CyberWire Daily - Reports of Chinese seeding attacks on the supply chain. Five Eyes and other allies push back at Russia's GRU. NPPD to become Cybersecurity and Infrastructure Security Agency
Episode Date: October 5, 2018
In today's podcast, we hear more on the possibility that China's People's Liberation Army engaged in seeding the supply chain with malicious chips. Companies deny it, but Bloomberg stands by its story. All Five Eyes denounce Russia's GRU for hacking. Russia responds unconvincingly. And the NPPD will become a new agency within the US Department of Homeland Security, and the lead civilian agency responsible for cybersecurity and critical infrastructure protection. Malek Ben Salem from Accenture Labs on pervasive cyber resilience. Guest is Adam Anderson, scholar in residence at Clemson University's Center for Corporate Learning and founder of Element Security Group, on behavioral science and cyber crime. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_05.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More on the possibility that China's People's Liberation Army
engaged in seeding the supply chain with malicious chips.
All five eyes denounce Russia's GRU for hacking.
Russia responds, unconvincingly.
Adam Anderson from Element Security joins us to discuss the role of behavioral science in the fight against cybercrime.
And the NPPD will become a new agency within the U.S. Department of Homeland Security
and the lead civilian agency responsible for cybersecurity and critical infrastructure protection.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, October 5th, 2018.
Bloomberg's reporting on a Chinese seeding attack on motherboard supply chains
is still developing. Bloomberg is standing by its story. Amazon and Apple, both cited in the
reporting as having noticed the malicious chips and reported their presence quietly to U.S.
authorities, flatly deny the story. The U.K.'s National Cyber Security Centre says it has no reason to doubt Amazon and Apple.
Amazon says the only issues it found with Supermicro products were some application and firmware issues, relatively minor and swiftly fixed.
Apple says that they have, over the course of Bloomberg's investigation, repeatedly and on the record given them information that refutes the central claim of the story.
Apple thinks maybe Bloomberg is confusing this story
with a single incident in which Apple found
an accidentally infected driver on one Supermicro server
they had in one of their labs.
Bloomberg sourced its story to anonymous U.S. officials and industry figures.
It's not identifying them, Bloomberg says, because of the sensitivity of material they discussed,
but it is standing by the story.
They report that the evidence points to an attempt to gain long-term access
to sensitive government data and valuable intellectual property.
Both Amazon and Apple categorically and unambiguously say that there's nothing to the Bloomberg story,
and it's unusual for companies to issue that kind of denial casually.
But Bloomberg's story is difficult to dismiss out of hand.
They say that their sources include people within the companies who are denying the incident.
However the story eventually settles,
concerns about Chinese involvement in the supply chain are unlikely to be resolved quickly.
Lenovo and ZTE, neither of which is mentioned in Bloomberg's report, have already seen their stock prices punished today as speculators clearly think the entire Chinese hardware industry is likely to suffer.
The global supply chain is thoroughly international, and it will be difficult to disentangle, but it seems likely that many countries will try to bring more aspects of hardware manufacturing home.
The exposure and denunciation of hacking by Russia's GRU that came this week from several Western nations is being regarded as a hard push back at Russia's assertiveness in cyberspace and offers a good example of what imposing consequences can look like.
It is, as Reuters put it, a coordinated effort to expose GRU hacking and misconduct generally.
Some of the harshest language came from the United Kingdom,
which characterizes Russia as a pariah state.
The most immediate consequences were imposed by the Netherlands,
which expelled four GRU officers under conditions that reflected no credit whatsoever on Russian military intelligence competence and tradecraft. The most comprehensive response
came in the U.S. indictment of seven GRU officers, who are, to be sure, unlikely to appear in a U.S. court,
but will now have American teeth in
their lives essentially forever. The three other Five Eyes joined the U.S. and U.K. in denouncing
the Russian organization. Canada assessed with high confidence that the Montreal-based World
Anti-Doping Agency was among the targets, and Australia and New Zealand offered their own condemnations.
Australia chided that cyberspace wasn't the Wild West,
which seems unfair to the actual Wild West,
but we're far enough east that we'll let that one pass.
The GRU techniques have been detailed in U.S. documents.
They seem to have done quite a bit of brazen war driving,
physically parking in front of hotels and other locations where
they expected their targets to be using poorly protected Wi-Fi access points.
It's pretty brazen stuff.
Indeed, it's the stuff that got several of them caught red-handed.
The informational aspects of this conflict can't be lightly written off.
Ridicule and embarrassment are among the consequences Western governments quite wittingly impose.
The GRU is convincingly portrayed as a crew of vicious stumble-bums.
They would be hilarious, a Times of London op-ed says, if they weren't so sinister.
And it's no accident, surely, that so much commentary has linked today's GRU to its even more sinister predecessors in Russian and Soviet history.
