CyberWire Live - Q4 2022 Cybersecurity Analyst Call
As 2022 comes to a close, join the CyberWire as we stop and take a look at exactly which developments were the most important this year. Join Rick Howard, the CyberWire's Chief Analyst, and our VP Editor, John Petrik, for an insightful discussion about the events from this year that materially impacted your career, the organizations you're responsible for, and the daily lives of people all over the world.
Rick Howard: Hey, everyone, welcome to the CyberWire's quarterly analyst call. My name is Rick Howard, I'm the N2K CSO and the CyberWire's Chief Analyst and Senior Fellow. I'm also the host of two CyberWire podcasts, the first one, my favorite is Word Notes on the ad supported side, meaning it's free to anybody and it's short, usually no more than five minutes. And it's a description of key words and phrases that we all find in the ever expanding alphabet soup of cyber security. The other one is CSO Perspectives on the pro side, on the subscription side; I call it the Netflix side. A weekly podcast that discusses first principle strategic thinking and targets senior security executives and those that want to be them sometime in their career.
Rick Howard: But, more importantly, I'm also the host of this program, reserved for CyberWire pro subscribers normally, and I'm happy to say that I'm joined at the CyberWire hash table today by the long time editor here at the CyberWire, John Petrik. John, welcome to the show, this is your first appearance here, isn't it?
John Petrik: Yes, thanks Rick and it's my pleasure, I'm looking forward to it.
Rick Howard: So, this is our 12th show in the series where we try to pick out the most interesting and impactful stories and try to make sense of them. Normally we do it from the past 90 days, but since this is the last show of the year, we're going to cover the top two stories of the past year. And so much has happened, John, you know, it was tough to pick just two. We could talk about the aftermath of Log4J. We could talk about Peiter Zatko's whistle-blower complaint about Twitter, or the Google engineer, Blake Lemoine, that got fired because he thought that his artificial intelligence bot passed the Turing Test. But, John, you had something else in mind. What was your most impactful cyber security story of 2022?
John Petrik: I think the most significant story involving cyber security has been Russia's war against Ukraine.
Rick Howard: Yeah, absolutely.
John Petrik: And what we're seeing in Eastern Europe, and what we're seeing in Eastern Europe really is the first major European war since 1945. And it's also the first hybrid war that's waged, that's been waged between two states with roughly comparable levels of development and support. And, you know, Russia's much larger than Ukraine, but Ukraine is no postage stamp country either; it's about the size of Texas. And they have similar background, they both have Soviet army DNA in them. And it was widely expected that we would see in this war the first major battlefield use and tactically, operationally and strategically, consequential use of cyber offensive operations.
Rick Howard: I know, I did. I was all over that, I was one of those guys saying, "We should be seeing, this is going to be the first time in, that we would see actual combat operations in cyberspace," but it didn't really materialize, right, at the beginning.
John Petrik: No, and it really hasn't materialized since then and there's some interesting speculation as to why that might be so. But if you think back on this, the, the Russians have, for some time, talked about, talked about cyber operations, information operations, as they would call them. They don't typically use the term "Cyber", the equivalent term "Cyber" as an integral part of their war planning, their doctrine. And if you go far enough back, if you're old enough as, as you and I are to have served during the cold war--
Rick Howard: What? What are you saying John? I'm a young pup. I don't know why you think I'm in the same category as you. [LAUGHS]
John Petrik: Yeah, I know, what can I say, some of us age, some of us age better than others. No, but what were the many things we thought about the Soviet army, and the Russian army is very much self consciously the heir to the Soviet army. They were very, very good, we thought, with electronic warfare. Right?
Rick Howard: Yes.
John Petrik: That was one of our fears and--
Rick Howard: We thought they were much better than we were, yeah, so.
John Petrik: Far better than we were. We, we always felt we were playing catch up in electronic war. We, we felt that they were, they had stolen a march on us years ago and never looked back. Cyber operations are a kind of natural successor or augmentation to traditional electronic warfare. Or at least how, I think that's how they developed in the United States and in NATO doctrine. So, one would have thought that the Russians would have made use of cyber operations extensively against Ukraine, for the same kinds of purposes they would have used electronic warfare against NATO, had there been a war between the Soviet Union and NATO.
Rick Howard: Well, we thought that too because there, there's been this, they've been successful in the cyber domain doing other kinds of things. You know, with the, the US Presidential election in 2016, not to mention previous cyber attacks against Ukraine, you know, with Sandworm and all those things. So, there was a huge precedent that they would roll out the cyber guns in this conflict, right?
John Petrik: Right. And in fact they had done that in smaller conflicts. There was, in the aughts, when there was a, there was a large-scale, it was called the CyberRiot at the time. Patriotic Russian hacktivist that really effectively able to read the Russian intelligence and security services, taking out large chunks of Estonia's net. And Estonia, what was and remains a highly networked country, so that was a serious thing for them and the Estonians learned from that. But there was that experience. More recently there was the experience in 2015 and 2016 where Russian operators, probably GRU, probably Russian military intelligence, were able to take out temporarily sections of Ukraine's power grid during earlier tensions between the two countries.
John Petrik: And how did they do that? They basically got themselves into, into business systems associated with utilities and were able to migrate across to, to control systems that enabled them to knock down substations. And so they were able to take out temporarily large portions of the Ukrainian power grid. There were also semi-criminal, but not really criminal activities like NotPetya, which, again, was initially directed against Ukraine and spread and affected mostly logistics companies throughout the world. So, people expect them to have a track record.
Rick Howard: Yeah, they were, like what you said, like what you said, you know, in the '90s and the '80s, we thought the Russians were the big bad on the physical battle space. In the 2000s, 2010s, we thought they were the big bad in cyber space, right, the, the only ones at their peer level was probably China, right? And so, we were all afraid of them, and so what happened next?
