CyberWire Daily - 2017 Cyber Security Forecast [Special Editions]
Episode Date: January 31, 2017
What are you expecting in 2017 when it comes to cyber security? There are sure to be attacks like we saw last year, ransomware and botnets, IoT vulnerabilities we just didn’t see coming. And what about all of those unfilled jobs? Can automation help fill the gap? Is the board room finally going to give cyber the attention it deserves? How will President Trump affect cyber policy?
Transcript
We're probably going to see an increase in the weaponized internet of things.
The good news is everyone is aware of the danger.
We're going to have to get more automated,
but we also need folks that are better trained, better educated,
and quite honestly, better equipped.
What are you expecting in 2017 when it comes to cybersecurity?
There are sure to be attacks like we saw last year, ransomware and botnets, IoT vulnerabilities we just didn't see coming.
And what about all those unfilled jobs?
Can automation help fill the gap?
Is the boardroom finally going to give cyber the attention it deserves?
And, oh yeah, there was that presidential election in the U.S.
How will President Trump affect cyber policy?
We don't have all the answers, but we've gathered up some industry experts to share their thoughts on what 2017 might bring.
And later in the show, we've got a roundtable with Sarah Sorcher from the Christian Science Monitor's Passcode
and our own editor of the CyberWire, John Petrick.
Stay with us.
We begin with threats and vulnerabilities.
Christopher Pearson is Chief Security Officer and General Counsel for ViewPost.
I think that we're going to continue to see ransomware moving forward and business email compromise moving forward at the same speed that we're seeing now.
I do think that we're going to see a lot more of activity here, though, in terms of destruction of data.
Instead of ransom and requesting the data back for Bitcoin payments,
I think that we're going to see things really morph into a,
how do we get a hold of the cloud instances of X, Y, and Z company or corporation?
How do we go ahead and take over those instances,
those environments? Unfortunately, more ransomware. Diana Kelly is an executive security advisor with
IBM. More malware that's very sophisticated, that changes very rapidly and very quickly
in an attempt to avoid detection. So we're probably going to see an increase in the weaponized
Internet of Things, where we saw a little bit of that at the end of last year with the Mirai
malware and taking over IoT devices that were using the default logins, username and password,
and using them to create massive denial of service attacks.
So I think that we're probably going to continue to see that kind of activity going forward in 2017.
And again, I hope that this is really going to encourage companies and encourage end users
to go in and change those default usernames and passwords.
Because again, understanding the threat and understanding the attack vector and taking steps to be prepared is the best way for us to defend ourselves.
We've seen a significant explosion in bad guys embracing IoT in a malicious way.
Dale Drew is chief security officer at Level 3 Communications.
He's a regular contributor to the CyberWire.
There are no security solutions for IoT.
There is no endpoint protection.
There's no intrusion detection.
There's no nothing.
And there's no standards.
And so the bad guys have found that when they gain access to an IoT device,
they have a much longer life on those devices before they are detected.
Their bots are now capable of controlling millions of endpoints
as opposed to just thousands of endpoints.
And that's all because of this sort of attraction to IoT. So we really think that the bad guys are
going to be doing significant research in IoT exploits, and that's going to cause a significant
amount of reaction from the community, especially in the IoT space, to react to all these security
threats until we can get a lot more proactive.
The good news is everyone is aware of the danger.
Dave Larson was chief operating officer and CTO at Corero Network Security when we spoke to him.
He's since moved on to HP.
At the very first stage, I think you're going to see significantly more attention paid to
setting up devices without default passwords. The good news
on the Dyn attack is that it took down Twitter and Okta and Reddit and made it onto the mainstream
news for that entire day, which means even the average person is aware of it now and that
passwords are probably something that you should have put some thought into. So I think in one respect, the attack itself has probably diminished the future capacity
and scale of these attacks because people are going to take proper practice and procedures
to lock things down.
This is a pretty vibrant community.
The attacks are large enough and devastating enough now that people realize you can't just
ignore them.
It isn't just fear, uncertainty, and doubt of the possibility of IoT-based
attacks. They are real. In general, though, the internet community is very good about
banding together and taking care of these kinds of issues. So I think in general,
we will be better off a year from now.
2017, I think workforce development is finally getting the attention it deserves,
although we still have a ways to go.
That's Simone Petrella. She's chief cyber strategy officer at CyberVista,
a training development and workforce initiative company.