Russian counter-thrusts in this information battle include angry dismissal of the accusations,
angry and aggrieved, but also mocking. The Russian foreign ministry called the whole shebang a
diabolical perfume cocktail emanating from someone's rich imagination. This response seems to be reaching
the limits of its usefulness. Soviet propaganda usually had some legs no matter how preposterous
it became, in part because of the ideological cult that underpinned the communist regime.
It's not clear that President Putin can count on similar reinforcements.
There was a communist international.
It's not clear that, except perhaps in a few tax havens, there's really an oligarchic international,
and weariness with political classes may prove unlikely
to sustain any implausible systematic messaging.
And some of the information operations take the form
of an elaborate and phony tu quoque.
Moscow has made the fairly preposterous claim that the U.S. is running a secret biowar facility in the country of Georgia.
There's a certain symmetry with the well-founded British account of the Tbilisi facility, established in 2013 and named in honor of former U.S. Senator Richard Lugar, who was instrumental in working to secure the very active biowar program left behind when the Soviet Union broke up.
Russia's Ministry of Defense hopes Georgia and the U.S. will come clean in an investigation.
The Pentagon calls it all hogwash.
An international investigation is unlikely.
The Department of Homeland Security's National Protection and Programs Directorate
will become the Cybersecurity and Infrastructure Security Agency.
The U.S. Senate has unanimously passed
the Cybersecurity and Infrastructure Security Agency Act of 2017,
a bill that cleared the House, also unanimously, late last year. This will make the newly named
Cybersecurity and Infrastructure Security Agency the lead civilian agency for cybersecurity
and critical infrastructure protection. And finally, Elon Musk is unhumbled by his
encounter with the Securities and Exchange Commission over his tweets that appeared to speculate about Tesla.
He's been back on Twitter, trolling the SEC as the Short Seller Enrichment Commission.
And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. She's also a New America Cybersecurity Fellow. Malek, welcome back. Over there at Accenture, you're securing the enterprise today, but how are they building cyber resilience in order to secure the future enterprise?
As you know, companies are racing to adopt new IT-based business models in order to achieve higher growth.
But they're not prepared for the new risks that come with those business models.
And I'm thinking of the increased connectivity, the increased risk due to the automation of
processes, and the risks that come from the intelligence being used to derive automated
decision-making through data.
And as security professionals, we keep reiterating the message that companies ought to be cyber
resilient, that they need to infuse security into everything they do today, but also into
everything they do or they're preparing to do in the future.
And so through that survey, where we interviewed about 1,400 C-suite executives, including CISOs about how they prioritize security and the business initiatives,
how their security plans address future business needs, what security capabilities they have,
and the level of internal and external collaboration that they're working on for security, we found out that only 38% of companies bring the CISO into all discussions at the beginning stage of considering new business opportunities.
So there is a lot of room for improvement if companies are serious about building cyber resilience, not just for today,
but for the future, as they consider new business opportunities, they need to get CISOs involved
into that discussion. I can certainly understand that impulse that we want to get out there,
we want to start doing business, we want to beat the competition, be first to market and all those sorts of things. But you're saying that that
might not be a successful long term strategy. Absolutely. I think companies ought to be
thinking about all the implications of new business initiatives. And we actually dug deeper into what this means for companies.
And we asked the survey respondents about individual technologies that they're thinking
of adopting in the future and how much they think they're already protected for those
types of technologies.
So we asked about things like robotics, virtual work environments,
obviously IoT, cloud services. We found out that there was an acknowledgement that for certain
technologies, these organizations didn't feel as protected or adequately protected. And that
appeared clearly, for instance, for virtual work environment,
where 42% of the respondents said that they don't think they're protected. On the other hand,
they thought that for the adoption of IoT and IoT devices, they think they're much more protected.
What's interesting also to me is that for AI technologies, that was one of the
technologies where the survey respondents felt very confident that they're protected,
which I found very interesting and which I think is a blind spot to them, particularly as we start, as a security research community,
starts being more involved into the issues of AI security and how machine learning models need to
be protected. This is a very nascent field that's being looked at by the research community.
So I think for AI in particular, there is an overconfidence that this technology
is protected versus what we think as a research community that this AI technology actually is
creating a new attack surface for companies. Malek Ben Salem, thanks for joining us.
My guest today is Adam Anderson. He's scholar in residence at Clemson University's Center for Corporate Learning and founder of Element Security Group. Our conversation focuses on
his efforts to integrate behavioral science into the fight against cybercrime.
I've gotten very frustrated with the arms race of we develop new security measures and they develop ways to get by it.
And I constantly felt like I was losing no behavioral science, talking to people about what good cyber hygiene is, how to act correctly, that I felt that I was actually having an impact.
And that really showed inside of small and mid-sized businesses.
