CyberWire Live - Q3 Cybersecurity Analyst Call
There is so much cyber news that, once in a while, all cybersecurity leaders and network defenders should stop, take a deep breath and consider exactly which developments were the most important. Join Rick Howard, the CyberWire’s Chief Analyst, and our team of experts for an insightful discussion about the events of the last 90 days that will materially impact your career, the organizations you’re responsible for, and the daily lives of people all over the world.
Rick Howard: Welcome everybody to the CyberWire's quarterly analyst call. My name is Rick Howard and I am the CyberWire's Chief Security Officer and Chief Analyst. I'm also the host of one of their podcasts called CSO Perspectives. But more importantly, I am the leader of this panel and I am joined by Ann Johnson, a CVP. Ann, is that how you say it? What does that stand for?
Ann Johnson: Corporate Vice President.
Rick Howard: Wow, that's a pretty fancy title, of Security Compliance and Identity Business Development at Microsoft. Your title is almost as long as Ben's.
Ben Yelin: I knew he was gonna make that joke early.
Ann Johnson: Yeah [LAUGHS].
Rick Howard: So we have Ben Yelin with us. He's the Program Director for Public Policy and External Affairs at the University of Maryland, The Center for Health and Homeland Security. He's also David Bittner's co-host for the Caveat podcast. And Ben, welcome to the show.
Ben Yelin: Thank you, Rick.
Rick Howard: You can respond, it's okay to talk to each other. This is our third show in the series and we're learning how to do it as we go. The purpose of the show is to go back 90 days and pick some of the most interesting and impactful stories in the cybersecurity space and have a discussion about them with some important thought leaders. And I'm very grateful to have both you two on the show. There are so many things we could have chosen to talk about this time, right, but, and we considered a bunch of things. But the first one we considered and discarded, I would be remiss if I didn't say something about the 25th anniversary of Windows 95. And since Ann is from Microsoft I thought it was appropriate that we put that into the mix. Tell us your big story about Windows 95, Ann.
Ann Johnson: Okay, so I think my favorite Windows 95 story, and Rick you and I were talking about this, is that we still have customers actually who have Windows 95 and Windows NT Servers in their data center. Which is something we're encouraging people to modernize, move to environments that can make you more secure, please.
Rick Howard: Yeah, please, please modernize, we want you to modernize. We also considered the publication of the National Cyber Power Index 2000. This is from the Belfer Center for Science and International Affairs and the takeaway from there is they listed the countries who are the powerhouses in cyber espionage and cyber warfare. And the usual subjects were listed there, you know, US, China, Russia. But they also put countries in there that we don't hear too much about and I thought was interesting. The UK is mentioned, Netherlands, France, Germany, Canada, Japan and Australia all made the top ten. So that's interesting. But we're not talking about that today.
Rick Howard: NIST updated their Zero Trust Publication, I know lots of organizations are talking about zero trust now. So if you haven't downloaded that and read it, please do so. They've updated their language and they've really clarified their message about what zero trust is. But we've discarded all those topics and we chose three other ones. And Ann, we're going to start with you. Your topic for today is working from home and election security. So what have you got for us today?
Ann Johnson: Yes, we're going to have a good conversation. Those two things aren't necessarily interrelated.
Rick Howard: Well they're kind of related.
Ann Johnson: [INAUDIBLE] the past six months, particularly in the US.
Rick Howard: I'm getting a little lag with Ann. Ben, can you hear her okay?
Ben Yelin: I'm getting the same lag.
Rick Howard: Let's pause for a second with Ann. Stand-by we'll come back to you.
Ann Johnson: You're back clear. I have a lag coming in there.
Rick Howard: Okay, it looks good now, you want to continue on, go for it.
Ann Johnson: Yes. [INAUDIBLE] I'm getting lag, so work with Ben and I'll make sure my network connection is solid while you do that.
Rick Howard: Alright, Ben. Well we will go to you. So Ben, what's your big question for the panel today?
Ben Yelin: Calling an audible here. Well a lot of pretty tough and difficult things have happened to us in this country in the past 12 months. Ann was going to touch on the main story, which is the Covid-19 pandemic and the fact that all of us have been sequestered in our house for six months and the implications of that.
Ben Yelin: Another thing we've dealt with over the past several months are a series of large political protests in major American cities. So started obviously with the George Floyd incident in Minneapolis. There were large scale protests there that sometimes descended into violence, riots, looting. That spread across the country. It's been ongoing, we've seen largely peaceful protests and isolated incidents of violence from cities across the country, ranging from Portland, Oregon to Kenosha, Wisconsin.
Ben Yelin: The angle that I thought was interesting for our purposes is the series of protests and the violent incidents that accompanied them have opened our eyes to some of the surveillance tools that are being used by particularly federal government agencies. And Dave and I covered a lot of these on our Caveat podcast, but it seems like every week we're finding out about a new technique that law enforcement is using, each one more intrusive seemingly than the previous one. So we really have quite a range of techniques that we're seeing. One of them is cell phone cloning. Dave and I talked about this on our podcast last week. During these protests in Portland the federal government, through the Federal Bureau of Investigation, was using a technique called cell phone cloning to glean information from protester's phones. Meaning they could intercept in-coming messages, in-coming social media posts of people who were at these protests.
Ben Yelin: We've seen a lot of incidents of facial recognition software being used to effectuate arrests. The Miami Police Department without telling their Court of Jurisdiction used facial recognition technology to identify a person who had committed an act of vandalism against a car during a political protest in Miami. That evidence was used during her prosecution. They were able to recognize her face and match it up against a driver's license database.