John Petrik: I think part of what was going on is that we were looking at a lot of notorious Russian cyber activity that was fundamentally criminal activity. For many years now, Russian cyber gangs have operated with the, the task and probably the explicit permission of the state. That if you are a, if you're a cyber criminal operating out of Russia and you are attacking banks in London or Berlin or Paris or New York, you're not going to, you really don't have much to worry about, haven't had much to worry about in terms of being prosecuted by the Russian authorities. If you're selecting your targets properly but keeping away from Russian targets, you're keeping away from ostensibly targets in what the Russians call the near abroad, but is the former Soviet Republics, that were really on speaking terms with Russia. A small and shrinking number of nations I fear at this point. But if you kept away from that, if you weren't hacking organizations in Russia, or Belarus or Azerbaijan, you were probably going to be okay.
John Petrik: And so there is a lot of criminal activity that was associated with the Russians. So, it was reasonable to think that, when Russia went to war on a full scale against Ukraine, that we would see a lot of offensive cyber operations deployed against the Ukrainians. And that hasn't happened and it's not for want of trying, as many people have pointed out. There's been plenty of Russian cyber operation against Ukraine, but they haven't been terribly effective. The exception was in the opening days of the war. It was when there were wiper attacks, admittedly HermeticWiper was deployed against some Ukrainian targets and among other things, it took down the Ukrainian access to Viasat ground station terminals. That was very quickly remediated, largely through the provision of Starlink connectivity. So, that was a problem for a few days and then it was fixed. And they haven't enjoyed anything like that success since and that itself was a minor success.
Rick Howard: Well, one of the observations though was that it didn't appear that the Russian military had practiced that well with their cyber operators. You know, like you said before, activity by Russian cyber attackers were after political targets and after, you know, criminal targets. But it didn't appear that they had actually practiced together, at least in the initial days, and I'm, so it didn't even feel like they were rolled into the plan. You know, when we, you know, two of us, John, old army guys, right, we'd have this combined arms plan. You know, not only the infantry goes into the tanks, but air force and artillery and everything working together to achieve some goal. It didn't appear that that was what's going on in the cyber domain. Is that your observation too?
John Petrik: Yeah, that's not only mine, but there's also some speculation about that from people. There was an article published recently where the Carnegie Endowment for International Peace that argues essentially that. That's a larger systemic problem apparently for the Russian military, that if you look at the performance of their ground forces, of their general purpose forces, it's been pretty dismal, all things considered. We mentioned earlier that we were, we used to be afraid of Russian electronic warfare, Soviet electronic warfare. We also used to be afraid of Russian armor, Russian tank formations. Heavy formations. And the US army's whole national training center was designed to replicate a really high-end Russian motorized rifle division. That was the opposing force that every brigade, every brigade in the army would skirmish against, regularly. And when you look at their combat performance, it has just been cover your eyes awful. That clearly--
Rick Howard: Yeah, pretty amateur, yeah.
John Petrik: Clearly the vehicles are badly maintained. You see footage of armored vehicles moving and the diesels are smoking, what does that tell you? That's an old, that's an old guy dependent on diesels. It tells you their diesels are not being well maintained. That a well maintained diesel generally doesn't smoke, not like that. You see, you see drone footage, for example, of an armored column coming under air attack and they're moving along and they come under attack and what do they do? They stop in the middle of the road. What's the last thing you do when you're ambushed?
Rick Howard: Not that. Even I know that and I'm just a wimpy signal guy, right, so.
John Petrik: Yeah.
Rick Howard: But you and I, you and I were talking before the show that one of the, one of the hypothesis here is that Russia truly expected to have this thing done in a very short amount of time, right? They were expecting to roll over Ukraine and have it done in a week or two and wasn't that the original idea?
John Petrik: Yeah, but it seems clearly to, to have been the case, most people expected that. I mean, I would not have been surprised had this war would have been over in, in a week or so. And my expectations were, go ahead.
Rick Howard: We have a poll question already for that. Eliana, if you want to put it up for all the audience members, if you want to answer what you think about this. Did, do you all think that Russia expected a Ukrainian surrender in less than a week from the day of its invasion and do you think that contributed to the less than impactful cyber operations? So, John, what do you think? Is that one of your major theories too, is that they thought it was going to be done quickly and we didn't need to coordinate any massive cyber battle plan?
John Petrik: You know, I think that's true, but there have got to be deeper problems with that. You know, your logistics don't fail as badly as Russian logistics have failed in this war, where you just can't, you can't push supplies forward. You can't equip conscripts, you can't, you can't keep fuel moving. You have trouble supplying the ammunition. That kind of stuff doesn't break down just for over confidence. Over confidence is, is a problem, victory disease is a problem, if you think it's going to be a walk-over, you may well be surprised, and they certainly were surprised at that. But there are deeper, there are clearly deeper systemic problems with the Russian military that they haven't come to grips with. There were leadership issues. There were certainly problems with the misreading of intelligence. There's a lot of speculation that the highest levels of Russian command, especially at the presidential level are just not prepared to listen to bad news.
Are not prepared to listen to anything other than what they want to hear. That's a problem. That's a problem for any force that, if you are not prepared to hear unwelcome news and deal with it, you're going to have trouble on the battlefield.
Rick Howard: Eliana, can you throw the answer up on the poll, see what we got? Oh, looks like everybody's in your ball park, John. Okay. Think that was probably the case.
John Petrik: Yeah, with the, with the 15% of, of patriotic Ukrainians who were, who went in themselves being confident. There's an older precedent for this kind of failure and it's the Winter War that the Soviet Union waged against Finland at the end of the 1930s, right on the eve of World War II, when Stalin and Hitler were still allies. That they went in against the Mannerheim Line, and the Finns heinously outnumbered hand upon their heads. And they were surprised then, too. They expected to have Finland completely under their control very quickly. And I think there were similar expectations with Ukraine.
