone term, in the exceeds-authorized-access portion of the statute. I won't get too far into that because that's just boring legalese. What the court also said, what the majority said, is they were also grounding this decision in policy considerations. That if we have this broad interpretation of the Computer Fraud and Abuse Act, then things that all of us do every day would be criminalized. If our employer had a policy that we could not use our computer to conduct personal business, personal e-mails, and I went and checked my Gmail account when I was on the clock, if the government's interpretation had been correct, that would subject me to criminal liability.
Benjamin (Ben) Yelin: Technically, I'm not allowed to use Tinder if I lie about my height or my weight, that's a violation of their terms of service. So, if I'm caught using Tinder after having done that, am I going to be subject to federal law enforcement knocking down my door and arresting me? I think what the court was saying is, neither Congress when it drafted this law nor any reasonable interpretation would lead to that kind of broad applicability of the Computer Fraud and Abuse Act.
Rick Howard: Let's see what the audience says. Jane, can you put the poll up where I can see if they agree with the Supreme Court? And George, let me go over to you, when we were in the pre-conference, you were talking to Ben about one of the famous cases and whether this would have changed the outcome. Can you talk about that?
Georgianna (George) Shea: Yeah, I hadn't been following the CFAA for a while and I didn't know that there was a case there. But the CFAA, as was mentioned, has been around for a long time and it's been changed a lot. I don't know if your audience has gone through and done the different certifications, but one of the questions they always bring up is, what was the first worm, the Morris Worm? It's not that it was the first worm, it was because it changed the CFAA. It went through, and the way it described a computer virus didn't match a worm, so therefore they had to go through and update it. But we were earlier talking about the Aaron Swartz case, which was similar. He was, I believe, a researcher at a school, and I don't remember the specific details, but he was authorized to download journals and reference material from the school library, from their systems, JSTOR.
Georgianna (George) Shea: So he had authorized access, but he had downloaded over 4 million different journals or articles and had put his computer in the closet, which in my mind was sort of the guilty mind, but I think it was dismissed. But they did try to do an Aaron's Law to push this issue earlier, but that was ten years ago, 11 years ago now?
Benjamin (Ben) Yelin: I think it was 2013. The Swartz case is tragic, he ended up taking his own life, it has a really awful ending to the story. And I think there are a lot of very legitimate questions to be asked about the discretion of prosecutors to throw the book of the CFAA at Swartz, who was trying to make, I think, if not a political point, a point about access to free information.
Rick Howard: He was trying to make a point, yes. It was back in the day when information should be free, that was kind of the mantra of all the early hackers.
Benjamin (Ben) Yelin: Absolutely. I think under the Supreme Court's Van Buren decision that just came out, he probably still would have been guilty, because even under this new definition I think he exceeded authorized access. By going into that server room and plugging in his computer, he was in an area where he was forbidden from being, in that case it was a physical area. But he had also been locked out. Once the administration, I think it was at MIT, had figured out what he was doing, they had, multiple times, tried to lock him out of the system. They ended up shutting down the JSTOR database temporarily, and he still proceeded to download these files. So even under this definition of the Computer Fraud and Abuse Act, I do think it's possible that he could have been prosecuted. Now again, that's completely separate from some of the moral issues about whether it was just to throw this law at him and really complicate his life in that manner.
Rick Howard: It's interesting that the majority of the audience agrees with the Supreme Court, but 20% of us don't. So that's interesting, and it seems that there isn't a consensus here. Can we make the argument, Ben, of why it was the wrong decision? What are the points there?
Benjamin (Ben) Yelin: So, a great question. There was a dissent, authored by three justices, including Chief Justice Roberts. They disagreed with the majority's interpretation of the text, they said really it's up to Congress. What we see Congress having drafted is a broader statute that says "exceeds authorized access," and we think that really means using something for a purpose for which it was not intended. And so I think largely what the dissent was saying, from a textualist perspective, was, if you think there's a policy problem here, it's up to Congress to fix that policy. They should clarify the language in the Computer Fraud and Abuse Act, go in and say here's what exceeding authorized access actually means. It does include X, it doesn't include Y. And I think Congress certainly would have the power to do that.
Benjamin (Ben) Yelin: The dissent talked about how the majority has this list of normal behavior that would have been criminalized under the government's interpretation of the act. And the dissent said, well, even under your interpretation we could get some absurd results as well. I think it was Justice Thomas in his dissent who wrote about what happens when it's part of an organization's policy that you should not go into your Windows games folder during work hours. That means you're forbidden to go into that folder, you have access to the computer, but the rules of your company say you can't go to that folder. So, you open up Minesweeper, and under the majority's interpretation that would still subject you to federal criminal liability. So it's not like we are avoiding all types of ridiculous policy consequences just because the majority is coming up with their particular interpretation, and I do think that that is an interesting point.