The current workforce, just as if you use as an example, you know, the CISSP, which is the
biggest certification that's currently in demand in both government jobs as well as in a significant portion of the private sector.
There are 65,000 jobs that are available that require a CISSP and like only a fraction more of actual CISSP holders globally.
And so clearly, you know, those ostensibly all have jobs.
And so you see that just the demand in requisitions and hiring is outpacing the graduates that are coming out of universities, as well as other avenues where people are transitioning from,
say, IT fields. And that probably, unfortunately, can't really catch up until we either develop
academic or university programs that can fill those gaps, or we do start to more conservatively transition
folks that maybe have an IT or ancillary background that could really be successful in cybersecurity.
If you look at who are the cybersecurity experts right now, unfortunately,
only 10% of them are women, for example.
That's Diana Kelly from IBM.
So we're missing out. If we've got a big shortfall
in who's doing the work in cybersecurity, we're missing out on a whole bunch of potential workers
just because we don't have a lot of women in the field. Also, looking at people from diverse
backgrounds. I actually have an English degree from college. I didn't come out with a PhD in
cybersecurity. I was self-taught. Now,
granted, back in the 80s, there weren't a lot of cybersecurity degrees. I don't think we even used
the term. But there are still people that are coming out from very different areas that when
they get interested and start to learn in security, they can add so much, creating a much more and
supporting a far more diverse workforce,
both from the gender of the people, but very much also from the background that they bring in.
Because when you look at cybersecurity, it's a really broad discipline.
So being able to bring people in from other disciplines, I think, can really help us to round out our knowledge base.
Is it quite possible that some of that can be mitigated
through automation? Chris Pearson from ViewPost. I think the answer is yes. Absolutely yes.
As our technologies have grown, I believe that once we have these tools in place, it's going to
allow our individuals to focus on more of the high-risk items as opposed to chasing some of the needles in the haystack
that they've been chasing, given the amount of, the number of alerts that they've had,
as well as poor indications of, are they truly risks or not, and risks that need immediately
dimensioning or not. We're going to have to get more automated, but we also need folks that are
better trained, better educated,
and quite honestly, better equipped to be able to handle the cybersecurity needs of our country.
We really think that machine learning and behavior analytics to be able to detect things
that you've never seen before in ways you've never seen it before, and then tying that knowledge
directly into all of your
existing security infrastructure is going to be the thing that is going to have a step function
above anything else in protecting enterprise assets and critical infrastructure capability.
That's Dale Drew from Level 3.
I cannot look forward enough to turning the things like machine learning from a buzzword
into a more practical product capability that is embedded in a vast majority of our security technology.
Christopher Pearson thinks that not only will artificial intelligence be an important tool in the toolbox,
it's going to be at the center of a lot of action from a purely business point of view, too.
The playing field in 2015 and 2016 is quite littered with a lot of companies in this space
that are startups that are trying to really hone out AI.
And so I think that it's an overcrowded market.
I think that it may be overfunded in some form or fashion.
And so what you're going to see, and you saw a lower amount
of public exits in 2016. The exits have definitely dropped. So I think you're going to see some smart
shoppers over there. I think you're going to see some nice acquisitions and nice opportunities for
acquisitions in 2017 of these types of companies. Speaking of business, Diana Kelly thinks cybersecurity is poised to take its
proper place at the boardroom level. It's got to evolve from just an awareness and continue to go
past that, you know, that TLP, the traffic light protocol where, oh, we're green. You know, we've
got a little bit more awareness. We need to continue to build and drive that awareness
into the board so that they really own the fact that the company is now, when we talk about
risk, it's not just business risk, it is digital and cyber risk too. And they're all one and the same.
They're just, they're so entwined that we really can't unhook them from most organizations.
So the board understanding that as they're making risk decisions, they've got to understand the cyber risk decisions.
And the part on the CISO and the security team is to bring up information about what those risks are
and more than anything to drive a risk-based strategy because there's still a little bit of this
reaction.
It's, oh, today it's ransomware and tomorrow it's going to be the IoT DDoS.
It's really easy for us to become, you know, the magpies and the, oh, the bright shiny
object of whatever's in the news right now.
But the security team bringing to the board this very well thought out risk assessment,
understanding the strategy of where the company
wants to go. That's going to help them to make those decisions and to be very proactive about
how they build out their defenses. It's really understanding your company's desire to manage
and make choices around business and digital cyber risk and then implementing them to a plan
over the course of the years.