I feel like the enterprise typically does a fantastic job building a cyber fortress and keeping the gates shut. But with supply chains and trusting vendors,
I find that the small business is really the big security risk that I'm most interested in. And for
those guys, you move the needle with behavioral science, not with spending a lot of money on
technology. Yeah, I mean, it strikes me that the folks, like you say, the small business people
are the least prepared, certainly budget-wise, to build that moat around their business.
Why do you find that behavioral science gives them the best bang for the buck?
Well, because they have messed up beliefs. There's not a CSO in the Fortune 500 that's not going to
have a voice with the executive
management staff. They're going to be able to say cybercrime is important and everyone nods their
head and says yes. But for a small business owner, they have three core beliefs that screws everything
up. They think they're not important and no one's looking for them. They think they have nothing
anyone would want. And they think, hey, there's nothing I can do to stop you guys anyway.
So that leads a victim mentality on the table that they put their head in the sands and they just don't act. So let's walk through those one by one. What are the ways to combat those beliefs?
The thing is, is they're correct beliefs or just old beliefs. A small business owner is going to
think I don't have intellectual property or a whole lot of data that a hacker is going to want to steal and then sell on the black market.
And so my message to them is like, hey, you're absolutely right.
But you know what you have?
You've got money and they're going to screw with you until they get you to actually pay them something.
So the mind shift that happens on those three beliefs, at least the first two, is to say, you know, you do have what you want.
And if you have low self-esteem, good news, you're just what the cyber criminal is looking for.
So at the end of the day, the first two are all about changing the mindset from I've got intellectual property or I've got trade secrets that people want versus I've got cash flow and money and I can buy bitcoins and send them.
Do you suppose some of this is sort of paralysis?
You mentioned thinking that there's nothing that they can do about it.
And it strikes me that maybe they don't have to build that fortress around their business.
It's kind of that old joke about, you know, I don't have to outrun the bear,
I just have to outrun you. Exactly right. If the business down the street is less secure than I am,
they're going to be easier pickings. Yeah, I use an analogy with them with fly fishing,
where the hacker walks up into a mountain stream, has got a fly fishing rod, and to me,
that's witchcraft technology. I've never been able to get that to work.
And they are hunting fish individually.
And when they catch one fish, all the other fish are safe.
But I tell them the things have changed.
It's not a guy in a stream anymore.
It's a guy on a trawler. It's a lower skilled person pulling a giant net behind a boat and catching all of the fish.
So the I cannot run the bear thing, that doesn't work.
You need a new skill set, how to avoid nets and then escape them or recover after you've been in them.
How do we go about getting this message to sink in without just spewing FUD at these people?
Right. So FUD will only take them so far. And I tell folks that, especially small business owners,
if you're buying based on fear, then you're buying the illusion of security. And if you're buying based on compliance,
you're basically securing someone else. And if you don't think of this as just another business
process like sales or marketing, you're going to suffer analysis paralysis. So when I can pull them
away from thinking about the technology and say, look at business processes, understand which ones are important, and then find a smart cybersecurity person to apply the correct security controls to keep your processes running.
That they are very excited about because they understand business process.
And I say, don't worry, you don't have to understand the technology.
You just have to tell the cyber expert what you need to protect. So that mindset, I mean, what it sounds like
you're describing is not unlike, you know, a lot of small businesses will hire an outside
accountant to take care of their accounting. They don't want to hire a full-time person. They'll
hire an outside attorney. They don't have the funds to have someone on staff all the time. Cybersecurity should be given the same approach. Yeah, I tell folks there's four
key things a small business needs, a banker, insurance agent, a CPA, and a lawyer. And I
believe the future for small business is also going to be a fractional chief security officer
where you're going to approach that person. They're going to help you build a business continuity plan. They're going to keep it updated to help you build your
disaster recovery plan. And then they're going to manage the vendors for you. So very much like you
said, we're going to add a fifth key role that every small business is going to have in the
future. The message I give to folks, as I say, look, spend somebody else's money.
Be Yoda, not Luke. Go to the marketing person who makes all of the technology purchases at this
point and has the CFO's ear and say, you know that new mobile initiative you're trying to do
and make all of our stores, point of sales are mobile and all that. You know, there are some
cybersecurity stuff that we don't take care of. Your project might stop.
But hey, it's not my call.
I'm here just to tell you what's going on.
But maybe we should go ahead and ask for another million dollars to fund this project to make
sure you don't have a failure in two years.
So the idea here is the CIO, CSO needs to partner with the other C-suites and align the cybersecurity initiatives up with the stuff that the other C-suites are doing.
Because when two CXOs come in and talk to the CFO and they're on the same page, it's really hard for the CFO to say no.
Our thanks to Adam Anderson from Element Security Group for joining us.
You can learn more about what he's up to at elementsecuritygroup.com. And that's the Cyber Wire. For links to all of
today's stories, check out our daily briefing at thecyberwire.com. And for professionals and
cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.