Rick Howard: I want to be clear here too, though. Ukraine prepared. They saw what happened with Sandworm in 2016, right? Or in 2017. And they beefed up their cyber defenses. Not only what they had on the ground, but they brought in all kinds of help from all over the place, to include from the United States, so. They're better at cyber defense than what the Russians had to go against them. Is that not a fair statement?
John Petrik: Yes. It is fair that the Ukrainian defenses were better thought out. They clearly looked for and tried to apply lessons learned from the, from the earlier wiper and energy grid attacks that they sustained. They clearly had a reserve of talent of people who were good, capable coders who were able to work on these kinds of problems and they made intelligent use of them, so they weren't suffering from that kind of overconfidence. And this war had been telegraphed for some time. There are some recent discussions in the media saying that Russia really was kind of surprised, they were surprised by the war. That's just not true. That they invaded what, on February 28th? I think was the, the invasion day.
Rick Howard: Yeah.
John Petrik: And the, the US was already warning about the likelihood of a hybrid war as early as January 11th. So, it didn't come as a surprise, it was under preparation. And the Ukrainians had prepared for it. They were getting close to the EU and NATO. US Cyber Command said a couple of weeks ago that they had deployed their hunt forward teams. Hunt forward, by the way, is a defensive operation, it doesn't mean going in and attacking Russian networks. It means hunting for threats in your own network, hunting forward. They deployed hunt forward teams to Ukraine as early as 2021. And they were there until shortly after the actual Russian invasion when they were pulled out. So, they received a lot of cooperation, a lot of support and a lot of help, not just from the US but from the UK, from EU countries. Former Soviet Republics have all been going to help, and former Warsaw Pact states.
Rick Howard: Hey John, I want to pause a second and remind the audience that if you guys have any questions about what we're talking about or anything on your mind, you could submit them in the Go To webinar questions thing. So, go ahead and do that. I have one here from Manny Cho. Here's his question, John. "When the war in Ukraine ends, how quickly will ransomware and new virus attacks begin?"
John Petrik: Yeah, I think that, excuse me. At one level, those attacks have never really stopped. They've continued. And, heck, I mean, CISA's leading a US national ransomware task force, an inter-agency task force to affect ransomware, precisely because it's continued to be a problem. The Russian gangs have continued to conduct ransomware operations. There have continued to be some wiper attacks that have been pseudo ransomware, but there's also been no shortage of, of regular traditional ransomware attacks. The stats show that companies are reporting or observing these unsure kind of up and down. But it's a regular rise and fall that the current levels of incidents don't seem to be out of the ordinary. Where I think he-- where I think Manny Cho is correct in his observation, is that a lot of the ransomware gangs that we're accustomed to having seen are being applied effectively as auxiliaries of Russian intelligence and security services. So.
Rick Howard: You're the guy that would know, John. I mean, you're the one that puts the news out every day for the CyberWire, but from reading your summaries, which are excellent by the way, I might have never told you that in public, they, it's the first thing I read every day, right?
John Petrik: Rick is never going to stop selling here folks.
Rick Howard: Never. [LAUGHS] But it's valuable information, I don't read anything else, I read what you summarize, right? But from reading what you said, it, it feels like it's disconnected. Right? What's going on in Ukraine cyber-wise, that's one thing. But it appears that the ransomware crews from Eastern Europe are as active as ever, am I wrong about that?
John Petrik: They're certainly active, but they've been redirected in some ways. A number of them are conducting DDoS attacks, for example. Killnet is a nominally hacktivist group. Probably criminal. You've seen other, you've seen ransomware organizations engaging in DDoS attacks. These aren't serious threats. I mean, they're nuisances, they're annoyances, but they're not, they're not crippling anybody. And they're, people know how to handle them, they're doing it. Why are they doing DDoS attacks? To, because they can. Because it's something that is available, because it's something that you can use to attempt to strike at, strike at the, the Ukrainian enemy and the western powers that support them. They have a strong informational dimension to them that it's what the old, the old Black Hundreds in the 19th century would have called propaganda of the deed. You think, you think you're beyond our reach, look again. Your website's been defaced. Oh no, look again.
Rick Howard: Well, let's talk about that because we got another question here from Alexis Pinto. Here's his question. "Globally, disinformation is causing huge foreign interference. What is the role of cyber security in monitoring, let's say, social platforms?" Okay? What do you think about that, John. Should, is that the new task for security operation centers these days, is to collect intelligence from social media platforms?
John Petrik: I think, there's several things I think that are worth saying about that. One of them is, is a general observation about the increasing appreciation of the value of open source intelligence, of OSINT.
Rick Howard: In the commercial space, you know, because I think the military has always known that, but in the commercial space you're talking about?
John Petrik: I don't know. I remember my military days thinking that, thinking that the intelligence people didn't know things that I knew, just because I subscribed to the Wall Street Journal and the Washington Post. Now, I remember, I remember sitting through command post exercises and thinking why, why do they think that? That's manifestly not the case. Or it is the case. But I, I think that OSINT is now so pervasive and it's readily available simply because everybody has a cell phone, everybody's got a smart phone. That smart phone has a microphone, it has a camera. It was striking during the run-up to this war in January and February, the extent to which the, the news media had a pretty darned accurate picture of the Russian order of battle. How did they get that? They got that because Russian and Belarusian people in their villages were, were interested in what was going on around them.
John Petrik: So, a train pulls through your local train station and it's loaded up with, with BMP infantry, combat vehicles. And what do you do? You take a selfie of yourself standing in front of it. What's behind you? It's a BMP with a unit bumper number on it. And it was interesting to see that the news media who were paying attention to these kinds of reports that were coming out, really had a pretty darned good idea of what forces the Russians had ready and where they were, where they had been deployed and what they were likely to be doing. But, you know, the military called the order of battle.