You may have heard there's a new presidential administration in the U.S.
What that means for cyber is yet to be determined, but there are some clues.
Here's Chris Pearson.
We do have a, you know, some inkling of a decreased regulatory model as one administration push.
I don't know how we're going to actually do that on cyber. We have a recent executive memoranda regarding an all-stop on civilian positions.
What are we going to do with these cybersecurity positions that are out there?
DHS certainly has the largest billet of them.
But what are we going to do in terms of DOD, DHS, NSA, and the other agencies that have open cybersecurity positions?
These are now effectively at a stop under that presidential memoranda.
at least during the campaign, some notion that President-elect Trump, or President Trump now,
was looking towards the DoD to play a larger role in cybersecurity. So if he stays true to some of those promises or some of the things that have been communicated there, we're going to see
some unique movements that are a little bit different than what we've seen in the past.
But remember, the critical infrastructure that is impacted by cybersecurity is still 85% owned by the private sector.
And so there's going to have to be a huge participation from the private sector
in terms of any things that get pushed forward as it relates to
cybersecurity. We hope to, those of us in the cybersecurity community, privacy community,
and policy community likewise, really hope to learn more in the next 90 days as to what
directions we're taking as it relates to cyber. We do need to, as vendors and as users, start to have a hand in what we do to
help protect ourselves. So if you're a vendor and you deploy a system that shipped in an insecure
state and it becomes an attack vector, then your name could be on the headlines. You're now the
device that is used to be on a headline of a major attack through IoT,
then that can hit your company's reputation.
And reputation and brand awareness is something that we found in one of our studies last year is becoming increasingly important to organizations.
Because if we don't, then government will provide regulation.
That's Dave Larson.
From a telecommunication and from an internet perspective,
regulation is not always good. It is costly. It is well-meaning, but it does not always solve the problem. And if governments are forced to act because the community does not, we will end up
with overlays of controls and compliance initiatives that are just going to make business harder to do.
And I think people realize that
and I expect them to actually get out ahead of this
so that the Congress and the various governments
around the world don't actually have to get involved.
I would say go back to your team and say,
give me your full risk assessment
for all the areas that we're covering.
So everything that's related
to cyber and to digital. And then really look over those very, very, very carefully. Has that team
that reported up about the risk assessment and the risk strategy, did they really get a comprehensive
view? Were they looking at, did they have an inventory underneath of what they're looking at
and reporting to you on? Because very often, it's so simple, right?
What's the inventory?
If you're testing your web applications, are you really testing all of them, for example?
So making sure that that team has reported up to you about where the risks are and what they're doing to prevent an attacker from getting in.
Because, again, it sounds like, oh, well, of course everybody does that.
But they do it at this really high level.
Like you said, you know, the TLP, it's like, oh, we're all green.
We've got a couple yellows, 60 yellows.
Everybody moves on.
Really dig down and look underneath of what it is that they're rolling up into the reporting.
That's a really important part.
As it relates to something that we can
certainly do a much better job on in 2017, and it's just clear as day, is we really have to
tackle this problem of authentication. Who are you? What are your rights and privileges? Is that
you that's logging on? Or is this a username and password that has been compromised in some type
of malware attack attacker keyboard logging
event, and it is not you. We have to move both in terms of consumers and in terms of businesses
towards a pure dual-factor state of things in 2017 so we can stem the bank account takeovers,
we can stem administrative privileges being used improperly by attackers.
We have to be able to do something here in this area so that our time and attention can be turned to the true and real threats
that could have real impact as opposed to a lack of ability
or an inability to keep control of our username and passwords.
It may not be an end state of dual-factor authentication right now.
It may be something that needs to progress further, but we have at least got to make that
jump in a material way in 2017 to have any hopes of tackling cybersecurity.
And I'm pleased to be joined by Sarah Sorcher.
She's the Deputy Editor at Passcode, part of the Christian Science Monitor, and also joining me is John Petrick, our Editor here at the CyberWire.
Welcome, everyone.
Great to be here.
It's good to talk to you.
Let's start with you, Sarah.
We've heard from our experts on what they're expecting on 2017.
What's your outlook?
Well, as a reporter in Washington, I am tracking pretty closely the policies of the new Trump administration and
what this means for security and privacy in the federal government and in terms of its relations
with the tech industry and all that sort of fun stuff.
So there are some early indications of where the administration is going to go.
And his nominees are also weighing in on issues like encryption.