Ben Yelin: And these examples get more and more extreme. We read about federal officials using social media live streams as a way to catch protesters, particularly in Portland. So they would watch people who were trying to live stream the event, to be citizen journalists or even activists were inadvertently recording people committing crimes, whether that was looting or arson. And occasionally those would be caught on a live stream and that's something that law enforcements could use to effectuate arrests.
Ben Yelin: Smart street lights. The city of San Diego, California has a series of smart street lights, cameras attached to street lights in the city. They use those to keep an eye on some of the protest activity that was going on in that city. And they were using video from these street lights to investigate protesters who were committing crimes.
Ben Yelin: My favorite story, and I went into this in great detail with Dave, was the federal government and federal prosecutors using open source information to identify a woman who committed arson in Philadelphia, simply based on the shirt that she was wearing. So they discovered her in a live stream video through some aerial surveillance cameras taken by a local news station. They were able to get a close-up on this person's shirt. They did a Google search on the shirt, matched it to a seller on Etsy. And within the comments on that particular sale was somebody with a particular username saying, "This shirt is awesome, thank you for selling it to me." They searched that username and it turns out that this person used the same username on another social media site.
Ben Yelin: Eventually they were able to match it to a LinkedIn profile of a masseuse who lives in Philadelphia. They Googled that masseuse and she has an instructional video on her website and on that website you can see a tattoo that was also visible in the original surveillance video. And this was all described in the affidavit that led up to her arrest. And you know, just from a general perspective it is a risk for people who are exercising their First Amendment rights to attend these protests given the pervasive surveillance surrounding them.
Ben Yelin: So the Washington Post had a great article back in June where the only reason we're having these protests in the first place is because of advances in technology. The reason we were able to see what happened with George Floyd in Minneapolis was somebody taking out their smart phone. But it is a double-edge sword, we now know that law enforcement are using facial recognition, they're using cell site location tracking, they're using social media scraping. They're using companies like Fairview AI for artificial intelligence and facial recognition, all these networks of personal security cameras in cities. So relying on citizens and businesses that have set up Amazon devices, Ring devices on the outside of their homes and businesses. So it's really created a persistent surveillance space which makes it more difficult for people to exercise their First Amendment rights in a way where they can conceal their identity.
Rick Howard: I have a question for you about that. Do you have one, Ann? Go ahead.
Ann Johnson: I actually had a comment, rather than probably a question, Ben. The whole warrant list surveillance, because if you think about physical police investigations, a lot of these are investigative techniques that would have in the past, pre all the technology we have had, required a warrant and to get a warrant police need to meet a pretty high standard to get that warrant actually proves that I committed some type of physical crime, right? Instead we have now a lot of warrantless surveillance, whether it's screen scraping of social media or tying together events, the phone surveillance and the phone cloning are things that I read out of Portland were particularly disturbing, by the way for a whole litany of legal reasons. But it's a concerning time. So I guess one of the things and maybe from a pure privacy cyber security standpoint, do you have thoughts about if somebody wants to go out and exercise their First Amendment rights to peacefully protest, what should they be thinking about doing to protect themselves?
Ben Yelin: It's a great question.
Rick Howard: Before you answer that, let me throw the poll up so the audience has a chance to weigh in on this. So, Janet, please put the poll up about this particular question up, okay? Go ahead and choose your answers there. Go ahead, Ben, answer Ann's question.
Ben Yelin: Sure, so there are a lot of things that you can do. Putting your phone on airplane mode to block the collection of your cell site location information, first and foremost. If you're concerned about facial recognition or really if you're concerned about getting Covid-9, or, you know, kill two birds with one stone by wearing a face covering. There are other methods you can use to disguise your face in public, so that you're not recognized on live streaming social media videos. But, you know, going into the settings in your phone, it's not just pinging of cell phone towers to try to find service, but making sure you're not connected to any local WiFi where law enforcement could go in on a warrantless basis with an administrative subpoena and figure out who was on that WiFi network. Make sure that you are not sharing your location with particular applications unless you are using those applications. I know on my IOS device that's now a default setting they will ask you about. So it's protective prophylactic measures like that that I think is the first step that people can take.
Ben Yelin: And to your broader point, Ann, I don't want these concerns to dissuade people from going to protests and getting their voices heard for something that they believe in. I just think people need to be aware of the eyes in the sky on this.
Rick Howard: The poll results is even down the board, 50/50, that knowing about this would dissuade people from going out. Let me play devil's advocate though. I don't believe this at all, but let me play devil's advocate for the other side. Shouldn't law enforcement be able to surveil people in public spaces to make sure that nothing bad is happening. Shouldn't that be allowed?
Ben Yelin: So from a legal perspective, I mean, that's really where we are. What prosecutors would say is you're putting yourself in public view. You don't have a reasonable expectation of privacy when you go into the middle of the street with a giant sign at a protest. And furthermore, you're voluntarily submitting information to third parties when you, for example, turn on your cell phone and are sharing your location, or other information through your device. And that's something for you legal nerds out there is known as the Third Party Doctrine.
Ben Yelin: Those judicial tenets, these ideas that you forfeit your reasonable expectation of privacy by being out in public and by sharing your information with third parties, were geared toward a time where we didn't have a lot one billion different methods of surveillance where somebody could be watched from a million different angles at a given time. These judicial philosophies were designed for a period where it would take a lot of law enforcement resources to actually go out and track somebody. And to Ann's point, you know, law enforcement would have to go out and obtain a warrant, based on probable cause, to engage in this type of surveillance. So I think it's kind of imperative on our policy makers and I think the judicial branch, to reconsider these doctrines in light of the fact that we have this pervasive technology. It could potentially have a chilling effect on people exercising their constitutional rights and I think from a policy perspective, that's not something that we want.