Rick Howard: Good job, but in terms of cyber security, I think media and the large scale organizations have always used open source intelligence reports, say from security vendors who write on the latest adversary campaigns or even the FBI and DHS, you know, telling people about what they're noticing in the open. So that's been going on for over a decade. But what Alex is talking about here is actively monitoring social media platforms, all right, to pick out influence operations against your organization. Do you see that, something that, you know, general purpose security operations centers are going to have to do in the future?
John Petrik: I don't know. I don't know if they'll be doing it or if the platforms as, as Alex, as Alexis suggests, if it's the platforms themselves that are going to be doing that monitoring. But I think, I think it's worth thinking about information operations, influence operations in the larger context of warfare. That if you, if you look at the influence operations you mention, you mentioned Russian attempts to meddle with the US elections for example. It's well known. It's well known that both Cozy Bear and Fancy Bear were, had their paw prints around in, in the information space during that election cycle. How much of a difference that made is, is I think an open and still unanswered question. But, I think that there are in general two styles of warfare. And if you go back to Clausewitz, Clausewitz said that the thing that distinguished real war from ideal war, from the idea of war, was what he called "friction."
John Petrik: And that's an idea that's familiar to anyone who's taken high school physics. When you're taking high school physics, what does the teacher say? "Assume a frictional surface", right?
Rick Howard: Yeah.
John Petrik: You make simplifying assumptions. That's the idea of war. But in real war, you went into friction. It's unpredictable, it's entropic, it mucks things up. Friction is things like bad weather.
Rick Howard: Let me ask you this, John, let me ask you this, because what you're saying is absolutely true and there may be follow on effects. This is a question from listener Connect The Bots. He says, or his question is this, "What are the chances that Russia will launch cyber attacks against the US in retaliation for our support of the Ukrainians?" What, do you think that's in our cards in the near future?
John Petrik: Sure. I mean, that CISA warned about that as early as January 11th. Well before the war started. And if you listen to Killnet, if you believe Killnet, they've already been doing it. Now, it's been down to the noise level, but sure they will. Will they launch influence operations? Yeah. How successful will they be? I think what the Russians have tried to do when they've enjoyed their most success in influence operations has been to increase the adversary's friction. That is to make things harder, to confuse, not to convince people but to confuse them. So, you found things like Cozy Bear and Fancy Bear setting up troll forums that took both sides of a divisive issue in American politics. They had some success.
Rick Howard: So John, we need to wrap this one up on Ukraine, but we could, you and I could go on and on about this. Can you, can you reduce everything you know about this down to a Twitter line and say what is the impact of cyber operations in the Ukrainian war? Can you give us a buffer line for that?
John Petrik: The impact is that so far they've been negligible, and that's a surprise.
Rick Howard: Yeah. That's a very good way to wrap it up, nicely done, sir. [LAUGHS] Nicely done. All right, we're going to move on to the second story on our pallet this morning. Okay. This new story, this is the one that I think will have the greatest impact and, this is not one you might have typically predicted going into the show. It wouldn't-- it's not going to have the greatest impact for 2022, but I think it's going to for the foreseeable future. Right? And it's the Australian government's announcement, just this past November, that it will go on the offensive against cyber crime. The announcement came from the Minister of Home Affairs and Cyber Security, Clare O'Neil, who was appointed in the cabinet in 2022, as a result of two-- she wasn't appointed, her new program was a result of two giant ransomware attacks against Australian companies this year.
Rick Howard: Hackers using the REvil attacks sequence compromised Medibank in October. And impacted the diagnosis and treatments of its four million customers; that's a big number. And a hacker by the name of Optus Data attacked Australia's second largest wireless telecommunications carrier, Optus, and compromised the phone data of more than one third of the country's population; about 26 million people. So, Australia, and specifically Minister O'Neil, has had enough of that, you know, shenanigans, right, and the mission that she's announced is to go, is to build a new task force on offensive cyber crime. And this is the thing that's going to impact us here in the next five to ten years. And her plan, it's consisting of the Australian Federal Police and the Australian Signals Directorate, ASD, and their mission is to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups.
Rick Howard: But, the bulk of the funding for this task force is coming from ASD, which is run by Rachel Noble, the Director General. The plan's got roughly $6.3 billion, that's US dollars, over the next decade from the, the Australian government. And their plan is called REDSPICE, which stands for Resilience, Effects, Defense, Space, Intelligence, Cyber Enablers. That's a mouthful. It's supposed to triple Australia's current offensive cyber capability, double its artificial intelligence and machine learning competencies and add 1,900 new employees. Now, Minister O'Neil said that the current model of traditional policing, and this is the impactful thing. The way we used to do this stuff is we would wait for a crime to happen and then take a very long time to investigate and maybe never put any cyber criminals behind bars. She says that whole process is broken.
Rick Howard: She says that, instead, we want our police and here's the quote, "Scour the world, hunt down the cyber criminal syndicates and gangs who are targeting Australia in cyber attacks and disrupt their efforts." She says, "We are offensively going to find these people, hunt them down and debilitate them before they can attack our country." Phew, pretty strong words, John, all right, what do you think about all that? Is this a good idea that we're going to put governments going after take downs in cyber space against cyber criminals?
John Petrik: Well, in some ways it's been going on for a while. It's interesting in that it's a, it's a real display of Australian temperament, they, they really just, they've just had it. Medibank, the Medibank incident was a, was a real wake-up call. But I mean, just yesterday the US Department of Justice announced that it had, the FBI has seized 48 domains that were used by booter services. There's criminals in the CDC, the criminals, the criminal market, who are selling DDoS, Denial of Service attacks, to other criminals. So, there's been that kind of offensive work before. That also was an international operation, by the way, was the FBI working with Britain's NCSC and partners in Germany, the Netherlands and Poland to, to take them down. So, that kind of thing has been going on, it'll be interesting to see if what Australia does goes beyond that.
