Do Our Adversaries Have the Advantage?

Task Force 7 Radio Interview With CNBC Cyber Security Reporter

Esther Shein

The U.S. has talented cyber security professionals who are willing to work in tandem in the fight against rogue nations -- but the same cannot be said of the corporate community, according to Kate Fazzini, a cyber security reporter for CNBC, who was the guest on Monday night’s episode 57 of Task Force 7 radio, with host George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

“Cyber security professionals are really great; I don't see a lot of competition between them,” Fazzini said. “But the relationship is never going to be cozy between the top banks [and] ... especially the top tech companies.”

One of this country’s biggest strengths is “our entrepreneurial spirit,” but while the U.S. has some giant tech corporations, there are also corporations growing in countries with whom we sometimes have an adversarial relationship, such as China, Russia and companies in Eastern Europe and across Asia, said Fazzini, who is also an adjunct professor at Georgetown and the University of Maryland. Previously, she covered cyber security for the Wall Street Journal and worked as a cyber security practitioner in the financial services sector.

This “creates weakness in terms of information sharing because corporations that are doing business in China have some split loyalties,” she said, because they must cooperate with the Chinese government.

“The Chinese government probably would not look favorably on a company that is openly sharing all of the information from all of their customers with the U.S. government, with the [National Security Agency] NSA,” she said. For that reason, she said she believes there will be a conflict of interest doing business with companies in those countries, and that “makes it very difficult for companies to truly cooperate with the cyber defense of the United States.”

Asymmetrical warfare

Rettas asked Fazzini who she thinks represents the most formidable threat to the national security of the United States.

Rather than naming a nation state, “what keeps me up at night are the lone wolves,” she replied. “I think that the ability of so many people now to get ahold of really incredible technology, tools used by very sophisticated hackers in past criminal exploits, is very worrisome.”

Russia has created “a structure where their intelligence apparatus can rely on criminals and what criminals are capable of doing. They are letting criminals get away with a lot as long as those individuals cooperate with what they're trying to do,” she noted. The United States “has a hard time competing with that because, as a rule, U.S. agencies are not very favorable about cooperating with criminals.”

“The balance is asymmetrical between what Russia is doing and what China is doing,” she added.

When it comes to China, the Department of Homeland Security “will often talk about how they want to have companies cooperate with the federal government more, share information,” she said. “But we are never going to have the in-depth relationship that the Chinese government has with Chinese corporations,” which need intellectual property to build their businesses. The Chinese government is willing to take steps to get that intellectual property from U.S. corporations and from corporations around the globe, she said.

“That is really difficult for us to compete with … They have capabilities that just aren't built into our society.”

Russia “has these capabilities of working alongside criminals. They're willing to do it. They can get a lot of information that way,” she said. This blurs the lines between what is a criminal activity and what is a nation-state sponsored activity, so there's a lot of plausible deniability.

While Fazzini said she believes “the United States has terrific cyber security capabilities,” she observed that “we get outmatched just by what our competitors and what other nation states are willing to do.”

Rettas asked her to follow up on the disadvantages the U.S. has in its defense posture compared to Russia and China, as well as the advantages against its adversaries.

“We have an enormous advantage that the internet, that a lot of the big hardware companies, and the technology that the internet is based upon started here. We have people who have been doing this stuff for a very, very long time. We have an infrastructure advantage. We have a knowledge advantage. We certainly have a tech company advantage. I think that that makes us very strong. I think our government agencies are also very strong. They've invested a lot. I have my own opinions about how they probably need to do a better job of sharing information across government agencies, but, still, I think we churn out some of the best cyber security professionals. The disadvantages are some of the ones that I already mentioned.”

Collaboration isn’t happening

In the second segment, Rettas said that DHS wants more companies to collaborate with one another and with the government, but he asked Fazzini how realistic that strategy is. Fazzini replied that companies aren't “particularly excited about cooperating with the government.”

DHS and some private sector organizations have developed ISACs, or Information Sharing and Analysis Centers, where companies are able to share information, she said. At the same time, some companies feel that there is too much government being brought into the process, she said.

Rettas noted that a lot of the ISACs have found a way to share information anonymously. He asked her to elaborate on why companies doing business in China, Eastern Europe and Russia have mixed loyalties when it comes to cooperating with the U.S. government. When people have a business interest in China, she said, placating that government or making it a little easier to do business there “is something that is always going to be a problem.”

And if tech companies “can't be nice to each other [and] if they can't cooperate with each other, I think it's difficult to imagine how they would be expected to cooperate … with the federal government.”

In response to a question by Rettas about how that situation can be fixed, Fazzini said it’s not an easy answer because it’s so complicated.

“I think that Microsoft has the right idea. They've tried to push the idea of an international cyber security-Geneva Convention. I think that getting countries on board with some norms around how we treat corporations and ... norms around cyberwarfare that involve their impact on the lives of citizens, norms around IP theft and other issues like that … is really important.” She said she believes that would help fix the problem and also make it easier for companies to cooperate and make it easier to root out criminal organizations.

That said, Fazzini said we are a long way from that. “I think getting the countries on board who are often the biggest instigators is going to be very difficult.”

Threats to the supply chain

Rettas noted that historically, software-based attacks are much easier to conduct than hardware-based attacks, yet the latter is making more news lately.

“From my sources and people in government who I've discussed this with, we're talking about China implanting spy chips, possibly, in motherboards … for U.S. tech companies,” she said. But most of her sources have said that counterfeit products are a bigger issue than implanting something in actual products.

Then Fazzini turned the tables on Rettas and asked him, from his perspective as a cyber security expert who follows media stories, what journalists are getting wrong and what they could be doing better.

Rettas replied that the single biggest thing that “drives me absolutely crazy,” is seeing some reporters give away information about hacks, breaches, violations of the law that law enforcement is actively investigating.

“And I understand the need to share information and I get the journalistic value of getting information out there,” he said. “There's one or two reporters out there specifically that come to mind, that really have … screwed up dozens of law enforcement investigations by their actions and in the end, probably caused a lot more harm than good because they didn't think about what the downstream consequences were of them reporting” the investigations. While the reporters did nothing illegal, he added, he views it as a moral issue.

Fazzini agreed that “you have some legitimate points. I think that any reporter who's doing anything that's related to law enforcement toes this line and tries to toe it very delicately.”

Rettas then asked Fazzini what it is like, as a former cyber security professional, seeing how breaches are covered by the media.

“On the one hand, I do a lot of cringing” about some of the stories that come out or the stories she thinks don't matter, she said. On the other hand, she said she conducts a lot of interviews, and people will tell her things that “back when I had worked in the bank I myself would have said to a reporter, too.”

Cyber Security in 2019

In the show’s third segment, Rettas asked Fazzini what she thinks the big cyber security stories will be in 2019.

“I think we're a little overdue for our big cyberattack, and I think that's something that's going to happen,” she said.

She also predicted there will be a couple of interesting IPOs in the next year, potentially with CrowdStrike and Palantir. Fazzini also said she thinks there's “too many cybersecurity vendors” for her to cover right now.

“One of the stories that I think is very interesting in the cyber security vendor space is because it's so crowded, how incredibly competitive it is.” That competition is driving some companies to do some “wild and wacky things” against their biggest competitors.

For example, they run ad campaigns in the hometown of the CEO of the competitor, she said.

Fazzini also said to expect to see a lot more consolidation among cybersecurity vendors.

“I think what the big tech companies are looking for [is] going to be whatever solves the problem of the moment,” she said. “And then we get another big cyberattack. That's going to change that equation right away.”

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