Ann Johnson: Rick, if I may, real quick. It's a policy conversation. We talk a lot in different context about how laws haven't kept up with technology and that's where we're at. In all of these types of things we need a legal framework that actually contemplates the technology that we have today and then the appropriate controls and boundaries around that. And that's, we're operating under a legal framework that was designed pre-Internet.
Ann Johnson: Nobody reads terms of service, I don't read them. You think I would, but nobody reads them.
Rick Howard: Do you read Microsoft's? That's the question.
Ann Johnson: [LAUGHS]
Ben Yelin: Not even the lawyers read the terms of service.
Rick Howard: So, the question I have Ann is, in your perfect world what would you want for protections for individuals? What would be something you would put as a barrier to unlawful surveillance or at least more surveillance?
Ann Johnson: Well I want to separate and even, Ben, I feel like we conflate a lot, I want to separate peaceful protest and deliberate acts of violence and riots. I really want to separate that, because I think it's necessary and we've conflated it for a political narrative quite a bit recently.
Ann Johnson: We have an explicit right in the US to assemble and to peacefully protest, it's protection, it's in the Constitution, right?. I don't feel we should be surveilled during that, that that should even be allowed, personal opinion, right? But when you do get to the point where there are riots and violence and things taking place, then what is the standard and what is the bar for police to be able to pull a video from Instagram or you put it on Facebook or to get your phone records, etc? And what is the standard we need for a warrant there? And I do think we need to be really explicit and separate the things and determining very clearly in the law of when that line is crossed. And the standard need to be different.
Ben Yelin: I think that's an important point. It's one of those Catch-22's. So in the incident I was talking about in Miami where they obtained information on the individual using facial recognition, the ACLU asked the Miami Police Department, "Isn't this violating civil liberties? You're using surveillance methods on a protest." And they said, "Well it's not a protest, because she set a car on fire. That's a crime." But of course they only knew that because they were using surveillance methods during a peaceful political protest. Just because they caught a crime on camera does not mean that that justifies the broader use of surveillance methods during what otherwise would be peaceful protests.
Ben Yelin: So, you know, I think it is a really difficult question to try and answer, where you can draw that line. I mean, I think you hit the nail on the head, the distinction is incredibly important, we all have to be careful that in criticizing people who exploit these protests and take part in acts of violence, that doesn't cast any negative light on the people who are exercising their rights peacefully.
Rick Howard: In the short term we have, what can you do to protect yourself and you were answering some of that from Ann's question. But we had another listener, Links355 say, ask that question. What other preventative measures can people take to protect themselves?
Ben Yelin: Ann, I think you were gonna way in before I rudely stopped and interrupted?
Ann Johnson: No, no, no, all I was going to say is, historically in law that would be the fruit of the poison tree, right? You're dealing with things that you're not and you know that would make the warrant invalid. And that's, we just don't have those protections today, but I think, getting back to the technological question, I will defer that back to Ben again from the user, what can you do to protect yourself?
Ben Yelin: So, I mean, some of the things I already talked about. Check the privacy settings on your device, conceal your face if you can, make sure you are not sharing your location, make sure your phone is on airplane mode. Some of these common sense security measures that you can take. Make sure you have the most recent security patches for your device. These are all common sense measures that work on an everyday context, but also can work as protection from some of these methods during political protests.
Rick Howard: We could probably talk about that for the next 25 hours, but we should move on. Ann, you're talking about working from home and election security.
Ann Johnson: Let's talk about election security, since it's incredibly timely. So, as you know, Microsoft produced a report in the past couple of weeks that talked about some activities we have seen. And we know that, you know, cyber criminals, much like we saw a lot of Covid laws during the work from home period, you know, sign up to get the first test, hey, there's a cure and they were all phishing, right? Well, we know that cyber criminals and nation states are also incredibly opportunistic about elections. Before I talk specifically from an election standpoint about the actual attacks we've seen, one of the things that every expert that you talk about elections wants to talk more than anything is disinformation. Because actually the greatest threat to elections is still disinformation. In the US, I'm gonna make this a very US centric conversation, I don't think many people, believe it or not, realize elections are run by the states. That decentralized infrastructure for elections and how particular states handle those elections actually makes it reasonably difficult for an attacker to launch some type of wholesale vote hacking operation to change votes for a presidential candidate on a wide scale.
Ann Johnson: What they can do though is disinformation with micro-targeting in certain parts of the country and this is what we saw in 2016 and it's what we're seeing today. Certain demographics, populations, certain voter blocks, certain parts of the country we see a lot of disinformation such as very very targeted and specific messaging and very specific messaging.
Ann Johnson: On top of all that we have seen the nation states attempting to attack certain elements of the election. We saw the Strontium group. By the way we published our latest cyber report and in that, you'll see the definition, we use the periodic table to label all of the actors and in that you'll see our definitions. But Strontium is group that operates from Russia, we know that they've attacked more than 200 organizations including local campaigns, advocacy groups,, targeting these political consultants. They're attacking think tanks, any information they can get, it's all about information harvesting and gathering. The plan, usually their next disinformation campaign. We see Zirconium which operates out of China. They've attacked some high profile individuals and campaigns specifically related to the Joe Biden for President campaign. Also some prominent leaders in international affairs community. We also seen Phosphorous which operates from Iran that's attacked the people associated with the Donald J Trump for President campaign.
