CyberWire Daily - US Clean Network program outlines measures against Chinese operations. $10 million reward offered for info on election interference. Australia’s cyber strategy is out. Grand larceny and petty lulz.

Episode Date: August 6, 2020

The US announces five new lines of effort for the Clean Network program, and none of them are exactly mash notes for Beijing. The US is also offering rewards of up to ten million dollars for information about foreign computer crimes aimed at interfering with US elections. Australia’s new cybersecurity strategy is out. Maze may have hit Canon. Rob Lee from Dragos addresses speculation of an ICS supply chain back door. Our guest is Theresa Lanowitz from AT&T Cybersecurity on 5G security threats to businesses. And a bail hearing is disrupted by Zoom-bombing. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/152

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:34 The U.S. is also offering rewards of up to $10 million for information about foreign computer crimes aimed at interfering with U.S. elections. Australia's new cybersecurity strategy is out. Maze may have hit Canon. Rob Lee from Dragos addresses speculation of an ICS supply chain backdoor. Our guest is Theresa Lanowitz from AT&T Cybersecurity on 5G security threats to businesses. And a bail hearing is disrupted by Zoom bombing.
Starting point is 00:02:32 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 6th, 2020. U.S. Secretary of State Pompeo has announced five new lines of effort under the U.S. Clean Network program. These include Clean Carrier, aimed at disconnecting untrustworthy carriers from U.S. telecommunications networks; Clean Store, which would remove untrusted applications from U.S. mobile app stores; Clean Apps, intended to prevent untrusted smartphone manufacturers from pre-installing trusted apps in their own app stores; Clean Cloud, which would keep U.S. personal data and intellectual property out of adversaries' cloud services,
Starting point is 00:03:17 and Clean Cable, which would ensure that undersea cables aren't compromised by hostile intelligence services. All these measures are directed at China, and the Secretary's published announcement is quite explicit in this respect. Quartz calls it a new Great Firewall, and then, mixing its metaphors, a digital Berlin Wall. Great Firewall, okay, maybe, but not a Berlin Wall, since the literal Berlin Wall was designed to keep people in, not to keep people out. The Secretary of State has invited friendly nations to participate in these lines of effort.
Starting point is 00:03:54 The U.S. State Department is also offering bounties of up to $10 million under its Rewards for Justice program for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities. The tone of the announcement suggests that Foggy Bottom is more interested in hackers than it is in influencers. The text says, quote, persons engaged in certain malicious cyber operations targeting election or campaign infrastructure may be subject to prosecution under the Computer Fraud and Abuse Act, which criminalizes unauthorized computer intrusions and other forms of fraud related to computers. Among other offenses, the statute prohibits unauthorized accessing of computers to obtain information and transmit it to unauthorized recipients. So, they've got their eye on doxing more than they do on trolling,
Starting point is 00:04:52 although one imagines that if you had a hot tip that someone was working for a troll farm in St. Petersburg or Shenzhen, they'd be willing to listen to you. The offer has particular resonance, given Fancy Bear's exercise in publishing the contents of Democratic Party emails in 2016, and more recently the conclusion British authorities have reached that one of the bears was rooting through cabinet email accounts during the UK's last general election. Australia's new cyber security strategy is out. It represents a shift towards what others have called a whole-of-nation approach,
Starting point is 00:05:29 with much initial emphasis placed not only on federal responsibilities and on what can be done by state and territorial governments, but also on the contributions the government hopes to encourage and enable for private organizations and individuals. Thus, the document contains a great deal about information sharing, resilience, and recovery. There's also evidence that Australia is interested in moving toward an assertive posture in cyberspace, with an explicit reservation of a right of retaliation
Starting point is 00:05:58 within the context of international norms. The document says, quote, Australia will continue to encourage the international community to act responsibly online, including by complying with existing international law, domestic law, and norms of responsible state behavior. The Australian government will ensure that Australia is not seen as a soft target and will continue to publicly call out countries when it is in our interest to do so. The Australian government will match its public statements with action through a range of targeted and decisive responses
Starting point is 00:06:31 against unacceptable intrusions or activity in line with Australia's statement of principles on cyber deterrence. We work to actively prevent cyber attacks, minimize damage and respond to malicious cyber activity directed against our national interests. We deny and deter while balancing the risk of escalation. Our actions are lawful and aligned with the values we seek to uphold and will therefore be proportionate, always contextual, and collaborative. End quote. One interesting sidelight is the strategy's awareness of the ways in which the COVID-19 pandemic has sharpened awareness of just how the national life, social, economic, and political, has come to depend on connection through cyberspace.
