Hackers, Russia, China: cyber battles & how we win
The next decade will be a turning point in the global cyber arms race. And the stakes are very high.
If measured as a country's GDP, cyber crime would now be the world's third-largest economy after the US and China. And it only takes a single password — as Americans learned after the 2021 Colonial Pipeline attack — for cyber crime to cripple a company or humiliate a nation.
On GZERO World, Ian Bremmer speaks to Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, tasked with defending the country from all cyber threats — foreign and domestic.
America, she says, has finally gotten serious about protecting itself from cyberattacks. But the federal government still needs cooperation from the private sector, which operates 80% of the critical infrastructure that serves our daily basic needs.
Easterly also digs into why Russia is the urgent cyber threat even though China could do more damage in the long term, and whether the US is prepared to defend itself from both adversaries.
Will the US be able to withstand cyber attacks on critical infrastructure?
The US Cybersecurity and Infrastructure Security Agency was set up in 2018 to help protect America's critical infrastructure.
It might sound like a technical term, but CISA chief Jen Easterly explains that critical infrastructure is how we get water, power, gas — even food at the grocery store. And 80% of it is operated by the private sector.
So, how does the agency help businesses defend themselves from hackers?
"In cybersecurity, the federal government is just a partner ... so we all have to work together to drive down risk to the nation," Jen Easterly tells Ian Bremmer on GZERO World.
Podcast: Lessons of the SolarWinds attack
Listen: Two years after the discovery of one of the largest cyber attacks in history, we’re looking at the current state of security for both software and hardware supply chains.
In early 2020, a group of hackers broke into a software system built and managed by the Texas-based company SolarWinds. The malware they installed was eventually downloaded by thousands of SolarWinds customers, including both private companies and government agencies like the US State Department. SolarWinds has since said the number of clients actually hacked was far lower.
What lessons were learned, and how vulnerable are information and communication technology supply chains today?
In the third episode of Patching the System, a GZERO podcast produced as part of the Global Stage partnership with Microsoft, we’re examining that question with two top experts in the field.
Our participants are:
- Gaus Rajnovic, cybersecurity manager at Panasonic Europe
- Charles Carmakal, senior vice president and chief technology officer at Mandiant
- Ali Wyne, Eurasia Group Senior Analyst (moderator)
Subscribe to the GZERO World Podcast on Apple Podcasts, Spotify, Stitcher, or your preferred podcast platform, to receive new episodes as soon as they're published.
Disclosure: The opinions expressed by Eurasia Group analysts in this podcast episode are their own, and may differ from those of Microsoft and its affiliates.
Gaus Rajnovic: Scope and coverage, that is why those supply chain attacks are so dangerous. They spread easily and relatively quickly.
Charles Carmakal: As an average person though, it is impossible for us to really consider all the variety of cybersecurity attacks that are out there. And in general, the right practice is to have some level of trust of the vendors of the software that you use.
Ali Wyne: Welcome to Patching The System, a special podcast for the Global Stage series, a partnership between GZERO Media and Microsoft. I'm Ali Wyne, a senior analyst at Eurasia Group. Throughout this series, we're highlighting the work of the Cybersecurity Tech Accord, a public commitment from more than 150 global technology companies dedicated to creating a safer cyber world for all of us.
Today we're talking about a cyber attack so massive it became a household name, SolarWinds. In early 2020, a group of hackers broke into a software system called Orion, which was built and managed by the Texas-based company SolarWinds. They installed malicious code and later that spring, it was unwittingly delivered to customers in routine software updates. In total, more than 18,000 clients were affected, including large private companies as well as some government agencies, including the state department and the Department of Homeland Security.
Now the SolarWinds hack is an example of what we call a supply chain attack on information and communication technology, or ICT for short. We're going to talk about what those kinds of attacks are and why they pose a serious and unique threat in the world of cyber attacks.
Joining us now are two industry representatives who work on different sides of this issue. First, Charles Carmakal, who is a senior vice president and chief technology officer at Mandiant, a security research firm working to discover and thwart bad actors who target technology products and services. Charles, it's great to have you here.
Charles Carmakal: Thanks a lot. It's great to be here.
Ali Wyne: We're also joined by Gaus Rajnovic. He serves as a cybersecurity manager at Panasonic Europe, which makes a wide range of technology products, many of which listeners may be familiar with. Gaus, welcome.
Gaus Rajnovic: Hello.
Ali Wyne: Let's dive in first just by providing some additional context around the hacking attack that I mentioned, SolarWinds. Charles you are from Mandiant, which obviously has a relationship to this attack so why don't you explain to us from your perspective first, how bad was this attack? Second, how was it discovered? And third, what was the fallout?
Charles Carmakal: Yeah, absolutely. So I was very close to the event. It really changed my world and I remember it very vividly. So back in December 2020, I worked for FireEye and that was the organization that ended up detecting and discovering the SolarWinds attack. An employee had registered a second mobile device into our multifactor authentication solution and one of our security analysts had picked that up and noticed that the second enrollment of the secondary device seemed a little bit suspicious. And so he actually reached out to the employee to figure out whether or not he had actually enrolled a second mobile device and he said he didn't.
