Baltimore Blames NSA For Ransomware Attack
CNBC’s Cyber Security Reporter Kate Fazzini talks about the cyber attack that crippled the city
Kate Fazzini, CNBC’s Cyber Security Reporter and Author of the new book, "Kingdom of Lies: Unnerving Adventures in the World of Cybercrime," appeared on Episode #86 of Task Force 7 Radio this week, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, to discuss the latest accusations by the City of Baltimore Officials that the NSA is to blame for the recent ransomware attack that has crippled their city.
Fazzini also talked about the cyber security issues in the Mueller Report, election security, the role social media companies play in our national security, and how history has shown us that some cyber security practitioners are not very effective at their jobs. Rettas also gets into a detailed discussion with Fazzini about 5G emerging technologies, Huawei, how the controversial company is driving discord between Five Eye nations, and how cyber security plays into the recent trade talks between the United States and China.
See Related: “Will Huawei Take Down The Five Eye Alliance?”
The Missing Cyber Security Angle Of Politics
Rettas dove right into the first segment bringing up the Mueller Report, questioning whether or not “we’re missing the point as cyber security professionals” by just focusing on the politics of it. Fazzini commented that when the report was released, a lot of people went and skipped right to the parts about obstruction of justice and collusion.
She continued about the report saying that there is a little about the DNC in there, but a lot of what happened to the Republican National Committee, the Trump campaign as far as how Russia had this really long term, years long campaign to infiltrate social media, to make headway with even people within the campaign, without their knowledge, without them knowing about it, “and it was something we just totally weren't ready for, and we're still not focused on it. This was the thing that actually caused all of the problems in the election, and we are not focused on it; we're looking at all of the other parts of that report. I think that's the most interesting part.”
Rettas added that they [Russian hackers] didn’t intend on one party winning over the other as much as they wanted to disrupt the entire election and turn the American public against each other.
Fazzini went on to explain that in the Mueller Report and in the indictments that were handed down of 12 Russian hackers earlier last year, it was really clearly spelled out that they started doing this as far back as 2014 (maybe even earlier), and really kind of ramping up well before Donald Trump was ever a candidate for president. “What do I mean by ramping up? I mean they went out, got social media accounts. Within Russia's intelligence unit, they formed plans; they had people working on this for a very long time. They became established; they became established voices on social media. They became established personas, and that took a really, really long period of time that went well before and after this election,” she said.
So while this was a long social engineering, hacking campaign, the DHS and some other agencies are doing some things about it, Congress is just not focused on it. “Legislators just aren’t focused on actually fixing the problem that arose in this election,” added Fazzini.
Rettas agreed, “If you look at the news cycle, it gets talked about in a political way, and not really in a cyber security way.” He then pivoted to Baltimore and the recent malware attack, which they blame on the NSA. “It's interesting because it raised the question what does this say about the extreme disconnect between federal, state, and local institutions on our cyber security posture?” he asked.
Getting Back To Basic Cyber Hygiene
With a major U.S. city shut down for a significant period of time that was exploited by a code that leaked, and old patches not deployed, it begs the question of whether or not Baltimore’s basic cyber hygiene was the culprit. Further, Fazzini said that it’s always a similar story, but what’s the way forward?
“So much of the private enterprise is plugged into the municipal side of things. So much of it is plugged into the government side of things. All of these cities are run on software. They all have third-party providers. You see a lot of breaches, resulting even at the government level, from third parties. So, I think that there just needs to be a little coming together of sharing information a little bit better than we already are. I mean, we have to emphasize it,” she said.
Rettas then switched to the topic of social media and the role they play in attacks. He asked: What do you think the role of social media companies should be in our overall cyber security?
“I think that we're putting a little bit too much faith in social media companies to take care of this problem for us. It's interesting that they're playing such a central role and they're taking the reigns and doing all of these things when it seems like that should be the responsibility of either the federal government to say, ‘Here's exactly what we should be doing,’ or the people themselves to try to make a little bit better decisions about what kind of stuff that they are following,” Fazzini said. “I think that it also is important to remember that a lot of these platforms have been built on algorithms that are going to favor discord.”