Rick Howard: Oh, it's absolutely supposed to go beyond that. You know, those kinds of efforts have been legal issues, working through bureaucracies of countries around the world and which is very difficult to do and then if you start to get into the Eastern Bloc, it's never going to get done. What Australia is telling everybody is that we're done with that. We're not doing that traditional police work any more. We're going on the cyber offensive. We're going to seek out infrastructure that these gangs use and dismantle them and make it really hard for them to operate in cyberspace. That is a significant change and I'm wondering, I'm wondering what you think about that. Are we worried about that? Is it, is that what we should have been doing all along? Or what's your take?
John Petrik: Well, I would like to say good hunting to the Australians, I wish them all, I wish them all success. [LAUGHS] I think that's terrific. I think that, I think it's a logical outgrowth of other earlier law enforcement actions. I guess I don't see it as, as entirely that same. I see it as a departure but not the same great revolutionary departure that you think it may be.
Rick Howard: Well, Eliana, let me throw the poll up. Let's see what the audience thinks about this, right? See if they think governments should go on the offensive. I want to tell an old war story, John. I had a boss of mine who would always say when we get all fired up about, you know, attacking the bad guys in cyberspace. He says, "You know what? The enemy gets a vote. Do you actually think they're just going to sit there and take it, or run away, oh no! The government's going after us, we should close down our doors." What do you think's going to happen there? All right, I would expect some sort of retaliation. And, I don't know, what do you think about that?
John Petrik: You know, if you look at the, if you look at the attacks that the Australians were so exercised about recently. They're already massive attacks. They already affect the country to a great extent. What, what reason do we have to think that the cyber criminals have a lot of reserve capacity that they haven't used yet? That they could do a lot worse than they're doing already? I suppose that's one of my reactions. I don't know how much reserve capacity they have, I mean, to return at the end of the, the relevant fizzle of the Russian underworld in support of the war against Ukraine.
Rick Howard: Eliana, let's see what the audience says. It's, oh, yeah. Unsurprisingly everybody said "Yes, let's go, take them down," all right? [LAUGHS] Let's, let's go after them. So no-one's worried about retaliation. I would just offer some caution here. Most cyber criminal organizations try not to impact critical infrastructure in hospitals and things like that. Now, there's been exceptions, I, I know that's true. But if they wanted to, they could cause all kinds of trouble. And right now, they are not. If governments decide to go on the offense, do you think that takes the gloves off, takes the cuffs off and lets them take on any targets that they want? What do you think, John?
John Petrik: For the audience, I think...
Rick Howard: Yeah.
John Petrik: I, I don't think the gloves are on. I think that, I think that the criminal promises of restricting their targeting are, are not to be taken all that seriously. That many of the gangs who have said, "We'll never go after a hospital," have gone after hospitals. Many of the, the government sponsored--
Rick Howard: It's a good point.
John Petrik: Either deniable, deniable operations or privateers have gone after medical facilities. It's going on in India right now. That the Indian government just pointed, pointed its finger at Chinese intelligence services for an attack on medical installations in India.
Rick Howard: So, we got a question here from Nerds of a Feather, nice name by the way. Okay, he, he or she says, "What about privacy? In the US at least, hasn't the fear that intelligence agencies would be spying on US citizens, not to mention other international citizens without a warrant, hasn't that prevented this kind of activity in the past and should we just willy nilly let them go for it here?" What do you think, John?
John Petrik: I think, I think the system of warrants can work. I think that, yes, privacy is a concern. I think in some ways privacy has, is technical supports that governments are, are maybe unhappy about, but are willing to overcome. Apple's recent decision to introduce end to end encryption in its products for example, was really not entirely welcome to the FBI. But it's going to happen. There are sort of ways of accomplishment. Is privacy a concern? Sure, sure it is. It's a concern with, with all law enforcement operations. But there, the activities, when you look at the things that people wind up getting arrested for and prosecuted for, when you look at the kinds of activities that see, that wind up with sites being taken down, they generally are, the take downs in particular, I think are pretty much, as far as I can see, unambiguous cases of sound police work.
Rick Howard: Yeah, but that's not what ASC is suggesting here, okay? They're not letting the police do this. They're going to go after critical infrastructure of the, let's say, 150 cyber crime groups that we know are in existence right now. All right? And that means servers on the dark web. It means command and control servers. It means data servers. It means going after their attack sequence, wherever they store their code or weapons they use to distribute to their victims. It means all of that, without a warrant, all right? That's what that means, all right. And so, I don't think a warrant is even in the discussion, what Australia's trying to do here.
John Petrik: Yeah, don't know. I mean, I would, I would defer to any member of the Australian bar as to what, what would in fact be going on with that. But, it is, take an analogy with anti-money laundering operations that much of the, so much of the, most of the financial transactions that go on are conducted online. Anti-money laundering operations go on all the time without undue disruption to legitimate commerce. And it's not clear to me that this would necessarily be more intrusive than what we're already seeing in activities against criminal organizations. Certainly, their bank accounts are a crucial part of their infrastructure. Their ability to collect, move, use money so you can buy your exotic cats, you can buy your yacht, you can buy your, your track suit and your gold chain. You can do all of this stuff that the good criminal wants to do.
Rick Howard: Well, I love that topic, I think it's the most impactful, because it's a definite change, right. That governments are going to go do that kind of thing and be, be not as cautious. I do think we need to worry about privacy. I do think we need to worry about retaliation. But I think the horse is out of the barn at this point. It's happening and we will see what happens next, on the next quarterly analyst call year-end program, we'll see what actually happened. We're going to finish up today, John, with just general purpose questions from the audience, since it's the end of the year. Are you ready for this? This is kind of a hit and miss quick draw questions. Are you ready to go?
John Petrik: Sure, whatever I can, whatever I can answer I'll try to answer.
