Discussions of the threat landscape at the Global Cyber Innovation Summit (in Baltimore, May 1st and 2nd, 2019) ranged across the familiar spectrum hacktivist, criminals, and nation-states, with a growing awareness that nation-states increasingly tolerate, inspire, make use of, or actively run gangs and hacktivist collectives.
What keeps the C-suite up at nights?
In brief, judging from a May 1st panel on the future of cybersecurity, they're kept awake by two of the techniques attackers are using, and by some large-scale trends in the criminal economy. Momentum Cyber’s Dave DeWalt moderated a panel composed of Tom Gillis (VMware), Wayne Jackson (Sonatype), and Mike Viscuso (Carbon Black).
Viscuso sees island-hopping, in which attackers jump from one company to another, as a growing problem. "Fifty-percent of the breaches partners responded to were the result of island-hopping." Gillis singled out attacks using stolen credentials as the most prevalent problem he had to deal with (and he looked to context and automation to help drive this down).
The big secular trend both Viscuso and Jackson saw lay in the sheer size of the cyber criminal market. The underground cyber economy is now larger, Viscuso emphasized, than the illicit drug trade. In fact, it's now a better than trillion-dollar industry. He thinks that as defenses get better (and they have been getting better) the criminals will cease playing the long game because the long game will no longer pay off. They'll increasingly turn to smash-and-grab attacks. Jackson agreed, and saw a need for standards to guide enterprises as they embrace increasingly complex technologies.
"In the vat, being boiled like frogs."
In a discussion moderated by David Sanger of the New York Times, FireEye's Charles Carmakal, Tenable's Amit Yoran, and NSA's Rob Joyce warned of an increased willingness on the part of threat actors to destroy their targets. No longer content to collect from or disrupt those targets, both nation-states and criminal gangs are rendering data permanently unavailable and driving physical systems to destruction. It's a slow-moving crisis, like the one faced by the proverbial frog in the pot of heating water--the frog thinks he's fine, but in fact is being gradually boiled.
Countries are now using the cyber domain to impose their national will, Joyce said. And one aspect of how they do so is to attack their adversaries' data. If the data can't be trusted, public trust and confidence in government and civil institutions erodes. Thus data integrity is a big problem.
FireEye is also seeing an increase in destructive attacks. Costs have risen in other ways, too. Carmakal notes that the new norm in ransom demands is about $250 thousand, and some extortionists now threaten to release sensitive data to the public. Companies are now likelier to pay the ransom than they formerly were. Operational technology networks are also at risk. In Carmakal's opinion, it's not that difficult to knock out an OT system: the skill levels required to do so aren't high.
Risk isn't equally distributed, either. Yoran said that, while it is in his view possible to protect yourself today, "we see a tremendous difference between the cyber haves and have-nots.
Joyce offered some thoughts on 5G technology. It's evolutionary, he said, but the applications 5G will support are going to prove revolutionary. The massive number of new devices that 5G will connect will expand attack surfaces and induce new vulnerabilities in ways that are difficult to predict.
Data provenance as a growing challenge.
A discussion led by Deloitte's David Hendrawirawan took up the problems surrounding data provenance. The panelists were Joe Witt (of Cloudera) and Steve Bunnell (of O'Melveny & Myers LLP). Hendrawirawan reviewed some recent history relevant to the challenge. The financial crisis of 2007 and 2008 illustrated that banks simply had too many data sources to support risk management. In April of 2013, the Syrian Electronic Army was able to break into AP's Twitter feed and distribute a false report of a bombing at the White House. And in June of 2018 shipping in the Black Sea was subjected to GPS spoofing. These all touch on data provenance.
Witt thought that organizations don't even know where to start. "The reality is that organizations lack the knowledge about their data that would enable them to make decisions on the basis of that data." Bunnell agreed. "Historically we've focused more on confidentiality and availability than on integrity." Consider, he said, fake news, deep fakes, and so on. The problem extends to legal and regulatory issues, to the authenticity of evidence presented in court.
There were no easy suggestions or solutions on offer, beyond counsels of prudence that people exercise appropriate skepticism especially with respect to information that's rapidly disseminated. Clearly data provenance requires further research.
The adversary's IP theft playbook (and it's the slow-boil, again).
Recently retired FBI Special Agent Bill Priestap shared a detailed and disturbing account of an incident of IP theft. He intended his presentation to be troubling; he wanted people to "wake up to the counterintelligence threat before it's too late." The threat is misunderstood and underestimated, and a very significant counterintelligence threat is the threat to intellectual property. The opposition is after anything that can give them an advantage. "We have a huge bull's eye on our backs," and the opposition isn't limiting itself to spying on our government: "It's not spy versus spy any more." We're no, Priestap argued, very good at responding to gradual, nonviolent threats. Counterintelligence threats are of this kind.
The fact that a threat is both gradual and nonviolent doesn't mean that it's not serious. Priestap took the case of what Huawei did to T-Mobile to illustrate the point. T-Mobile had developed a proprietary robotic system, "Tappy," for testing phones. They gave their partners, Huawei among them, limited access to Tappy under a nondisclosure agreement.
The NDA was no impediment to Huawei's decision to steal T-Mobile's IP and develop its own version of Tappy. The Chinese company's US employees collected information in violation of the NDA, at which point T-Mobile suspended the access to its test labs it had granted Huawei's engineers. Huawei's response was to mislead T-Mobile about the incident, saying the employees involved were rogue actors who would be fired. But meanwhile, back in China, Huawei at the same time introduced a formal incentive program to reward employees for theft of competitors' and partners' intellectual property.
This is not, Priestap argued, a problem that's confined to one company. Certain foreign governments, notably China's want an economic advantage, and they'll use people from all walks of life to obtain it. Many people are incentivized to act on behalf of the government, and they do so even if they've not been formally tasked. In China, to be a private company as opposed to a government organization is a distinction without a difference. China wants insight into anything that makes a business successful, and won't hesitate to use illicit means to collect it.
Priestap's example was intentionally one of on-site IP theft. To be sure there are ("of course") computer intrusions. "But don't get so caught up in the cyber threat that you miss other forms of collection." Huawei in its action against T-Mobile was "focused, aggressive, and relentless." The company completely disregarded rules and agreements.
He concluded that we underestimate the opposition at our peril. "This is a fight for our way of life," with prosperity and freedom at stake, Priestap said. And it's a private sector fight, too: the US Government cannot protect all the vital assets in the country. Businesses must look to their own defenses.