Rick Howard: I was just going to say I would have been fired many, many years ago because I may have frequently visited the Minesweeper game, I don't know, I'm just saying.
Benjamin (Ben) Yelin: I can never figure that one out. I understood Solitaire, I understood Free Cell. Please teach me how to play Minesweeper. One thing that was not decided in this case, and I think it's a really crucial point that we're going to have to look at going forward is whether it's a company's policy that's the determining factor or whether it's code based. So, we're talking about exceeding authorized access to a certain folder on a computer, a certain network. Is it because that folder is password protected or encrypted or is it because your organization's policies forbid you from accessing that folder? They mention in a footnote that that question went unanswered in the case.
Rick Howard: My question to you Ben is, and I'm not an expert on this law, and like George said it's been changing over time, but it seems to be a really heavy hand when it comes to sentencing. Things that seem kind of minor, people are going to jail, like Swartz, he was going to go to jail for years and years for something that some people think is not that big of a deal. So, do you think that there is any chance that we will re-visit the sentencing piece of that?
Benjamin (Ben) Yelin: One thing about all of these laws is there is prosecutorial discretion and what the government was arguing is nobody is going to use the C.F.A.A. to punish people for going on Facebook on company time. Our Federal prosecutors are not interested in doing that. People aren't going to get 20 year jail sentences. You might as well figure out what the statute actually means and not worry about the what consequences are because let's be real, the Justice Department isn't going to do that.
Benjamin (Ben) Yelin: What the majority has said, and what I think to be true, is you can't give Federal prosecutors these tools expecting them never to be used because in an Aaron Swartz type situation when they have motivation to use those tools for whatever purposes, sometimes it's to make an example out of somebody. Sometimes it's to prove you're tough on a particular crime, then somebody might get sentenced to an extremely long prison term for doing something that seems rather innocuous. I don't think the sentencing regime is going to change as a result of this case, but the case does narrow the type of instances that will lead to criminal liability. So everybody, you are allowed at least under the C.F.A.A. to lie on your Tinder profile. I don't recommend it, but at least under that statute you won't be charged with the crime.
Georgianna (George) Shea: I was just going to jump in and piggyback with the ransomware - I mentioned before the Office of Foreign Assets Control, for countries under sanctions you're not allowed to do business with them so you could also be held liable for that criminal liability. But the Colonial Pipeline wasn't and the FBI suggests that you don't pay ransomware but you could also be breaking the law but they're not going to arrest you, but maybe they will. It's almost like a roulette of who's going to enforce the law and win.
Benjamin (Ben) Yelin: Yes, there is this concept of prosecutorial discretion. That's been invoked in a lot of circumstances, including on things like immigration where the Obama Administration said we don't have the resources to prosecute every single violation of our immigration law, so we're going to pick and choose which crimes to prosecute. Obviously that was very controversial. But that's pretty widely applicable across the Justice Department. They do have discretion, there isn't some sort of automatic charging document where somebody commits a technical violation of a crime and they are charged with a federal crime. A lot of discretion goes into it. A lot of it is based on whether the case is high profile, whether you're trying to make an example out of either some person or some type of behavior and whether it's worth it in terms of using up department resources to try to obtain a conviction.
Benjamin (Ben) Yelin: So you're right, there is probably more discretion than any of us would really be comfortable with just because it can, to some people, seem kind of arbitrary which is never a word you want to associate with our legal system.
Rick Howard: Which I seem to do a lot. Do you see anything in the future on the docket in the next year, Ben, that Congress may be trying to fix this or at least tweak it?
Benjamin (Ben) Yelin: I do. There have been murmurs, whispers about Congress making changes to the Computer Fraud and Abuse Act to clarify the language in light of the Van Buren decision. I also think there are a couple more decisions generally on cyber law that I'm looking out for in the next couple of years. One of them, which I was expecting to get picked up as a case for the upcoming Supreme Court term, it was not picked up, but I suspect it will be shortly, is the legality of searching digital devices at the border, and there are a couple of cases in different circuits that have come up to differing conclusions on that. That's one I'm certainly looking out for. And then how lower courts deal with the Van Buren decision. As more cases come in, how do they interpret what the Supreme Court has handed down in Van Buren to the particulars of given cases, something I'm definitely going to be watching for going forward.