Rick Howard: All right, so here we go. This one's first from an old boss of mine, Barbie Bigelow. Currently the, at Emerald Growth. Hey Barbie, I haven't talked to you in forever. She says, "Please summarize the 2022 impact of cyber disruption to the sectors that most affect the supply chain." What's your take on that?
John Petrik: There are many supply chains. First I'd like to say condolences for having have to serve as your boss, I guess [LAUGHS].
Rick Howard: [LAUGHS] I know. Yeah. She apparently survived, all right, so I don't know. [LAUGHS]
John Petrik: I mean, the, the software supply chain is one, is one supply chain that, that there are obviously standards and regulations that are moving to attempt to secure the software supply chain in ways that it hasn't been secured before. As we move towards a software bill of materials, for example.
Rick Howard: Well, that's what I was going to say. Yeah, I was going to say that. John. The most practical thing that's going to come out of all these supply chain issues is a formalized SBOM, Software Bill of Materials. That idea's been around since the early, or the late 2010, or late 2000s, but it never really, no-one ever really glommed on to it. But because of all the, the bad things that happened the last couple of years, and President Biden making it mandatory that governments will have to have SBOMs as they, as they buy services from commercial customers, this is coming sooner than later. So my advice to everybody is that they need to figure out how to build their own SBOMs on the software they are issuing to their customers. And then also, everybody, you should have your own SBOM for the software that you guys write yourselves and the stuff that you use internally, right? So, that's coming. All right, that's my impact.
Rick Howard: Second question comes from Todd Inskeep, he's the Executive Cyber Security Advisor at Incovate Solutions. In fact, John, we just had Todd on as a guest, one of my CSO Perspective podcast, talking about the role of fractional CISOs. Here's his question. "What's the next big thing in Cyber?" He said, "ten to 12 years ago it was SOX, more recently it was Zero Trust." He says, he's not convinced that SASE, something I've been talking about for the last couple of years, is really the thing that's going to take over. I don't know, what's your take, John?
John Petrik: I, I don't know. It's too, I just don't have any, any insight that would be useful for that, it's unclear. It, where do you see things moving, organizationally?
Rick Howard: I think SASE, SASE might not take over, Todd might be right about that. And for those of you who don't know what SASE is, it's Secure Access Service Edge. It is a complete flip of our traditional security architectures. Before, and Barbie can attest to this, what we used to do is, we would put our security stack at every location where one of our headquarters buildings or data centers would have access to the internet. Or, we would shoehorn all that network traffic back through one security stack with really expensive T1 lines. And the IT and the security departments all had to maintain all that complexity. With SASE it flips it. You contract with a security vendor cloud provider. They put the security stack that you approve in their cloud environment, and the first hop out of wherever you are, either on the road at Starbucks, or from your data centers or from your headquarters, is through the SASE vendor.
Rick Howard: Right, and that SASE vendor's going to run everything through the security stack and you as a security practitioner get to set the policy, and don't have to maintain all the blinky lights. I think that's the wave of the future. It should be the wave of the future and whether or not it catches in or not, like you said, John, it's up in the air, we will see. Okay. But I absolutely think it's a better architecture. You were going to say?
John Petrik: Yes, does that represent a kind of shift in the controlling metaphor that people use to understand these things?
Rick Howard: Like what do you mean?
John Petrik: Well, we used to talk about cyber security in almost immunological terms. We want to achieve herd immunity. We want to, you want to get, you want to inoculate your systems against attack. And you don't hear that as much anymore as you used to, but I haven't seen another metaphor take its place. I did hear one a few years ago that I thought was interesting, in which a speaker at a conference said, "We need to think about this the way we think about public water supplies." You know, just as you want, just as you want to be able to trust the city to deliver your water that's not going to poison you or make you sick, so we want the, the internet to deliver us data that's not malicious. That's not going to corrupt our, our data, that's not going to corrupt our systems. Are we moving in that direction?
Rick Howard: Well, I don't think the anti-virus thing, that's not worked. Has not ever worked, all right? And so we are reaching out to new models. It used to be defense and death and anti-virus. We went, and perimeter defense, none of that really stopped the bad guys from being successful. These new architectures, like SASE, are, are so much superior. And the reason I like it so much is that a SASE vendor can offer any kind of security service in that cloud environment, and you know, to, as a subscription. So, it should be a money maker for them, right? That, and so, there's no configuration, it's just point your, your internet connection right to the, as a first hop, right to the SASE vendor. It should make it easier for them. We will see if I'm right about that, but that's what I like about it. Let's move onto a third question, this is from a good friend of mine, Joe O'Brien, the principal at Alchemy. He says, "Forget cyber 2023, let's go to cyber 2030. And then milestones of proximity of set outcomes."
Rick Howard: All right, he wants you to put the crystal ball on here, John, and predict some things for 2030. Anything come to mind?
John Petrik: I think that, I'll revert to what the Russians have built, permanently operating conditions. I think that whatever happens in 2030, cyber is going to come down to people doing unpleasant things to other people using computers. I think, I think that's not going to change. I think we will find interesting new modalities, we'll find things that will surprise us. There will be things that we're worried, that we worry about today that we won't worry about in 2030. But what will become more of a problem, I think that by 2030, to revert to an earlier question, what do we do about controlling disinformation on the web. I think that by 2030 we may have come to the conclusion that the current search for, for an engine that's going to distinguish truth from falsehood is probably vain, and we'll have arrived at another way of living with that, another way of dealing with that.
John Petrik: And a way forward to that might be the, the one that I think was pioneered by Facebook, where you expose what they call coordinated inauthenticity. So, I'm not saying it's false, what they're saying, what they're saying, I'm not saying, telling you it's false. I'm telling you they're not who they say they are. There's someone else.