And that actually kicked off what ended up being probably one of the most notable cybersecurity events in history. And so as the days progressed and as we conducted an investigation to really try to understand how did somebody get access to the credentials of this employee to be able to enroll a second mobile device into our multifactor authentication solution, we started finding evidence of attacker activity.
As part of any investigation, you've got to figure out how did the attackers actually get access to the environment. And as we were digging and digging and digging, the earliest evidence of attacker activity that we saw occurred on SolarWinds' Orion systems that we use at FireEye, but we couldn't tell exactly how did the threat actor get access to those systems. And there were a number of hypotheses that we tested and one of those tests was whether or not there was a potential supply chain attack, essentially meaning was it possible that malicious code was actually sent to our computers through SolarWinds, through a legitimate code process? And what we ended up doing to figure out if this actually was the case, was we reverse engineered the SolarWinds Orion software. We essentially reverse engineered tens of thousands of lines of code.
And ultimately, we identified a few thousand lines of code that were heavily obfuscated and looked very suspicious, if not malicious in nature. And the thing that we noticed about it was it was digitally signed by the vendor. So we knew that the code, although it looked suspicious, arguably malicious, we knew that it came from SolarWinds because it was digitally signed unless the digital signatures were stolen or the keys were stolen from SolarWinds. And so as part of the process, we called SolarWinds and we let them know what our findings were. And we got back on the phone with them a few hours later and what they had confirmed to us was that they didn't see any malicious code in the code repositories for the SolarWinds' Orion product.
But what they told us is after the product was built, they see these unauthorized routines that are added to the finished product. And at that point in time, we knew that there was a supply chain attack, and we knew that the legitimate software that was downloaded by thousands of organizations ended up having a malicious component, what we call SUNBURST, which would've allowed a Russian adversary to get access to computer systems that were running the software.
The important thing to note is, this was arguably one of the most expensive cyber weapons that had been developed by a government. And because it was so expensive, the threat actor behind it was very specific in choosing which organizations they were going to leverage this backdoor and this capability to conduct further intrusion activity on. And we suspect that there were less than a hundred organizations that they chose to leverage this capability with.
But those hundred-some-odd organizations are arguably some of the most high profile, hardest to hack organizations out there from both a commercial and a government perspective. The impact was pretty significant in the sense that this enabled the Russian government to get access to data that was of strategic interest to the Russian government. They were very interested in data that governments had, and they were interested in commercial entities that either had access to that same data, or that could facilitate access to the systems or the network of government entities to get that information that was of strategic interest to the Russian government.
Ali Wyne: Wow. I mean, almost felt like I was listening to a new Netflix drama on the SolarWinds attack. Now granted this particular hack took place in 2020, but the narrative that you just related to us, it obviously couldn't be more timely in light of Russia's invasion of Ukraine. Gaus, I want to come to you. Can you give us a basic understanding of what we mean by the phrase supply chain attacks? I mean, why are they dangerous?
Gaus Rajnovic: Absolutely. Let me just say, I am working for a vendor. Part of my answer is basically describing how those attacks influence us vendors, so people who are producing something, but at the same time, how it also affects users of technology.
So coming to your question, scope and coverage, that is what makes them dangerous. They spread easily and relatively quickly. I was also always puzzled why we haven't seen them a little bit earlier because from my vendor side, you were able to see that potential some time ago.
Gaus Rajnovic: And why I'm saying that, let me give an example of how products are being made. So when you want to create a new product, you would take ready-made components, you just put everything on one pile and then you add a little bit of magic, something that is unique for your product, so that you can be different from the others. But basically, apart from a really relatively small number of vendors, most of the vendors are using already made components. So there is widespread reuse and that is why it spreads through our industry and that is why those supply chain attacks are so dangerous.
Ali Wyne: Charles, I want to come back to you in light of the explanation that Gaus just provided and talking about not only sort of software but hardware. When we hear the phrase supply chains, we often think about physical components. So imagine, for example, car parts that are made in one country that are put in cars in another country, but in the case of SolarWinds, we're talking about the targeting of software, not hardware. It's less about a bunch of items that are stored in a warehouse somewhere. Can you explain a little bit more about what is in a software supply chain? And maybe in addition to explaining what is in a software supply chain, help us understand the various points along that chain that potentially could be targeted?
Charles Carmakal: Yeah, yeah. So look, I think there is a general confusion as to what a supply chain attack is and if you asked somebody what a supply chain attack is back in the summer of 2020, they'd give you a very different definition than what they would've told you in January of 2021. And many of our definitions changed in December, 2020 when we heard about the SolarWinds attack.
Ali Wyne: Sure.
Charles Carmakal: And that's kind of because of the ubiquity of SolarWinds and because of how prevalent the attack was. So what happened with SolarWinds is a threat actor found a way to insert malicious code into a legitimate product that ended up getting shipped out to a variety of customers across the globe.
And that software was authenticated by SolarWinds and it was part of a legitimate software update process that SolarWinds had established to allow people to get updated versions of their software. And when they say 18,000-some-odd organizations could have potentially been impacted by SUNBURST or by this attack, that's really the estimated count of the number of organizations that had legitimately downloaded the software update.