Ann Johnson: So we're seeing some bi-partisan attacks and a lot of different attacks. These attacks are pretty consistent with the previous attack patterns we've seen. They also highlight the need, and Ben you were talking at this, not just the need to protect yourself political protests but there's some things, patching, multi factor authentication, make sure your devices are completely up-to-date, it applies no matter where in the cyber security ecosystem you're thinking about. So one of the things that we think about then is where does this leave the policy makers and where does it leave the decision makers? And as I mentioned, elections are decentralized. We talked about this before the call. Election workers are largely volunteer workers with very minimal training. Campaign workers, by the way, are largely volunteer workers. Some are paid, but they may not be professionals in cyber security, campaigns recently have started having a CISO on staff.
Ann Johnson: So the question I have is, how do we think about all that and how do we make both elections and campaigns not just physically secure from attacks? Which we're doing a good job at and the attacks I spoke about were largely blocked, via, you know, the ability to find those, detect them early and stop them, but how do we actually build a better ecosystem around campaign security? And then how do we actually educate the local states and the local governments that are running elections, specifically running the elections on the ground?
Ann Johnson: If you're thinking about, like I think everyone who's in security saw Tyler Tech, a company in Texas, that's been hacked. They don't necessarily participate in elections day to day, but what they do is they actually for some government entities, they're the folks who actually show the results. So think about the disinformation of someone hacking into Tyler Tech and hacking into local government using their system to show different results than the actual outcome. That's a disinformation play, by the way. It's a disinformation play via hacking, but it still creates confusion on the whole election and reduces election integrity, which is a big topic. All of these things reduce integrity and confidence of people when they're going out there to vote.
Ann Johnson: So it's one of the things that's top of mind for us with both actually hunting and detecting nation state attacks in the wild, the work we do defending democracy and the work we're doing with this information to try to reduce disinformation. And Microsoft and a lot of leaders in technology have actually published and come together on a lot of these different initiatives.
Rick Howard: So I'm glad you pointed out, Ann that these are two different things going on here. There's hacking that could happen and I totally agree with you that hacking voting systems is not the way I would do it. If I was a nation state I would hack the place where the data is. Once it's all consolidated I would do it there.
Ben Yelin: You're not supposed to tell them this, Rick!
Rick Howard: [LAUGHS] Well, I didn't know it was such rocket science, right? But also you don't have to do it in all 50 states. You really only have to manipulate five or six of the swing states to have an effect on the election. So that's the danger we have here.
Rick Howard: But on the other side, I agree with you Ben and I'd love to get your perspective on this too. It's really eroding the trust of the electorate, of the citizens. And all of us are talking about do we even trust the voting system? So if we don't trust our institutions then the whole shebang kind of implodes on itself.
Ben Yelin: Yeah, I mean I'll say to any foreign adversaries out there, North Dakota is where you want to focus all of your action, that is our closest swing state. But, all kidding aside, yeah, I mean, I think you're absolutely right that the effort is to sew discord in our system, to cast doubt on the process. And our foreign adversaries are better at exploiting our weaknesses than I would have imagined five years ago. I live in the Baltimore Metropolitan region and we were receiving Facebook ads that we later found out were from a Russian troll farm back in 2016, that were very racially explicit, exploiting the real pain that Baltimore was feeling in the wake of the Freddie Gray arrest in 2015 and it was sophisticated in that it was messages that were targeted to both sides, so defending police action that most people would not think was defensible and exploiting racial division. So I think it starts with us ourselves being divided against each other. We're very polarized and we also have a lot of unique political vulnerabilities and it's our foreign adversaries who are exploiting that.
Ben Yelin: In terms of the voting system, I think you're absolutely right it's a blessing that it is decentralized. If you would have asked me 20 years ago if it would have been better to have a nationally run electoral system for federal elections, in theory, I'd say yes. But I think this really does put one on the board for federalism where states can be the laboratories where people try and build the most secure systems and it's really hard to exploit the electoral systems of 50 separate states.
Rick Howard: In my world we call that security through obscurity, right?. So I would much prefer a national effort to secure the voting apparatus than to count on individual distributed systems like that.
Rick Howard: Can we throw the poll up for this particular question to get the audience's view about this? So how much has this pandemic impacted the work flow in your organization? I'll turn that a little bit towards the voting apparatus. Is this going to affect your voting at all? So try to consider that when you answer this question.
Rick Howard: Ann, I'm coming to you for the next thing. Out of all the things we could do to secure the election, what would be the one thing that you would do if you were queen of the world for the day?
Ann Johnson: So I want to be really clear, because I don't want anyone to leave this call and think that the hacking of a vote is, that is the least risky part of this conversation, is someone actually hacking the vote and changing the vote. And so, what would I do? CISA has been pretty vocal and clear that their biggest concern right now is not just disinformation but a ransomware attack that reduces a state's ability to actually run an election. That's the biggest concern right now. So if I were queen for the world, I would make sure that every single state, all 50 of them, are doing a couple of things. One, using multi-factor authentication so that their accounts and credentials can't be stolen. Two, have really good anti-phishing defenses and three, make sure that they have actually not just backed up all the systems, but they can restore from a back-up, so that ransomware doesn't suddenly stop a state's ability to effectively run an election. Because that is probably the biggest concern right now.
Rick Howard: So, let me see if I can put the results up there. It's kind of a mixed answer. From the way I read that you guys, you tell me if I'm wrong, that's most people are gonna deal with the pandemic and I'm going just extrapolate and say they're all going to figure out how to vote in their own particular precincts. Anybody disagree with that?
Ann Johnson: No, I think we're pretty resilient. It adds up to more then 100%.
Rick Howard: Wait, we have voter fraud?!
Ben Yelin: [LAUGHS] exactly. What did you do, Rick?
