Will Huawei Take Down The Five Eyes Alliance?

Plus, underground criminal contractors and blockchain for elections in this TF 7 recap




Co-hosts Tom Pageler and Andy Bonillo joined host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, in episode #73 of Task Force 7 Radio on Monday night. The trio analyzed calls from Democratic presidential candidates to strengthen election security for 2020. Pageler is currently Chief Security Officer of BitGo, Inc. and Bonillo is Global Head of Information Security for AIG. Both are also former Secret Service agents, and they joined Rettas in hopes of helping to answer the question: “Will the lack of confidence in our election system lead to more political turmoil in the United States?”

“I’m determined to keep the focus on securing our election systems,” Rettas opened the show. He talked about how Democrats are making election security a campaign issue for the next election in 2020. He referenced a recent article that basically stated that the Russian hacking unequivocally happened in the Hillary campaign. Ultimately, it led to the notion that the current administration is not paying attention to cyber security, so the issue is being politicized — and it’s going to get worse.


Pageler agreed that the cyber security push from Democrats will continue and Republicans will need to be more aggressive to show how they’re going forward on this issue just to calm down the public and get people to “believe in the system again.”

“In the United States, we pride ourselves in being represented by the people that we elect, and if you do not believe in the electoral process, then you pretty much undermine the entire government structure we operate under,” Pageler said.  

Bonillo brought up the fact that with the publicity of late, we’re focused so heavily on the national and international stage, but we aren’t focused on local government, which is usually the first target. This sets the stage for the election.

“How do we increase security around local elections that are probably in the process of being tampered with today as we speak, prior to the national stage?” Bonillo asked.

Pageler added, “Our electoral system … should be our primary thing we protect because it’s who we are.” We can’t depend on a paper vote anymore – it’s eventually not going to work and has to ultimately go electronic.

Because of this, Pageler said we need three things:

  1. Investment.
  2. A Federal system to back it.
  3. A tracking system.

“I, as a voter, should be able to vote and then go see what my vote looked like,” said Pageler. “Maybe at the end of the year, it’s mailed with my tax return,” he suggested, or maybe look into a blockchain expert. “I want to know my vote is exactly what I voted. It’s going to take cost and overhaul.”


According to Bonillo, “It’s hard for people to truly understand what it really takes to protect these digital systems.” It’s not just technology and spend, but getting an entire ecosystem to speak the right languages, etc. If we upgrade an election terminal, it’ll only be a matter of time before someone rips out that new machine and reverse engineers it to find out how to get into it. He also added that there are many benefits of physical security, but even with that, there is no shortage of physical threats, potential extortion, etc., no matter what technology is in place. “Ultimately, it’s going to take a cohesive program to solve this.”

There are other issues outside of election protection that are helping the nation realize there are cyber security issues (i.e. people know that their credit card information has been stolen multiple times and they get replacement cards).

When it comes to Democrats pushing this issue, the three agree that, “The more focus on cyber security, the better.” It shows the country a need for more resources and more capital, which is a “good thing for the country as a whole.”

 


A Wider Cyber Security Talent Gap

The trio next unpacked the world of underground criminal contractors, the increase in sextortion attempts, the battle between good and evil for cyber security talent, and how cyber organized crime groups are colluding and collaborating like Fortune 500 Companies, without all the red tape. How will private sector security companies keep up with their adversaries?

Rettas referenced an article about digital extortionists who are now offering six-figure salaries to accomplices who will help extort high net worth individuals such as C-level executives, lawyers, and doctors.

As such, Pageler noted that it’s already hard to recruit the right cyber security talent within the industry, and companies are no longer just competing with each other for this talent; they also have to compete with cybercriminals who can pay large salaries.


Bonillo added that all it takes is money and technology acumen — also the right mentality. With the amount of money being offered being so high, organizations need to understand their insider threats better. This amount of money could really influence the industry and the already complicated talent gap.

While these extortion attempts are happening more frequently, people are now adopting crowdfunding, having the general public contribute so that they can get the rest of the money to pay these cybercriminals.

In addition, once someone’s data is put out there online (whether you actually did something or not), in some instances you’re going to be a target and public opinion will weigh in.

According to Pageler, only when we stop reacting to it and stop paying out will there no longer be a market for this (which is easier said than done).

And while most people and organizations don’t believe this could happen to them, Rettas reviewed the numbers from the same aforementioned article: between July 2018 and February 2019, researchers counted 89,000 email recipients of sextortion attempts, 792,000 total attempts against target emails, 92 Bitcoin addresses that received payments and $332,000 in total extortion payments received.

So how do we make these attempts stop?

  1. Raise bug bounties and salaries to overcome the cost of the underground
  2. Heightened awareness/increasing readiness in corporate America
  3. Rely on multiple partners to get through the scenario
  4. Have a plan and prepare for the attempt

“You can’t change the home,” Bonillo said. “It all goes back to how you’re brought up and what will be a driver for you. It’s sad to see that we could be getting to that tipping point,” where we’re not choosing between right and wrong, but who pays more.

Pageler added, “Just own your mistake and don’t pay for it — we’re all human.”

 

The Future Of Intelligence Sharing

And finally, Huawei, a Chinese company accused of using its technology for spying purposes, threatens to bring down the Five Eyes Alliance as the UK seems to lean towards using the company to build its 5G networks. What will this mean for the future of intelligence sharing for the most important intelligence alliance in the free world?

Rettas referenced an article that reveals how this is causing a major divide in the Five Eyes Alliance, which is the intelligence alliance between the U.S., UK, Canada, Australia and New Zealand.

Building a 5G network means really fast internet all the time with no need for routers, etc. Smart cities are reliant on this, because it would mean stopping hubs everywhere and “just lighting up the whole world,” said Pageler. “But, it’s scary that it’s run by another country. We need standards and a backup plan, and we need to start talking about this now.”

Bonillo said that there’s another component lost in this conversation – we have to look at having to fight an adversary that has control over that infrastructure around the world. “So if you think about cyberwarfare or warfare in general, having a government-owned infrastructure that they can leverage in time of warfare or cyber-kinetic, is really I think the bigger conversation here — because at the end of the day, we don’t own these private infrastructures.”

Rettas read a quote from the article talking about how this is causing a divide within the Five Eyes: "We have serious concerns over Huawei's obligations to the Chinese government and the danger that poses to the integrity of telecommunications networks in the US and elsewhere," Bill Evanina, head of America's National Counterintelligence and Security Center has said. "Chinese company relationships with the Chinese government aren't like private sector company relationships with governments in the West."

Australia and New Zealand have sounded negative about Huawei’s involvement in their 5G networks to varying degrees and Canada is still deciding. All eyes are now on the UK.

Bonillo added that we could potentially see segregated networks. “I don’t see where the other four of the Five Eyes would want to share anything if they didn’t trust the network.”

Rettas had some final thoughts: “There has to be, in these Five Eyes countries, a standard technology stack in terms of security.” We need to all understand and come to an agreement on best practices — and it includes all communication technology. “To the point where we can manage some of these supply chain risks, and control it to some degree, and mitigate it to the best of our ability … and I know the challenges we face, but that doesn’t mean we lay down and die – we have to do something. We can’t use companies we highly suspect use technology to spy,” he closed.

The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