Another way to look at a supply chain attack is, can a threat actor break into one company, perhaps a service provider, and leverage that access to that one service provider and get access to dozens or hundreds or thousands of other organizations because of the legitimate connectivity between that service provider and their thousands-some-odd customers?
And we see attacks like this all the time.
Ali Wyne: Gaus, Panasonic is a company that obviously makes a lot of consumer devices. So are there similar cyber vulnerabilities in the hardware supply chain? How can hardware supply chains be targeted?
Gaus Rajnovic: Oh, well, yes. I mean, nowadays, and especially in IT hardware, it is just software in disguise because usually, I mean, if possible, you would like to have a chip that you can use for multiple purposes. So basically you will have hardware that you then program and then you change the function as needed. So yeah, absolutely. But now, if we move a little bit away from that and look generally at hardware, and chips in particular, and vulnerabilities in them, it is a longstanding concern, and especially for, well, Western governments, because what is happening is that obviously they need to procure products for their environment whenever they're using it. And sometimes that environment tends to rely on relatively old chips, which are not being produced by, let's say, Western vendors anymore. So they need to procure them from elsewhere. Now you have a question, do we really trust that those chips would not contain any undocumented and unwanted functionalities?
So you do have the whole science of testing and verifying that what you are getting is actually what you want to do and that there is nothing else in it. And it is hard.
Ali Wyne: So Charles, let me come back to you. So software supply chains are being targeted, hardware supply chains are being targeted. Well, obviously as listeners, I think all of us, regardless of what our position is or what kinds of devices we have, we all want to take steps to enhance the security of our devices, but I've got to be candid with you. When I think about how many times, just in a given day, how many times my phone asks me to install certain updates, my laptop asks me to install certain updates, my instinct is to install them because I want to enhance the security of my devices, but it's pretty overwhelming to think about whether or not we can actually trust all of these updates that we are being asked to install. Isn't it?
Charles Carmakal: It absolutely is. And a funny argument that was being made during the SolarWinds supply chain days was that the organizations that weren't impacted were the ones that were really late to apply the patch. And so some of them joke that they just had such bad patch management processes that they didn't have to deal with the cybersecurity implications of the attack.
Ali Wyne: Yeah.
Charles Carmakal: As an average person though, it is impossible for us to really consider all the variety of cybersecurity attacks that are out there. And in general, the right practice is to have some level of trust of the vendors of the software that you use, assuming that you're using legitimate commercial software or open source software, and it's to apply the patches that are made available because the vast majority of the time, the patches will actually increase the overall security posture of your system, of your device, of whatever it is that you're installing the patch on.
It's the edge cases where attackers get access to software supply chains and are able to modify legitimate code and insert malicious code there. It happens. I could list off a few dozen examples where it's happened in the past, but for all the times that it's happened in the past, I mean, that's representative of less than 0.001% of all the software updates and the patching that goes on out there. So I think in general, as an average, everyday person, patching is good, patching provides additional security capability and benefits. And when there are situations where patches are actually malicious, usually the community figures that out and they share that information broadly and people take corrective action.
Ali Wyne: No, that's helpful. That's helpful to know. Gaus, I want to come back to you and I want to make a little bit of an analogy between some of the supply chain vulnerabilities that we've been discussing and some of the vulnerabilities that we've seen in the time of COVID and I want to ask you if you can reflect a little bit on that comparison. So specifically, we know that supply chain issues earlier on in the product life cycle, say in raw materials, for example, that they can have a much greater impact later on when products get closer to consumers.
And we saw something kind of similar to this in global supply chain issues we faced, and that we continue to face during the coronavirus pandemic. So for example, if the raw materials were delayed a week due to labor shortages, that might mean that the next step of production was delayed two weeks or the next step four weeks, and so on. Do you think that it's valid to apply kind of a similar model to ICT supply chain attacks? And that is to say, the earlier in the process we see a vulnerability, the worse and broader the negative result and impact might be later on?
Gaus Rajnovic: Unfortunately, the answer is yes. Yes. There is also an additional, how to say, complication to that, because usually the earlier in the chain you get, those really basic components tend not to be so sexy, so people don't really pay that much attention to them. And they'll just say, "Yeah, yeah, fine. I mean, that was working for the last 20, 30 years. Why should I look at it? Just take it and run." And I have one great example of that. So there is something that is called Abstract Syntax Notation One, or in short ASN.1. It is something that is being used everywhere. Not many people have heard about it, but it is a way how you would format data before you send it over the network to another peer. Approximately 20-odd years ago, there was a vulnerability in an ASN.1 library. So basically, in the way how that data format was unpacked and processed, there was a vulnerability there. It was a very bad vulnerability.
So you were able to do remote code execution on many, many devices by just sending a packet to a device, and that packet and that vulnerability would be triggered the moment the device starts processing the packet, way, way, way before any other logic kicks in. So it was really basic stuff. If you go and look for those old advisories, you would still find them, and just look at the number of vendors which are affected, well, that used to be affected by that vulnerability; it is staggering. And also, if you look at what protocols were implicated, meaning they were using and they still use ASN.1 notation. So it is absolutely unbelievable. But the worst thing is that we are now almost 20 years after that incident and I am not sure that all vendors have patched it, because there are still plenty of old vulnerable libraries lying around and some small vendors, they would just take it and run it and nobody would look at it because, "Hey, it was working for the last 20, 30 years. Why bother? It works." So unfortunately, yes, the sooner you get into the supply chain, the more damage you can make.
