CyberWire Daily - Alleged DIA leaker. Europol cybergang study. Protecting the DIB. Chinese information operations.
Episode Date: October 10, 2019. A US Defense Intelligence Agency analyst has been charged with leaking national defense information. Europol releases its 2019 Internet Organized Crime Threat Assessment. NSA Director Nakasone says the Agency's Cybersecurity Directorate will first focus on protecting the Defense Industrial Base from intellectual property theft. CISA wants subpoena power over ISPs. And US companies are criticised for caving to Beijing's demands. Robert M. Lee from Dragos on regulations vs incentives when securing the electrical grid. Guest is Robb Reck from Ping Identity with results from their CISO Advisory Council's new research on Securing Customer Identity. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A U.S. Defense Intelligence Agency analyst has been charged with leaking national defense information.
Europol releases its 2019 Internet
Organized Crime Threat Assessment. NSA Director Nakasone says the agency's cybersecurity directorate
will first focus on protecting the defense industrial base from intellectual property theft.
CISA wants subpoena power over ISPs, and U.S. companies are criticized for caving to Beijing's demands.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, October 10, 2019. A U.S. Defense Intelligence Agency analyst has been charged
with two counts of willful transmission of national defense information.
The government alleges that Henry Frese gave two reporters highly classified material.
The Washington Post says Mr. Frese was interested in advancing the reporters' careers.
One reporter worked for CNBC, the other for MSNBC. The indictment doesn't name them, calling them simply Journalist 1 and Journalist 2,
and while we'll follow that proper circumspection, their identities are being fairly widely reported.
Journalist 1 is said to have been in a relationship of some sort with Mr. Frese
and is said to have introduced him to Journalist 2, described as more senior.
The head of counterintelligence for the FBI's Washington field office,
Alan E. Kohler Jr., told the Washington Post that, quote, Mr. Frese not only provided this
information on his own, but the government believes he was taking direction from members
of the media, end quote. Those members would have been Journalists 1 and 2.
Some of their reporting cited sources with direct knowledge of U.S. intelligence reports
and sources who have seen U.S. intelligence reports, which is one way of putting it.
The government has said it didn't access the journalists' phones or other devices.
How did the feds determine that Mr. Frese was allegedly up to no good?
Special Agent Kohler explained to the Post, quote,
He was searching for and accessing information that he had no reason to access.
He did not need to know the information in the intelligence reports, end quote.
Two aspects of the case are attracting comment.
First, it's being compared to the case of Reality Winner,
also prosecuted for leaking classified material to journalists.
Second, it's drawing observations about the use of honey traps,
a long-standing technique in espionage,
but perhaps a characterization that's unfair in this incident involving working journalists.
Still, maybe Ms. Benatar had it right.
Love is a battlefield.
Europol's 2019 Internet Organized Crime Threat Assessment is out.
Its conclusions are unsurprising but worth mentioning.
Ransomware remains the biggest criminal problem,
and organized crime continues to defraud e-commerce and financial organizations.
While ransomware attacks have decreased in volume,
they've increased in targeting and sophistication, leading to greater financial losses.
This is largely due to the fact that attackers are increasingly targeting organizations rather than individuals.
In addition to ransomware, the report highlights DDoS attacks with extortion as a motive.
As gangs become more audacious and sophisticated,
Europol wants to enhance its ability to investigate crimes touching the dark web and cryptocurrencies.
U.S. NSA Director Nakasone said yesterday that the first priority of NSA's new Cybersecurity Directorate
will be to shore up the defenses of the defense industrial base,
with particular attention paid to securing the companies in the DIB from intellectual property theft, MeriTalk reports.
We hope to learn more about that mission today after we hear from Cybersecurity Director Anne Neuberger.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency
is also interested in securing businesses, and it's pursuing some expansive authorities to do so.
CISA is interested in obtaining power to issue subpoenas
that would enable it to inspect networks and systems that may have been compromised
or that may have been subjected to cyber attack.
The proposal, just revealed, is already drawing controversy.
Ping Identity recently published research from their CISO Advisory Council
titled Securing Customer Identity Data. Robb Reck is Chief Information Security Officer at Ping Identity.
Interestingly enough, to start it off, there were two different surveys that we reference in the
paper that give two really interesting data points. Number one, they say that 73% of consumers
say that good experience is key to brand loyalty.
They're not going to stick with you if your experience is bad.
Number two, 70% of consumers, so 73 versus 70, 70% say that they would be more likely
to buy from retailers when they assure them that the data is secure.