See Related: “The Science And Methodology Behind Social Engineering”
Fazzini explained that the angrier people get, the more debate there is, and that's considered engagement. They measure engagement, and if something's a really high engagement, then it does well. It gets lots of views; it gets put to the top of pages. That's just a model that is very difficult to alter. A lot of their products are based on that model, “and that's where the social engineering piece comes from. You get people who just throw a grenade into every conversation, and that's what drives the conversation and that's what keeps them at the top,” she added.
However, it’s hard for social media companies to weed out of the millions of accounts that are on these platforms. Fazzini noted though that if you go back to the Mueller Report and what it described as far as how social media was used. It was used in a really specific way where you had prominent accounts that were actually taking a key role in organizing live events.
So, you now have this convergence of these social media accounts that might have just been troll accounts, but now they actually started organizing events, including events that might have had some sort of white supremacist overtones to them, meant to cause even more incitement and incitement in the real world, “and I think that you can see where the danger can spread in many different kinds of ways if you have that ability to take what is just a social media account and turn it into real, live action,” said Fazzini.
Breaking Down The Huawei Headlines
While no one had heard of Huawei a few months ago, they’re a major company and now are getting a lot of headlines. So, Rettas asked: What are they accused of?
Huawei was founded in China and sells about 50% of their products in the Chinese marketplace, which is why they haven’t been the big name here that they could have been. They have also not been a big name here because of what they're accused of since about the 2012 timeframe, which is a really long-term relationship with the Communist government in Beijing. Whereby the government and Huawei have conspired in some way to create this technology equipment that may some day have the capability of spying on the countries to which it's been sold.
Fazzini expanded, “So, you have equipment that is used for networking that is really a part of the deeper layer of infrastructure, and that is where the U.S. government has been having a great deal of pause for a very long time. So, they've been floating to starting with government agencies going back about 10 or more years to not use the Huawei products because it's just too risky and they have, they say, classified evidence that this is has been going on.”
Fazzini did an interview with Secretary Michael Chertoff, who was the DHS secretary several years back and discussed Huawei. “He was really adamant that even if these links haven't been explicitly spelled out by the intelligence agencies, which are one of the frustrations of, I know, Huawei and some other folks will say that they've not presented enough evidence. He said that having that level of infrastructure built outside of the United States by a country that is ... We're at odds with them, things could get worse, they could get worse in the future, that having that much stuff tied back to another country is just too risky,” she said.
Huawei says that the U.S. does allow other tech companies like Nokia and Ericsson to do business here, but there are risk mitigation processes in place. They want the U.S. to put in a similar risk mitigation process, but going back to what the Trump administration has said and what Secretary Chertoff said, it doesn't matter if risk mitigation is in place; it's still just too risky. “So, as you can see, there's never going to be a meeting of the minds here. It seems like we're going to be down this road for a long time with Huawei,” Fazzini added.
As for Huawei, Fazzini said that they say, ‘Absolutely not. We'd rather shut down the company than take orders to spy from China.’ She believes that you have two different groups that are having two different conversations entirely. “They're having a conversation about risk mitigation and it's unfair, and by we, I mean the United States and Secretary Chertoff and the Trump administration are having a conversation, saying, ‘We can't have this equipment ever in our networks.’ So, it's two different conversations. I just don't see it ever resolving. I think we will have a wonderful trade agreement with China before we're doing business with Huawei. I think that's my prediction.”
Fazzini said that there are two things that are overlapping a bit when it comes to the role of cyber security and the Chinese government:
- The issue of forced technology transfers where in order to do business in China, you have to give up source code or other information under the auspices of the Chinese cyber security law that exists there. So, we have to make sure that the source code is safe.
- For many years, there has been a great deal of intellectual property theft and hacking coming from China to the U.S., whether that’s attributed to criminals who are living in China or of Chinese origin, or the Chinese government.
“It's that long-term trust that just does not exist, and it's going to be causing problems like this for a very long time,” she said.
Inside The Cyber Criminal’s Mind
Fazzini’s focus over the last few years (as seen in her aforementioned book) has been on really keenly looking at the actual individuals who are either cyber criminals or cyber security professionals and what their day-to-day lives are like, the kind of harrowing things they have to go through, how they got to where they are, how they get out of where they are, if they're criminals.