Rick Howard: Oh my God. Right here.
Ann Johnson: We're pretty resilient people. I actually think we adapt pretty well. You know, 88% of employees globally went home in a two week period. And companies say that about 42% are going to stay at home. And people adapted. We've seen actually, every study, including our own Harvard Business, has shown that productivity has actually increased throughout the pandemic. And I know why, you're on computers, you're on the phone. The bad thing is people are burning out because there's no breaks, right? I started taking a walk in the morning and a walk at night for my commute, so I could separate my home from work. I said, I'm going to walk in the morning and walk at night. It's better for my health and better for the environment too. But then, people aren't taking those breaks.
Rick Howard: So let's talk about that, Ann because that's one of the questions that came from the audience members, right? Here's the question, people are interacting with devices maybe even more than we would have predicted a year ago because of the pandemic. The questioner is really interested in hearing your perspective on how the pandemic is affecting the relationship with our devices and the links between privacy, identity and security.
Ann Johnson: I would say it's more psychologically unhealthy than anything else, because I think we have seen those productivity increases and people are on their devices continually and they're not separating their work space from their home space. The other thing I would say from a pure security standpoint is let's say that I allow my child to use my Microsoft-issued devices, not everyone does by the way, which is another security risk, but let's say I allow my child to use my Microsoft device to check their personal email or to login to their college account. That creates risk. If we didn't have the controls and the systems that we have in place, potentially, what's to say they get a phishing attack and it launches malware on my system. They get phished on their email and it launches malware on my system. There's so many families now who don't have the luxury of having everyone with their own device. They're sharing devices. And if you're sharing a work device, a school device, a personal device, you're creating a risk environment from a security standpoint as well as a privacy standpoint.
Ann Johnson: One of the things we have to do from a consumer standpoint is to educate our family. We owe it to our family. I'm gonna say it again, I say it all the time, use multi-factor authentication for every single one of your personal accounts as well as your work accounts, because then stolen credentials become less likely. But educate the family on phishing attacks. I don't know if both of you have seen but I'm getting all kinds of smishing attacks. I'm getting SMS messages, three or four daily, about packages from the USPS that I need to pick up or drug trials or different things that are just flat-out fraudulent. We need to educate people more and more and more, because consumers are on their devices all the time and a lot of folks aren't security professionals.
Ann Johnson: When I have this conversation with my family, they groan, they shake their heads and they go do what I ask them to do, right? It's an education.
Ben Yelin: Ann, can you help me explain phishing attacks and ransomware to my three and a half year old? That's the question.
Ann Johnson: [LAUGHS] Bad things happen and you won't be able to play your game.
Ben Yelin: There you go.
Ann Johnson: If you click this link.
Rick Howard: I think the problem you're describing is even more insidious, okay, because all of us are in tech and we all have 17 devices connected to the Internet at any one time. But there's a whole segment of our country who aren't the part of the haves. The only time they get to see computers is when they go to school or when they go to work or when they go to the library. And Ben, you're teaching in a university, do you see that manifest at the university level or is that a non-problem?
Ben Yelin: Absolutely. I mean it is an absolute equity problem. I'm teaching in a class with a lot of international students at the University of Maryland and many of them have expressed difficulty with technological issues, access to devices. Dave and I in our podcast covered some of the access problems, particularly in our rural communities. That's been a major problem where rural broadband is relatively weak compared to wealthier parts of our communities in cities and suburbs. And that's just going to contribute to the equity problems in our educational system. It's really going to set us back and I think that's another policy problem that we're going to have to try to figure out a way to solve. I think it's been one of the really difficult and disturbing aspects of this pandemic.
Ann Johnson: It is. You saw the story about the two kids outside the, I think, Taco Bell, I don't remember what restaurant it was, sitting in the parking lot doing their school work via the restaurant WiFi. Then there was a huge Go Fund Me to get them connected. It shouldn't take that. Think about all the kids that don't have access to WiFi, don't have access to a device. And you need a certain level of device to run some of these systems. Another policy thing that we're going to have to figure out how to address.
Ben Yelin: Absolutely. I mean these decisions aren't easy because sometimes the alternative is re-opening in-person education which can be unsafe and given the research we have now it certainly presents a degree of risk. But the alternative is also risky because of the reasons we identify. We're going to have long term problems where we already have these existing inequities that are just going to be exacerbated by this crisis. It's a terrible problem and it's going to be really difficult to resolve.
Rick Howard: I was working on a project in Alabama last year. we were trying to encourage minorities and women to come into the cyber security field by hosting capture the flag contests across the state. We thought that could help but then we quickly realized that half of the state high schools don't have Internet access.
Ben Yelin: Unbelievable.
Rick Howard: It's unbelievable. We all think, and we're all IT people, the Internet is everywhere, it's not everywhere. The have-nots do not have it. That's really depressing. Let's move on to our third topic.
Ben Yelin: This is my topic and it caught my eye because I've been a CISO a couple of times in my career and I had a couple of questions pop up. Let me just tell you what the story is. Joe Sullivan, he was the Uber CISO. They got breached a couple of times over a couple of year period. But this year the FTC charged him with a bunch of things regarding their reporting to the FTC. This really caught me by surprise, because, Ann, I'm gonna come to you on this question first. CISOs that I've talked to in my career, we've always been trying to break through to the senior level of the organizations that we belong to. Which in my mind has never really happened. There isn't that many CISOs or CSOs you can point to who are at the executive leadership team. They're usually two or three layers below that. And this is the first time I can remember that a CISO has been targeted with some of these indictments because of some perceived problems with the way that things are reported. I'm wondering if you agree or disagree with my assessment of that?