Starting point is 00:07:17 The 5G rollout continues at a rapid pace globally and here in the U.S. The upgrade provides opportunities for security enhancements for sure, but there are security concerns as well. Theresa Lanowitz is head of evangelism and communication at AT&T Cybersecurity. So 5G is real. I think a few months ago people would say, well, 5G is on its way, but 5G is here and it's real. And if you look at 5G, these 5G standards are
Starting point is 00:07:47 dynamic as all standards are. Those 5G standards address the known 4G vulnerabilities and 5G networks are really being architected with more security than any previous generation of network. However, when you look at that, businesses still have to be able to prepare for security threats, whether those security threats are existing threats or new threats. And those businesses have to be able to adjust their cybersecurity policies and cybersecurity practices accordingly. So if you think about what 5G is going to allow with its ultra low latency and high bandwidth. It's going to say, all right, IoT is going to be real. So we're going to have that expanded attack surface because we're going to have all of those IoT devices
Starting point is 00:08:34 now connected to the network. But that expanded attack surface means there are going to be opportunities for new threats to emerge, as well as for the proliferation of those existing threats that we may not necessarily have gone back and patched. So ultimately, what has to happen with cybersecurity and 5G is security needs to be dynamic, and it needs to be automated in order to really accommodate the scope and the potential speeds of those 5G networks.
Starting point is 00:09:04 You know, there are a handful of the large mobile service providers who are going to be implementing this, who are making the investments on this infrastructure. And certainly, you know, AT&T is one of them, is one of the largest. How do you recommend that organizations reach out to educate themselves, to find out how they can best leverage this new infrastructure that's going to be part of our day-to-day lives? You know, there is a wealth of information out there about what 5G is, but you also have to look at it and say, how is 5G going to work with my existing security practices? Or do I have to modify my existing security practices? So it comes down to, from the data inside of our research that we did, 25% of participants believe that their current security
Starting point is 00:10:00 policies will be effective under 5G. So that's a fairly low number. 53% think that they're going to have to make some adjustments. So they're saying, you know, we're in pretty good shape, but we're going to have to go back and make some adjustments to adapt to 5G. And 22% said they expect that their security policies will need to be completely rethought. And so I think as organizations continue with their rollout of 5G, they have to really make sure that their cybersecurity team is involved with what is happening with the rollout of 5G. That's Theresa Lanowitz from AT&T Cybersecurity. Bleeping Computer reports that Canon, the Tokyo-based multinational imaging and optics firm,
Starting point is 00:10:43 has been hit with Maze ransomware, and a number of its internal services appear to have suffered disruption. The Maze gang contacted Bleeping Computer and claimed responsibility. They also claim to have obtained 10 terabytes of company data, which they intend to release if they're not paid the ransom they've demanded. Claims by criminal gangs should always be received with an appropriate degree of skepticism, but in this case Maze may indeed have what they claim. Canon says it's investigating. And finally, in what seems an almost inevitable development,
Starting point is 00:11:19 yesterday's bail hearing for accused Twitter hacker Graham Ivan Clark before the Hillsborough County, Florida court was held remotely by Zoom. Master Clark was seeking a reduction in his $725,000 bail. You'll never guess what happened. Really? Come on. Try. What do you think happened? You know you want to guess.
Starting point is 00:11:42 Okay, we'll tell you. The Tampa Bay Times says that the court session was Zoom-bombed by cyber-funsters who displayed adult content on everybody's screens until the judge could step in and suspend the proceedings. The story has attracted international attention, with The Telegraph, a British paper,
Starting point is 00:12:04 taking specific notice that the content came from Pornhub. Apparently, a lot of reporters were on the Zoom call, and far too many of them sniffed that they found the adult content relatively tame. We don't know whether that says more about the Zoom bombing or about what reporters do in their off hours. You decide. But it seems to suggest that they're seasoned critics of the genre.
Starting point is 00:12:29 What happened with bail? Dunno. That part of the story somehow got lost in the Zoom bombing sauce.
Starting point is 00:14:51 And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always great to talk to you. I saw some interesting stuff coming by about some speculation in the ICS community that there might be some vulnerabilities, and I believe it was in transformers. And, boy, the media really ran with this story. And you jumped in and sort of said to folks, hey, not so fast.
Starting point is 00:15:33 Let's not get carried away here. Can you give us a little bit of the background as to what was going on? Yeah, so there is a lot of things converging and accidentally getting conflated. And so it's understandable where people would be confused of the story. But there are separate threads that if you haven't been drenched in the community of ICS and following that, again, it's understandable. So I don't want to make anybody feel bad. But yes, things are getting conflated. So you have an executive order that came out from the White House talking about the criticality of getting control of our supply chain as it relates to our critical national infrastructure, starting with the bulk electric system.
Starting point is 00:16:19 So electric power providers and just understanding what's there and what's the risk. Part of that risk is adversarial, but part of that risk is also just delivery of the supply chain of if we lost a transformer due to any given physical event. If you have to wait six months on one to get delivered from China, adversarial or not, that's a supply chain risk. So there's that category. Essentially what the EO was talking about was, hey, we need to take a look at this, and we need to understand what's going on, and we need to encourage U.S.-made parts going into our critical national infrastructure. It makes sense. Many reasonable countries are doing this exact same thing. The U.K. is doing the exact same thing with the NCSC in different ways, but they're doing the same intent.