So those two things tell you you got to have a good experience and you want to make the
data secure.
Initially, you might expect that those things are going to have really different outcomes, right? Good experience
versus security. We don't necessarily think that that's going to be the case in all the time,
though. So as we talk to these different companies, and interestingly, if you look at the
paper, we have four different companies that we tell a little bit about their story. So Blue Cross,
Blue Shield of Tennessee, American Red Cross, Allegiant Air, and PowerSchool. And what's interesting is when they talk about customers, it doesn't necessarily
mean the same thing. You know, everyone, I think when you think of online customers,
you're probably thinking about like a retailer, someone who sells knickknacks. But for a healthcare
organization, that's different. For a volunteer, you know, American Red Cross, it's going to
be your volunteers that are your customers, or maybe it's volunteers plus it's also the people who you're helping.
If you're at an airline, it's people who are traveling. PowerSchool, it's teachers and
students. And all of these have really different use cases. The thing that kind of ties them
all together for us is what we realized during this process is the use cases are different,
but all of them are where the value for your organization resides. Like this is, this is what your organization exists to do to serve these
customers. And we were so excited to see that this is a way from the CISO that the CISO can go from
that back office support functionality to the front lines of offering the highest value stuff.
It's kind of a strategy, right? To say, well, we're going to do authentication,
but we're not going to just do the highest level of authentication for everything where we may do biometrics and make you give us a blood sample.
But we want to say, you know, if you're, you know, let's talk about medical, right?
If it's someone requesting highly sensitive medical information, we probably do need a high level of assurance that might include multi-factor authentication.
But if what they're looking for is, like, a listing of medical providers in their area, we could
probably have a lower level of requirement there, right?
Yeah, I mean, it's an interesting thing. As I think about my own experience, I think, in a way,
we're conditioned to have so many of these online interactions be in some
way frustrating or come up short that when that doesn't happen, when we have
something happen seamlessly without any speed bumps, you walk away with a feeling of delight,
like, wow, that actually worked. The fact that you just said that, I love that you said that
because this is a place where security teams who were so often the bad guy in the back corner
have a chance now to actually go impact your business in a positive way.
Let's go into the – imagine being the CISO who walks into the COO's office
or the CEO's office and says, hey, I got a way that we can delight our customers
and we can also make it more secure along the way.
That's a really powerful conversation that can get us a seat at the table
we might not otherwise have had.
And so what is the change here?
What's different in the way that you're recommending approaching these sorts of security elements,
that you can dial it in that way?
Well, so really what the change is, we actually have five steps to kind of starting your program here.
And it starts off, you know, like any other thing, with really knowing your current state.
I say that in it, you know, as we talk to our council members, and as we talk to other folks in the
industry, it's just really common that folks don't actually know where customer data is,
or they don't know, they're not the ones who own it. They just got to really,
security has to step in and say, I want to understand the current state. That's step one.
And it might sound simple, but it's not as easy as it sounds. Step two is really assigning ownership for that data. I guarantee you right
now in an organization that hasn't already gone through this maturation process, there's different
pools of data that are stored, that are owned by different groups, whether that's marketing,
IT, your web development team, maybe product, those different groups have different purposes for it.
And you really want to assign a central ownership to this data
so that you can actually apply some standards to it
and actually do things in a consistent manner.
Once you have that central ownership,
we go to step three, which is let's simplify.
Let's not have this data in 12 different places.
Makes it a whole lot easier for bad guys
to get something that's accidentally not secured.
Let's find a central place to put it.
And whoever owns it, there's not a right or wrong answer here.
Marketing can own it.
Product development can own it.
Security or IT can own it.
But it should be in one place and they should understand what data they have there.
And this is, of course, critical to complying with things like GDPR and CCPA as they're
coming down the pipe.
And then once you have a central owner, you have a central place to store it, and then you want to define your process
for the future. How do we avoid this issue where in order for the business to go fast, they create
brand new kind of one-off solutions that are building us new tech debt? So the process has
to include all the right stakeholders. Don't forget about, you know, the fact that sales wants to go fast, marketing, new product development,
the CEO is going to have a stake in saying, let's do a new fast thing. Let's create a process that
enables the speed you want, but that can be flexible within that central repository that
you have. So everything's there and everything's manageable, right? And then the last element,
you know, now we have a process and then we say,
okay, well, how do we get smarter with, as we're securing individuals out here, smarter around the
authentication we already talked about, where we're applying multi-factor to those high risk
transactions, not to everything else and smarter to identifying what does risky behavior look like
in our organization? In a medical place, it might look like someone submitting, you know,
fraudulent claims. In a school environment, it might look like someone going and changing grades inappropriately.