Rick Howard: It feels like that'll be another topic in the Quarterly Analyst Call as we go forward. So we'll have to leave that there, which brings us to our third and final topic, my topic. It's something involved with how the nature of cyber crime and nation states have really changed. When George and I started doing this back in the early 2000s, there was a pretty clear distinction between motivations of groups. There were criminals that did cyber crime, there was espionage done by governments, there was hacktivists doing whatever they were doing and there were people just seeing what they could get away with.
Rick Howard: But what's happened here in the last couple of years is this overlap between nation state and cyber crime and not only that, there's like four or five different categories. Let me run through them for you. We've been calling this one at the CyberWire the APT Side Hustle. These are cyber adversary groups that conduct cyber crime in order to fund the influence of espionage operations they are running. So the biggest example was the Internet Research Agency from Russia. They did cyber crime to fund their influence operations for the 2016 US presidential election.
Rick Howard: In North Korea, that country is so poor that they need to have a revenue stream just to fund their operations. FireEye quotes APT41, a big cyber threat group with two focuses, Chinese state sponsored espionage, and cyber crime activities targeting the video game industry. So that's one category, the APT Side Hustle. The second one would be state sanctioned organized crime. These are groups conducting cyber crime in order to bring revenue into the country, not to support their operations but just as a revenue thing like taxes for the US. The big example is North Korea, the $81 million heist from the Bangladesh Central Bank. That was revenue tagged to go back into North Korea.
Rick Howard: And the WannaCry global ransomware attack which infected some 300,000 computers in 150 nations, so just think of it that way. So in February, the US indictment accused three North Koreans of stealing more than $1.3 billion worth of money and cryptocurrency from financial institutions and other companies. I just want to plug our podcast here if you want to get some details. The BBC has its excellent podcast called the Lazarus Heist. That describes just how poor North Korea is and it's a really fine show, it's a limited series so take a look there.
Rick Howard: The third category is state tolerated crime and George, you were talking about this a little before. This is the unofficial look the other way policy from nation states for their cyber criminal groups. So Russia's policy on law enforcement has been that way since the early days. Then US prosecutors said that they have five Chinese nationals that hacked 100 companies in the US and other countries. So this is the country looking the other way to let their criminals do what they want to do.
Rick Howard: Finally, the last category is privateering. It's the unofficial state approval for cyber crime groups to harass and disrupt foreign enemies and perhaps maybe the efforts are cultivating co arch criminal hackers like Evil Corp to engage and disrupt ransomware attacks, not for the revenue purposes but just to cause chaos and disruption in countries where they think they're their enemies. So it's really evolved in the last five to 10 years. Ben, is there some legal term that we can use here that says nation states turn to cyber crime for revenue purposes? Is there anything official or shall we just invent one?
Benjamin (Ben) Yelin: I'd like to invent one. I think the one that's most closely aligned is exploitative revenue. We haven't really seen as much in the nation state context, but it is a thing when we're talking about local governments extracting money by civil asset forfeiture in ways that are unjust. So it's gaining revenue in a way that's not entirely above board and that's exploitative of the citizens it's supposed to represent. It's not really the same thing as what you're talking about here. I think it's probably the closest legal concept we could come up with, but I'd encourage you to come up with a name because I think you could probably do better than that.
Rick Howard: What I find interesting is that there's at least two famous admirals in the last year that have come on the net and written big articles for big newspapers. One was Admiral Stavridis. They started talking about this idea of letter of marque. Apparently there's a bullet in our constitution that allows us to do these letters of marque and the idea originated back in Queen Elizabeth's time from 1558 to 1603. Her problem was that she didn't have a navy to combat her enemies so she authorized ships to go off and do things like they were her navy. Apparently we can do this in our own country if we wanted to. The question, George I'll throw to you is, do you think that's a good idea?
Rick Howard: So the question is, should we use letters of marque that were authorized from the US constitution to tag volunteer hacker groups to go after our enemies in cyber space, like Iran, China, Russia and North Korea?
Georgianna (George) Shea: So that's a cyber mercenary then. We've already covered a lot of the issues with legal hack backs so I think if you opened that up to mercenaries it becomes a little less controlled, so I would say no.
Rick Howard: What about you Ben, what do you think about this idea?
Benjamin (Ben) Yelin: I'm curious about it because it's such an innovative legal idea. It's not something you see very frequently and it's kind of a 19th century concept. I just think, like George was saying, just like hacking back, it has the potential to backfire on us. I would probably be hesitant as well, but maybe I'm more risk averse than you.
Rick Howard: I totally agree with you. I think what most Americans forget is that just because you hit back doesn't mean the adversary gives up. I think it invites potentially more disastrous cyber attacks as they respond to those kind of attacks. Can you put up the answers to the poll questions? So we've got 19% that says yes, this is what we absolutely should be doing. 38% says no.