Rick Howard: Well, I have a more, more straightforward answer to this question. First, 2030, ten years away, oh my god, less than ten years, right. I can't figure out what's happening next week, so to try to predict it, seven, ten years away, is ridiculous. However, I will say that security practitioners will have completed the transition from being very technical security practitioners to being business-orientated practitioners. We started to make that turn somewhere around 2015, we all started to realize that the worst thing we could have done to ourselves back in the late '90s was convince senior leadership that cyber risk was somehow different than all the other risks that businesses have to deal with and it's just not so. It's just another risk. And what happened was, we started telling senior leaders back in those days that, "oh, this is too complicated, you'll never understand, just give me a gazillion dollars and you'll be safe."
Rick Howard: And you know, I've used that technique in my, in my previous jobs. Not with Barbie, okay, but I have used it in the past, right, and sometimes it's been successful and sometimes it hasn't. But, I think we will get through the transition, the evolution that security practitioners will be business people first and security practitioners second. That's where I think it's going.
John Petrik: Let me ask a question to you, Rick, to hang on that as a follow. We've seen, do you think the insurance industry is going to play a significant role in that change, in driving that shift?
Rick Howard: That's a really good question.
John Petrik: Historic, historically they have. I mean, why do we have fire safety codes today? It's not because of wise municipal governments. It's because of the actuaries. Because the insurance companies wouldn't insure you unless you built out of fireproof material, unless you had sprinklers, unless you had exits. Unless you had a way of getting out the window in case there was a fire. That's what drove the changes, that's what drove fire safety, for example. I think there are signs we may be seeing something like that going on with cyber security. What do you think?
Rick Howard: I, I've been disappointed with the cyber security insurance industry. I thought by now they would have figured out how to measure risk for any one particular organization. And they have really punted on this, right? And, and have failed, I thought. So, for today, if I was buying cyber insurance today, I would use it for some very specific purposes. Right? I would use it to pay for the incident response team that needs to come in during an actual attack. So I don't have to go find that money, you know, on the fly. I would have those folks on a retainer. And I would have insurance for recovery costs, all right? And be very specific about that. And all the other cyber insurance policies that are out there are so hard to pin down that you could get bit by, you know, they could say, "Well, it was Russia, and you know, with their Sandworm attack, it was an act of war, so, we can't possibly insure you for that." So, I've been very disappointed with the insurance response to cyber security. We'll see if they get better going forward. Does that make any sense?
John Petrik: Yeah, yeah.
Rick Howard: We got a question from Jeremiah Osborne, the senior director of cyber operations at Capital One. John, he's an old army buddy of mine, when he was the CISO for the White House, he very graciously gave me and my family a late night tour. Hey, Jeremiah, I'm glad you came on. Here's his question. He said, "Ransomware integrating disparate technology, stack, cloud abuse tacts." I'm not sure if there is a question in there, right? So, what do you think he means by that, John? I'm not sure.
John Petrik: Give it to me again?
Rick Howard: He said, "Ransomware, integrating disparate technology stack..." Oh, I know what it is. How do you protect yourselves from big ransomware attacks when all your data is scattered to the four winds? You got data centers still, you have mobile devices. You have cloud environments like AWS, Google and Microsoft and others. And a bunch of SaaS applications, just at the CyberWire, you know, we're a start-up. You know, we, we have 100 SaaS applications that run the building. So our material data is scattered everywhere. So, the question is, how do you protect all of that from ransomware? I don't know, any ideas there?
John Petrik: Isn't the issue not so much protection as it is ability to recover?
Rick Howard: I think it is, okay? But people might disagree. And what you're talking about is you could either try to prevent it from happening, which is what I would say medium to big companies do; I'm talking in terms of revenue. They try to prevent it, which is a good strategy. They use things like Zero Trust and intrusion, kill chain prevention to do that kind of stuff. Those are all great things, but they are expensive. For the small to medium size company in times, in terms of revenue, I think resilience is the strategy you go for. You just accept the fact that at some point you might get hit and your, your whole movement arm should be to continue operating the business as if nothing else has happened, all right? I think that's how you have to approach it. What do you think about that?
John Petrik: Yeah. I, well, I think ransomware itself is a ball. But the classic ransomware was, they would come in, they would encrypt your files, they'll say "look, pay up or you'll never get your data back." That was the classic ransomware attack. It still goes on. Now, and in the early days of ransomware, there was a tendency for the criminals to pay. So, for the criminals actually to release your data once the victim paid, so that you actually had some law enforcement people saying, "well, you know, maybe in this case it wouldn't be such a bad idea to pay them off." They've grown increasingly unreliable in that regard, but there's also been a move on the part of the gangs toward double extortion. Where it's not just, "You'll never get your data back," but "I've got your data and if you don't pay up, I'm going to dump it on the internet. I'm going to sell it to whoever wants to buy it."
John Petrik: And that exposes you to a whole new category of risk. It's not your, you're not going to be able to do, you're not going to be able to accomplish some business that you were access to your data. It's that you're now exposed to regulatory risk. You're now exposed to litigation. What do you mean, local hospital, you might, you lost my medical records and now they're posted all over so everybody knows about, about that embarrassing problem? You know, I'm going to sue. Right? You know. Defend yourself. You've got that problem. So, handling that is where even the small organization I think probably needs to think about the protection you mentioned.
Rick Howard: So, we've got another question here from listener Bit Hoarders, fantastic user name, by the way. He says, or she says, "How can we, as private citizens, convince our state and the local governments to be more proactive in defending against cyber attacks on critical infrastructure like power stations, or is that something that would need to happen at a much larger scale?" What do you think, John?
John Petrik: Depends on what the different utilities and different pieces of critical infrastructure are in different people's hands. Electrical power tends to be regionally organized. And, in fact, it crosses international lines that the power grid, New York state and Quebec for example are linked. They're the same grid. New York buys a lot of its power from Quebec. Water utility is probably local, it's probably under local management, local control. Many of them are in private hands. So, I think you would have to look at the regulatory bodies that are presently responsible for the safety of these things in other respects. For managing the risk of those utilities and looking at getting them to engage with cyber risk, which as you've just pointed out, Rick, is just a species of bigger risk. It's not something so terribly distinctive.