Ann Johnson: You know, I'll say a couple of things. One, I don't see a lot of CISOs that are at the senior level, they're usually a click down. So they aren't the most senior. They may be briefing the board--
Rick Howard: If they're lucky they're just one click down, most of them are two or three down.
Ann Johnson: Right. They may be briefing the board, they may be briefing executive staff, but they're not necessarily part of the executive staff. And that's probably something as an industry we need to think about. As security becomes more and more important, where does the CISO role sit and where does it report?And I know there have been some that have reported to Chief Risks Officer, just report to CFOs versus IT. I think that's probably a good change.
Ann Johnson: But as far as the CISO being held accountable, I believe it's Australia and I am doing this from memory, Rick, I don't have notes in front of me. But I believe it's Australia that has actually passed laws recently about the CISO's accountability and there's also a lot of folks that are reaching out to me over the past 12 to 18 months saying I don't want to be a CISO anymore. I do more of a role like yours. I was a CISO, I just don't want the responsibility. So here's what I would say. In the absence of the US having a unified reporting law relating to breaches, it's really hard to determine who to hold accountable for transparency. We had the breach at Equifax where they had some executives that had traded stock and they were held accountable for that. That's a different type of behavior, because they knew the stock would be impacted. For that, there are really clear guidelines at the SCC.
Ann Johnson: It's again another policy conversation where policy hasn't caught up with modern times and there has to be some type of unified breach notification law enforced by someone that has penalties and who's going to endure those penalties. That's what I would say.
Rick Howard: Well, I'll just throw out one more bullet point here too. Capital One got their fine for their breach that happened last year. $80 million fine from the Office of the Comptroller and Currency, the OCC. But if you all remember the CISO there got fired because of that. Michael Johnson got fired because of that breach. And I think the perception in the industry is that if there's a breach, the one you shoot for that is the CISO. But as I went through and looked this up, that's really not the case, especially today. It's been a very small percentage of CISOs and C-Suite executives being fired because of breaches. I mean it's below 1% and I think the perception is it's much bigger than that. I'm wondering, Ann if your experience had been any different to that?
Ann Johnson: It's a very small percentage and I don't really think unless there's deliberate and egregious behavior, they should be fired. I think the CISO has a really almost impossible job some days, so terminating them over a breach is really, really a strong reaction.
Ann Johnson: It's not my experience if CISOs get terminated. I think it's just a high burnout job because it is probably one of the most thankless jobs in the organization, because you're never going to make anyone happy. The business isn't happy because they think you're slowing them down, the risk people aren't happy [INAUDIBLE], the compliance people aren't happy because you're not doing the right reporting. I mean, you talk to CISOs and they're dealing with, you know, and your SOC is understaffed and your the teams are understaffed and you have too many tools, you know the drill. But as far as them being terminated, no, it's a very small percentage.
Ben Yelin: And if you're doing your job correctly as a CISO, you never get recognized. Because no-one's ever going to notice you. So you're only held accountable for these breaches which, as we've seen over the past several years, can happen to any type of entity, private or public. And I agree with you, Ann, that unless we see some sort of gross negligence or people aren't complying with basic best practices, or they're not using your two-factor authentication, then it is a thankless job. And I agree with you that it is a thankless job and it's important for us to not have high rates of burnout in the industry.
Rick Howard: So let's throw the poll question up about CISOs and getting fired about breaches. Ann, you were going to say something?
Ann Johnson: No, I was just going to say CISOs are just incredible. I've yet to meet a CISO that isn't a committed professional, that doesn't want to do the right things, that doesn't follow NIST or Mitre or whatever. It's just about prioritization because they don't have indefinite money and indefinite people. So, it's about prioritizing the most important things and hoping you have a handle on that.
Rick Howard: Well, I think the one thing that's changed here in the last couple of years and I know when I was coming up I used to think for sure you'd be fired if a breach happened. But what's happening around the industry is other companies are hiring the CISOs that were on board when a breach happened, because now they have experience with the crisis management experience. So that experience is what other companies are seeking. Ben, have you seen any of that when you're talking to your students? Are they asking about things like what's the career length of a CISO?
Ben Yelin: Unfortunately, most of my students have made the regrettable decision to go into the field of law, although there are some technologists. I think there's generally a concern about entering a profession where you take on an added burden of risk, and, you know, I think obviously, most CISOs are relatively well paid, so there is some reward that comes with that risk. But, you know, I think the more and more Equifax type events we have, office of personal management, where the events become more than just stories contained within an individual organization, I think perhaps the next generation of people who want to get into this industry, you know, do you wanna take on that responsibility? Do you want to be held accountable in the court of public opinion or even civilly liable in a legal sense? And we want to avoid that, we want as much talent as we can to get into these organizations and agencies to protect our collective security. So, you know, I take it as a positive that it's such a low percentage of CISOs who have been fired.
Rick Howard: Well, I think for the audience members, we have a couple of hardcore people who say fire them, so there you go. But most of the audience it says that we should keep them because of the experience which is interesting. Did you want to say something, Ann?
Ann Johnson: I was just gonna agree with him, I don't think, like I said, CISOs should be fired unless there's just some gross neglect. I think is a good word.
Rick Howard: We've got some questions coming in through the chat channel so this is kind of a free for all, pot luck, for everybody, right. So if you feel like you got something, pop up. This is from Karen Thomas. How can organizations identify the right threat detection security products out there out of so many? What are the key pointers that you should be looking for when you do this. Ann, this question is probably for you.
Ann Johnson: Use Microsoft for everything, okay. [LAUGHS].
Ben Yelin: Send the money directly to Ann, yes [LAUGHS].