Ali Wyne: That's sobering and it's sobering to think that even 20 years on, 30 years on, that we still have some of these initial vulnerabilities that companies haven't adequately addressed. Charles, you talked about SolarWinds. It affected 18,000, right? I should say it targeted 18,000 organizations, but as you mentioned, the attacks themselves were only actually executed against a handful of government organizations. So let's say that I'm a business owner who didn't have my systems disrupted, can you help the listeners understand what might be going on? Why it might be the case that I, as a business owner, didn't have my systems disrupted by the SolarWinds attack?
Charles Carmakal: Yeah. And just to clarify, so the threat actor leveraged the SolarWinds backdoor to get access to both government and commercial entities.
Ali Wyne: Right.
Charles Carmakal: So there were a number of technology companies and a variety of other companies that weren't government entities that were targeted. Those companies, as you think about the victimology, I mean, a lot of those companies were pretty large organizations with very large customer bases that potentially could have been the next SolarWinds. And in fact, we may not be calling it the SolarWinds attack if it hadn't been detected when it was detected. What I mean by that is the threat actor, I believe, was surprised that they got caught when they did. I think they were surprised when we outed them. I think they probably thought that they had months or years to continue to do what they were doing. They were doing things in such a clandestine and quiet manner, and they were doing it relatively slowly because they didn't want to get caught. They wanted to keep stealing information, again, that was a strategic interest to the Russian government.
Ali Wyne: Sure.
Charles Carmakal: And I think that they were interested in continuing to create other supply chain attacks. When you look at some of the companies that they broke into, I mean, they broke into security companies, they broke into technology companies. I do think that in a way we're all lucky that it was detected when it was, because I think we very likely stopped what could have been the SolarWinds attack, plus the technology company X's attack, plus the technology company Y's attack that a lot of people would've probably talked about.
For companies outside of the big companies that were targeted, so you just think about just any other company out there, look, most organizations aren't of interest to the Russian government. When Russia conducts offensive operations, they do it for a reason. Sometimes they do it because there is a political reason. Sometimes they do it for national defense purposes. Sometimes they do it because they're embarrassed by something. And so you think back to 2016, and no, I'm not going to give the example about the US presidential elections, because everybody talks about that, but I'm going to give a different example. I'm going to talk about the attacks against the anti-doping agencies. And there are a number of them that were hacked. And essentially what happened was there were Russian athletes that were accused of doping and it was made known that the Russian government was aware of the performance enhancement drugs that Russian athletes were using.
And so the Russian government wanted to prove that the rest of the world uses performance enhancement drugs and they dope and they hacked into a number of the anti-doping agencies and they ended up publishing a lot of information related to athletes that had failed tests before certain sporting events. And so that is an example of one of the reasons why the Russian government may conduct intrusion operations. There's usually a specific reason. Today as we think about the invasion of Ukraine, I think it's interesting that we haven't seen destructive attacks against the Western world yet. Now leading up to the Ukrainian invasion, we definitely saw a number of intrusions against ministries of foreign affairs and a variety of countries by Russian threat actors to steal information, again, of strategic interests to the government.
We definitely saw very destructive and disruptive attacks against organizations in Ukraine, leading up to the invasion and then coinciding with the invasion. But we haven't seen the attacks against other Western organizations. And I think the anticipation and the fear is that the Russian government tends to go tit for tat. They will very likely target the sectors that were most impacted in Russia, but in other parts of the world. So when you think about the sanctions against Russian entities, there's a very good chance, or at least the belief is, that the Russian government will conduct some kind of cyber operation against the US financial services sector. There's fear and anticipation that the Russian government will target energy sector organizations. There's also fear that Russia will look at who are the companies that are publicly aligning with Ukraine and very vocally standing up against Russia, and those are very likely going to be targets of Russian espionage and destructive operations.
Ali Wyne: This kind of actually goes to the name of this podcast series, patching the system. Gaus I want to come back to you so obviously, prevention is probably better than patching things up after an attack. Supply chains are getting more and more complex, more and more complicated. The vast majority of everything comes from somewhere else. I mean, what can companies realistically do to protect themselves?
Gaus Rajnovic: Well, trust, but verify. So I would like to split this answer into two. So one is from the perspective of an organization as a consumer of technology. So obviously you cannot go and, I don't know, disassemble and analyze each and every line of a patch that you receive and do that constantly for each and every device. It is just out of the question, but what you can do is that you are monitoring what is going on in your environment. So that should be a part of your normal security operations center or CERT, or some other security function that you have, or should have, internally. So you could trust that what you receive is legitimate and you trust that everything should be fine, but still you need to go and verify that the things that you are seeing inside your system match what you would expect to see inside the system.
And Charles said that at the beginning, how they discovered it just because they spotted an anomaly. The other part of my answer is when I look at this question through my vendor's eyes, what I can do as a vendor to make sure at least what I'm receiving is more or less legitimate or what I'm expecting, so that what I am giving further up the supply chain also does not contain any defects or vulnerabilities or anything else. And again, the same principle, trust, but verify, for all my suppliers. You can start with some really basic things. For example, I would like to know a contact at each of my suppliers who is handling product security vulnerabilities, meaning that if I find something in that component, I know who to call. Another very basic thing, a software bill of materials, or a bill of materials in general. I would like to know what is inside the component that I am receiving.