Starting point is 00:17:01 However, people then started twisting that EO and conflating it with other things. So first and foremost, a number of media sites jumped on and said, yeah, this is about China. No, it's not about China. Sure, there have been things with China before, and there are questions about Huawei and ZTE and similar, but it's not about them. Well, it's about Russia and Kaspersky. No, there's been comments about Kaspersky and so forth. That's not what this is about. It's about everyone. It's not any given country. Sure, there might be more concern from the adversarial side about things with China, Russia, Iran, etc.
Starting point is 00:17:32 But the EO isn't about one topic. There's a lot of things that have gone into it. But what you're referring to explicitly that really got things carried away is a gentleman in our community, Joe Weiss, who's a very well-respected ICS security person who's been around this community a very, very long time. He made a very sensational claim that the EO was tied to the seizure of a transformer coming from China, that the Department of Energy seized this transformer because of an event at, and he named the utility, Western Area Power Administration, he named WAPA and said,
Starting point is 00:18:13 WAPA found hardware backdoors in a Chinese transformer. DOE seized it. EO came out to have a reaction to this. And the hardware backdoors would allow China EO came out to have a reaction to this, and the hardware backdoors would allow China to remotely cause a destructive event on our key infrastructure like an Aurora event. And just in that two sentences,
Starting point is 00:18:35 you have 15 years of lots of topics getting inflated. And what I want to say here, and I want to remove it from Joe, Joe's a really good person who's well known in this community and has been in this community for a long time, and he cares about things that a lot of the community aren't focusing on right now. I'm not so sure they're the right things. I'm not weighing it one way or the other,
Starting point is 00:18:59 but he's focused on things like sensor security which isn't the conversation most of us are prioritizing or having, myself included. And so I wanted to look at it as unbiasedly as possible, because I like Joe. And so I knew a lot of things were getting inflated, but the question is, is that okay? Is the conflating of the topics okay?
Starting point is 00:19:19 Is it getting to the right place? Are we going to make investments in defense in the right ways anyway? Let's analyze this. So Jeff and Tim Conway and I over at SANS, the SANS ICS team, we took a look at it. We contacted everyone we got in the community. We are very familiar with what you can do from an Aurora effect, which is actually a physics challenge. It's not a vulnerability in electric infrastructure. It's just a discussion of physics and electric power. We looked at that type of transformer and that type of equipment and what you could and couldn't do with it. I called around the White House and DOE and executives everywhere to like, hey, what's going on? And got drenched in what
Starting point is 00:20:00 really the EO is about and similar. And where we came out is very simple. There's kind of multiple threads here. Thread number one is that U.S. government has gone to electric power companies before and said, please don't use X product or X thing, and we're going to tell you this in a classified manner. But then those utilities can't do anything about it because it's classified. And even if it's not classified, they can't not include those vendors in a bidding process because they're public utilities usually,
Starting point is 00:20:31 or they're at least beholden in some way to the Public Utilities Commission, and they have to be able to show best price and similar. So what the request basically was that I think fed a real strong component of the EO was if you as a U.S. government think we shouldn't be doing something and you don't want us to do it,
Starting point is 00:20:48 you have to give us something to be able to say no because we aren't able to right now. And so it was a thread of that. There's another thread, which is non-adversarial, of, wow, we're losing control of our supply chain in a huge way, and that poses a national security risk even without anybody being malicious. We should bring back certain manufacturing jobs in the United States. We should bring back certain production of equipment that we need for national security
Starting point is 00:21:12 purposes across bulk infrastructure. Let's look at that very critically. Then there's another thread of, we are worried about adversaries getting into these environments, especially through remote access. How are we going to deal with that? Then there's this seizure of the transformer that did take place, but before it got to the utility. And we have no idea why. I might have some guesses, but there's nothing to say that it was related to anything related to hardware backdoors.
Starting point is 00:21:40 And there's nobody that's come forward with any insight information or anything, or know why Joe would have any insight into it anyways. However, the claim being put forward doesn't match what you can technically do on that equipment and match what you technically can do in that environment. So where we came to in the end was publishing this report, I think here in the next week or two, basically saying, in our analysis, if you want to go invest in security,
Starting point is 00:22:09 here's the areas to focus on, which happen to do with network security monitoring, segmentation, incident response plan, things we've talked about for a long time. But the claim that this hardware backdoor thing exists, I find no evidence for it, and there's been no evidence provided. So the burden of proof is on the person claiming it.
Starting point is 00:22:27 What we further found is it's not tied to the EO at all, and have pretty senior-level government conversations going on to validate, yeah, that has nothing to do with this. And there's just a general supply chain discussion going on anyway. So we kind of just unthreaded this ball that had gotten formed, and at the end of the day, without any offense to any of the people involved, because they're good people, I think this was a lot to do about nothing.
Starting point is 00:22:52 Yeah, yeah. All right, well, thank you for providing some clarity for us. Robert M. Lee, thanks for joining us. Thank you for joining us. And that's the CyberWire. For links to all of today's stories,
Starting point is 00:24:00 check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