Ann Johnson: Let me be really serious with my answer. Using the right threat detection, to start with it's where in your environment are we talking about. Is it end point or server or cloud or are we talking about your active directory or your identity store. That's the first thing to isolate. I think it comes down to actually understanding, I particularly like the [INAUDIBLE] framework. Understanding where the risk, the greatest risk is in your environment, understanding what gaps technologically you need to close to reduce that risk, because cyber security is a risk conversation. You can have perfect security, take for example the Wall Street bank who was famous for Super gluing their USB ports when they didn't have the right controls, so you have perfect security, but you're never going to with a risk conversation. Where is your greatest risk, what do you need to do to close the gap on your greatest risk and what tools can you buy to close that gap that are both affordable. The total cost of ownership must be affordable and you have people trained on, you know, people that actually know how to use them.
Ann Johnson: We've always had a proliferation of tooling problems in cyber security because organizations will have a problem and then buy a tool and they'll have a problem and they'll buy another tool, etc, and suddenly they have 60 tools and nobody knows how to use them. So you need to think about all of those things. Do you have people that know how to use the tools? What tools close the gaps on your greatest risk? Are they a reputable vendor because reputable can mean a lot of things. I know CISOs are really good about calling their peers, are really good about calling Gartner and they look at the company. You should think about all of those things and that should be in your decision criteria. It's not an easy thing to do. I had one CISO tell me once, well I only buy the top three things in the Gartner Chart. That's great, by the way, not criticizing them, but if those top three things don't actually solve your problem, that's what you need to do first is identify what your problem is.
Rick Howard: I totally agree with that and in fact the podcast that I've been building these last two seasons is about that very question, alright, Ann, you talked about cyber security as a the risk question. I tried to get it down what the four are of the fundamental problems we are trying to solve and I really, the folks on this, whoever are listening, know that I say this on every podcast, but really the problem we're trying solve is how do we reduce the probability of a material impact to our organization? Right, not stop it, not prevent breaches, not patch, some of those things may be involved, but it's really reduce the probability. That might help you not get fired, by the way, on your next breach because you didn't tell your bosses that you weren't going to stop everything, you said you were going to reduce the probability of it.
Rick Howard: There are a number of strategies you can think about, right and we talked about them all on the podcast, it's basically zero trust, it's intrusion kill chain prevention, it's resilience and the ability to do risk assessment so you can determine what the probability is, so you can tell that to your bosses. You shouldn't be worrying about the shiny object tools, all those vendors that Ann was talking about, they all have features, yes pick the one that works best, but really look at the strategies and which tools do you need to make the strategies reduce that probability. That's how I would look at it.
Rick Howard: From a lawyer standpoint, Ben, is there a legal consideration that we should be thinking about for tool selection or do you guys not get involved in that?
Ben Yelin: So, it's difficult from a legal perspective to determine what issue you're actually trying to focus on. In terms of liability you are largely held to industry standards and what a reasonable person would do, especially in tort law, and who was in your position, had the same level of experience. So that is going to end up inoculating a lot of agencies when they're dealing with novel problems. I think we've seen that in the legal world.
Ben Yelin: One area I think that we're seeing develop more is this issue of cyber insurance and not just purchasing cyber insurance policies, but getting insurance brokers who understand issues in cyber security just as well as they understand, for example, flood mitigation, because that's a risk that's going to continue to build and you want somebody from whom you're buying insurance to have that institutional expertise.
Ann Johnson: Can I just close this real quick? Zero Trust is a great framework because it's so fluid and flexible and the one great thing about cyber insurance isn't just the protection that you're afforded, it's the fact that they use a lot of industry standard tooling to tell you the baseline security of your program, they rate you, like any other rating policy. So one of the upsides of cyber insurance is being able to use a Microsoft secure score or, or one insurer uses CrowdStrike whatever, right, it doesn't matter But they're giving you a rating on your program and telling you where your weaknesses are and that's one of the upsides of cyber insurance.
Rick Howard: Absolutely. Good answer. There's a question from an old buddy of mine, Todd Inskeep and this is gonna be a wildcard for you guys, so let's see how we handle it. What are the ramifications of US pressure on companies like TikTok and ByteDance and the deal that seems to have come out of all of that? It seems to be a good policy question.
Ben Yelin: I'll chip in first with a plug for next Wednesday when Dave and I will be discussing this on our podcast. Make sure you tune in for that. So we just saw a judicial decision in Washington D.C. this Sunday on TikTok where a judge issued a preliminary injunction against the President's Executive Order saying that TikTok had to cease operations in the United States. As a result it is still in your App Store, no matter what device you use. There are a couple of issues that were invoked in that case. The statute itself which is about international sanctions might have been violated because there's an exception in that statute for these sanctions as it relates to personal communications. This is something that's largely done on TikTok, or at least that's what the young people tell me. And First Amendment issues as well. Not only have courts said that the code drafted by individuals at TikTok is First Amendment protected for intellectual property, but also just the issue of shutting down this service which a lot of individuals use for personal protected activities, for personal communication and sharing photos.
Ben Yelin: And to have that avenue shut down, given its reach, is potentially going to have some first amendment ramifications. So that's not something that any courts have adjudicated thus far, they've sort of raised the issue as something that's going to come down the line. But it is interesting that there has been some judicial push-back against the Trump administration on the effort to bank TikTok in the United States.
Rick Howard: Ann, do you have anything to add?
Ann Johnson: No.
Rick Howard: [LAUGHS]
Ann Johnson: Even if I did, I like my job [LAUGHS]. In all seriousness, no, unfortunately, that's not what I can talk about.