I would also like to know what tests my supplier has done on that component and what the results are. And then I would repeat the testing myself just to make sure that everything matches. So those are some very basic things, but they help a lot. And I am sometimes ashamed to say that in the industry today, even with all this advancement, we are still having vendors, and I'm not talking about really small vendors, I'm talking about midsize vendors, where we do not have anybody to call when we have a vulnerability in their product and we need to fix that.
Ali Wyne: Charles, you heard what Gaus just said. I mean, what are some of the ways in which software and hardware manufacturers can come together to help build trust and to help verify? I mean, how should they coordinate their efforts, how should they keep their lines of communication open, especially because hardware increasingly needs constant updates to software?
Charles Carmakal: Yeah, absolutely. I mean, I definitely agree with Gaus on the trust but verify. And I think there's a certain amount of trust that organizations have to place in their vendors that they're doing the right things, and I think most people want to do the right things. It sometimes becomes cost prohibitive to do so, so it doesn't always happen. I think having more transparency about the security issues that exist and that people identify, and doing timely fixes, is really important. And I'll tell you, it's definitely frustrating to security researchers that identify security vulnerabilities in particular products, they notify the vendors and they never get an acknowledgement that the vendors heard that there's a vulnerability, or sometimes the vendor will say, "There isn't a vulnerability." Sometimes they'll say, "There is a vulnerability, but we'll get around to fixing it whenever we get around to fixing it."
And so responses like that can be really demoralizing for security researchers. Being as transparent as you can, trying to be timely with fixes, sharing information, and collaborating as a community are really important to addressing this problem.
Look, I'll tell you, things have dramatically changed for the better in terms of the collaboration of vendors and the security community. 20 years ago, we all used to laugh at Microsoft and say that they have arguably a terrible cybersecurity program. But when I look at probably one of the best case studies of an organization that's dramatically changed people's perceptions of them and just how much time and effort and care they put into security, I mean, Microsoft's one of the best examples.
Ali Wyne: So as both of you know, in an earlier podcast episode, I spoke to Annalaura Gallo. She's the head of the secretariat of the Cybersecurity Tech Accord. Here's what she had to say about new approaches to combating ICT threats.
Annalaura Gallo: So we've been engaging with the UN in the context of the dialogues on responsible state behavior in cyberspace, and we will continue to do so. And we have been encouraging states in particular to introduce a new norm that clearly declares these cyber attacks against the ICT supply chain out of bounds. But our signatories have also been calling for a shift in the way governments and businesses defend from this type of attack, because taking a purely defensive approach is no longer enough. Organizations should start to think like the attackers.
Ali Wyne: So Gaus, why don't we start with you? What is your reaction to Annalaura's assessment?
Gaus Rajnovic: I agree with the assessment. Yes, we need to change things because obviously the way they are at the moment, it is not an ideal situation and we would like to improve it. Having said that, there are multiple points, and the first point, for example, being somehow putting the supply chain out of bounds, so you should not attack the supply chain. It is an admirable goal. Personally, I am skeptical that it will ever be achieved just because the supply chain is so big. I mean, when you look at a single product, how many components are coming and from where, and through how many hands that product is passing, I mean, it is really hard to say, "Okay, so we will just limit everything that relates to the supply chain. It is out of bounds. We will not attack it. We will not mess with it, but we will go after everything else."
And please bear in mind that there are also initiatives, for example, for some national infrastructure, which is necessary for civilians to live, also to be put out of bounds and things like that. I'm afraid in the flux of wars, it doesn't work that way. So admirable, but skeptical towards it. If I may just quickly?
Ali Wyne: Sure.
Gaus Rajnovic: There is another point of not being only defensive. So yes, I heard those ideas multiple times, which is suggesting that we should also go on the offensive in a sense, at least to have an active defense. Again, personally, I'm not in favor of active defense because in my mind, imagine two gunslingers in the old Wild West. They would just come to the streets. Everybody would move aside. Then they would have a shootout and then pack their things and go away to continue this duel at some other time.
But what will happen is that after that duel, there will be lots of bullets in the walls, broken windows, and somebody will have to go and fix that. So just apply this metaphor to cyberspace. And yes, you will have bad guys and good guys, and they will be having a go at each other, but in the meantime and throughout that battle, there will be lots of broken stuff, which somebody will have to fix later. And unfortunately, some of that stuff that has been broken during the conflict, there are people whose lives depend on it. And that is the reason why I'm not overly fond of active defense.
Charles Carmakal: Look, I think there are general rules of engagement that certain countries operate by. So for example, when you look at the Chinese government, they typically conduct operations for political or military purposes. They used to also conduct offensive operations for economic purposes, but there was an agreement with President Obama and President Xi where nobody acknowledged hacking into companies in each other's countries, but they said in the future, they wouldn't do it for economic espionage. So I think rules of engagement are really important. That helps figure out what is the line, when does it get crossed, or what events would be considered crossing the line and a potential escalation. And that's something that we're all thinking about right now. If what happened in Ukraine a few years ago with NotPetya happened in the United States, I'd be afraid to figure out and to see what the United States might do in retaliation.