Rick Howard: Let's move to a couple of audience questions on this. One from Jimmy Bean, who says can you provide more details about the Lazarus Heist podcast? So it's ten episodes, published by the BBC. I highly recommend it, it's very well done. It's details about the North Koreans and how they built their world class hacker program and it gives a lot of details about how hard it is to live in North Korea. We know the normal people that live in that country are poor, they are really poor, and you get a lot of those details from listening to that podcast.
Rick Howard: Second question is you mentioned Evil Corp as potentially being part of the Russian privateering operations, can you provide more details? Evil Corp has many names, CLOP, Indrik Spider, FIN11, the Riot Group, TA505. They've been active since 2009 and they're famous for using the Dridex banking trojan. So they've been around causing trouble for a long time.
Rick Howard: Question three from the audience is regardless of whether or not the US should issue letters of marque, what is the practicality of the US doing that? In other words, how easy is it? Ben, I guess that's a legal question to you.
Benjamin (Ben) Yelin: It's not easy, there's a reason it hasn't been done. A couple of recent times it was proposed, it was a Ron Paul pet project in the 9/11 era and then again in 2009 when we had that issue with Somali pirates, as a way to engage in some of what the military would do without activating our military and without putting the responsibility on US forces. Because it's something that has been so inapplicable for the past 100 years, I don't think it would be easy for us to resume this activity without any sort of legal regime in place to govern it especially since we haven't used it in a non digital world in the last 100 years or so, maybe 150 years.
Rick Howard: So the mechanics of doing it would be really hard to do even though it's a constitutional point?
Benjamin (Ben) Yelin: Yes. I guess I wouldn't say the mechanics are so hard. Congress has the authority to pass an act granting letters of marque and reprisal for a particular purpose. So you could give the president the authority to issue marque and reprisal against specific cyber criminals, for example. It's not impractical to give the president that authority, I just think because we haven't done it, it would be more impractical for him to try and use that authority and to try and determine the extent of that authority. That would be my thought on that.
Rick Howard: Before we go, we have some general purpose questions. The first one for you Ben from George Fenton. What's the difference between information security and cyber security in terms of upcoming regulations?
Benjamin (Ben) Yelin: That's a great question. I think of cyber security as a sub category of information security. Cyber security also can have its own meaning but as a sub category of information security. Information security is protecting information no matter how it's stored, whichever realm it is. So information security can be the lock and key on files in the national archives, or it can be protecting systems and information. And cyber security, I think of as a sub set to information security and I think that's the way our regulatory agencies see that distinction as well.
Rick Howard: George, from Travis Fox, do you have certification recommendations, either technical like the CISSP or non tech like the Dale Carnegie Leadership Training?
Georgianna (George) Shea: Whenever people ask me this question, I put it back on them, what do you want to do, where do you want to work, what do you want to work on? But I also want to make sure that they're aware of the requirements out in the community. So if they are working in the Department of Defense, or in the defense industrial base, for example, Lockheed Martin, Booz Allen, any contracting companies supporting the DOD, they're looking to get a job in those areas or on particular projects, they require certain certifications. So if you're in school and you think I'll just get a major in computer science and a minor in cyber security and not get a CISSP, the requirement is you have a CISSP for some of these jobs. [audio cuts out]
Georgianna (George) Shea: If you know the field you want to be in and where you want to work [audio cuts out] ... the CISSP is very flexible as it's an all-encompassing part of cyber security. It just depends on the person and where they want to be. If you're going to be in the DOD or working around that industry, definitely know what those baseline requirements are and then pick from one of those required certifications.
Rick Howard: So I'm a bit of a contrarian when it comes to these certifications, there's literally thousands of those things out there. My recommendation is if you're going to study something because you want to get smart about it and if there's a certification for it, then you might as well go ahead and get the certification but unless there's a specific requirement for a job you're going into, I don't think there's any one particular certification that is more important than the other.
Rick Howard: Let's go to the next question, from Todd Inskeep, what industries are still lagging in cyber capabilities in defense? Who's still not ready for the inevitable ransomware attack?
Georgianna (George) Shea: [audio cuts out]
Rick Howard: I don't think it's the industries that are in trouble for ransomware. It's really how big you are. The small and medium sized companies don't have the resources to protect themselves from a ransomware attack. They don't have the bodies, they don't have the money, they're definitely not investing in encryption and back up schemes. So that's what I would worry about if I was them.
Rick Howard: Since we're having technical trouble, we might just want to pull this to an end and call it quits for now. It's been a lively discussion you guys, nicely done. So on behalf of both my colleagues, Dr. George Shea and Ben Yelin, thank you for participating and we will see you at the next CyberWire Quarterly Analyst Call.