So it promises to be a pretty interesting year on that front.
Specifically, I think today we're expecting an executive order from President Trump when it comes to cyber.
What are we seeing in terms of policy?
Are there breadcrumbs we can follow or are there more overt moves that we sense where things might go?
Yeah, definitely breadcrumb stage, I think.
I mean, you're right.
There is an executive order that Trump is expected to sign today, and it's basically
commissioning several different reviews of the government's cyber security capabilities on both
the offensive side and the defensive side. And, you know, he has made cyber security a pretty big
talking point during the campaign. And, you know, there are some indications of where he might go. Some
talk about even transferring some of the authority from the civilian Department of Homeland Security
to the Pentagon. That's not in the order, but that's something that I'm looking out for.
And, you know, he has tapped Rudy Giuliani, who has been one of his close advisors to be a cybersecurity advisor.
And he's going to be convening experts who are working on cybersecurity solutions
and business leaders across different industries that have been targeted by hackers,
you know, from energy to transportation,
trying to get everybody together to have this sort of brain trust discussing these issues
and make recommendations back to the
administration. So, you know, we're seeing some sort of motion on this front actually pretty
early in this administration, which maybe is to be expected after a campaign that was so dominated
by hacking news. But we're also seeing some things that might be more controversial when you have the nominee for Attorney General
Jeff Sessions submitting a testimony to the Hill that, while he understands that encryption has a
valuable and important purpose, that national security agencies and investigators must be able
to overcome encryption under lawful authority. So I think that's promising to be a pretty big issue
for security experts and the administration in the next couple of years.
John Petrick, what are you seeing in terms of reactions to possible policy directions with
this new administration? I think we're going to see more continuity than discontinuity,
actually. And you being an optimistic guy are probably looking toward a surge in restraints
on surveillance, an increase in privacy, an increase in internet security, things like that.
So you probably think that we are really living in 1789, which is when Congress passed the Bill
of Rights, especially our favorite amendment, the Third Amendment, which says,
No soldier shall in time of peace be quartered in any house without the consent of the owner,
nor in time of war, but in a manner to be prescribed by law.
So, right, you know, there's a guarantee of privacy there,
because, of course, one way in which you conducted surveillance in the 18th century
was you quartered soldiers in people's houses, so they could keep an eye on things.
But I don't think so.
I don't think we're living in 1789.
I think it's really 1791. And that's the year Jeremy Bentham began to push his idea of the
panopticon. And Bentham, of course, was a utilitarian philosopher and a political economist
who was devoted to all sorts of reform causes. And one of his causes was prison reform. And he
thought prison should be designed in such a way as to be circular, have a tower in the middle where the guards could watch all the prisoners at any given time.
And they could either keep the prisoners under continual surveillance, or more importantly, the prisoners would never know whether they were being watched or not.
So that's the panopticon. And of course, Bentham's idea was never fully implemented to his satisfaction.
But we see elements of the panopticon, I think, in cyberspace.
And while a lot of people are afraid, for example, that the NSA's got this terrific appetite for their personal information,
I think those fears are in many ways overblown.
And I think whatever appetite you see at Fort Meade for personal data is positively picky and dainty compared
to the way marketers crave your information.
So the sites follow you, they know your interests, they know your predilections, they know who
you are, what you like, what you're up to.
And do you know when you're being surveyed?
Not really, but the safe assumption is probably always.
So somewhere in utilitarian heaven, I think Mr. Bentham is smiling.
But I think there's an important distinction there. I mean, obviously, the marketers are
gathering up information about us, but the marketers don't have guns. And the feds do.
And isn't that a, in terms of, you know, we're talking about the Constitution and the Bill of
Rights. Isn't that an important distinction? Yeah, sure it is. Of course, it's an important
distinction.
But I don't think that we're going to see any major changes in surveillance policy in 2017.
I do think we're going to see a considerable increase in what marketers and corporations know about us and what they do with it.
Sarah, getting back to what we're talking about with this executive order that we're expecting today in terms with regard to cybersecurity, I think a lot of people are sort of holding their breath because with some of the previous executive orders, we've seen untraditional ways
of handling things, to say the least. Do you think that's a fair assessment?
Yeah, I think it is. I think that you've seen a very busy eight days, nine days.
I'm sort of losing track of time with all of the different executive orders that are being signed.
And just I think the pace is really dizzying to a lot of people in media these days just to try to keep up.