And so we're all trying to figure out and I think Russia and many governments are very mindful of at what point in time does a cyber operation cross the line and force the victim, or maybe a collection of countries to retaliate in a very escalatory way. And then at what point in time does the retaliation include kinetic consequences? So for example, when we look at the Colonial Pipeline incident from last year, from my perspective, our assessment is that the Colonial Pipeline intrusion was done for financially motivated purposes by organized criminals. We don't believe that Putin had directed that, or at least we have no evidence that Putin had knowledge or directed that. But it'd be a very different thing if there was evidence of Putin directly asking for the intrusion of Colonial Pipeline that would have an impact on the supply chain of gas getting to airplanes and vehicles.
And so, again, I think we're all thinking about the escalation. So it is good to have rules of engagement, but the downside of having rules of engagement is basically everything that you are not expressly saying is prohibited. Is everything else okay to do? So if you say-
Ali Wyne: Right.
Charles Carmakal: "Protect the supply chain," or, "You can't attack healthcare," is it then fair game to hack into financial services companies, into manufacturing companies, and schools, right? So that's the counterpoint. So it's hard to tell, but I think the rules of engagement, generally speaking, are good.
Ali Wyne: I would guess that most of the folks who are tuning in to today's podcast, don't have your expertise either on the hardware side or on the software side. Most of the listeners, I would guess, are just lay consumers. And so for us lay consumers, what can we do? What can we do to enhance the security of our devices, to mitigate some of the issues that we've talked about today?
Charles Carmakal: Yep. There are three things and these are three very important things that are, unfortunately, somewhat hard to do. The first thing is we strongly encourage everybody to use a password manager and have a unique and different password for every single website that you use. And the reason for that is because when a threat actor hacks into a particular website or a company, one thing that they do is they download all the usernames and the passwords for all the users that use that resource. And they attempt to use those usernames and passwords for other websites. It could be email accounts or bank accounts or social media accounts, but that is a very prominent way for how threat actors break into organizations and break into accounts and steal data from people. Number two, use multifactor authentication. So that's basically where you provide a username, a password, and then some secondary form of authentication.
Sometimes it's a code that gets texted to you over your phone, sometimes it's an email that gets sent to you with a code, or maybe there's an app on your phone that gives you a randomly generated number. That helps mitigate the risk of somebody getting access to your account. And the third thing is apply software patches when your device tells you to apply software patches, but try to be cautious and careful. You don't want to get tricked into clicking a link on a website that's telling you to apply a patch, but that's actually malicious. You want to get comfortable and familiar with where a computer or a device would tell you to apply an update and just get comfortable with that and do it when you're asked, and try to be mindful and try to be aware that there are tricksters or scammers and threat actors that will attempt to trick people into applying patches that aren't real, that are actually malicious.
Gaus Rajnovic: I totally agree with Charles, what he said, and those are the things that the consumer can do. I mean, looking from the perspective of somebody who is making those products, they need to be as easy to use as possible. And unfortunately, that also limits what other actions users can do. At the other end, also, if I have a product that everybody needs to tweak, I don't know, two hours before they use it, I will not sell that product at all because people want functionality and people want stuff to work as is. So password management, absolutely a must, do it. There is one thing that, at least on the producing side, we see that it is coming, something that is called security labels. So there are several governments around the world who are toying with that idea. So basically that you have a label on a product that will tell you how secure the product is, more or less. It is not finalized yet.
There are some pilot schemes going in Finland and Singapore. Most likely it is something that will come to the market in the next, I don't know, three to five years or thereabouts. So that will be also something that later on consumers could look for and try to find if this product is more secure than alternative and then obviously try to base their purchasing decision on that label. But we are not there yet at the moment.
Ali Wyne: Charles Carmakal, senior vice president and chief technology officer at Mandiant, Gaus Rajnovic, cybersecurity manager at Panasonic Europe, thank you both so much for being here.
Charles Carmakal: Absolutely.
Gaus Rajnovic: Pleasure was mine.
Ali Wyne: Well, that's it for this episode of Patching the System. You can tune in next time for more on the future of cyber threats and also what we can do about them. You can catch this particular podcast as a special drop on Ian Bremmer's GZERO World feed anywhere you get your podcasts. I'm Ali Wyne. Thanks very much for listening.
Join us live from the 2022 Munich Security Conference
Friday, February 18 at 11 am ET / 5 pm CET: Watch GZERO Media and Microsoft's live conversation from the 2022 Munich Security Conference.
As crises converge, our speakers will discuss emerging risks at the intersection of technology, policy and security: NATO's role and tools to defend democracy, the US role in global alliances, the rise of cyber threats and the need for cyber norms and stronger defenses.
Participants:
- David E. Sanger, White House and national security correspondent, The New York Times (moderator)
- Ian Bremmer, President and Founder, Eurasia Group and GZERO Media
- Benedikt Franke, Chief Executive Officer, Munich Security Conference
- Mircea Geoană, Deputy Secretary General, NATO
- Kersti Kaljulaid, former President of Estonia
- Anne-Marie Slaughter, CEO, New America
- Brad Smith, President and Vice Chair, Microsoft
Event link: gzeromedia.com/globalstage
This event is being held in collaboration with the Munich Security Conference.