What does fraud look like in your organization? And use that central repository and the learning
that you can put on top of that to help identify that high-value fraud or that high-value
inappropriate activity that you could see on that customer data. That's Robb Reck from Ping Identity.
We're discussing their CISO Advisory Council's new research on securing customer identity.
Some of the concerns about the supply chain center on fears of the sort of attack Airbus
and some of its subcontractors recently sustained.
But there are other concerns, too, about the software supply chain,
especially the prospect of buggy open source code finding its way into larger projects.
A study of code snippets available in Stack Overflow confirms that quality control is a small but real problem.
But apparently developers tend to think the propagation of such vulnerabilities is an acceptable cost when balanced against the benefits of fast coding and project completion.
And finally, China is enjoying some public success
suppressing expressions of support for Hong Kong protesters in Western corporate circles.
Apple has removed a police tracking app used by protesters, Quartz reports,
and a bipartisan group of U.S. senators and
representatives thinks that the NBA has joined Team Beijing. CyberScoop says NSA Director Nakasone
yesterday accused China of weaponizing information with respect to the Hong Kong protests,
and it certainly seems to be the case that the Chinese government is succeeding in getting some
of its trading partners to carry water for them. Those who think information operations are necessarily subtle or deniable
will find a clear counterexample in the pressure currently being exerted by Beijing.
Joining me once again is Robert M. Lee.
He's the founder and CEO at Dragos.
Robert, welcome back.
I saw you'd made some comments on Twitter recently about regulations in the electrical sector and the difference between regulations and incentives.
Take us through what you were getting at here.
Regulations can set a good base for what we expect to be done,
either programmatically or performance-based,
on what actions and
minimum standards we want companies to comply with.
And across the U.S. electric grid, they've been doing that for over a decade now with
the NERC CIP regulations.
And they do set a strong base standard of what we want to see, like two-factor authentication
for communications into a control center.
The problem, though, is that regulations only can apply to a past state
that we're interested in. In other words, it's not good at predicting where we need to be.
It's not good about allowing innovation. It's saying, hey, here's what we have perceived to
be a good base. Previously, let's work towards that. This is ultimately a good thing, but we
must understand that regulations can't regulate out the human adversary. They can't, regulations themselves can't protect us.
They can just apply sort of a base level of defensibility and opportunities for defenders.
And in that way, I think that some industries could still do with some regulation,
not a huge regulatory van, but there are decentralized industries where that might make sense.
But in certain industries where it's much more centralized and a community driven, and maybe even that we've
already had regulations, we need to open it up for incentives instead. In the case of the U.S.
electric sector, I testified in front of the Senate that we needed to take a pause for a while.
New regulations in the power sector come out every two to four years, and that creates an extreme
pressure on the companies to keep up with
regulations instead of focusing on new innovative ways to do security. And it would be beneficial
to take a three to four year period where we stop coming up with new regulations,
allow the companies to do anything for security that they deem appropriate for their companies,
and then have those lessons learned and extract out best practices from that instead of just trying to focus on regulation.
I'm thinking of the political incentives here that if I'm a politician, it's easier for me
to get hit by saying, well, why didn't you regulate these people? Why did you just let
them run free and do whatever they wanted to do? That's actually exactly why this still happens.
And I've talked to just about everybody in this discussion in terms of like sides of the conversation from the government to regulators to asset owners.
And that's entirely what it comes down to.
Usually we know that the regulations have been good, but nobody wants to be the person that suggests less regulations.
The power company doesn't want to say, hey, you know what?
We've kind of exhausted this, because then they don't look willing to move the needle. The government doesn't want to say, yeah, let's take a break on
this, because if a cyber attack happens, they look like a weak, you know, administration or
a weak party on taking action for security. The regulator doesn't want to not do regulations
because those regulators are generally political appointees and they're only
there for three to four years. So the idea of not doing anything for three to four years looks very
bad on them and their party. And this was their opportunity to get involved and try to influence
change. It's a tricky subject because quite frankly, everybody is incentivized to do regulations,
whether or not they do anything for anybody. I think they have been beneficial, to be honest.
Our power grid today is much better off than what it was a decade ago.
But there is a time to say, OK, folks, let's work towards programmatic regulation
or let's work towards incentivizing through tax credits or programs from the government to find new best practices and innovation and security
that's going to be cool and exciting and helpful instead of checkbox.
Interesting stuff. Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.
We'll see you back here tomorrow.