Rick Howard: That's alright. We will move on then. Got a question from Andreas Ham about the recent ransomware attack against the German hospital that resulted in a death. His question or her question was in her view the human's life should not depend on hospital IT and how can we ensure this? That's a loaded one right there. Ann, I think a lot of those hospitals have old Windows 95 machines running, so how do we deal with that?
Ann Johnson: So, there's a special place for any bad actor that attacks a hospital. There's a whole lot of people in the industry that on their personal time are launching some initiatives to stop those things and I hope they're successful, they have full support. But we also had a large ransomware event early this week with UHS in the US earlier this week, or the weekend, we had a large ransomware event that that took down a lot of hospitals. So, health care is super challenging because, to your point, not only do they have a lot of systems they're running on legacy systems, they have a lot of IOT and embedded devices that aren't patchable or updatable. And they also run on razor thin margins, especially children's hospitals by the way and they don't have the sophistication of IT systems and updates, etc, it has to be a community effort. There's no easy answer to this. It has to be a community effort of the folks that are supplying those cardio lab systems and other systems. It has to be a community effort of people like Microsoft. We have a very large healthcare practice that we're working to try to modernize healthcare organizations as quickly as we can to make their systems more resilient, so a human life doesn't come down to IT.
Ann Johnson: Then there's fundamental control, unfortunately we talk about all the time, MFA, backing up your systems, patching, encryption, quarantining devices that can't be patched or upgraded. Making sure that if that cardio system gets impacted, it can't take down the entire hospital, it can only have an impact in its specific environment. There's so much work to be done because there's so much legacy technical, that we're years away from solutions. But I'm optimistic that some of the work we're doing at Microsoft and some of the work the industry is doing to actually block ransomware as a whole is going to have an impact and reduce the attacks we're seeing against healthcare. And again, there really is a special place for people who will attack a hospital, I have literally, you know, no patience.
Rick Howard: The folks at the Cyberwire know I've suggested this to our CEO a couple of times, a new service from the CyberWire. It's basically "Get in the back of my truck, we drive over to those guys' house and beat their ass" service. I think it would be very successful. Alright. But to your point, Ann, we talked about strategy before. Zero Trust is the way that we help the IOT stuff that can't be updated, can't be fixed, but we just need to make sure that that device only talks to the other devices that it needs to talk to and nothing else. That would greatly reduce the attack surface for those kinds of solutions.
Rick Howard: Ben, I interrupted you, do you have something you want to add here?
Ben Yelin: No, I'm good.
Rick Howard: Alright, this is from Bliss155, back to the surveillance discussions. Doesn't the surveillance that the law enforcement people are using violate First Amendment rights and aren't they constitutionally protected at protests? I'm not sure that's true, but over to you, Ben.
Ben Yelin: So, technically you are always protected if you are engaging in speech. I mean, I think the things that they're being prosecuted for are actually violent crime. So you don't have a First Amendment protected right to engage in property destruction or arson. I think that's a given. Where this gets sticky as I think what we talked about earlier, when you have surveillance on First Amendment protected activity, you will, incidentally, probably catch people committing actual crimes, but from my perspective it's problematic in the first place to still have that surveillance, nonetheless. They're arresting people for activities that aren't protected under the First Amendment, but I still think this invokes First Amendment concerns in the respect that if people are dissuaded from attending these events, then we're dissuading people from exercising their constitutional rights. And the Supreme Court and other legal scholars will tell you that that's the exact opposite of what we want to do. We want to encourage people to be involved in the political space.
Rick Howard: So folks, we're getting close to the end of this. Ann and Ben, I'm going to come to you for a last word here, any takeaway from this discussion. Ben, how about you? Anything you want to part to the audience before we get out of here?
Ben Yelin: You know, one thing I think is important for everybody during these difficult times, we're talking about some really heavy issues and it's unlike any issue that any of us have dealt with in our life. This is something that affects everyone because we've all had to adjust from working at home. These were protests, you know, that we discussed today that happened in hundreds of cities across the country and some world communities. So, I mean, it's just interesting that we're talking about subjects that are very relatable to everybody, because that's just the nature of what 2020 has brought us. Maybe it'll bring us together since we have had this common experience, maybe we can have some resolve to find some common solutions. I certainly appreciate everybody hopping on, always enjoy chatting with everybody. This is the third one of these that we've done from the comfort of our own homes and hopefully one day we can do this in person again. That's my hope.
Rick Howard: Ann, you have the last word.
Ann Johnson: Yeah, so a couple of things. One, you talked about Zero Trust. We know the companies that have implemented Zero Trust were very able to withstand things like working from home with the pandemic, because they were prepared and had an architecture that was incredibly flexible. So big plug for Zero Trust. The second thing is small plug for my podcast. Afternoon Cyber Tea. I do have my own podcast, I heard the others mention, so I'll pug Afternoon Cyber Tea with Ann Johnson. We're on our third season, we have a lot of folks and one day I'll probably have both of you on, so stay tuned for an invitation. The final thing, we are in really difficult times, so the one thing I'd say is stay safe, stay well, but also show yourself some grace, show other people grace, so show yourself some grace. We're all under a tremendous amount of pressure so don't take it all on your shoulders. Make sure you're making some time for yourself just to disconnect and kind of get through it all.
Rick Howard: I couldn't have said it better. Thank you for that. And on behalf of my two colleagues, Ann Johnson and Ben Yelin, thank you all for attending the webinar. We really appreciate it and we'll see you at the next Cyberwire quarterly analyst call. Thanks, everybody.
Ben Yelin: Thanks everyone.
Ann Johnson: Thank you.