Live from MSC 2022: Securing Cyberspace | Friday, February 18, 2022, 11 am ET / 5 pm CET
Biggest cybersecurity threat to watch in 2022
Marietje Schaake, International Policy Director at Stanford's Cyber Policy Center, Eurasia Group senior advisor and former MEP, discusses trends in big tech, privacy protection and cyberspace:
What do you foresee to be the biggest cyber threat and crisis for the year 2022?
Well, to me, the blind trust in commercially made software and technologies, remains an enormous systems risk, because over and over again, we hear of vulnerabilities in thus far, unknown small elements of widely used software that is weaponized.
From Citrix to SolarWinds or Log4j. Now schools, critical infrastructure, hospitals, and governments, the smarter they became with the integration of more and more software, the more vulnerable to attacks they turned out to be. To overcome the conflicting incentives between companies that may not be too eager to report incidents or share information, versus the need to strengthen protection, security, and resilience in the public interest, laws, information sharing standards, and corporate liability regimes will have to be adjusted, updated and adopted.
Biden likely to push Putin on cybersecurity in Geneva meeting
Marietje Schaake, International Policy Director at Stanford's Cyber Policy Center, Eurasia Group senior advisor and former MEP, discusses trends in big tech, privacy protection and cyberspace:
When President Biden and President Putin meet, will cybersecurity be a key issue that they discuss?
Now, I'm sure that there will be many thorny issues on the table. But after American fingers pointed to Russia and held it responsible for the SolarWinds hack, it's likely. Criminals in Russia were also not hindered when they held the Colonial Pipeline Company ransom through a ransomware attack. And really, when journalists and opposition leaders cannot speak a single critical word without being caught, how come cybercriminals can act with impunity in Russia? So the need for prevention and accountability really is significant. And I hope President Biden can push and persuade Putin to change the confrontational and aggressive course that he is on.
Hackers shut down US pipeline
Ian Bremmer's Quick Take:
Hi, everybody. Ian Bremmer here. Happy Monday to you. A Quick Take. I wanted to talk about this unprecedented hack that has shut down a major pipeline in the United States. The Colonial Pipeline carries well over 2 million barrels a day. It's about half of the East Coast supply of gas and jet fuel. In other words, really not something you want to have suspended. And when I think about the impact of cyberattacks in the world, I mean, we've been warning that this is going to be a bigger challenge going forward, we're now really starting to see the implications of it.
In this case, it's a dual attack. It was an attack both against data in the firm that has been stolen that the organization, the criminal syndicate that has perpetrated the attack has said that they will make it public and delete all of the data from the system of the pipeline company if the ransom is not paid by the deadline that they have provided. And then of course, they also physically shut down the pipeline as well. It's an enormous problem. It's probably unprecedented in the scale of impact in the United States, though, we're seeing more of this kind of thing around the world.
So, let's take a step back. What does it mean? How much should we be worried and what can we do when we think about cyber? Well, when I think about the world of cyber over the course of the past 10 years, there are some aspects of it, the great power competition, that have worried me less, because even though it's all about offense, the United States, the Chinese, the Russians are by far the most capable in terms of offensive cyber capabilities, then other countries, like Israel and Iran, with less but significant capabilities. But those governments, large governments, do understand that if they are to engage in the kind of escalatory attacks that could cause real damage to the country that they're going after, then the gloves come off and suddenly this can turn into a real national security danger. It could create a kinetic war that spirals out of control. And so, they don't do it. And so there has been a level of cyber deterrence between major countries all around the world.
You've seen these unprecedented attacks in the last months, for example, the SolarWinds attack that we believe came from Russia and other massive attacks coming from China. But in each of these cases, no critical infrastructure was destroyed or even damaged to the best of our knowledge. No, instead it was espionage. It was surveillance. It was monitoring. By the way, the Americans do the same thing to all of those countries, whether they have offensive cyber capabilities themselves or not. So that's a bit like the nuclear balance. It's all offense. It's not defense, but there are constraints on what countries do, because if you set off one nuke, other nuclear countries are quite likely to retaliate in kind. So it does create a level of stability, even though it is a more dangerous destructive environment in the world. You'd rather not have them than have them. Okay, that's the good side.
The bad side is that you sometimes have governments that engage in acts on cyber that go bigger and larger than had initially been presumed. So for example, when the Russians engaged in the NotPetya attack against Ukraine, which was a piece of malware that was reverse engineered out of the US, out of the National Security Agency developed in the US a few years before, it did hit Ukraine, it absolutely caused major economic damage and political stability damage to the country, but it also escaped. And so in relatively short order, you had Western corporations with operations primarily all over the world, very little in Ukraine. In some cases, just a couple of computers in Ukraine causing billions of dollars of damage because the malware spread. And the Russian government, I find it highly unlikely that they intended for that attack to spread. And the question was, did they either not know or not care? I suspect it's more the former than the latter, because if it got really big, this could have caused an enormous blow back for Russia. But that means that intrinsically when you're engaging in cyberattacks with new forms of weapons that have the ability to spread autonomously, there's greater danger around the nature of attack. That's one point.