And I think when you when you look at some of these issues, I agree that actually there could be a lot of continuity on
the security and privacy front from the Obama administration and the Trump administration,
even though the rhetoric about it is really different. You know, you saw during the campaign
as a candidate, Trump was talking, you know, a lot about the need to go harder on terrorists.
And, you know, he called for a boycott of Apple, you know,
when they did not help the investigators get into the San Bernardino shooter's phone.
So, you know, he's taken a really tough stance.
But, you know, you could end up seeing in the end a more moderate policy on cybersecurity.
But I think that the public perception of it could be different at this time of uncertainty.
And the public view of surveillance tools that they might have said, meh, I don't really pay so much attention to this under Obama,
either whether that's for political reasons or because it just wasn't so, you know, such paired with such loud talk about it,
then maybe they might feel differently in the Trump administration.
So you're already seeing some pockets of this swirling. I mean, even with the immigration
executive order this weekend, where you have a ban on travel from seven majority Muslim countries and
on refugees, you're seeing other things paired with that, too, where the Trump administration is reportedly discussing the possibility of asking all foreign visitors to give up their cell phone contacts, social media data, whether they know that they're giving it up, you know, to a point that John made earlier, or whether they, maybe they don't know.
And, you know, what the motives are of the administration will be a big question because you still might have the same surveillance capabilities as you did before
and the same tools that the Obama administration was able to use before,
I think that people will be paying a lot closer attention to how this actually plays out,
what you can do with lawyers and what you can do with who you're targeting and why.
I think all of those things are going to be really scrutinized in the coming years.
Switching gears to some of the other things that we're certainly going to have to face in the coming year when it comes to cybersecurity issues. Everyone agrees that we're probably going to see more ransomware, more IoT attacks. John, on the threats and vulnerabilities landscape,
what other kinds of things do we need to have on our radar? I think one of the more interesting
developments that we saw over the past year, and that is certainly going to continue into this one,
is something the expert you spoke to living in 1948, and that 1949 was about to arrive.
And those years are interesting because 1949 is the year the Soviets tested their first nuclear weapon. And in Krutskikh's view, and I don't think he's unusual in Russia in thinking this,
that's the year when the Americans had to take the Russians seriously.
They couldn't ignore them anymore. They couldn't just write them off. And Krutskikh was talking
specifically about cyberspace. He says, pretty soon, the Americans are going to have to take
it seriously. And indeed, we do have to take them seriously because we saw how involved they were
in attempting to influence the American elections. So I think we're going to see this year a rise in a kind of cyber
Cold War. And we're going to see a lot of the things going on in that Cold War that we saw
going in the first Cold War. A lot of the things we now call information operations or influence
operations, well, they're really not that different from Cold War staples like propaganda,
disinformation, use of front organizations, and employment of agents of influence.
So I think we're going to see much more of that on the threat front in 2017.
I want to switch gears and talk some about workforce issues.
Obviously, we have this ongoing shortage of qualified people in cybersecurity.
Sarah, we heard people in the piece previously talk about how perhaps automation could play a part in helping to ease some of that stress with the shortage of qualified workers.
Any thoughts on how we help to close that workforce gap? Yeah, I think automation could definitely play a role.
And, you know, whether you're just simplifying the technology so that people can learn it faster, make it more intuitive.
I did a piece a little while ago about a DARPA program, that's the Pentagon's research arm,
the Defense Advanced Research Projects Agency, and how they're trying to make things as futuristic as an app store for cyber operations, where cyber attacks are depicted in, you know, maybe
something like a fire or something visual that people can intuitively
understand. So I think automation and visualization, whether it's in, you know,
the private sector or in government efforts, I think those can really play a
big role in getting more people trained up to take these jobs. Yeah, I mean, you
see some big
progress on that in the last year when you're looking at, also in the automation front, when
you're looking at the Cyber Grand Challenge that DARPA ran at Black Hat. I was there. It was
pretty crazy. You have a Super Bowl-style machine-on-machine hacking event. And, you know, the more
that machines themselves can, you know, patch, find and patch these
flaws, and humans can shift into different roles that they're more equipped to play in
directing, you know, those operations or, you know, doing analysis in more targeted
ways and not just, you know, patching things, you know, that essentially a computer
could do.
So I think it'll be really interesting to see what happens on that front.
And in D.C., policy also plays a role in that too
because federal agencies are still looking
for people to fill their open jobs.