Rick Howard: I've always had this kind of moon shot idea that no one would ever do it, but here's what I would do if I was king of the world for a day. I'd have just in the US, I'd have the US government, let's say DHS, set up a SASE service, how about that, as a call back, John? Okay? And offer it at a really cheap rate. Right? So, that we wouldn't make it mandatory that critical infrastructure companies would have to go through it, but we make it so incentivized, is that a word? We'd make it so appealing that they would have to go for it, all right? And that's how we would get that done. All right, but I'm a little pie in the sky, I don't think that would ever, ever happen. I don't know, what do you think, John?
John Petrik: It's difficult to, it's difficult to say. I think, okay, here's my answer. I, I think that will happen if the insurance companies get involved.
Rick Howard: [LAUGHS] Nice call back.
John Petrik: So, I'm, I'm going to be on team actuary here again.
Rick Howard: [LAUGHS] We got a question from Tom Sego, the CEO at BlastWave, and, by the way, a relatively new friend of mine. Hey, Tom. He asks, "What is the simplest way to make the biggest leap towards a Zero Trust architecture?" He wants to know where the low hanging fruit is. That's a, I have an answer for that, but I'll let you go first, John.
John Petrik: No, I'll defer to you on that, I know that that's an area you've thought long and hard about.
Rick Howard: I, just remember, everybody, Zero Trust is a journey, it's not a state, okay? You're never going to get to the end and say, "Oh, I got Zero Trust accomplished." There are literally a bazillion things you can do to increase your Zero Trust architecture and you likely have equipment on your prem that you can use right now to get most of that done, all right? Just remember what Zero Trust is. And I have arguments about this with some of our CyberWire staff about what it really means. Here's what I think it means. We're trying to reduce the attack surface as much as possible. So what that means is, you've got to restrict every access point down to the nub of who should have access to it in terms of people, in terms of any kind of APIs connected to it, any kinds of machine to machine things going on, any kind of device, all right? Zero Trust, it can be done with anything that you have already in place, right? But, you can start with your own equipment, okay? And so go from, go from there. Does that make sense, John?
John Petrik: Yeah, sure.
Rick Howard: [LAUGHS] Okay. I got a question from Bob-- yeah, I know it's kind of my thing and not your thing. Yeah, I totally get it.
John Petrik: I was reading your definition in the glossary and it's consistent with what you said, so of course I'm going to agree.
Rick Howard: Well, well I'm glad I didn't disagree with the glossary. [LAUGHS]
John Petrik: Yeah.
Rick Howard: This question's from Bob Turner, he's the Field CSO for Education at Fortinet, and by the way, a regular subject matter expert here at the CyberWire's hash table. Hey, Bob. He, this is an interesting thing. There's a, there's a relatively new development in the CISO world, John, where we call them field CISOs. Where security vendors and other people responsible for cyber security hire veteran CISOs to come in and explain their product to their customers, right? And his question is, what capabilities do cyber security field practitioners need to develop in the next 12 to 18 months to be able to be successful here? So, here's the question, let me boil it down. What does a field CISO need to be able to be good at in the next couple of years to be successful here? Have you got any thoughts about that?
John Petrik: Is the field CISO someone who's actually going to work as a CISO, kind of gig economy CISO? Or is the field CISO more like a sales engineer?
Rick Howard: He's, he's more like an executive advisor or an executive mentor. He's someone who's been a CISO, has the scars on his back to prove it, you know, that he did the work, but now he's going to take this kind of evangelist job, that's what it is.
John Petrik: I think, I think translation is important. I think being able to translate the kind of, the kind of stuff that the organization security teams may be saying. It is something that the leadership can understand and use, would be the most important thing that he could do. I think he would be useful if he could help people see through some of the, just some of the poor expression that people use when they talk about security matters.
Rick Howard: I totally believe that. Storytelling is a huge benefit here. Being able to summarize really technical things to smart people but maybe not smart in your, you know, domain of expertise. So, being able to take something really technical and explaining it to them so that they can understand it, is a really useful skill. So, I would recommend to all field CSOs that they, that's a thing you have to practice. You don't get, you don't get good at that overnight. You have to write all the time, you have to speak in front of crowds. And speak in the small groups and just practice, practice, practice is how you get there. John, I have this, when newbies ask me how they can be cyber security practitioners, I always give them some homework at the end of, at the end of the question. Because, here's the homework I usually give.
Rick Howard: I take something that's a famous technical paper in the cyber security space, let's say the Lockheed Martin kill-chain paper. Came out in 2010, not that technical, about 15 pages. But it really fundamentally changed how we all think about cyber security. If you can take that 15 page paper and summarize it and explain it to your grandma, you're going to have a great career as a field CISO, okay, going forward. Because you can tell stories and explain things that are very difficult. You buying any of this?
John Petrik: Yeah. I buy that completely. I think that's, I think that's like Napoleon's remark that every Corporal has a Marshal's baton in his knapsack.
Rick Howard: Exactly right.
John Petrik: If you can make it simple, you can, you can do, you can be of great benefit.
Rick Howard: So, John, we're at the end of this, the hour has gone by really fast. And just a reminder to the audience, normally the, the quarterly analyst call is just for CyberWire subscribers only. But because it's the holidays, we opened this one up to everybody; you're welcome. Okay, but if you want to hear the next quarterly analyst call, which is March 30th of next year, you have to sign up for CyberWire Pro, so visit CyberWire.com/pro to subscribe. And, John, thanks for coming on and being a guest on my show. Thanks for doing this, I appreciate it and all the listeners--
John Petrik: Thank you for having me.
Rick Howard: You're welcome, John. And for all the listeners, have a great holiday and we'll see you in March for the next quarterly analyst call. Thanks, everybody.