Secondly, it's a lot harder to contain cyber offensive capabilities to a small number of countries. Obvious example, I mentioned among countries that have strong cyber capabilities, Iran. Now, we're working in the United States, the Biden Administration is working very hard right now to try to get the United States back into the JCPOA, the Iranian nuclear deal the Trump Administration unilaterally withdrew from. And if that happens, we will continue to successfully prevent the Iranian government from developing nuclear weapons capability with verifiable inspections on the ground. That's important, it's significant, but there has been no ability to limit the nature and development of Iran's offensive cyber capabilities, which they use against Israel, against Saudi Arabia, against the United States. And there's very little capacity to deter a government that is much more unstable itself, that has willingness. And it's the reason we don't want Iran to have nukes is because we think that that potentially could lead to much more conflict in the region. That's unacceptably dangerous to, let's say, Israel or to the Saudis, other American allies on the ground, but they have those cyber capabilities. And that's clearly a danger. I mean Operation Shamoon, which the Iranians did, which looks like it was reverse engineered from the Stuxnet attack that the Americans, the Israelis engaged in against Iranian centrifuges, basically was within a couple of hours of taking all of Saudi Aramco's energy production offline, and that could have precipitated a war.
So you're much closer to trip wires, to red lines, even among governments, because of that when you talk about cyber. And then you have what we just saw, what we're experiencing now with the shutdown of the Colonial Pipeline, and this is a criminal syndicate. Non-state actors, whether they be gangs or the aforementioned 300-pound guy on a bed in New Jersey, or whether it's a terrorist organization, the ability of institutions and people that are much less easily determinable, either because of the ideology or because you don't know who they are, engaging in strikes that are really dangerous, that is becoming unprecedented in today's environment. And that's what we just saw. The cybercriminal gang called DarkSide is ostensibly behind the attack on the Colonial Pipeline.
And this is a cybercriminal gang, right? It is a group of individuals. It is not known who they are. They have anonymity, they're quite sophisticated. And they engage in these strikes against multinational corporations, some small, some big, to enrich themselves essentially. And this organization, DarkSide, has said that they won't attack hospitals, for example. That's their form of ethics. Other such organizations have no such compunction. You've seen a number of hospitals shut down. For example, one of the things I was worried about is what would have happened if there had been a massive cyberattack by a criminal gang against American hospitals at the time when they were getting overwhelmed by the pandemic. This is an absolute, real danger and something that the technology exists to do. And the people that could engage in those attacks have that technology in their hands, right now. And so the only thing stopping them is the sense of ethics that these criminals actually have. That's a serious problem.
Now in the case of DarkSide, and a lot of these criminals are operating in areas where Western rule of law cannot reach them, the presumption with DarkSide is they are in the former Soviet space. And the reason I presume that is because those that are studying DarkSide's attacks so far have seen no attacks against Russian and former Soviet countries. Companies that obviously would be just as exposed, in many cases more so than those outside of the former Soviet Union. No attacks against Russia, Ukraine, against Kazakhstan, countries like that. So you would expect that the people that are engaged in DarkSide are either from one or many of the former Soviet states. A lot harder to hit them directly when rule of law doesn't reach that far and when the governments themselves are showing absolutely no interest.
In fact, in the case of Russia, many of the cyberattacks the Russian government engages in are essentially outsourced to these criminal gangs that make money both in terms of the national security efforts that they make at behest of the Russian government, but also then sideline, moonlight, have their side gig engaging in criminal activities, outside the former Soviet space.
The likelihood is that this significantly worsens US and Western relations with Russia and leads to more sanctions, if so because the Russian government and others are refusing to take action. That's also a real problem. And one that isn't likely to get resolved anytime soon. So serious challenges as a consequence of this. It showed up very high on our top risks for 2021. This is part of the reason for it. And I suspect we're going to spend a lot more time on it going forward.
So, not the cheeriest topic for a Monday kicking off your week, but hopefully something we get resolved, at least in this attack's case, in relatively short order. Be safe, everybody. Avoid fewer people and I'll talk to you soon.
Watch our live program: Securing Cyberspace
Cyber is a tool, and sometimes a weapon. Whether espionage for commercial gain or indiscriminate attacks on critical infrastructure, actions taken in cyber space affect you directly, potentially upending even the most mundane realities of everyday life.
Watch GZERO Media and Microsoft's live conversation on cyber challenges facing governments, companies, and citizens in a Munich Security Conference "Road to Munich" event recorded on May 18.
Event link: gzeromedia.com/globalstage
Our guests will discuss privacy, truth, security, and the urgency of improving cyber security and establishing cyber norms globally. Joining the discussion:
- Ian Bremmer, President, Eurasia Group & GZERO Media
- Brad Smith, President, Microsoft
- Wolfgang Ischinger, Chairman, Munich Security Conference
- Jane Harman, President Emerita, Wilson Center
- Juliette Kayyem, Harvard Kennedy School Professor (moderator)
This event is being held in collaboration with the Munich Security Conference as part of their "Road to Munich" series.
Beyond SolarWinds: Securing Cyberspace: Tuesday, May 18, 2021, 1pm EDT / 10am PDT