“One thing that really surprised me as I began kind of meeting people who are in the criminal underworld is how many of them really desired to just have kind of a regular cyber security job, and they had somehow stumbled into this very negative experience, either out of necessity — because they needed money, because it was very thrilling and they were young and stupid, and that was just a running theme,” Fazzini explained. “I mean, there were a couple of people who I discussed and who I got to know through their friends and their contacts who were just total sociopaths; those people definitely exist. But there's also another side of it where there are people who have really good skills that those can translate into the real world, and I think that that's an important story to tell too.”
Rettas asked, “What motivates people to either become a cyber criminal or to become a cyber security professional, or sometimes these people, actually, are both?”
Fazzini noted that we’ve all met people who, maybe when they were in high school or something were just a little bit bad here and there, but were not shutting down Baltimore with ransomware. Then, they go into the field because it’s the technology they understood. They become ethical hackers or red teamers — whatever you want to call them, but Fazzini said she thinks it’s the same thing that motivates most criminals: boredom.
“It's almost like kind of a teenage truancy sort of thing that I see happening in much of Eastern Europe,” she said. “There are not a lot of legitimate employers, but there's a ton of infrastructure around the criminal cyber activity, and it's very easy to make a lot of money, to not get taxed on that money, to not have to worry about the police because they're not policing this stuff.” Fazzini continued that some people just have good computer skills and there no huge Microsoft campus or giant Google facility for them to go and attempt to get a job. So, they join this collective and try to make as much money as possible in a very anti-social way.
Fazzini explained that some key theme kept resurfacing in her interviews for the book time and time again: People who rise up the ranks in cyber security who may have received a degree in the field at a certain period of time and have rested on that degree and not updated their skills or their knowledge since then, and have just tried to make it on leadership skills alone.
Then you see people like that in an environment where maybe they move from, let's say, a military role to a big bank. They are just not prepared for the politics of the bank, what kinds of attacks they're going to see, the bureaucracy and resources they have, which is significantly less than you would have in the U.S. military. It can cause a lot of strife and cause a lot of problems, and “I think it can even exacerbate cyber attacks,” Fazzini said.
All CISOs Are Not Created Equal
Rettas wondered about what the masses think of the talent at the top, because they seem to be ‘playing musical chairs right now’ and just go from one place to another. Plus, the Boards put the weight of the title of CISO across the entire organization.
Rettas explained, “When I say Board, I mean the entire marketplace of cyber security. So, if you're a CISO of 12, or if you're a CISO of 1,200, it doesn't matter; you are a CISO, we'll consider you for this position, which is just completely ridiculous, I think, in my mind. I mean, all CISOs are not created equal. Not even close, right?”
Fazzini agreed, “Absolutely, and I had this conversation with Bret Arsenault, who's the CISO of Microsoft, and it was a very interesting conversation because he has been in that role for more than a decade,” which is so rare she noted. “He has depths of knowledge in his understanding of the fact that yes, he talks to the board, but he has people who are doing product stuff. It's a totally different job, product security and security engineering, and in all the different Microsoft products, and then all of the different towers within the company.”
Fazzini added that he was just this really humble guy and “I thought, this is really amazing because you see so many people moving in and out of this as a role, really short term, don't get a feel for where they are, and having that feel for the company you're working for is just so critically important. I think that they're really overlooking that part of it.”
Fazzini and Rettas closed out the show by talking about making cyber security a little more approachable. She offered some tips:
- When hiring don't expect that person to speak the language of the business exactly, and look at what kind of skills they have, what kind of transferrable skills they have that you can actually use, and teach them.
- Rather, look for intellectual curiosity, leadership skills, communication skills, people that can talk, build strategies and execute.
- Make education more accessible.
- Relax on degree requirements and do four years on-the-job training instead.
“If you were really thinking outside the box, that that is a way to do it that makes so much more sense, because four years of on-the-job training in cybersecurity is... Well, you're ready to be a CISO, basically,” Fazzini joked.
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub. To listen to this and past episodes, click here.