I mean, they have some,
we did a report in Passcode about how there are still some,
I think, 1,100 cybersecurity jobs
that are unfilled in the government.
And there's also a blanket civilian hiring freeze that's been put in place in the last couple of days,
which might potentially hurt those efforts, too, that are already trying to fill talent gaps.
So, I mean, we'll have to see how some of these things play out, both in the private sector and in the government.
John, I want to switch and talk about critical infrastructure, something we only touched on in the previous segment. We have this ongoing concern. Usually people talk about power grids,
and of course we've joked about how squirrels are a greater threat to power grids so far than
cyber attacks. And snakes, don't forget the snakes.
And snakes, right? Don't forget the snakes. But as we head into this new year, do we expect to see
any significant developments with that in terms of either protecting it or perhaps some attacks?
Well, people are certainly worried about that, and with good cause, because there
have been two attacks on power grids. They were both in Ukraine and a year apart in December of
2015 and December of 2016. So that's something that people have to be worried about. And when
people talk about an attack on critical infrastructure, they always talk about a
digital Pearl Harbor. You know, are we going to be surprised? Are we going to be hit by this
devastating attack? So again, a lot of people think it's 1941. We're about to see the attack materialize over Battleship Row,
with Battleship Row for the modern age probably being the power grid.
I think there's some words of caution that are in order for that. I think in many ways,
we're not in 1941, we're in 1964, when the US Navy thought for a couple of hours
that it had come under attack in the South China Sea by North Korean torpedo boats.
And this hit a government that was willing to believe it. And we had the Tonkin Gulf Resolution
and President Johnson was authorized by Congress to go into Vietnam in a big way.
And the rest, of course, is unfortunate history. So it's possible
that we have more to worry about a digital Tonkin Gulf incident than we do a digital Pearl Harbor.
I'll give you two recent examples that point that out. You remember EyePyramid? It was the spyware
that was discovered mostly in systems belonging to the Italian government, to Italian leaders in the financial sector,
and in the Vatican. And it just looked like a state-directed espionage effort when it was
first detected. It was collecting information. That's what it was doing. It turns out that,
in fact, it was probably the work of an Italian brother and sister in their 30s and 40s who were
interested in collecting information so they could use
it for illicit trading and speculation.
So it looked like a state operation, but in fact turned out probably not to be that at
all.
And Trend Micro has just been pointing that out this week, that if you want to look for
a case study in the dangers of hasty attribution, look at EyePyramid.
Or a more interesting one in some ways for us, because it's closer to home,
is the Mirai botnet, the big IoT botnet that in October conducted a distributed denial of
service attack against Dyn that took down the internet for a great piece of North America.
Just their distributed denial of service with a bunch of dumb IoT bots sending all of this traffic.
So shortly after that, I was down in D.C. at the CyCon,
which is a pretty serious conference that was sponsored by the U.S. Army Cyber Institute
and its NATO counterpart.
And the talk of the people there was that, you know, Mirai, it's got to be state-controlled.
Almost certainly it's Russian, and it's probably a dress rehearsal
or a proof of concept for exactly the kind of digital Pearl Harbor takedown of the power grid
that everybody's worried about. So time marches on, and what happens this month? Brian Krebs,
who's not only a solid investigative journalist, but he's also kind of the patient zero for Mirai
attacks since he came under a DDoS from Mirai himself. Krebs looks into it and he traces it,
and I think pretty plausibly he thinks
that the responsible person was probably
an undergraduate in a U.S. university
who was interested, of all things,
in gaining a competitive advantage
in the Minecraft support industry.
So if you believe Krebs,
and I find him pretty convincing,
don't look at Moscow.
Look somewhere in
the general direction of New Brunswick instead, not to finger any particular American university,
but there you go. Well, I think we can all agree it's going to be an interesting year,
and we'll all do our best to help keep everyone informed on the latest news and events that are
going on. So thanks to both of you for joining us. Thanks so much for having me. Thank you. It's been a pleasure.
And that's our
CyberWire look at 2017.
Thanks to Christopher Pierson,
Diana Kelley,
Dave Larson,
Simone Petrella,
Dale Drew,
and Sara Sorcher
for joining us.
We're excited to be featuring
original music
in this special edition podcast
from local artist Ben Hobby.
If you like what you hear,
you can check out more of his stuff on Twitter, where he is at Ben Hobby. The CyberWire podcast
is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer
Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave
Bittner. Thanks for listening.